The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 – a  failure to contain damaging uncertainty

The Data Protection (Fundamental Rights and Freedoms (Amendment) Regulations (“the Regulations”) are insufficient to stabilise the UK’s data protection frameworks once the tsunami of legal uncertainty unleashed by the Retained EU Law (Revocation and Reform) Act 2023 (“REULA”)  engulfs us on 31^st December 2023.

Continuity and legal certainty – retained EU law

Saving EU rights and obligations

When the UK stopped being subject to the EU Treaties at the end of 2020, the European Union (Withdrawal) Act 2018 (“EUWA”) saved the rights and obligations which applied in domestic law as a result of the UK’s EU membership.  This meant that the EU GDPR became the UK GDPR[1].  The Data Protection Act 2018 remained on the statute book[2].  They became part of “retained EU law” – the vast body of law saved on the UK’s departure from the EU legal framework. 

Interpretation

Retained EU law was to be interpreted as it had been while the UK was an EU member state.  This created continuity and certainty as to what the law meant.[3]  The CJEU case law from before the end of 2020 was also preserved in domestic law, as was domestic case law interpreting EU rights and obligations.[4]  The general principles of EU law[5], which include fundamental rights[6] and the protection of personal data[7] were retained as an aid to the interpretation of our data protection frameworks.[8]  The principle of the supremacy of EU law was preserved.  This meant that in a conflict between the provisions in the UK GDPR and the DPA 2018, the UK GDPR took precedence[9].  This was confirmed in the case of R (Open Rights Group & the3million) v Secretary of State for the Home Department & Secretary of State for Digital, Culture, Media and Sport  [2021] EWCA Civ 800.  In this case the retained principle of supremacy was relied on by the Court of Appeal to find that the overly broad exemption in the DPA 2018 from data subject rights in an Immigration context was unlawful.[10] 

The EU’s Charter of Fundamental Rights (“the Charter”) was not saved into the domestic statute book.  The government’s view was that this made no substantive difference because the Charter simply listed the rights found in EU law.[11]  Because the rights and obligations listed in the Charter were being saved into domestic law through EUWA, no rights would be lost.[12]  Further, the EUWA clarified that retained case law which referred to rights in the Charter should be read as referring to the underlying rights and obligations listed in the Charter.  This ensured that case law which referred to the Charter would still be applicable. 

Nothing in the EUWA prevented the UK Parliament from legislating to change the UK GDPR and the DPA 2018.  Indeed, the White Paper on the EUWA stated that after the UK’s exit from the EU “It will then be for democratically elected representatives in the UK to decide on any changes to that law, after full scrutiny and proper debate. ”[13]

The Retained EU Law (Revocation and Reform) Act 2023 and legal uncertainty

The UK’s data protection frameworks are being changed through the vehicle of the Data Protection and Digital Information (No2) Bill, and will be subject to “full scrutiny and proper debate”.  However, there are also fundamental changes to the UK’s statute book being made at the end of this year through the REULA.  The REULA will sweep away the retained EU general principles (including fundamental rights)[14] and the requirement to interpret retained EU law in accordance with those principles.  Further, the principle of the supremacy of EU law is being deleted.  The default position is that domestic law (whenever enacted) will trump the law which came from the EU.[15]

EU fundamental rights and Human Rights under the ECHR

Changes introduced by the REULA are bound to create legal uncertainty.  In terms of the UK GDPR and the DPA 2018, EU fundamental rights are the underpinning foundation of the law.[16]  If they are simply deleted (the default position under REULA) then the UK GDPR and the Data Protection Act 2018 will become more difficult to interpret.  This is why the Regulations have been introduced. The Regulations ensure that references to fundamental rights and freedoms in the UK GDPR and the DPA 2018 are read as references to fundamental rights and freedoms as set out in the European Convention on Human Rights as implemented through the Human Rights Act 1998.  On one level this makes sense.  Article 8 of the EU’s Charter of Fundamental rights – the right to the protection of personal data – is based on Article 8 of the ECHR – the right to a private and family life.[17]  But it is not certain that the rights under Article 8 of the ECHR provide exactly the same protections as the right to data protection in the EU legal order.  First, this is because the ECHR has no specific fundamental right to the protection of personal data.[18]  In the case of of R (Davis & Watson) v. Secretary of State for the Home Department [2015] EWHC 2092 (Admin) at [80], the High Court held that Article 8 of the Charter “goes further” and “is more specific” than Article 8 of the ECHR. Second, the Charter contains general provisions explaining how the relevant rights should be interpreted.  Article 52 of the Charter confirms that where the rights in the Charter correspond to the rights in the ECHR, the meaning and scope of those rights should be the same as in the ECHR, although the EU is not prevented from providing more extensive protections.[19] Whether EU fundamental rights provided more extensive protection than those under the ECHR will be tested in the courts over the coming years, but there is likely to be uncertainty in relation to this point from the end of this year. 

Uncertainty about the application of established case law

Another area of significant uncertainty will be how, if and the extent to which the CJEU’s case law still applies when interpreting the UK GDPR and the DPA 2018.  Much of the CJEU’s case law on data protection references EU fundamental rights as set out in the Charter.[20]  If EU fundamental rights have been deleted then it is not clear that the case law still applies.  Again, we will have to wait for cases to reach the courts to understand whether and to what extent the case law is still applicable.  The explanatory note makes no attempt to answer this question, other than stating that “no, or no significant impact” is foreseen by the implementation of the Regulations.

The relationship between the UK GDPR and the DPA 2018 – lowering rights

The deletion of supremacy also turns the relationship between the UK GDPR and the DPA 2018 on its head:  if there is a conflict between the UK GDPR and the DPA 2018, the DPA 2018 will take precedence.  This is the opposite of the intention of the legislation when it was drafted and may have unforeseen consequences. 

There is a limited exception to the general rule that REULA introduces that domestic law will trump retained direct EU legislation.[21]  This exception operates in the context of data protection rights.[22]  Data subject rights in the UK GDPR will generally take precedence over rights or obligations in other domestic law[23].  However, the rights and obligations in Chapter III of the UK GDPR (rights of the data subject) are subject to the exceptions in Schedule 2 to the DPA 2018.[24]  There is, it appears, no scope under REULA to disapply the Schedule 2 exceptions on the basis that they are overly broad, as happened in the Open Rights case.  Instead, the courts would need to make an “incompatibility order” under section 8 of the REULA which may delay, explain, remove or constrain the consequence of the Schedule 2 condition trumping data subject rights, but this is a less certain remedy than would have existed before.  Under EUWA or when EU law still applied it would have been clear that the UK GDPR had precedence and that overly broad exceptions in Schedule 2 to the DPA 2018 were unlawful.  In practice this means that data subject rights in UK law will be less certain and potentially less protective than before.

Unnecessary uncertainty? 

The significant uncertainty caused by the changes the REULA makes to the statute book could have been remedied by the government using powers in the REULA.  The powers in section 11 of the REULA could have been used to turn the effect of EU fundamental rights and supremacy back on.  Alternatively, the current relationship between the UK GDPR and the DPA 2018 could have been restored using the power in section 7.  The government could have clarified that established case law still applies[25].  The government has chosen not to do so.  The Regulations seek only to cure the problem of deleting EU fundamental rights by replacing those references to fundamental rights under the ECHR, using the powers in section 14[26], but this creates new uncertainties as outlined above.

What will the outcome of these changes be?

Lowering the standard of data protection rights in the UK creates obvious risks to the continuing UK data adequacy decision, which rests on data protection rights being “essentially equivalent” to those rights in the EU.[27]  If the Conservative Party campaigns to leave the ECHR at the next election[28] then this simply magnifies the uncertainties – the substitution that the Regulations make of ECHR human rights for EU fundamental rights may be short-lived.  Lowering the standard of protection of personal data in the UK also risks failure in delivering the “trusted data regime”[29] which purports to be one of the underpinning foundations of the UK’s ambition to become a “technology superpower” by 2030[30]. 

If you have any questions, get in touch.

[1] The GDPR was saved as domestic law through section 3 of the EUWA.

[2] See section 2(1) of the EUWA. 

[3] This is the effect of the wording in section 2(1) of the EUWA – “EU-derived domestic legislation, as it has effect in domestic law…continues to have effect” and section 3(2)(a) of the EUWA – direct EU legislation continues to have effect in the same way as it did in EU law.  For a more detailed discussion of this drafting see Duhs, E. and Rao, I. (2021). Retained EU law : a practical guide. London: The Law Society.at 11.5. 

[4] See section 6(7) of the EUWA and the definition of retained case law.

[5] For a discussion of the general principles of EU law see Duhs, E. and Rao, I. (2021). Retained EU law : a practical guide. London: The Law Society at Chapter 6. 

[6] For a discussion of the Fundamental Rights of EU law see Duhs, E. and Rao, I. (2021). Retained EU law : a practical guide. London: The Law Society Chapter 7. 

[7] See the case of Stauder (Erich) v City of Ulm – Sozialamt (Case 29/69) EU:C:1969:57.

[8] The general principles were saved into domestic law.  For an explanation of how the EUWA deals with the general principles see Duhs, E. and Rao, I. (2021). Retained EU law : a practical guide. London: The Law Society at Chapter 13.5.4.  Under the EUWA, the general principles are no longer capable of being used as the basis for a claim, apart from under transitional arrangements (this is the effect of paragraph 3 of Schedule 1 to the EUWA, subject to the transitional provisions at Schedule 8 to the EUWA – see Duhs, E. and Rao, I. (2021). Retained EU law : a practical guide. London: The Law Society at Appendix C).  However, the general principles were preserved as an aid to interpretation of retained EU law. See section 6(3)(a) and section 6(7) of the EUWA. See also the case of Secretary of State for Work and Pensions v Beattie & Ors [2022] EAT 163 at [135]. 

[9] This is the effect of section 5(2) of the EUWA.

[10] See the judgment at [11]- [13] and [53] – [54].

[11] The view that the Charter of Fundamental Rights did not create rights is not universally accepted.  For further discussion see Duhs, E. and Rao, I. (2021). Retained EU law : a practical guide. London: The Law Society at 14.4.3.

[12] This is the effect of section 5(5) of the EUWA.  For further discussion see Duhs, E. and Rao, I. (2021). Retained EU law : a practical guide. London: The Law Society at Chapter 14.4.

[13] GOV.UK. (2017). The Repeal Bill: White Paper. [online] Available at: https://www.gov.uk/government/publications/the-repeal-bill-white-paper [Accessed 4 Nov. 2023].

[14] See section 4 of the REULA, which introduces new section 5(A4) of the EUWA, which states that “No general principle of EU law is part of domestic law after the end of 2023”.  The provision in section 6(3)(a) of EUWA which states that retained EU law should be interpreted in accordance with the retained general principles of EU law is deleted (see section 4(3) of the REULA).  See also section 2 of the REULA which deletes the rights and obligations saved through section 4 of the EUWA.

[15] See section 3 of the REULA, which inserts new provisions into section 5 of the EUWA.  New section 5(A2) states that any provision of direct EU legislation (such as the UK GDPR) must “so far as possible, be read and given effect in a way which is compatible with all domestic enactments” and “is subject to all domestic enactments, so far as it is incompatible with them.”   This is subject to limited exceptions for data protection law – see discussion below.

[16] See for example recital 1 of the UK GDPR, which states “
The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.”  The DPA 2018 is domestic law which implemented EU law and therefore reflects the fundamental rights in the EU legal order – see the discussion on the requirements of domestic law which implements EU law in Duhs, E. and Rao, I. (2021). Retained EU law : a practical guide. London: The Law Society at Chapter 7.14.

[17] See the Charter Explanations relating to Article 8 of the Charter. 

[18] The lack of a specific right to the protection of personal data under the ECHR was discussed by the High Court in the case of R (Davis & Watson) v. Secretary of State for the Home Department [2015] EWHC 2092 (Admin) at [80].

[19] See Article 52(3).

[20] Examples of the importance of the Charter and of EU fundamental rights to the interpretation of the GDPR are the CJEU’s reasoning in the case of See for example Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18 EU:C:2020:559 at [168 – 176]). As set out above, the EUWA ensured that this kind of uncertainty was avoided by spelling out that references to the Charter in retained case law should be read as if they referred to the underlying rights (see section 5(5) of the EUWA). 

[21] Retained direct EU legislation was saved through section 3 of the EUWA and comprises EU regulations, EU decisions or EU tertiary legislation.  For further discussion see Duhs, E. and Rao, I. (2021). Retained EU law : a practical guide. London: The Law Society at Chapter 12.4.

[22] See section 3 (1) of the REULA which inserts section 5(A3) into the EUWA.  Section 5(A3) provides that the rule that domestic law trumps retained direct EU legislation is subject to section 186 of the DPA 2018 (data subject’s rights and other prohibitions and restrictions).

[23] See section 186(1) of the DPA 2018. 

[24] The exceptions in Schedule 2 to the DPA 2018 restrict the data subject rights if specified conditions are met (for example, paragraph 16 of Schedule 2 permits a controller to withhold information following a data subject access request where disclosure would adversely affect the privacy rights of others).

[25] There are a number of potential routes that could have been considered here:  first, the power in section 11 of REULA would have allowed the government to codify retained case law.  An alternative would be to set out the intended effect of the changes in the explanatory memorandum.  The courts could take this into account when considering whether the government intended that the retained case law should remain relevant to the interpretation of the relevant instrument or not.  See for example R (on the application of PACCAR Inc and others) vCompetition Appeal Tribunal and others[2023] UKSC 28 at [46].  This could also be clarified in the affirmative debates on the Regulations.  It should be noted that retained case law can still apply to retained EU law even when it has been modified under the scheme set out in EUWA (see section 6(3) and (6)).  This position is not changed by the REULA.

[26] This is the power to revoke or replace retained EU law.

[27] See GOV.UK. (n.d.). EU adopts ‘adequacy’ decisions allowing data to continue flowing freely to the UK. [online] Available at: https://www.gov.uk/government/news/eu-adopts-adequacy-decisions-allowing-data-to-continue-flowing-freely-to-the-uk.  See also the adequacy decision itself here.

[28] Tories could campaign to leave European human rights treaty if Rwanda flights blocked. (2023). BBC News. [online] 9 Aug. Available at: https://www.bbc.co.uk/news/uk-politics-66438422.

[29] See GOV.UK. (n.d.). UK launches data reform to boost innovation, economic growth and protect the public. [online] Available at: https://www.gov.uk/government/news/uk-launches-data-reform-to-boost-innovation-economic-growth-and-protect-the-public [Accessed 1 Nov. 2023].‌

[30] See GOV.UK. (2023). The UK’s International Technology Strategy. [online] Available at: https://www.gov.uk/government/publications/uk-international-technology-strategy/the-uks-international-technology-strategy.‌