Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023

Volume 834: debated on Tuesday 12 December 2023

Considered in Grand Committee

Moved by

That the Grand Committee do consider the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023.

Relevant document: 3rd Report from the Secondary Legislation Scrutiny Committee

My Lords, these regulations, which were laid before the House on 7 November 2023, will be made under the powers provided by the Retained EU Law (Revocation and Reform) Act 2023, known as the retained EU law Act. They are concerned with the definition of “fundamental rights and freedoms” in the data protection legislation and making sure we continue to have a meaningful definition beyond the end of the year, when the retained EU law Act takes effect.

In several areas, the data protection legislation—specifically the Data Protection Act 2018 and the UK general data protection regulation, which I will refer to as the UK GDPR from now on—requires the Government, the Information Commissioner and organisations using personal data to consider people’s “fundamental rights and freedoms” in certain situations. For example, Ministers must consider such rights and freedoms when creating new exemptions or permissions for the use of people’s special category data, and data controllers must consider them when relying on the “legitimate interests” lawful ground for processing under Article 6(1)(f) of the UK GDPR. It is vital that, in circumstances such as this, the rights of individuals continue to be carefully considered and protected.

Prior to EU exit, references to fundamental rights and freedoms in the data protection legislation were taken to mean rights described in the EU Charter of Fundamental Rights—which I will refer to as the charter. Following the European Union (Withdrawal) Act 2018, some of these rights were retained by Section 4 of that Act. Given that Section 4 of the European Union (Withdrawal) Act will be repealed at the end of 2023 by the retained EU law Act 2023, action is needed now via this statutory instrument to replace the definition of “fundamental rights and freedoms”. Without action, there would be a lack of clarity about what these references mean. This could cause significant difficulties for organisations trying to apply the data protection legislation, risking inconsistent approaches, legal uncertainty and insufficient protection of data subjects’ rights.

That is why, through the draft regulations, the Government are clarifying that references to fundamental rights and freedoms in the data protection legislation mean rights under the European Convention on Human Rights, known as the ECHR, as defined by the Human Rights Act 1998. By doing this, the Government are ensuring that there is a clear, legally meaningful definition to rely on. This will provide consistency and certainty for organisations which are subject to data protection legislation, as well as continued protection for people’s rights. It is important to note that these regulations themselves do not remove any EU law rights; it is the European Union (Withdrawal) Act and the retained EU law Act that do that. These regulations are simply designed to replace references to EU law that would become meaningless at the end of this year.

I thank the Secondary Legislation Scrutiny Committee and European Statutory Instruments Committee for their views on these regulations. I have noted their concerns that rights protected by domestic law under the Human Rights Act might not provide the same level of protection as rights protected by EU law under the Charter of Fundamental Rights of the European Union. The matter of protection of people’s rights is of utmost importance, and I take this opportunity to reassure the Committee that the changes we are making via these regulations will not significantly affect the way the data protection framework works or indeed erode the protections it affords to people. Prior to EU exit, EU law rights protected by the charter included, for example, the right to respect for private and family life, the right to protection of personal data and the right to freedom of expression. The new definition will be based on rights protected by the ECHR, which includes the right to respect for private and family life and the right to freedom of expression.

The committee and others have raised a concern that the regulations remove reference to the specific right to data protection that was a feature of the charter. It is true that there is no such free-standing right under the ECHR. However, case law on this issue shows that data protection forms part of the protection offered by the right to respect for private and family life in Article 8 of the ECHR. It is further protected by our data protection legislation, which provides a comprehensive set of rules for organisations to follow and rights for people in relation to use of their data. The stand-alone right to protection of personal data was a feature of EU law and its removal is a result of EU exit legislation, including the retained EU law Act, rather than these regulations, which merely replace outdated terminology to recognise the new position.

I inform the Committee that we have formally consulted the Information Commissioner’s Office on the drafting of these regulations, and it recognises why the data protection legislation cannot continue to refer to rights that have been repealed. I hope that noble Lords will join me in supporting the draft regulations. I beg to move.

My Lords, I welcome the Minister to this crowded box-office occasion—over the years it has been for aficionados, by and large.

I thank her for setting out the purpose of these regulations. Originally, they were to be approved by the negative procedure. It is to the great credit of the Secondary Legislation Scrutiny Committee that, in its 53rd report, it recommended an upgrade of the instrument to the affirmative procedure because of concerns about a potential reduction in rights protection. I heard what the Minister said in her introduction.

In its report, the committee quoted the Department for Science, Innovation and Technology, which stated that

“the impact on organisations and individuals as a result of the proposed changes was expected ‘to be minimal’”,

and that the changes

“replicate the current position ‘as far as possible’, but it was unable to rule out entirely potential differences in the rights and freedoms”.

In those circumstances, I need to thank the Minister and the Government for bringing back these draft regulations for affirmative approval—in other words, for listening to the committee.

However, our conclusion is that the regulations fail to contain damaging uncertainty and inconsistency in this area, which is exactly what concerned the SLSC. I am afraid it will be clear from our debate next week on the Data Protection and Digital Information Bill, as it was when we recently debated the Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023, that data is a really weak spot for this Government—as if they needed any more.

I am afraid that it is clear that these regulations by themselves are insufficient to stabilise the UK’s data protection frameworks once what has been called the tsunami of legal uncertainty unleashed by the retained EU law Act—REULA—engulfs us on 31 December 2023. The Minister lightly skipped over that. When the UK stopped being subject to the EU treaties at the end of 2020, the European Union (Withdrawal) Act 2018—EUWA—saved the rights and obligations which applied in domestic law as a result of the UK’s EU membership. This meant, in essence, that the EU GDPR became the UK GDPR. The Data Protection Act 2018 remained on the statute book. The rights and obligations became part of retained EU law—the vast body of law saved from the EU legal framework on the UK’s departure. Retained EU law was to be interpreted as it had been while the UK was an EU member state. This created continuity and certainty as to what the law meant.

The Court of Justice of the European Union—CJEU—case law from before the end of 2020 was also preserved in domestic law, as was domestic case law interpreting EU rights and obligations. The general principles of EU law, which include fundamental rights and the protection of personal data, were retained as an aid to the interpretation of our data protection frameworks. The principle of the supremacy of EU law was preserved. This meant that, in a conflict between the provisions in the UK GDPR and the DPA 2018, the UK GDPR took precedence. This was confirmed in the case of R (on the application of the Open Rights Group) v the Secretary of State for the Home Department and the Secretary of State for Digital, Culture, Media and Sport. In this case, the retained principle of supremacy was relied on by the Court of Appeal to find that the overly broad exemption in the DPA 2018 from data subject rights in an immigration context was unlawful. Yesterday, the Court of Appeal ruled that the Government must amend the immigration exemption in Schedule 2 to the Data Protection Act because it is incompatible with Article 23 of the UK GDPR. This sort of argument will no longer be possible after the end of this month because the exemptions in Schedule 2 to the DPA will take precedence over the UK GDPR.

The EU Charter of Fundamental Rights was not saved into the domestic statute book. The Government’s view was that this made no substantive difference because the charter simply listed the rights found in EU law, so because the rights and obligations listed in the charter were being saved into domestic law through the European Union (Withdrawal) Act, no rights would be lost. Further, the EUWA clarified that retained case law which referred to rights in the charter should be read as referring to the underlying rights and obligations listed in the charter. This ensured that case law which referred to the charter would still be applicable.

Nothing in EUWA prevented Parliament legislating to change the UK GDPR and the DPA 2018. Indeed, the White Paper on the EUWA stated that, after the UK’s exit from the EU:

“It will then be for democratically elected representatives in the UK to decide on any changes to that law, after full scrutiny and proper debate”.

As we will be discussing next Tuesday at its Second Reading, the UK’s data protection frameworks are being changed through the vehicle of the Data Protection and Digital Information Bill. As I have indicated to the Minister, the noble Viscount, Lord Camrose, these Benches do not welcome those changes and regard them as dilutions of data subject rights.

However, there are also fundamental changes to the UK’s statute book being made at the end of this year through the REULA, which will sweep away the retained EU general principles, including fundamental rights and the requirement to interpret retained EU law in accordance with those principles. Further, the principle of the supremacy of EU law is being deleted. The default position is that domestic law whenever enacted will trump the law which came from the EU.

Changes introduced by REULA are bound to create legal uncertainty. In terms of the UK GDPR and the DPA 2018, EU fundamental rights are the underpinning foundation of the law. If they are simply deleted—the default position under REULA—the UK GDPR and the Data Protection Act 2018 will become more difficult to interpret. This is, of course, why the regulations have been introduced. They are intended to ensure that, as the Minister said, references to fundamental rights and freedoms in the UK GDPR and the DPA 2018 are read as references to fundamental rights and freedoms as set out in the European Convention on Human Rights as implemented through the Human Rights Act 1998.

On one level, this makes sense. Article 8 of the EU’s Charter of Fundamental Rights—the right to the protection of personal data—is based on Article 8 of the ECHR on the right to private and family life, but it is not certain that the rights under Article 8 of the ECHR provide exactly the same protections as the right to data protection in the EU legal order. First, this is because the ECHR has no specific fundamental right to the protection of personal data. In the case of R (Davis & Watson) v Secretary of State for the Home Department, the High Court held that Article 8 of the charter goes further and is more specific than Article 8 of the ECHR. Secondly, the charter contains general provisions explaining how the relevant rights should be interpreted, and Article 52 of the charter confirms that, when rights in the charter correspond to the rights in the ECHR, the meaning and scope of those rights should be the same as in the ECHR, although the EU is not prevented from providing more extensive protections. Whether EU fundamental rights provided more extensive protection than those under the ECHR will be tested in the courts over the coming years, but there is likely to be uncertainty in relation to this point from the end of this year.

Another area of significant uncertainty will be how, if and to what extent CJEU case law still applies when interpreting the UK GDPR and the DPA 2018. Much of the CJEU case law on data protection references EU fundamental rights, as set out in the charter. If EU fundamental rights have been deleted, it is not clear that the case law still applies. Again, we will have to wait for cases to reach the courts to understand whether and to what extent the case law is still applicable. The Explanatory Memorandum and Explanatory Note make no attempt to answer whether the Government consider that they do, other than stating that

“no, or no significant, impact”

is foreseen by the implementation of the regulations.

Given what I have said so far, this looks a rather complacent and even misleading statement, especially when Sir John Whittingdale in the Commons said of these regulations that

“they simply tidy up the existing statute book as a result of the UK’s withdrawal from the European Union”.—[Official Report, Commons, Second Delegated Legislation Committee, 4/12/23; col. 8.]

In fact, looking closely at the wording of the Explanatory Memorandum, we see that there is no unequivocal statement to the effect that there is “no, or no significant, impact” on individual human rights as such. I think that the Minister, when she introduced those regulations, actually used those words—that there is no significant impact on human rights as such—but I hope that she will reassure us by repeating those and that she anticipates that there will be no significant impact.

The deletion of supremacy also turns the relationship between the UK GDPR and the DPA 2018 on its head. If there is a conflict between the UK GDPR and the DPA 2018, the DPA 2018 will take precedence. That is the opposite of the intention of the legislation when it was drafted and may have unforeseen consequences. There is a limited exception to the general rule that REULA introduces, that domestic law will trump retained direct EU legislation. This exception operates in the context of data protection rights. Data subject rights under the UK GDPR will generally take precedence over rights or obligations in other domestic law. However, the rights and obligations in chapter 3 of the UK GDPR, relating to the rights of the data subject, are subject to the exceptions in Schedule 2 to the DPA 2018.

It appears that there is no scope under REULA to disapply the Schedule 2 exceptions on the basis that they are overly broad, as happened in the Open Rights Group case; instead, the courts would need to make an incompatibility order under Section 8 of REULA, which may delay, explain, remove or constrain the consequence of the Schedule 2 condition trumping data subject rights, but this is a less certain remedy than would have existed before. Under EUWA or when EU law still applied, it would have been clear that the UK GDPR had precedence and that overly broad exceptions in Schedule 2 to the DPA 2018 were unlawful. In practice, this means that data subject rights in the UK will be less certain and potentially less protected than before.

The significant uncertainty caused by the changes that REULA makes to the statute book could have been remedied by the Government using powers in REULA. The powers in Section 11 of REULA could have been used to turn the effect of EU fundamental rights and supremacy back on. Alternatively, the current relationship between the UK GDPR and the DPA 2018 could have been restored by using the power in Section 7. For instance, the Government could have clarified that established case law still applies, but they have chosen not to do so. The regulations seek only to cure the problem of deleting EU fundamental rights by replacing those references to fundamental rights under the ECHR, using the powers in Section 14, but this creates new uncertainties as outlined above.

I think noble Lords would agree that all this potentially makes the head spin, but I have not even got to the point where we might need to talk about the consequences if the UK withdraws from the ECHR or repeals the Human Rights Act, as so many Conservative MPs seem to want to do. Lowering the standard of data protection rights in the UK creates obvious risks to the continuing UK data adequacy decision, which rests on data protection rights being essentially equivalent to those rights in the EU. If the Conservative Party campaigns to leave the ECHR or repeal the Human Rights Act at the next election, then this will simply magnify the uncertainties. The substitution that the regulations make of ECHR human rights for EU fundamental rights may be short-lived. Lowering the standard of protection of personal data in the UK also risks failure in delivering the trusted data regime, which purports to be one of the underpinning foundations of the UK’s ambition to become a technology superpower by 2030.

There are clearly major questions to answer, which the Explanatory Memorandum and the Minister’s introduction come nowhere near answering. Perhaps she will now make a bit of a stab at this—although I would be perfectly happy for her to write with a response. We should be very grateful to Eleonor Duhs for her SOAS ICOP policy briefing and to Professor David Erdos for raising these issues in the first place.

In addition to all the foregoing, Professor Erdos also raises the question of ultra vires. I hesitate to raise this at this stage, having said quite a lot already, but he raises the fundamental issue concerning what appears to be a problem with the draft regulations’ legal basis—I expect that the Minister has been briefed on this. This is stated to be issues relating to Section 14 of the Retained EU Law (Revocation and Reform) Act 2023.

There is a case to answer, in a number of respects. I hope the Minister can give us some assurance on all of these issues, and I certainly hope that the chickens do not come home to roost.

The Minister will probably be relieved to know that I do not have a speech as long as that of the noble Lord, Lord Clement-Jones, but I share many of his concerns. I would very much appreciate some of the detailed questions that the noble Lord asked being put to the test in an essay to us, perhaps in the form of a letter. That might be very helpful.

As the noble Baroness said, the regulations propose to replace the definition of fundamental rights and freedoms contained in the UK general data protection regulation and the Data Protection Act 2018. As the SLSC noted, these are currently defined by reference to rights contained in retained EU law.

I share the concern of the noble Lord, Lord Clement-Jones, that the regulations were originally to be under the negative procedure. I am glad that the Minister and officials have decided that that was an unwise course, because it would have given us very little control over the process and would not have enabled the sort of scrutiny that we in this House have come to expect.

I also share the noble Lord’s concern about the data protection framework being a weak spot. There is not much question about that. As he says, this acts as a curtain-raiser to our discussions and debates on the Bill coming forward next Tuesday. The data protection framework is undoubtedly being changed and not, it seems, for the better. These regulations foresee a time when there will be a weaker level of data protection, and I do not think that is in the public interest.

The DSIT colleague, as the noble Lord, Lord Clement-Jones, said, told the SLSC that

“the impact on organisations and individuals as a result of the proposed changes was expected ‘to be minimal’, … but … was unable to rule out entirely potential differences in the rights and freedoms”.

As the SLSC concluded, while DSIT had

“not identified any discernible impact, any changes in this sensitive area may be regarded as politically significant”

and something on which, quite rightly, the House would want to comment.

We welcome the work of the sifting committees and that, as a result of their reports, the SI is being debated as it should be. We do not oppose the statutory instrument. We share the sifting committees’ concern about changes brought by the repeal of EU-derived rights at the end of the year and that these may, directly or indirectly, lead to a lower overall level of protection for individuals. However, we note that, while we are debating the SI only a short time before the Christmas Recess, the department did publish draft regulations in September. This has given relevant parties time to prepare for the changes, which has not always been the case under different iterations of His Majesty’s Government.

As highlighted by the Commons debate, we must consider this SI in the context of broader changes to domestic data protection law, and the potential long-term consequences of these changes on our relationship with other jurisdictions. As I said earlier, your Lordships’ House will shortly begin consideration of the Data Protection and Digital Information Bill. Concerns have already been voiced that this will lower data protection standards and thresholds and, as a result, put our EU data adequacy decision at risk when it comes up for review.

We will have the opportunity to discuss those issues in more detail next week, but we would be grateful to the Minister if she could distance herself from the unfortunate comments of Minister Whittingdale in the Commons, who accused my colleague, Sir Chris Bryant, of appearing to see conspiracy where none actually exists. We do not believe that is the case; we believe these concerns are rightly stated. It is our role to scrutinise His Majesty’s Government and to ask legitimate questions that are of concern to the public. We are doing so at a time when there are live debates within the Conservative Party about the extent to which the UK should adhere or even remain signatories to international human rights treaties.

So, while we support the SI’s passage, as it will keep the statute book in order as parts of retained EU law are swept away, the department has a lot more work to do to convince us and other noble Lords of its broader approach to data protection law. I give notice today that we will be following very closely the debates next week scrutinising legislation at Second Reading and, with colleagues, will no doubt be submitting amendments to the legislation to toughen it up. It is clear to us that there is a direction of travel, and it is not one that we agree with.

I thank noble Lords, who are very well versed in this topic and have obviously spent a lot of time thinking about it. I have had some flashbacks to my time in the European Parliament, where I did the original GDPR. I am glad that people now think it was a perfect piece of work. At the time, people were very critical of what we did.

It is definitely not punishment, but it has taken me back, and I am on a steep learning curve here. I thank noble Lords for their interventions. I will try to do some justice to them. As was suggested, if I have not covered the topics adequately, given that the questions were incredibly detailed, I will respond in writing so that noble Lords will have the detail.

As I mentioned in my introductory remarks, it is important to note that these regulations themselves do not remove any EU law rights. Parliament has already agreed to do that in passing the European Union (Withdrawal) Act and the retained EU law Act. If we support these regulations today, instead of allowing references to EU law rights in the data protection legislation to lapse without replacement, we will instead ensure that the relevant organisations continue to consider analogous rights under our domestic law where it is appropriate to do so.

The overall effect of the changes made by these regulations will neither undermine protections for individuals nor increase the regulatory burden for organisations. There could even be some benefits for organisations in the sense they will only need to consider how the rights of individuals are protected by rights recognised in domestic law rather than trying to comprehend how retained EU law protected those rights.

I turn to some of the specific questions raised. The noble Lords, Lord Clement-Jones and Lord Bassam, suggested that the regulations could undermine protections. As noble Lords will know, the current definition of fundamental rights and freedoms refers to those rights retained in Section 4 of the European Union (Withdrawal) Act 2018. The EU Charter of Fundamental Rights was not retained under that section, although many of the rights found in the charter were retained because they existed in other EU law. There is no authoritative list of these rights, which means that deciding which rights are caught by this definition is a question of complex legal analysis. The ECHR, by contrast, contains a specific and defined list of rights, which are already familiar in the domestic context. We accept that there may be differences between the rights under EU law and the convention rights described and given further effect in the Human Rights Act, but where these differences are in areas relevant to data protection, we consider that there are analogous rights and protections, even if phrased differently.

The noble Lord, Lord Clement-Jones, also raised the issue of supremacy. The purpose of the REUL Act is to ensure that the UK has control over its laws. However, we acknowledge the importance of making sure that data processing provisions in wider legislation continue to be read consistently with the data protection principles in the UK GDPR. That is why Clause 49 of the DPDI Bill, which will be debated in due course, will make sure that any new data processing provisions continue to be subject to the data protection legislation, unless Parliament decides otherwise. Replication of the effect of UK GDPR supremacy is a significant decision, and we consider that the use of primary legislation is the more appropriate way to achieve these effects, such as under Clause 49 where the Government consider it appropriate.

The noble Lord, Lord Clement-Jones, also raised the retention of EU case law. Any further effect on the application of retained case law by domestic courts will be governed by Section 6 of the European Union (Withdrawal) Act 2018, as amended by Section 6 of the REUL Act once that section is commenced, rather than by this SI. It is not possible to state precisely, of course, how the courts will treat each individual piece of retained case law. However, it is unlikely that a court will depart from a decision simply on the basis that it refers to the right to the protection of personal data where the relevant interest is also protected by Article 8 of the ECHR.

The noble Lord also raised the issue of withdrawal from the ECHR. In these regulations, we are referring to rights recognised in UK law as it currently stands. The changes we are making refer to rights currently given effect in UK domestic law under the Human Rights Act.

We note that the noble Lord’s concerns about vires were not shared by the Joint Committee on Statutory Instruments.

The noble Lord, Lord Bassam, asked if there were any adequacy concerns about these provisions. We do not believe that there are concerns about adequacy. These are technical changes, designed to ensure legal certainty and protect the coherence of the data protection framework following the commencement of the REUL Act. As we are seeking to provide for continuity as far as possible, we do not think that the measures in the regulations pose a material risk to the EU’s adequacy decisions. Indeed, if we did not have a definition of fundamental rights and freedoms, this could weaken rights protections, which could itself be an adequacy concern.

My Lords, before the Minister sits down, I want to pose a brief question to her. The Explanatory Memorandum states:

“As this instrument is made under the Retained EU Law (Revocation and Reform) Act 2023, no review clause is required”.

Does that mean that absolutely no review will take place for these provisions and how they work out in future? Or is the implication that it is wrapped inside all the impacts of REULA and therefore that there will be an assessment of how REULA has affected domestic law in general? I would be quite happy if the Minister writes to me on that.

Motion agreed.