Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 Debate
Lord Clement-Jones (Liberal Democrat - Life peer)
My Lords, I welcome the Minister to this crowded box-office occasion—over the years it has been for aficionados, by and large.
I thank her for setting out the purpose of these regulations. Originally, they were to be approved by the negative procedure. It is to the great credit of the Secondary Legislation Scrutiny Committee that, in its 53rd report, it recommended an upgrade of the instrument to the affirmative procedure because of concerns about a potential reduction in rights protection. I heard what the Minister said in her introduction.
In its report, the committee quoted the Department for Science, Innovation and Technology, which stated that
“the impact on organisations and individuals as a result of the proposed changes was expected ‘to be minimal’”,
and that the changes
“replicate the current position ‘as far as possible’, but it was unable to rule out entirely potential differences in the rights and freedoms”.
In those circumstances, I need to thank the Minister and the Government for bringing back these draft regulations for affirmative approval—in other words, for listening to the committee.
However, our conclusion is that the regulations fail to contain damaging uncertainty and inconsistency in this area, which is exactly what concerned the SLSC. I am afraid it will be clear from our debate next week on the Data Protection and Digital Information Bill, as it was when we recently debated the Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023, that data is a really weak spot for this Government—as if they needed any more.
I am afraid that it is clear that these regulations by themselves are insufficient to stabilise the UK’s data protection frameworks once what has been called the tsunami of legal uncertainty unleashed by the retained EU law Act—REULA—engulfs us on 31 December 2023. The Minister lightly skipped over that. When the UK stopped being subject to the EU treaties at the end of 2020, the European Union (Withdrawal) Act 2018—EUWA—saved the rights and obligations which applied in domestic law as a result of the UK’s EU membership. This meant, in essence, that the EU GDPR became the UK GDPR. The Data Protection Act 2018 remained on the statute book. The rights and obligations became part of retained EU law—the vast body of law saved from the EU legal framework on the UK’s departure. Retained EU law was to be interpreted as it had been while the UK was an EU member state. This created continuity and certainty as to what the law meant.
The Court of Justice of the European Union—CJEU—case law from before the end of 2020 was also preserved in domestic law, as was domestic case law interpreting EU rights and obligations. The general principles of EU law, which include fundamental rights and the protection of personal data, were retained as an aid to the interpretation of our data protection frameworks. The principle of the supremacy of EU law was preserved. This meant that, in a conflict between the provisions in the UK GDPR and the DPA 2018, the UK GDPR took precedence. This was confirmed in the case of R (on the application of the Open Rights Group) v the Secretary of State for the Home Department and the Secretary of State for Digital, Culture, Media and Sport. In this case, the retained principle of supremacy was relied on by the Court of Appeal to find that the overly broad exemption in the DPA 2018 from data subject rights in an immigration context was unlawful. Yesterday, the Court of Appeal ruled that the Government must amend the immigration exemption in Schedule 2 to the Data Protection Act because it is incompatible with Article 23 of the UK GDPR. This sort of argument will no longer be possible after the end of this month because the exemptions in Schedule 2 to the DPA will take precedence over the UK GDPR.
The EU Charter of Fundamental Rights was not saved into the domestic statute book. The Government’s view was that this made no substantive difference because the charter simply listed the rights found in EU law, so because the rights and obligations listed in the charter were being saved into domestic law through the European Union (Withdrawal) Act, no rights would be lost. Further, the EUWA clarified that retained case law which referred to rights in the charter should be read as referring to the underlying rights and obligations listed in the charter. This ensured that case law which referred to the charter would still be applicable.
Nothing in EUWA prevented Parliament legislating to change the UK GDPR and the DPA 2018. Indeed, the White Paper on the EUWA stated that, after the UK’s exit from the EU:
“It will then be for democratically elected representatives in the UK to decide on any changes to that law, after full scrutiny and proper debate”.
As we will be discussing next Tuesday at its Second Reading, the UK’s data protection frameworks are being changed through the vehicle of the Data Protection and Digital Information Bill. As I have indicated to the Minister, the noble Viscount, Lord Camrose, these Benches do not welcome those changes and regard them as dilutions of data subject rights.
However, there are also fundamental changes to the UK’s statute book being made at the end of this year through the REULA, which will sweep away the retained EU general principles, including fundamental rights and the requirement to interpret retained EU law in accordance with those principles. Further, the principle of the supremacy of EU law is being deleted. The default position is that domestic law whenever enacted will trump the law which came from the EU.
Changes introduced by REULA are bound to create legal uncertainty. In terms of the UK GDPR and the DPA 2018, EU fundamental rights are the underpinning foundation of the law. If they are simply deleted—the default position under REULA—the UK GDPR and the Data Protection Act 2018 will become more difficult to interpret. This is, of course, why the regulations have been introduced. They are intended to ensure that, as the Minister said, references to fundamental rights and freedoms in the UK GDPR and the DPA 2018 are read as references to fundamental rights and freedoms as set out in the European Convention on Human Rights as implemented through the Human Rights Act 1998.
On one level, this makes sense. Article 8 of the EU’s Charter of Fundamental Rights—the right to the protection of personal data—is based on Article 8 of the ECHR on the right to private and family life, but it is not certain that the rights under Article 8 of the ECHR provide exactly the same protections as the right to data protection in the EU legal order. First, this is because the ECHR has no specific fundamental right to the protection of personal data. In the case of R (Davis & Watson) v Secretary of State for the Home Department, the High Court held that Article 8 of the charter goes further and is more specific than Article 8 of the ECHR. Secondly, the charter contains general provisions explaining how the relevant rights should be interpreted, and Article 52 of the charter confirms that, when rights in the charter correspond to the rights in the ECHR, the meaning and scope of those rights should be the same as in the ECHR, although the EU is not prevented from providing more extensive protections. Whether EU fundamental rights provided more extensive protection than those under the ECHR will be tested in the courts over the coming years, but there is likely to be uncertainty in relation to this point from the end of this year.
I thank noble Lords, who are very well versed in this topic and have obviously spent a lot of time thinking about it. I have had some flashbacks to my time in the European Parliament, where I did the original GDPR. I am glad that people now think it was a perfect piece of work. At the time, people were very critical of what we did.
It is definitely not punishment, but it has taken me back, and I am on a steep learning curve here. I thank noble Lords for their interventions. I will try to do some justice to them. As was suggested, if I have not covered the topics adequately, given that the questions were incredibly detailed, I will respond in writing so that noble Lords will have the detail.
As I mentioned in my introductory remarks, it is important to note that these regulations themselves do not remove any EU law rights. Parliament has already agreed to do that in passing the European Union (Withdrawal) Act and the retained EU law Act. If we support these regulations today, instead of allowing references to EU law rights in the data protection legislation to lapse without replacement, we will instead ensure that the relevant organisations continue to consider analogous rights under our domestic law where it is appropriate to do so.
The overall effect of the changes made by these regulations will neither undermine protections for individuals nor increase the regulatory burden for organisations. There could even be some benefits for organisations in the sense they will only need to consider how the rights of individuals are protected by rights recognised in domestic law rather than trying to comprehend how retained EU law protected those rights.
My Lords, before the Minister sits down, I want to pose a brief question to her. The Explanatory Memorandum states:
“As this instrument is made under the Retained EU Law (Revocation and Reform) Act 2023, no review clause is required”.
Does that mean that absolutely no review will take place for these provisions and how they work out in future? Or is the implication that it is wrapped inside all the impacts of REULA and therefore that there will be an assessment of how REULA has affected domestic law in general? I would be quite happy if the Minister writes to me on that.
Given the specificity of that question, we will write to the noble Lord with an answer.