Draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023

Debate between John Whittingdale and Nigel Mills
Monday 4th December 2023

(11 months, 3 weeks ago)

General Committees
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
John Whittingdale Portrait The Minister for Data and Digital Infrastructure (Sir John Whittingdale)
- Hansard - -

I beg to move,

That the Committee has considered the draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023.

It is a pleasure to serve under your chairmanship, Mrs Latham.

As Members will be aware, the UK’s departure from the European Union provided us with an opportunity to amend, remove and replace unsuitable retained EU law. The European Union (Withdrawal) Act 2018 and the Retained EU Law (Revocation and Reform) Act 2023, which was passed earlier this year, set out that certain EU-derived laws, principles, rights and regulations should cease to apply in the UK by the end of 2023.

The Data Protection Act 2018 and the UK General Data Protection Regulation, known as UK GDPR, require that the Government, the Information Commissioner and other organisations using personal data to consider people’s “fundamental rights and freedoms” in certain situations. For example, such rights and freedoms must be considered by data controllers when relying on the “legitimate interests” lawful ground for processing under article 6(1)(f) of the UK GDPR, and by Ministers when considering whether to create new permissions in relation to the use of people’s sensitive data.

Before EU exit, those were taken to be rights under the EU charter of fundamental rights. Following the European Union (Withdrawal) Act, they have been those fundamental rights retained by section 4 of the Act. Given that section 4 is set to be repealed at the end of 2023, it is important for us to take action through this draft statutory instrument to substitute the reference to it. Failing to do so would lead to ambiguity surrounding the interpretation of references to “fundamental rights and freedoms” in the data protection legislation. The lack of clarity could pose significant difficulties for organisations using the data protection legislation, resulting in inconsistent outcomes and legal uncertainty.

That is why, through the draft regulations, the Government are clarifying that “fundamental rights and freedoms” refer to rights under the European convention on human rights, known as the ECHR, which has been given further effect in UK law under the Human Rights Act 1998. By doing that, the Government are ensuring that there is a clear, legally meaningful definition to rely on. That will provide consistency and certainty for organisations that are subject to data protection legislation, as well as continued protection of people’s rights.

The draft regulations are made under powers in the REUL Act, which allow Departments to revoke or replace references to EU-derived law. However, it is important to note that the regulations themselves do not remove any EU law rights; it is the European Union (Withdrawal) Act and the REUL Act that do that. The regulations are simply designed to replace references to EU law that would otherwise become meaningless at the end of the year.

Nigel Mills Portrait Nigel Mills (Amber Valley) (Con)
- Hansard - - - Excerpts

Will my right hon. Friend confirm what happens if we have left the ECHR by the end of the year? Do we have to make up our own definition, or is that not going to happen after all?

John Whittingdale Portrait Sir John Whittingdale
- Hansard - -

My hon. Friend raises a wholly theoretical proposition. Should it ever occur, we will probably have to define our own version back in Committee. For the moment, however, we are members of the ECHR and the Human Rights Act applies, and it is the rights as defined in that Act to which we will now refer.

Subject to the approval of the Committee here gathered, the draft regulations will ensure clarity for organisations. From the end of 2023, they will provide ongoing protection for people’s rights when their personal data is processed by replacing a redundant definition of fundamental rights with a new one based on rights protected by domestic law in the UK. I commend the regulations to the Committee.