Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 Debate
Full Debate: Read Full DebateBaroness Swinburne
Main Page: Baroness Swinburne (Conservative - Life peer)Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023
Baroness Swinburne Excerpts
Baroness Swinburne
That the Grand Committee do consider the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023.
Relevant document: 3rd Report from the Secondary Legislation Scrutiny Committee
Baroness Swinburne (Con)
My Lords, these regulations, which were laid before the House on 7 November 2023, will be made under the powers provided by the Retained EU Law (Revocation and Reform) Act 2023, known as the retained EU law Act. They are concerned with the definition of “fundamental rights and freedoms” in the data protection legislation and making sure we continue to have a meaningful definition beyond the end of the year, when the retained EU law Act takes effect.
In several areas, the data protection legislation—specifically the Data Protection Act 2018 and the UK general data protection regulation, which I will refer to as the UK GDPR from now on—requires the Government, the Information Commissioner and organisations using personal data to consider people’s “fundamental rights and freedoms” in certain situations. For example, Ministers must consider such rights and freedoms when creating new exemptions or permissions for the use of people’s special category data, and data controllers must consider them when relying on the “legitimate interests” lawful ground for processing under Article 6(1)(f) of the UK GDPR. It is vital that, in circumstances such as this, the rights of individuals continue to be carefully considered and protected.
Prior to EU exit, references to fundamental rights and freedoms in the data protection legislation were taken to mean rights described in the EU Charter of Fundamental Rights—which I will refer to as the charter. Following the European Union (Withdrawal) Act 2018, some of these rights were retained by Section 4 of that Act. Given that Section 4 of the European Union (Withdrawal) Act will be repealed at the end of 2023 by the retained EU law Act 2023, action is needed now via this statutory instrument to replace the definition of “fundamental rights and freedoms”. Without action, there would be a lack of clarity about what these references mean. This could cause significant difficulties for organisations trying to apply the data protection legislation, risking inconsistent approaches, legal uncertainty and insufficient protection of data subjects’ rights.
That is why, through the draft regulations, the Government are clarifying that references to fundamental rights and freedoms in the data protection legislation mean rights under the European Convention on Human Rights, known as the ECHR, as defined by the Human Rights Act 1998. By doing this, the Government are ensuring that there is a clear, legally meaningful definition to rely on. This will provide consistency and certainty for organisations which are subject to data protection legislation, as well as continued protection for people’s rights. It is important to note that these regulations themselves do not remove any EU law rights; it is the European Union (Withdrawal) Act and the retained EU law Act that do that. These regulations are simply designed to replace references to EU law that would become meaningless at the end of this year.
I thank the Secondary Legislation Scrutiny Committee and European Statutory Instruments Committee for their views on these regulations. I have noted their concerns that rights protected by domestic law under the Human Rights Act might not provide the same level of protection as rights protected by EU law under the Charter of Fundamental Rights of the European Union. The matter of protection of people’s rights is of utmost importance, and I take this opportunity to reassure the Committee that the changes we are making via these regulations will not significantly affect the way the data protection framework works or indeed erode the protections it affords to people. Prior to EU exit, EU law rights protected by the charter included, for example, the right to respect for private and family life, the right to protection of personal data and the right to freedom of expression. The new definition will be based on rights protected by the ECHR, which includes the right to respect for private and family life and the right to freedom of expression.
The committee and others have raised a concern that the regulations remove reference to the specific right to data protection that was a feature of the charter. It is true that there is no such free-standing right under the ECHR. However, case law on this issue shows that data protection forms part of the protection offered by the right to respect for private and family life in Article 8 of the ECHR. It is further protected by our data protection legislation, which provides a comprehensive set of rules for organisations to follow and rights for people in relation to use of their data. The stand-alone right to protection of personal data was a feature of EU law and its removal is a result of EU exit legislation, including the retained EU law Act, rather than these regulations, which merely replace outdated terminology to recognise the new position.
I inform the Committee that we have formally consulted the Information Commissioner’s Office on the drafting of these regulations, and it recognises why the data protection legislation cannot continue to refer to rights that have been repealed. I hope that noble Lords will join me in supporting the draft regulations. I beg to move.
Lord Bassam of Brighton (Lab)
The Minister will probably be relieved to know that I do not have a speech as long as that of the noble Lord, Lord Clement-Jones, but I share many of his concerns. I would very much appreciate some of the detailed questions that the noble Lord asked being put to the test in an essay to us, perhaps in the form of a letter. That might be very helpful.
As the noble Baroness said, the regulations propose to replace the definition of fundamental rights and freedoms contained in the UK general data protection regulation and the Data Protection Act 2018. As the SLSC noted, these are currently defined by reference to rights contained in retained EU law.
I share the concern of the noble Lord, Lord Clement-Jones, that the regulations were originally to be under the negative procedure. I am glad that the Minister and officials have decided that that was an unwise course, because it would have given us very little control over the process and would not have enabled the sort of scrutiny that we in this House have come to expect.
I also share the noble Lord’s concern about the data protection framework being a weak spot. There is not much question about that. As he says, this acts as a curtain-raiser to our discussions and debates on the Bill coming forward next Tuesday. The data protection framework is undoubtedly being changed and not, it seems, for the better. These regulations foresee a time when there will be a weaker level of data protection, and I do not think that is in the public interest.
The DSIT colleague, as the noble Lord, Lord Clement-Jones, said, told the SLSC that
“the impact on organisations and individuals as a result of the proposed changes was expected ‘to be minimal’, … but … was unable to rule out entirely potential differences in the rights and freedoms”.
As the SLSC concluded, while DSIT had
“not identified any discernible impact, any changes in this sensitive area may be regarded as politically significant”
and something on which, quite rightly, the House would want to comment.
We welcome the work of the sifting committees and that, as a result of their reports, the SI is being debated as it should be. We do not oppose the statutory instrument. We share the sifting committees’ concern about changes brought by the repeal of EU-derived rights at the end of the year and that these may, directly or indirectly, lead to a lower overall level of protection for individuals. However, we note that, while we are debating the SI only a short time before the Christmas Recess, the department did publish draft regulations in September. This has given relevant parties time to prepare for the changes, which has not always been the case under different iterations of His Majesty’s Government.
As highlighted by the Commons debate, we must consider this SI in the context of broader changes to domestic data protection law, and the potential long-term consequences of these changes on our relationship with other jurisdictions. As I said earlier, your Lordships’ House will shortly begin consideration of the Data Protection and Digital Information Bill. Concerns have already been voiced that this will lower data protection standards and thresholds and, as a result, put our EU data adequacy decision at risk when it comes up for review.
We will have the opportunity to discuss those issues in more detail next week, but we would be grateful to the Minister if she could distance herself from the unfortunate comments of Minister Whittingdale in the Commons, who accused my colleague, Sir Chris Bryant, of appearing to see conspiracy where none actually exists. We do not believe that is the case; we believe these concerns are rightly stated. It is our role to scrutinise His Majesty’s Government and to ask legitimate questions that are of concern to the public. We are doing so at a time when there are live debates within the Conservative Party about the extent to which the UK should adhere or even remain signatories to international human rights treaties.
So, while we support the SI’s passage, as it will keep the statute book in order as parts of retained EU law are swept away, the department has a lot more work to do to convince us and other noble Lords of its broader approach to data protection law. I give notice today that we will be following very closely the debates next week scrutinising legislation at Second Reading and, with colleagues, will no doubt be submitting amendments to the legislation to toughen it up. It is clear to us that there is a direction of travel, and it is not one that we agree with.
Baroness Swinburne (Con)
I thank noble Lords, who are very well versed in this topic and have obviously spent a lot of time thinking about it. I have had some flashbacks to my time in the European Parliament, where I did the original GDPR. I am glad that people now think it was a perfect piece of work. At the time, people were very critical of what we did.
Baroness Swinburne (Con)
It is definitely not punishment, but it has taken me back, and I am on a steep learning curve here. I thank noble Lords for their interventions. I will try to do some justice to them. As was suggested, if I have not covered the topics adequately, given that the questions were incredibly detailed, I will respond in writing so that noble Lords will have the detail.
As I mentioned in my introductory remarks, it is important to note that these regulations themselves do not remove any EU law rights. Parliament has already agreed to do that in passing the European Union (Withdrawal) Act and the retained EU law Act. If we support these regulations today, instead of allowing references to EU law rights in the data protection legislation to lapse without replacement, we will instead ensure that the relevant organisations continue to consider analogous rights under our domestic law where it is appropriate to do so.
The overall effect of the changes made by these regulations will neither undermine protections for individuals nor increase the regulatory burden for organisations. There could even be some benefits for organisations in the sense they will only need to consider how the rights of individuals are protected by rights recognised in domestic law rather than trying to comprehend how retained EU law protected those rights.
Lord Clement-Jones (LD)
My Lords, before the Minister sits down, I want to pose a brief question to her. The Explanatory Memorandum states:
“As this instrument is made under the Retained EU Law (Revocation and Reform) Act 2023, no review clause is required”.
Does that mean that absolutely no review will take place for these provisions and how they work out in future? Or is the implication that it is wrapped inside all the impacts of REULA and therefore that there will be an assessment of how REULA has affected domestic law in general? I would be quite happy if the Minister writes to me on that.
Baroness Swinburne (Con)
Given the specificity of that question, we will write to the noble Lord with an answer.