My Lords, I thank the Minister for that very careful exposition. I feel that we are heavily into wet towel, if not painkiller, territory here, because this is a tricky area. As the Minister might imagine, I will not respond to his exposition in detail, at this point; I need to run away and get some external advice on the impact of what he said. He is really suggesting that the Government prefer a pick ‘n’ mix approach to what he regards as a one size fits all. I can boil it down to that. He is saying that you cannot just apply the rules, in the sense that we are trying to reverse some of the impacts of the previous legislation. I will set out my stall; no doubt the Minister and I, the Box and others, will read Hansard and draw our own conclusions at the end, because this is a complicated area.
Until the end of 2023, the Data Protection Act 2018 had to be read compatibly with the UK GDPR. In a conflict between the two instruments, the provisions of the UK GDPR would prevail. The reversing of the relationship between the 2018 Act and the UK GDPR, through the operation of the Retained EU Law (Revocation and Reform) Act—REUL, as the Minister described it—has had the effect of lowering data protection rights in the UK. The case of the Open Rights Group and the3million v the Secretary of State for the Home Office and the Secretary of State for Digital, Culture, Media and Sport was decided after the UK had left the EU, but before the end of 2023. The Court of Appeal held that exemptions from data subject rights in an immigration context, as set out in the Data Protection Act, were overly broad, contained insufficient safeguards and were incompatible with the UK GDPR. The court disapplied the exemptions and ordered the Home Office to redraft them to include the required safeguards. We debated the regulations the other day, and many noble Lords welcomed them on the basis that they had been revised for the second time.
This sort of challenge is now not possible, because the relationship between the DPA and the UK GDPR has been turned on its head. If the case were brought now, the overly broad exemptions in the DPA would
take precedence over the requirement for safeguards set out in the UK GDPR. These points were raised by me in the debate of 12 December, when the Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 were under consideration. In that debate, the noble Baroness, Lady Swinburne, stated that
“we acknowledge the importance of making sure that data processing provisions in wider legislation continue to be read consistently with the data protection principles in the UK GDPR … Replication of the effect of UK GDPR supremacy is a significant decision, and we consider that the use of primary legislation is the more appropriate way to achieve these effects, such as under Clause 49 where the Government consider it appropriate
”.—[Official Report, 12/12/23; col. GC 203.]
This debate on Clause 49 therefore offers an opportunity to reinstate the previous relationship between the UK GDPR and the Data Protection Act. The amendment restores the hierarchy, so that it guarantees the same rights to individuals as existed before the end of 2023, and avoids unforeseen consequences by resetting the relationship between the UK GDPR and the DPA 2018 to what the parliamentary draftsmen intended when the Act was written. The provisions in Clause 49, as currently drafted, address the relationship between domestic law and data protection legislation as a whole, but the relationship between the UK GDPR and the DPA is left in its “reversed” state. This is confirmed in the Explanatory Notes to the Bill at paragraph 503.
The purpose of these amendments is to restore data protection rights in the UK to what they were before the end of 2023, prior to the coming into force of REUL. The amendments would restore the fundamental right to the protection of personal data in UK law; ensure that the UK GDPR and the DPA continue to be interpreted in accordance with the fundamental right to the protection of personal data; ensure that there is certainty that assimilated case law that references the fundamental right to the protection of personal data still applies; and apply the protections required in Article 23 of the UK GDPR to all the relevant exemptions in Schedule 2 to the Data Protection Act. This is crucial in avoiding diminishing trust in our data protection frameworks. If people do not trust that their data is protected, they will refuse to share it. Without this data, new technologies cannot be developed, because these technologies rely on personal data. By creating uncertainty and diminishing standards, the Government are undermining the very growth in new technologies that they want.
5.15 pm
It is also worth pointing out that these amendments replicate what the Government have already taken powers to do through the vehicle of REUL. These are the powers on the statute book to recreate the effect of the principle of the supremacy of EU law and the general principles of EU law, and to ensure the continuing applicability of assimilated CJEU case law. The Government have rolled over all the EU’s adequacy decisions on a transitional basis and conferred data adequacy on the EU. They were intending to make independent adequacy assessments of all the jurisdictions listed in paragraph 4(5) of Schedule 21 to the DPA, but they have failed to do so. Instead, they are treating all these adequacy decisions as if they had been subject to proper scrutiny and
putting them into primary legislation, which means that they cannot be quashed if they breach data subject rights. This is not the case in the EU, where the CJEU has twice quashed unlawful adequacy decisions. This is another example of the weaker rights of UK citizens in the context of the protection of their personal data as compared with their counterparts in the EU.
I am not going to go through the individual amendments. The Minister has done that effectively with regard to the impact of each amendment. But reinstating EU fundamental rights in this way has important advantages, including ensuring that the standard of data protection rights in the UK is the same as it was when the EU granted adequacy to the UK, thus confirming the essential equivalence of UK-EU standards. That is important in ensuring that a discrepancy in standards does not give rise to the loss of adequacy and the imposition of new barriers to UK-EU trade. I am sure that we will carry on with that discussion in a future group. Furthermore, it is important in ensuring that the case law that discusses data protection as a fundamental right is still applicable, thereby increasing legal certainty.
I do not expect the Minister to come back on the detail of this at this stage, but there is a really important discussion here about the importance of the fundamental guarantees to our data protection rights, which we really need to investigate in some detail.