Draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 Debate
Full Debate: Read Full DebateJohn Whittingdale
Main Page: John Whittingdale (Conservative - Maldon)Department Debates - View all John Whittingdale's debates with the Department for Digital, Culture, Media & Sport
(11 months, 3 weeks ago)
General CommitteesI beg to move,
That the Committee has considered the draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023.
It is a pleasure to serve under your chairmanship, Mrs Latham.
As Members will be aware, the UK’s departure from the European Union provided us with an opportunity to amend, remove and replace unsuitable retained EU law. The European Union (Withdrawal) Act 2018 and the Retained EU Law (Revocation and Reform) Act 2023, which was passed earlier this year, set out that certain EU-derived laws, principles, rights and regulations should cease to apply in the UK by the end of 2023.
The Data Protection Act 2018 and the UK General Data Protection Regulation, known as UK GDPR, require that the Government, the Information Commissioner and other organisations using personal data to consider people’s “fundamental rights and freedoms” in certain situations. For example, such rights and freedoms must be considered by data controllers when relying on the “legitimate interests” lawful ground for processing under article 6(1)(f) of the UK GDPR, and by Ministers when considering whether to create new permissions in relation to the use of people’s sensitive data.
Before EU exit, those were taken to be rights under the EU charter of fundamental rights. Following the European Union (Withdrawal) Act, they have been those fundamental rights retained by section 4 of the Act. Given that section 4 is set to be repealed at the end of 2023, it is important for us to take action through this draft statutory instrument to substitute the reference to it. Failing to do so would lead to ambiguity surrounding the interpretation of references to “fundamental rights and freedoms” in the data protection legislation. The lack of clarity could pose significant difficulties for organisations using the data protection legislation, resulting in inconsistent outcomes and legal uncertainty.
That is why, through the draft regulations, the Government are clarifying that “fundamental rights and freedoms” refer to rights under the European convention on human rights, known as the ECHR, which has been given further effect in UK law under the Human Rights Act 1998. By doing that, the Government are ensuring that there is a clear, legally meaningful definition to rely on. That will provide consistency and certainty for organisations that are subject to data protection legislation, as well as continued protection of people’s rights.
The draft regulations are made under powers in the REUL Act, which allow Departments to revoke or replace references to EU-derived law. However, it is important to note that the regulations themselves do not remove any EU law rights; it is the European Union (Withdrawal) Act and the REUL Act that do that. The regulations are simply designed to replace references to EU law that would otherwise become meaningless at the end of the year.
Will my right hon. Friend confirm what happens if we have left the ECHR by the end of the year? Do we have to make up our own definition, or is that not going to happen after all?
My hon. Friend raises a wholly theoretical proposition. Should it ever occur, we will probably have to define our own version back in Committee. For the moment, however, we are members of the ECHR and the Human Rights Act applies, and it is the rights as defined in that Act to which we will now refer.
Subject to the approval of the Committee here gathered, the draft regulations will ensure clarity for organisations. From the end of 2023, they will provide ongoing protection for people’s rights when their personal data is processed by replacing a redundant definition of fundamental rights with a new one based on rights protected by domestic law in the UK. I commend the regulations to the Committee.
I will do what I can to soothe the anguished breast of the Opposition spokesman, the hon. Member for Rhondda. He said that you and he share an interest in relieving melanoma, Mrs Latham. I would like to put on record that you and I share something as well: we are both holders of the order of merit of Ukraine, conferred by President Zelensky—something of which I am very proud, and I have no doubt you are too.
The hon. Member for Rhondda made a number of points, most of which appeared to see conspiracy where I have to say to him none actually exists. He followed the lead of my hon. Friend the Member for Amber Valley in pursuing the theoretical question of what would happen if the UK left the European convention on human rights. As I said in response to my hon. Friend, the Government have no intention of the UK leaving the convention. The regulations do obviously refer to the Human Rights Act, although there is a reference to the convention rights within that Act. I say to the hon. Gentleman that there is no intention to somehow make it easier for surveillance to take place or infringe data protection rights. In the Government’s view, the rights referred to in the ECHR provide an equivalent level of protection to that which is available under the EU charter of fundamental rights. The regulations therefore represent no shift in the level of protection provided to citizens in this country by replacing the first reference with this particular reference.
The hon. Member for Rhondda rightly refers to articles 8 and 10 of the European convention as the principal articles that have been interpreted by the courts to confer privacy rights and in the area of data protection. We have looked at existing case law, which is quite extensive, and the courts have used those articles as justification for data protection. I therefore do not think there is any concern to be had by that.
The hon. Gentleman also suggested that this might somehow put data adequacy at risk. We had a slight reprise of the debate we had last week on the Data Protection and Digital Information Bill with the right hon. Member for East Ham, who, I have absolutely no doubt, will be rigorous in his pursuit of the Department for Work and Pensions through his chairing of the Work and Pensions Committee. I will therefore probably leave it to my colleagues in DWP to answer the precise questions on that particular point.
On data adequacy, I do think there might be a concern should we fail to pass these particular regulations. It would leave existing UK law referring to something that is essentially meaningless and of which we would no longer be a member: the EU charter of fundamental rights. To that extent, the regulations will ensure that the freedoms and rights are still relevant and refer to a convention of which we remain a member.
I do not think, therefore, that the regulations represent a reduction in the rights of citizens of this country; they simply tidy up the existing statute book as a result of the UK’s withdrawal from the European Union, using powers passed by Parliament in the European Union (Withdrawal) Act and the Retained EU Law (Revocation and Reform) Act. On that basis, I welcome the rather qualified support that the hon. Member for Rhondda gave at the end.
Question put and agreed to.