Skip to main content

Draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023

Debated on Monday 4 December 2023

The Committee consisted of the following Members:

Chair: Mrs Pauline Latham

† Bradshaw, Mr Ben (Exeter) (Lab)

† Bryant, Sir Chris (Rhondda) (Lab)

† Coyle, Neil (Bermondsey and Old Southwark) (Lab)

† Foster, Kevin (Torbay) (Con)

† French, Mr Louie (Old Bexley and Sidcup) (Con)

† Glindon, Mary (North Tyneside) (Lab)

† Hollobone, Mr Philip (Kettering) (Con)

Johnson, Dame Diana (Kingston upon Hull North) (Lab)

† Lord, Mr Jonathan (Woking) (Con)

† Mak, Alan (Havant) (Con)

† Mills, Nigel (Amber Valley) (Con)

Monaghan, Carol (Glasgow North West) (SNP)

Penning, Sir Mike (Hemel Hempstead) (Con)

† Russell, Dean (Watford) (Con)

† Timms, Sir Stephen (East Ham) (Lab)

† Webb, Suzanne (Stourbridge) (Con)

† Whittingdale, Sir John (Minister for Data and Digital Infrastructure)

Stella-Maria Gabriel, Committee Clerk

† attended the Committee

Second Delegated Legislation Committee

Monday 4 December 2023

[Mrs Pauline Latham in the Chair]

Draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023

I beg to move,

That the Committee has considered the draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023.

It is a pleasure to serve under your chairmanship, Mrs Latham.

As Members will be aware, the UK’s departure from the European Union provided us with an opportunity to amend, remove and replace unsuitable retained EU law. The European Union (Withdrawal) Act 2018 and the Retained EU Law (Revocation and Reform) Act 2023, which was passed earlier this year, set out that certain EU-derived laws, principles, rights and regulations should cease to apply in the UK by the end of 2023.

The Data Protection Act 2018 and the UK General Data Protection Regulation, known as UK GDPR, require that the Government, the Information Commissioner and other organisations using personal data to consider people’s “fundamental rights and freedoms” in certain situations. For example, such rights and freedoms must be considered by data controllers when relying on the “legitimate interests” lawful ground for processing under article 6(1)(f) of the UK GDPR, and by Ministers when considering whether to create new permissions in relation to the use of people’s sensitive data.

Before EU exit, those were taken to be rights under the EU charter of fundamental rights. Following the European Union (Withdrawal) Act, they have been those fundamental rights retained by section 4 of the Act. Given that section 4 is set to be repealed at the end of 2023, it is important for us to take action through this draft statutory instrument to substitute the reference to it. Failing to do so would lead to ambiguity surrounding the interpretation of references to “fundamental rights and freedoms” in the data protection legislation. The lack of clarity could pose significant difficulties for organisations using the data protection legislation, resulting in inconsistent outcomes and legal uncertainty.

That is why, through the draft regulations, the Government are clarifying that “fundamental rights and freedoms” refer to rights under the European convention on human rights, known as the ECHR, which has been given further effect in UK law under the Human Rights Act 1998. By doing that, the Government are ensuring that there is a clear, legally meaningful definition to rely on. That will provide consistency and certainty for organisations that are subject to data protection legislation, as well as continued protection of people’s rights.

The draft regulations are made under powers in the REUL Act, which allow Departments to revoke or replace references to EU-derived law. However, it is important to note that the regulations themselves do not remove any EU law rights; it is the European Union (Withdrawal) Act and the REUL Act that do that. The regulations are simply designed to replace references to EU law that would otherwise become meaningless at the end of the year.

Will my right hon. Friend confirm what happens if we have left the ECHR by the end of the year? Do we have to make up our own definition, or is that not going to happen after all?

My hon. Friend raises a wholly theoretical proposition. Should it ever occur, we will probably have to define our own version back in Committee. For the moment, however, we are members of the ECHR and the Human Rights Act applies, and it is the rights as defined in that Act to which we will now refer.

Subject to the approval of the Committee here gathered, the draft regulations will ensure clarity for organisations. From the end of 2023, they will provide ongoing protection for people’s rights when their personal data is processed by replacing a redundant definition of fundamental rights with a new one based on rights protected by domestic law in the UK. I commend the regulations to the Committee.

It is a great delight to sit under your chairmanship, Mrs Latham. You and I have many things in common, not least our determination to see that fewer people suffer from melanoma and that more get the proper treatment that they deserve. I know that has been a long-standing campaign of yours.

First, I will just correct the Minister. He mentioned these regulations being subject to the agreement of the Committee today. There is no such thing as the agreement of the Committee today, because even if every single member of the Committee voted that we disagreed with the motion, it would go through none the less as all it does is ask whether the Committee has “considered” the regulations. On a minor point, this is one of my arguments regarding the problems with Henry VIII powers and the extensive use of secondary legislation, all of which is unamendable.

To get back to the bit where I agree with the Minister, these regulations do indeed amend the existing UK data protection regime so that references in relation to data controllers and Ministers, and to “fundamental rights and freedoms”, pertain to the European convention on human rights—enshrined by the Human Rights Act 1988—as opposed to the charter of fundamental rights of the European Union. This may of course feel like a great deal of dancing upon the head of a pin, in that we are changing one European Court for another—I am sure that has been a very useful waste of British legislative time over these years. As the Minister says, the Government are making this change under section 14 of the Retained EU Law (Revocation and Reform) Act 2023, which allows the Government to revoke secondary retained EU law and replace it with such provisions as they consider appropriate.

I do have a few questions. Paragraph 2.2 of the explanatory memorandum refers to

“an alternative source of fundamental rights and freedoms, namely those under the European Convention on Human Rights (ECHR), which have been enshrined in the UK’s domestic law under the Human Rights Act 1998.”

The regulations themselves, however, refer directly only to the Human Rights Act, thereby making me worry as to the true intentions of the Government in relation to the European convention on human rights and the European Court of Human Rights. Why is there a difference between what is in the memorandum and what is in the regulations?

Secondly, can we presume from this that the Government—as the Minister’s helpful, mischievous friend at the back, the hon. Member for Amber Valley, pointed out earlier—have no plans to leave the European convention on human rights? I know the Minister has been a very outspoken critic of Russia and of Belarus. I am sure he would personally hate for the UK to be joining a small group of Belarus and Russia as the countries that have left the European convention. Or should we presume that the Government do intend to resile from the convention? That seems to be the implication of the difference between the memorandum and the regulations.

What further amendment to the data protection regime would be necessary if we were to leave the European convention on human rights? The Minister said that we would have to convene again. Is that right, or would we simply be able to rely on the Human Rights Act 1998 as it stands?

The next set of questions relate to the fact that we are changing essentially from one Court to another. The ECHR has often taken a much more permissive approach than the European Court of Justice to mass surveillance by Governments and other organisations. Is this an attempt from the Government to move to a situation where they are intending to extend mass surveillance of, for instance, bank accounts, including the bank accounts of people with state pensions in the UK, as was agreed to by hon. Members last week in the debate on the Data Protection and Digital Information Bill? Have the Government made an assessment of the difference between the approaches of the European Court of Human Rights and the European Court of Justice towards such mass surveillance issues?

Under the Human Rights Act, UK courts will obviously be adhering to their understanding of what the European Court of Human Rights has held on these views, particularly in relation to the two key human rights of privacy and freedom of expression—articles 8 and 10. The truth, however, is that the UK courts will only effectively keep pace with the European Court of Human Rights. They will not recognise rights in contexts where the case law has not yet been developed. What analysis have the Government done of the case law, which might therefore be applied by UK courts in interpreting the Human Rights Act?

My hon. Friend referred a moment ago to the enormous new power that the Government put into their legislation last week that will allow them to look into the bank accounts of anyone claiming a state pension. In last week’s debate, he said that the House of Commons Library had confirmed that that is indeed the implication of the amendment that was agreed, and the Library has also confirmed that to me today. However, journalists speaking to the Department for Work and Pensions were told that that is not what that amendment does. Does my hon. Friend have an update on whether the Government are in fact taking that power for themselves?

I am afraid I am unable to update my right hon. Friend—he is updating me—but perhaps the Minister will be able to update us. I know that he is not a Department for Work and Pensions Minister but none the less it is his Bill that is going off to the House of Lords now. As my right hon. Friend the Member for East Ham knows, we have significant concerns about the extent of the power the Government are taking and the set of circumstances in which they would want to use it. I have a sneaking worry that these regulations are aimed at helping them to take more substantive power and a bigger step, but perhaps the Minister will relieve my anguished breast on these matters.

My final question concerns the UK’s data adequacy, because it is obviously in the interests of UK businesses to have stability and certainty about where data protection law is going and that we have full data adequacy not only with the United States of America, which has been arranged through the new bridge agreement that we supported, but with the EU. I think the Minister agrees, notwithstanding the points he made about Brexit freedoms and all that stuff.

The EU made the decision to grant UK data adequacy in June 2021 for a period of four years, after which it will be renewed only if the European Commission considers that the UK continues to ensure an adequate level of data protection. What assessment have the Government made of how the regulations will impact on a future decision by the European Commission on data adequacy? For instance, if the Human Rights Act embraced the kinds of decisions previously made by the European Court of Human Rights and allowed a much more permissive approach than the European Court of Justice towards mass surveillance, that could thrust us into a situation where UK courts effectively allowed far more generous mass surveillance by Government and other organisations than the EU would allow. Would that not threaten the UK’s data adequacy arrangements? Nevertheless, despite those points, we are broadly happy to support the measure and I am sure that the Minister will want to reassure me.

I will do what I can to soothe the anguished breast of the Opposition spokesman, the hon. Member for Rhondda. He said that you and he share an interest in relieving melanoma, Mrs Latham. I would like to put on record that you and I share something as well: we are both holders of the order of merit of Ukraine, conferred by President Zelensky—something of which I am very proud, and I have no doubt you are too.

The hon. Member for Rhondda made a number of points, most of which appeared to see conspiracy where I have to say to him none actually exists. He followed the lead of my hon. Friend the Member for Amber Valley in pursuing the theoretical question of what would happen if the UK left the European convention on human rights. As I said in response to my hon. Friend, the Government have no intention of the UK leaving the convention. The regulations do obviously refer to the Human Rights Act, although there is a reference to the convention rights within that Act. I say to the hon. Gentleman that there is no intention to somehow make it easier for surveillance to take place or infringe data protection rights. In the Government’s view, the rights referred to in the ECHR provide an equivalent level of protection to that which is available under the EU charter of fundamental rights. The regulations therefore represent no shift in the level of protection provided to citizens in this country by replacing the first reference with this particular reference.

The hon. Member for Rhondda rightly refers to articles 8 and 10 of the European convention as the principal articles that have been interpreted by the courts to confer privacy rights and in the area of data protection. We have looked at existing case law, which is quite extensive, and the courts have used those articles as justification for data protection. I therefore do not think there is any concern to be had by that.

The hon. Gentleman also suggested that this might somehow put data adequacy at risk. We had a slight reprise of the debate we had last week on the Data Protection and Digital Information Bill with the right hon. Member for East Ham, who, I have absolutely no doubt, will be rigorous in his pursuit of the Department for Work and Pensions through his chairing of the Work and Pensions Committee. I will therefore probably leave it to my colleagues in DWP to answer the precise questions on that particular point.

On data adequacy, I do think there might be a concern should we fail to pass these particular regulations. It would leave existing UK law referring to something that is essentially meaningless and of which we would no longer be a member: the EU charter of fundamental rights. To that extent, the regulations will ensure that the freedoms and rights are still relevant and refer to a convention of which we remain a member.

I do not think, therefore, that the regulations represent a reduction in the rights of citizens of this country; they simply tidy up the existing statute book as a result of the UK’s withdrawal from the European Union, using powers passed by Parliament in the European Union (Withdrawal) Act and the Retained EU Law (Revocation and Reform) Act. On that basis, I welcome the rather qualified support that the hon. Member for Rhondda gave at the end.

Question put and agreed to.

Committee rose.