Clear evidence of falling data protection standards in the UK, and how to restore them

The draft Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (“the Regulations”) have been laid in Parliament.  The effect of these Regulations is significant and is not confined to the field of immigration:  the Regulations are clear evidence of how data protection rights and standards in the UK have been weakened as a result of the Retained EU Law (Revocation and Reform) Act 2023 (“REULA”).  The government could easily restore data protection rights to what they were before the end of 2023, using the vehicle of the Data Protection and Digital Information Bill, which is scheduled for Committee in the Lords in March.  This would help to ensure trust[1] in the UK’s data protection standards which would support, rather than undermine, the government’s efforts to make the UK a “technology superpower”[2] by the end of this decade.

Context

When the UK stopped being subject to EU law at the end of 2020, the European Union (Withdrawal) Act 2018 (“EUWA”) saved EU rights and obligations that applied in the domestic statute book as a result of the UK’s EU membership.  This meant that the GDPR was retained as domestic law (and was renamed the UK GDPR).[3]  The Data Protection Act 2018 (“DPA 2018”) also continued to apply.[4]

Importantly, EUWA also preserved the relationship between existing domestic law and what had been EU law by keeping the principle of the supremacy of EU law on the statute book. This ensured that the relationship between different parts of the UK’s domestic law remained as before, thus creating continuity and certainty.  In terms of data protection law this meant that in a conflict between the UK GDPR and the DPA 2018, the UK GDPR would take precedence. [5]

The Retained EU Law (Revocation and Reform) Act 2023

At the end of 2023, REULA deleted the principle of the supremacy of EU law and turned the statute book on its head.  Domestic law (whenever enacted) now takes precedence over the parts of the domestic statute book which were previously EU law.  There are exceptions to this rule, but those exceptions do not apply to the relationship between the DPA 2018 and the UK GDPR.  In a conflict between the DPA 2018 and the UK GDPR, the DPA 2018 will now take precedence[6]:  the opposite of what the Parliamentary draftsman intended when the provisions of the Act were written and a change which clearly lowers the standard of the protection of personal data in the UK.

The Open Rights Case

The Open Rights case[7], which has culminated in the government drafting the Regulations, was brought after the UK left the EU, but before the relevant provisions of REULA came into effect.  The case is an example of how the preservation of the principle of the supremacy of EU law continued to guarantee high standards of data protection.  In broad terms, the Court of Appeal found that the immigration exemption in Schedule 2 to the DPA 2018[8] conflicted with the safeguards in Article 23 of the UK GDPR.  This was because the immigration exemption was drafted too broadly, and failed to incorporate the safeguards prescribed for exemptions under Article 23 of the UK GDPR.  The immigration exemption was therefore held to be unlawful and was disapplied.  The Regulations follow two previous attempts by the Home Office to craft an immigration exemption which contains sufficient safeguards to satisfy the requirements set out in Article 23 of the UK GDPR.[9]

How has the government changed the Immigration Exemption?

In order to make the immigration exemption compatible with the requirements of Article 23 of the UK GDPR the government has added a number of safeguards to the exemption which were not there before. These are set out in the Regulations.  They include requirements to:

  • make decisions on the application of the exemption on a case-by-case basis;
  • make separate decisions in respect of each of the relevant UK GDPR provisions which relate to the data subject;
  • make fresh decisions on each occasion where there is consideration or restriction of any of the relevant UK GDPR provisions in relation to the data subject;
  • take into account all the circumstances of the case including the potential vulnerability of the data subject, as well as all the rights and freedoms of the data subject including under relevant Treaties which the UK has ratified, and the need to comply with the UK GDPR;
  • only apply the exemption if the application of the particular UK GDPR provision would give rise to a substantial risk of prejudice that outweighs the risk of prejudice to the interests of the data subject, ensuring that the application of the exemption is necessary and proportionate to the risks in the particular case. 

In addition, a record must be made of the decision to apply the exemption, together with reasons for that decision.  There is also a rebuttable presumption that the data subject will be informed of the use of the exemption.

How will the amended immigration exemption compare with the other exemptions in Schedule 2 to the DPA 2018?

The safeguards which will be in place for data subjects’ rights in an immigration context will now be far more extensive than the protections that exist in other areas.  For example, where personal data is being processed for the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of a tax or duty, a controller will not need to be nearly as meticulous in applying safeguards as they would in an immigration context.  The same is true where personal data is being processed for other purposes including discharging regulatory functions relating to legal services, the health service and children’s services or by public bodies in discharging their statutory functions.

How has REULA altered the position as regards rights and safeguards?

Before the end of 2020 it would have been possible to bring a challenge to other exemptions in Schedule 2 to the DPA 2018 based on the same arguments that were successfully advanced in the Open Rights case:  that the exemptions in Schedule 2 are incompatible with the requirement for protections as set out in Article 23 of the UK GDPR, are therefore unlawful and must be made more protective in the interests of data subjects.  REULA removes this ground of challenge because it is now impossible to argue that the exemptions under the DPA 2018 must comply with the safeguards set out in Article 23 of the UK GDPR.  This is because the removal of the principle of the supremacy of EU law and the new rule introduced by REULA means that any inconsistency between the UK GDPR and the DPA 2018 must be resolved in favour of the provisions of the DPA 2018.  In other words the broad exemptions under the DPA 2018 trump the safeguards in the UK GDPR, thus making the safeguards inapplicable. A litigant in this situation may be able to argue that the courts should make an “incompatibility order” under section 8 of the REULA which would delay, explain, remove or constrain the consequence of the Schedule 2 condition trumping data subject rights, but this is a less certain remedy than would have existed before.  In practice this means that data subject rights in UK law will be less certain and less protective than before.  This is clearly demonstrated by the significantly higher levels of protection which will exist in the context of immigration when compared with other areas.  An example of how this plays out in practice is that a pensioner making a subject access request relating to their pensions payments will have fewer safeguards to ensure that their rights are protected as compared with an individual whose data is being processed for immigration purposes. 

The advantages conferred by the safeguards in Article 23 of the UK GDPR were underscored by the Information Commissioner’s press release, issued when judgment was given in the Open Rights case.  The Information Commissioner stated that the judgment would mean that “people will have greater confidence when they ask to see what is happening with their information, those responding to their requests will have the guidance they need to treat people fairly and with greater empathy, and it will be easier for my office to scrutinise where those requests for information have not been handled correctly.”[10]

How to restore UK data protection standards to what they were before the end of 2020

The Lords stages of the Data Protection and Digital Information Bill provide an opportunity for the government to reverse the damaging effects of the REULA by restoring UK data protection standards to what they were before the end of 2023.  The Bill should be amended so as to ensure that the same safeguards as will now apply in an immigration context apply across the board to protect all data subjects, including other vulnerable individuals such as children.  

Wider Risks

Falling data protection standards in the UK also create wider risks.  The free flow of data from the EU to the UK is based on the UK and the EU having “essentially equivalent” data protection standards.  If the UK standards fall (as the Regulations clearly prove they have) then this puts at risk the free flow of data from the EU to the UK, causing significant barriers to trade and costs and red tape for UK businesses.


[1] The former Information Commissioner, Elizabeth Denham, asserted that there was a link between people’s trust in how their data is used and the development of new technologies. That is because new technologies depend on the ability to use personal data to train them.  If individuals do not trust how their data is being used they will refuse to allow it to be shared, in turn hampering technological innovation.  See ico.org.uk. (2023). Response to DCMS consultation ‘Data: a new direction’ – Foreword from Elizabeth Denham CBE, UK Information Commissioner. [online] Available at: https://ico.org.uk/about-the-ico/response-to-dcms-consultation-data-a-new-direction-foreword-from-elizabeth-denham-cbe-uk-information-commissioner/#:~:text=ICO%20research%20shows%20that%20people.

[2] See GOV.UK. (2023). The UK’s International Technology Strategy. [online] Available at: https://www.gov.uk/government/publications/uk-international-technology-strategy/the-uks-international-technology-strategy.

[3] This is the effect of section 3 of EUWA as it was originally enacted, which saved the GDPR into domestic law.  The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 rebadged the GDPR as the UK GDPR (see Regulation 2).

[4] See section 2 of the EUWA, as originally enacted.

[5] See section 5(2) of the EUWA, as originally enacted.

[6] See section 3(1) of REULA, which introduced new section 5(A2) of EUWA.  The change in the relationship between the UK GDPR and the DPA 2018 is confirmed in the explanatory notes to the Data Protection and Digital Information Bill at paragraph 503.  The explanatory notes state:  “The UK GDPR constitutes retained direct EU legislation (now assimilated direct EU legislation – see section 5(1) of REULA) and therefore falls within the scope of new section 5(A2) of the European Union (Withdrawal) Act 2018.” Section 5(A2) provides that:

“Any provision of assimilated direct legislation—

(a) must, so far as possible, be read and given effect in a way which is compatible with all domestic enactments, and

(b) is subject to all domestic enactments, so far as it is incompatible with them.”

Note that this position is not changed by the reference to data protection legislation in Section 5(A3)(a) of the EUWA as introduced by section 3(1) of the REULA.

[7] R (Open Rights Group and another) v Secretary of State for the Home Department and another [2023] EWCA Civ 1474.

[8] The purpose of the immigration exemption in paragraph 4 of Schedule 2 to the DPA 2018 is to enable a controller of personal data to disapply certain key rights in the data protection regime such as the right to be informed about the processing of personal data, the right of access and the right to object to the processing, to the extent that complying with those rights would be likely to prejudice matters relating to immigration including the maintenance of effective immigration control.  Schedule 2 contains exemptions which apply in the same way in other contexts.  For an overview of the exemptions see ico.org.uk. (2023). What other exemptions are there? [online] Available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/what-other-exemptions-are-there/#:~:text=Firstly%2C%20personal%20data%20processed%20for [Accessed 26 Feb. 2024].

[9] For a history of the case see R (Open Rights Group and another) v Secretary of State for the Home Department and another [2023] EWCA Civ 1474 at [1] – [4].

[10] See ico.org.uk. (2023). Court of Appeal ruling on immigration exemption brings ‘greater empathy’ – Commissioner. [online] Available at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/12/court-of-appeal-ruling-on-immigration-exemption-brings-greater-empathy-commissioner/ [Accessed 26 Feb. 2024].