The Ministry of Justice (MoJ) Consultation, “Human Rights Act Reform: A modern Bill of Rights”, has the potential to significantly undermine the application of UK’s data protection regime.
These MoJ proposals are in addition to the DCMS proposals which also weakened the UK_GDPR (discussed in various blogs last November). Neither the DCMS nor the MoJ make any reference to the fact that their separate public consultations are connected when data protection is concerned. One wonders how this fundamental omission was missed?
The MoJ Consultation, in summary, is designed to expurgate any European contamination associated with the words “necessary”, “public interest” and “proportionate”. For example, MoJ proposes changing the interpretation of the word “necessary” so that “great weight” has to be given to Parliament’s view of what is necessary. The same goes for “public interest”.
This has a knock on to the data protection regime. For example, the word “necessary” is used in: three Principles in A.5; most lawful bases in A.6; most conditions for the processing of special category of personal data and criminal offence personal data (A.9, A.10 and Schedule 1 of the DPA2018) and several A.23(1) exemptions.
It can be seen that if that “great weight has to be given to Parliament’s view of "necessary" processing, then any enforcement action by the ICO becomes far more difficult. And if the data protection regime cannot be properly enforced, it follows that the protection for data subjects is weakened.
In addition, the MoJ Consultation uses the term “public interest” over 70 times, without a formal definition. This is like the DCMS consultation “Data: a new direction” which uses the term “public interest” more than 40 times without defining it.
So when Ministers refer to “the public interest” what they mean?
As will be seen, the answer I derive is not a happy one.
ICO as A.8 ECHR Commissioner?
Both the DPA2018, UK_GDPR & Human Rights Act (HRA) are intertwined mainly through the word “necessary” as used, for example, in A.6 of the UK_GDPR or in A.8(2) of the European Convention on Human Rights (ECHR).
For instance, in the context of interference by a public body into an individual’s private and family life (e.g. by police surveillance), the interference (i.e. surveillance) can be justified if it is necessary to safeguard the functioning of a democratic society for reasons listed in Article 8(2) of the ECHR (e.g. “necessary … for the prevention of crime”).
The European Data Protection Board explained the linkage between the data protection and human rights regimes in the following terms: “In cases where there is 'interference with privacy' [legitimised in terms of A.8(2) of the ECHR] a legal basis is required [as a result of A.6 of the GDPR] … as a precondition to assess the necessity of the interference”. (quotation from WP217).
In other words, when there is an interference by a public body, A.8(2) of the ECHR sets out a general “necessity” requirement for the processing of personal data to be lawful whilst A.6 of the GDPR additionally sets out why that processing is “necessary” (e.g. “necessary for a legal obligation” etc).
The corollary is also valid: a public authority does not infringe the A.8(1) ECHR right, if it can show that its interference by the processing of personal data is justified (i.e. necessary) and has an A.6 lawful basis (e.g. necessary for its public task).
Note that it is possible for the ICO to enforce A.8 ECHR when personal data are processed by a public authority via its link to A.6 of the GDPR. For example, if a public authority controller misapplied its powers to disclose personal data, then it could not rely on the obvious lawful basis as the disclosure of personal data would, for instance, not be necessary for a legal obligation (as the legal obligation has been misapplied).
In other words, the breach of A.8 would also translate into a breach of the relevant lawful basis, in this example A.6(1)(c). It is the same for “public task” in A.6(1)(e).
It follows that the ICO (as can any European Data Protection Authority) can make an assessment of necessity or proportionality and could become an A.8 Commissioner whenever personal data were processed by a public body.
Unfortunately all data protection regulators (UK and in Europe) down the ages have steadfastly refused to go down this road except, in the UK, for one notable case (see references which also contains a link to a definitive document on the reach of A.8).
Changes to “necessary” & “public interest”
The MoJ Consultation suggests two possible legislative changes to the human rights regime which have significant interpretive impact across the UK_GDPR. Namely, those UK_GDPR provisions that rely on the words “necessary” or “in the public interest” for their effect.
Note that the text of the UK_GDPR does NOT change (e.g. the UK_GDPR provision still refers to “necessary”), but the interpretation and consequential impact on application or enforcement of the UK_GDPR does change significantly.
These proposed legislative changes will apply when an A.8 case is heard by a Court; these require the Court to give “great weight”:...
“… to Parliament’s view of what is necessary in a democratic society (and the fact that Parliament has enacted the legislation is for these purposes determinative of Parliament’s view that the legislation is necessary in a democratic society)”;
Or (this “or” could possibly end up being an “and”?)
“… to the fact that Parliament was acting in the public interest in passing the legislation” (page 100; MoJ Consultation; my emphasis).
“Legislation” as used in the above quotations is defined to be “primary legislation, and subordinate legislation …. which has been approved by a resolution of either or both Houses of Parliament” (i.e. the affirmative resolution Parliamentary procedure has been followed).
If the MoJ proposals become law, it can be seen that whenever Parliament enacts legislation that relates to (or requires) the processing of personal data, this fact has to be given “great weight” by the Courts when assessing whether the processing is “necessary” or “in the public interest”.
Clearly therefore, the ICO will also have to give them “great weight” prior to enforcing the data protection regime (or indeed in the ICO’s official data protection guidance).
Worked example
Suppose the ICO is enforcing the lawful basis used for the processing of personal data by a public authority and suppose further the processing was authorised by law or related to its public task functions as set in legislation approved by Parliament.
To have a successful enforcement under A.6, the ICO has to establish that the processing was neither “necessary” nor “in the public interest” AND overcome the “great weight” that has to be given to the alternative view (e.g. Parliament’s view that the processing was necessary).
This allows a public authority controller that is facing such ICO enforcement action (e.g. for unlawful processing) to defend the ICO’s action in Court (or Tribunal) arguing that: “The ICO has failed to give “great weight” to Parliament’s view that the controller’s processing was indeed necessary”.
Similarly, if the “in the public interest” option arises; the argument changes to: “The ICO has failed to understand that “great weight” had to be given to the “public interest” in the processing especially as the Controller was merely following Parliament’s wishes”.
Remember, in general, A.6(1)(e) provides a lawful basis for the processing if it is “necessary for the performance of a task carried out in the public interest” where the public interest in question is likely to carry automatic “great weight” (in favour of the controller rather than the data subject).
Wider impact on the UK_GDPR
The question then arises as to whether this kind of knock on effect undermines other data protection provisions where the words “necessary” or “the public interest” are used? I am afraid to say that I suspect this is the case.
For instance the word “necessary” appears in three Principles in A.5, most lawful bases in A.6, most conditions for the processing of special category of personal data and criminal offence personal data (A.9, A.10; Schedule 1) whereas ”public interest” appears in A.23 exemptions, certain rights (e.g. A.13), Schedules 1 to 5 of the DPA2018 (Special category of personal data and exemptions), transfer arrangements, data breach notification etc (and in a number of other places).
So assume the Government use powers approved by Parliament in the Digital Economy Act 2017 to specify data sharing between two controllers of specified personal data for a specified period. Suppose further the ICO considers that the controllers were processing excessive personal data for far too long.
The controllers can resist any ICO enforcement to by arguing:
- Parliament has determined that the lawful basis for the processing is both “necessary” and “in the public interest” (i.e. A.6(1)(e)) and this fact should carry “great weight”;
- The Data Minimisation Principle is not breached because Parliament has explicitly stated the processing of certain items of personal data; these have been deemed necessary for the purpose and this fact should carry “great weight”;
- The Storage Limitation Principle is not breached because Parliament has explicitly specified the that personal data should be retained in a name linked form for a specific period; Parliament has deemed this retention time as being “necessary” for the purpose, and that this fact carries “great weight”.
It can be seen that there is not much data protection left (e.g. transparency, security) and the provisions in the MoJ Consultation (as illustrated above) effectively comprise an exemption from the two Principles mentioned above and A.6.
Note also that the data subject’s right to object also becomes almost exempt as the objection has to overcome the fact that Parliament has judged that the continued processing by the controller has to carry great weight.
With respect to “substantial public interest” (as used in Schedule 1 to legitimise the processing of special category of personal data), the DCMS has suggested changes where legislation specifies when the substantial public interest is satisfied (para 297 of DCMS Consultation).
If this happens the processing will automatically become “necessary” and this fact will have to be given “great weight” by the ICO. The result is that such special category of personal data and criminal offence personal data could be made easier to process by public bodies to the detriment of the protected offered to data subjects.
In the public interest?
With respect to enacting legislation, what Government wants usually is enacted; there is no separation of powers in the UK as the executive (i.e. Government) sits in the legislature (i.e. Parliament) and is in control of the legislature’s agenda. This is exacerbated by an Electoral System that delivers majority Governments with a minority popular vote (e.g. 58% of the Parliamentary seats with 43.6% of the popular vote).
This means that opposition parties might huff and puff, but with a large majority, a Government should get its legislative way.
The point being made is that Parliament could vote primary legislation down but very rarely does so. So when the MoJ Consultation refers to “…Parliament’s view of what is necessary in a democratic society “ it is really referring to what the Government considers as being necessary in a democratic society.
Similarly when Parliament acts in the public interest in passing the legislation it is usually because Government has the view that the proposed legislation is in the public interest.
It’s the same with the secondary legislation subject to affirmative resolution procedures. Although in theory, secondary legislation can be voted down, it is not. A House of Commons Research Paper on Statutory Instrument explains that:
“In the House of Commons, the last time a draft Statutory Instrument subject to affirmative procedure was not approved was in July 1978 when the draft Dock Labour Scheme 1978 was defeated by 301 votes to 291. (see references).
So, in summary, what is necessary is what the Government specifies as necessary; what is in the public interest equates to the interests of the Government of the day.
But then it gets worse. Given the primacy of the (almost Presidential) post of Prime Minister, what is “in the public interest” equates to “in the interests of Boris Johnson”, insofar, at the time of writing, he is the current Prime Minister of the UK.
Now that is a really unpleasant thought to end with.
Data Protection Courses (Winter 2022)
Because of continued COVID uncertainty, fuel crisis, or the results at Barnsley FC the course can be attended in person, or via Zoom, or as a mixture if you something untoward happens: it's up to you.
- The Data Protection Practitioner Course is in London, and starts Tuesday, March 22-25; March 29-31 (6 days); Full details on amberhawk.com/StandardDP.asp or by emailing info@amberhawk.com
- The Data Protection Foundation Course is in London, and starts Tuesday, February 1st to 3rd (3 days); Full details on http://www.amberhawk.com/DPFoundation.asp or by emailing info@amberhawk.com
References
Information Commissioner should enforce Article 8 privacy rights http://amberhawk.typepad.com/amberhawk/2010/04/information-commissioner-should-enforce-article-8-privacy-rights.html
Information Commissioner’s enforcement proceedings links Article 8 to unlawful processing. https://amberhawk.typepad.com/amberhawk/2012/11/information-commissioners-enforcement-proceedings-links-article-8-to-unlawful-processing.html
House of Commons Research Paper on Statutory Instruments: https://researchbriefings.files.parliament.uk/documents/SN06509/SN06509.pdf
Guide to Article 8 prepared by the Registry of the European Court of Human Rights: https://www.echr.coe.int/Documents/Guide_Art_8_ENG.pdf
Example of affirmative SI procedure for the “Economic Growth (Regulatory Functions) Order 2017”: see middle of Ministers want to pull the strings and rein-in the ICO’s independence; https://amberhawk.typepad.com/amberhawk/2021/11/ministers-want-to-pull-the-strings-and-rein-in-the-icos-independence.html
Comments