The government’s vision of developing a “world-leading data policy” and “unleashing the power of data” may be undermined by its own legislative agenda. Together, the Data Protection and Digital Information Bill, the ‘Brexit Freedoms Bill’ and the Bill of Rights are likely to lower data protection standards in the UK by undermining the human rights framework on which UK data protection law rests.


The Data Protection and Digital Information Bill

The Data Protection and Digital Information Bill (“DPDIB”) makes changes to the UK GDPR. Some of the changes will no doubt be welcomed, for example the relaxing of rules on cookies and on direct marketing by charities. But other changes are worrying.

The government stated in its response to the consultation ‘Data: a New Direction’ that it would not be removing the right to human review of automated decision making. Whilst the DPDIB does not explicitly take this right away, wide powers conferred on the Secretary of State could be used to remove protection from decisions made by algorithms with little Parliamentary scrutiny or debate (see the power in Clause 11 – new Article 22D).

DPDIB signals a move away from the requirement for independence. One of the central concepts of the EU regime is the requirement for an independent data protection supervisory authority. For example, the free flow of data from the EU to third countries is dependent on the existence of an “independent supervisory authority”. The changes made by the DPDIB would remove the reference to independence, replacing it with a requirement for the Secretary of State to consider “the existence, and powers, of an authority responsible for….the protection of data subjects”.

This theme is seen elsewhere in the DPDIB. The Bill has the potential to compromise the independence of the UK regulator by requiring that the Information Commissioner submits codes of practice to the Secretary of State for approval. The Commissioner must revise the code if the Secretary of State does not approve it (see clause 31). The previous Information Commissioner stated “Proposals for the Secretary of State to approve ICO guidance…do not sufficiently safeguard [the regulator’s] independence. I urge Government to reconsider these proposals to ensure the independence of the regulator is preserved.”

It is not clear whether the Bill in its current form will be revised: it was introduced by a caretaker government which is itself about to exit (see for example the fate of the Online Harms Bill). But the potential for the government to undermine the independence of the regulator and to remove important protections via secondary legislation without proper scrutiny is concerning.

Data Protection as Human Rights law

The UK GDPR is a detailed “working out” of Article 8 of the European Convention on Human Rights (“ECHR”) – the right to a private and family life (see for example paragraph 19 of the Explanatory Report to the Council of Europe’s Convention 108). Data protection law requires the controller to weigh the privacy rights of the individual against the interests of government, business or third sector bodies. The Courts have held that the references in data protection law to processing being “necessary” carry with them “the connotations of the European Convention on Human Rights: those include the proposition that a pressing social need is involved and that the measure employed is proportionate to the legitimate aim pursued” (Stone v South East Coast SHA (formerly Kent and Medway SHA) [2006] EWHC 1668 (Admin)).

Article 8 of the EU’s Charter of Fundamental Rights (“the Charter”) is based on Article 8 of the ECHR (see the Charter Explanations relating to Article 8). The case law on data protection rights makes frequent reference to Article 8 of the Charter. Recital 1 to the GDPR and the UK GDPR refer to the protection of personal data as a fundamental right. In other words, human rights law is the central underpinning theory of data protection law.

How is the government changing human rights law in the UK?

The Bill of Rights was introduced in Parliament in July 2022. It would repeal and replace the Human Rights Act 1998 which implements the ECHR. Note that the government is not intending to denounce the ECHR, but to change how the ECHR is implemented in domestic law – an example can be found in paragraph 2 of the Explanatory notes to the Bill. The Bill of Rights makes changes which will have a significant effect on the functioning of Article 8 of the ECHR and the right to privacy. For example, clause 4(1) of the Bill suggests that freedom of expression should be given greater weight than other rights (this would include the right to privacy).  Parliament’s Joint Committee on Human Rights stated that “When freedom of expression and the right to privacy are in conflict, the courts conduct a finely-tuned balancing exercise to decide which should prevail. To give stronger priority to freedom of expression would unbalance the Convention rights, undermine the principle that all rights are equal and fundamental, and prevent the courts from undertaking a balancing exercise as required by the Convention”. The changes brought about by the Bill of Rights would therefore create significant uncertainty as to how competing rights should be interpreted. The Bill of Rights interferes with the balancing test which is at the core of data protection law.

Further, the ‘Brexit Freedoms Bill’, which is likely to be introduced shortly after the next Prime Minister is appointed, will either scrap or amend retained EU law (the body of EU law as saved into UK domestic law at the end of the transition period). The UK GDPR is an example of retained EU law. Even if the UK GDPR is kept, the government will go through a process of “normalising” it (a term coined by Lord Frost). This is likely to involve removing EU methods of interpretation and the case law retained from the CJEU which ensures continuity of meaning. Further, the protection of personal data is a general principle of EU law, which informs how the UK GDPR should be interpreted. Removing that general principle and “normalising” retained EU law undermines the foundation on which the law rests. This creates uncertainty in terms of its meaning and application.

Conclusion

The legislative changes on the horizon have the potential to undermine trust in UK data protection standards and the government’s vision of having a “world-leading data protection regime”. In the response to ‘Data: a New Direction’ the Information Commissioner stated that “The economic and societal benefits of this digital growth are only possible through earning and maintaining people’s trust and their willing participation in how their data is used. Data-driven innovations rely on people being willing to share their data”.
