Forthcoming changes to the basis of UK data protection law, although likely to be of minor practical impact, nevertheless represent an important shift in the lens through which domestic data protection legislation is viewed.
The 2023 Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations (the SI) will, among other things, amend UK data protection legislation to refer to rights derived from UK law, rather than retained EU law rights. Provided it is approved by parliament, the SI will come into force at the start of 2024.
The SI signals that the government’s commitment to preserve the UK’s adequacy status and protect data subject rights continues. However, the change highlights that the Retained EU Law (Revocation and Reform) Act 2023 (REUL Act) made changes to the foundations of UK data protection law. The day-to-day effects are likely to be small, but as a change to the principles on which the UK’s data protection is built, this is nevertheless significant.
The change will preserve rights similar to those previously preserved in retained EU law. It will serve to demonstrate the UK’s commitment to protecting data subject rights when the UK’s EU adequacy status is reviewed.
From a day-to-day compliance perspective, controllers should continue to follow the UK General Data Protection Regulation (UK GDPR) principles, and controllers and processors should continue to follow their obligations under the UK GDPR and Data Protection Act 2018 (DPA 2018). The SI does not make substantive changes to those principles and obligations.
We set out below the change made by the SI and the changes we could expect to see as a result of it.
The SI amends the references in the UK GDPR to fundamental rights and freedoms. Effectively, it swaps references to rights in retained EU law for references to rights in domestic law. The UK GDPR currently refers to the rights and freedoms which form part of retained EU law under section 4 of the European Union (Withdrawal) Act 2018. The SI will amend these references to the rights set out in the European Convention on Human Rights (ECHR), incorporated into UK law under the Human Rights Act 1998.
The REUL Act amends the European Union (Withdrawal) Act 2018 so that EU law rights and principles no longer form part of retained EU law in the UK from January 2024. This means that the references in the UK GDPR to retained EU law fundamental rights would not have worked, as those rights have fallen away.
The government made this change under section 14 of the REUL Act, which allows it to revoke “secondary retained EU law” and replace it with such provisions as it considers appropriate, including substantive changes to the law. The use of this power indicates that the government considers the change to the UK GDPR to be a substantive one with some practical effect.
No – the government has taken action to ensure that there is still an explicit reference to fundamental rights underpinning the UK’s data protection framework. Taking no action would have been detrimental to UK data subjects’ fundamental rights, as there would no longer be any reference to specific fundamental rights.
The UK’s adequacy decision was granted in June 2021 for a period of four years, after which it will only be renewed if the European Commission considers that the UK continues to ensure an adequate level of data protection.
It is likely that the Department for Science, Innovation and Technology was mindful of the UK’s commitment to maintain its adequacy status when drafting the SI. The accompanying explanatory note and memorandum specifically reference the ECHR, not just the Human Rights Act. This inclusion could be intended to emphasise the UK’s continued ECHR membership, which was looked on favourably during the negotiations on the UK’s adequacy status prior to the 2021 adequacy decision.
Not very different in practice. The lens through which we view data protection legislation has changed, but the view is likely to stay constant for the most part.
The previous reference to fundamental rights and freedoms in the UK GDPR pointed to the rights contained in EU law, as reflected in the EU Charter of Fundamental Rights. While many of these rights were not relevant to data protection law, two were foundational: the right to respect for private and family life (under article 7 of the Charter) and the right to protection of personal data (article 8).
The SI will preserve the right to respect for private and family life (which implicitly includes a right to protection of personal data), as this is included at article 8 of the ECHR. The change will not affect the importance of the rich case law built on article 8 of the ECHR, which has given rise to causes of action such as misuse of private information. Indeed, the right has recently been applied by data subjects in relation to UK government activity. In Wieder and Guarnieri v the UK, the European Court of Human Rights found that two individuals’ article 8 rights had been infringed under the UK’s Regulation of Investigatory Powers Act 2000 (now replaced by the Investigatory Powers Act 2016).
However, the switch from EU law to Article 8 of the ECHR, and the switch of focus from the case law of the EU Court of Justice to that of the European Court of Human Rights, may lead to subtle changes in approach by the UK courts in two respects.
Firstly, it has been argued that the European Court of Human Rights has taken a more permissive approach to mass surveillance laws, viewing them as acceptable subject to conditions and safeguards. This may be relevant when companies are assessing the protections afforded by the laws of a third country as part of an international data transfer impact assessment.
Secondly, under the Human Rights Act, UK courts will only ‘keep pace’ with the European Court of Human Rights, and will not recognise rights in contexts where the case law is as yet undeveloped. Where the case law on Article 8 ECHR has not yet developed to recognise rights in contexts that have been recognised by the EU Court of Justice, this could lead to UK courts taking a more restrictive approach to rights under Article 8 than would be the case under EU law.
Changes are unlikely to be necessary. Compliance programmes are generally centred on the substantive obligations of the UK’s data protection framework, which remain largely unchanged. To the extent that there are changes, as is the case with article 9 of the UK GDPR, continuing to apply existing processes is unlikely to raise concerns from a compliance perspective. Indeed, continuing to assume that a right to protection of personal data applies will remain helpful for demonstrating compliance with the UK GDPR principles, which continue to apply. Controllers who wish to maintain a combined EU and UK GDPR approach, or simply to maintain the status quo, are likely to be free to do so.
The Information Commissioner’s Office (ICO) will take account of the change in its guidance and enforcement decisions. However, for the most part, the ICO’s guidance and decisions are concerned with substantive obligations of the UK GDPR and DPA 2018 rather than the fundamental rights underpinning them.