In a little noticed or commented on proposal, the UK Government published draft Regulations last month which would remove the overarching right of data protection from UK law and limit fundamental rights or freedoms within UK data protection law (however and wherever expressed) to rights protected within the European Convention on Human Rights (ECHR) as recognised by the Human Rights Act 1998.

It is proposed that these Regulations will be made under the controversial Retained EU Law (Revocation and Reform) (REURR) Act 2023 which grants the Government sweeping powers, including Henry VIII powers, to amend and replace law.

The draft Regulations would not directly nullify any of the duties or specific rights within UK data protection and are therefore less significant than general reduction of the status of the UK GDPR to something below that of secondary law which is directly effected through section 3 of the REURR Act.  It must also be recognised that earlier statutory instrument changes to the GPDR and DPA 2018, which were made under the EU (Withdrawal) Act 2018 at the end of the Brexit Implementation Period, inserted references to directly enforceable retained EU rights but that these are to be abolished at the end of 2023 under sections 2 (and 4) of the REURR Act. However, it is important to note that this reference was without a clear legal basis insofar as it sought to apply to those parts of the DPA 2018 which engage processing that always went beyond the scope of EU law, such that which concerns the intelligence services area.  Nevertheless, this earlier insertion means that some legal intervention is now necessary.  It does not, however, follow that any such intervention would need to extinguish data protection as a fundamental right or narrow the concept of fundamental rights and freedoms in any other way.

This lack of such necessity is important since such a narrowing is in tension with the broader understanding of fundamental rights and freedoms in the Council of Europe’s Data Protection Convention 108 (1981) and, even more so, the updated Convention 108+ (2018, but yet to come into force due to having only 30 as opposed to the 38(+) State Parties necessary).  Article 1 of Convention 108 explicitly refers to a free-standing and fully horizontally applicable “right to privacy” which is wider and more categorical than the right to respect for private life set out in Article 8 of the ECHR.

Meanwhile, its advisory Explanatory Report refers to an overarching fundamental right to “non-discrimination” (para. 25) which is only comprehensively set out within the ECHR under Protocol 12, a sub-instrument which the UK has neither signed nor ratified.  Meanwhile, the Convention 108+ preamble explicitly recognises “the right to the protection of personal data” itself as a fundamental right.   This wider understanding of fundamental rights will no longer reflected in domestic law should the draft Regulations be enacted and so these could at most only be recognised as mere data subjects interests.  That, in turn, could lead to their underweighting by data controllers, the Information Commissioner’s Office (ICO) and ultimately the courts.  This may be especially concerning when such data subject interests conflict with controller interests including, most notably, the economic interests which data protection often also has to take into account.

Nevertheless, since the new draft Regulations would not in and of themselves disapply any duties or specific rights, it is hard to claim that they would directly violate the UK’s international obligations.  This is particularly the case as the UK is only a signatory as opposed to a ratifier of the Protocol which would bring Convention 108+ into force and so it is only obliged to refrain from acts which could defeat the very object and purpose of the new instrument (Vienna Convention, art. 18(a)).

It is proposed that the draft Regulations be made under the REULRR Act which grants the Government sweeping powers not only to revoke any “secondary EU retained law” but, with few restrictions, also to replace such law with any provision which the Government consider “appropriate” (s. 14) as well as making any purely supplementary, incidental or consequential provision (s. 20(1)(b)).  Even if not necessary, the basic thrust of the draft Regulations could reasonably be considered appropriate.  It follows that the various amendments proposed to the UK GDPR are clearly intra vires since, despite being derived from an EU Regulation (the highest form of ordinary EU law making), this law is not a primary statute.  Given that the definition of fundamental rights and freedoms in the DPA 2018 was inserted by secondary instrument, amendment here is also generally permissible although this must be subject to the caveat that this definition was without a clear legal vires as regards those parts of the DPA 2018 which go beyond what was formally EU law.

It is even more difficult to justify removing recognition of the fundamental right to data protection from that part of the DPA 2018 which regulates the ICO’s international mutual assistance (s. 120(1)(b)) since this provision dates from the original primary enactment and has always had a scope which can extend to processing, for example as regards intelligence services, which have always been outside the reach of EU law.  Amendment of this provision could therefore, at least arguably, be considered not to be purely supplementary, incidental or consequential to the other changes and, if so, then it would be ultra vires.

Notwithstanding its apparent technicality, there are clearly some important legal and policy questions raised by this draft Regulation both from a domestic and also international standpoint.  These arguments are further considered in the following SSRN working paper. Whilst not similarly explored in the draft Regulation’s Explanatory Memorandum, Parliament can and should insist on fuller consideration.  Following receipt of an early iteration of some of these arguments, both the House of Lords’ Secondary Legislation Scrutiny Committee and the House of Commons’ European Secondary Instrument Committee have recommended that the draft Regulations be subject to the affirmative, as opposed to only the negative, resolution procedure.  Hopefully, a debate in both chambers will now happen and this will provide an opportunity to consider the significant implications of the changes now proposed and also obtain clarity on whether the UK still intends to become a State Party to Convention 108+ and, if so, when.

This piece has been reposted from the Inforrm Blog, with permission and thanks. This blog post was first published on the Inforrm Blog on 24 October 2023.

David Erdos is Professor of Law and the Open Society and Director of the Centre for Intellectual Property and Information Law in the Faculty of Law and WYNG Fellow at Trinity Hall, University of Cambridge.  He is also an associate member of Matrix Chambers.