A fortnight ago, the Government published its UK Bill of Rights to replace the Human Rights Act 1998 (HRA).
My main conclusions concerning the Bill of Rights relevant to data protection are:
- The Bill changes who interprets the meaning of necessity, public interest and proportionality and thereby changes the nature of the link between the UK_GDPR and A.8 of the European Convention of Human Rights (right of respect for private and family life etc).
- The Courts do not undertake the balancing tests associated with “proportionality”, “necessity” and what is “in the public interest”; these tests are undertaken by Ministers if a Government has a Parliamentary majority.
- The Bill is a significant risk to the Adequacy Agreement with the European Commission.
- The Bill protects the powers of the State from challenge, rather than protecting the individual from the misuse of State powers.
- The Bill is intellectually flawed with respect to its treatment of A.8 issues.
- The Bill allows Government to fashion wide ranging exemptions from the UK_GDPR, not listed in A.23 of the UK_GDPR; it also explicitly permits processing that breaches A.8.
- The Bill neither addresses nor resolves the serious data protection issues identified by the ICO in his evidence to the MoJ Consultation.
- The Commissioner might have misled Parliament in his recent Oral Evidence.
The Bill is intellectually flawed
Suppose legislation requires a public body to disclose specific items of personal data with another controller. Under the current data protection regime, such a disclosure would be “necessary for a legal obligation” (the controller’s A.6 legal basis for the disclosure).
Additionally, such legislation that demands disclosure would also have to be justify its interference of the A.8(1) right in terms of “necessity” and “proportionality” as required by A.8(2).
Note that currently the two regimes (DP & ECHR) are firmly linked through the word “necessary” which has the same meaning in both regimes. So, in our example above, the ICO can consider whether the test of necessity in human rights terms, applies to the disclosure of personal data in data protection terms (i.e. whether the disclosure is really necessary for a legal obligation).
Under the Bill of Rights, this is not possible. Processing becomes “necessary” because Ministers have used their Government majority to enact legislation, approved by Parliament. The Courts have to give the greatest possible weight to the assumption that Parliament has balanced all the factors associated with necessity (and proportionality and in the public interest) when enacting that legislation.
In summary, under the Bill, Parliament determines the balancing concepts such as of necessity, proportionality or the public interest in legislation as it passes through its Parliamentary stages. This contrasts with the current position where the Courts (or ICO) consider such concepts, once legislation has been enacted.
The difference in timing exposes an intellectual shortcoming in the Bill of Rights. The Bill’s position is that Parliament considers concepts such as “necessity” as the legislation passes through its Parliamentary stages (i.e. the legislation is not yet an Act of Parliament).
This is to be compared with the current position where legislation has been enacted, but its operation in practice has created a human rights difficulty which is being considered by the Courts.
In other words, balancing the concept of “necessity” etc is currently considered by a Court in the context of knowledge of all relevant facts. Under the Bill, Parliament considers such concepts in the absence of any fact.
This is hardly a rational approach towards enacting trouble-free legislation.
Unlawful processing is OK!
Suppose a future piece of legislation, passed by Parliament, requires a public authority to process specific items of personal data items it already holds for a new purpose Z, disclose them another organisation for purpose X. Assume further the Bill of Rights is an Act of Parliament.
All these processing activities are lawful, necessary, proportionate and in the public interest because the provisions of Bill of Rights requires the courts to assume Parliament has considered all the relevant balancing factors.
Indeed the Bill of Rights goes further, as it allows a public authority to process personal data in a way that is incompatible with a Convention right.
Although the Bill states that “it is unlawful for a public authority to act in a way that is incompatible with a Convention right” (e.g. the act in question being to process personal data as described above), this prohibition does not apply “as a result of one or more provisions on primary legislation, the authority could have not acted differently” (See Clause 12(2) of the Bill).
As the processing in the above example is required by law, the public “authority could have not acted differently”. It follows that, if processing of personal data is required by law, it does not breach A.8 and never can be an unlawful breach of A.8.
If this interpretation carries over to the UK_GDPR, it serves as an exemption from the lawfulness requirements of the UK_GDPR and permits unlawful processing.
Why call it an exemption?
Suppose Parliament enacts a law which states that personal data have to be retained for seven years, when in practice the retention time should be one year. The text of the Storage Limitation Principle states that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
Note that the current test of “necessity” is linked to the “purpose of the processing”. Because the word necessary has the same meaning in the human rights and data protection regimes, the question the ICO could explore under the current regime is: “In the context of this seven year retention period, is the law that requires such retention, proportionate and necessary?”.
Under the Bill of Rights this question is not even asked. This is because it is presumed that Parliament has struck an appropriate balance between competing factors (e.g. proportionality, public interest, necessity) in approving this seven year retention period. Indeed, the ICO is obliged to give Parliament’s balance “the greatest possible weight” if he were to enforce the Storage Limitation Principle.
In other words, the prospect of enforcement for seven-year-retention is remote. If an UK_GDPR provision cannot be enforced, then the provision itself is effectively exempt. In the case above, the Storage Limitation Principle is effectively exempt for seven years.
In general, the Bill’s impact on the UK_GDPR is profound: any legislation if it contains provisions that relate to the processing of personal data, fashion future exemptions from the data protection regime, far beyond the requirements of A.23 of the UK_GDPR which requires any exemption to be “a necessary and proportionate measure in a democratic society” (where it is assumed the Courts assess the underlined words).
If you want an example of legislation that contains many such processing provisions which are likely to conflict with the UK_GDPR, see S.12 of the Childrens Act 2004. The ICO will have obvious difficulties in enforce UK_GDPR standards if the standards set out in S.12 differ.
Protecting powers not humans
It is important to understand, the UK Bill of Rights does not grant rights to protect individuals from the abuse of powers by the State. Instead the Bill protects the powers of the State from individuals who currently argue in Court that such powers have been unlawfully exercised.
This objective is achieved by making it more difficult for an individual to commence a Court case under the UK Bill of Rights. If, for example, Ministerial or public authority powers are misused, the complainant has first to show “significant disadvantage” from the misuse of powers.
Then the individual has to overcome the very strong presumption that the Minister (or public authority) is acting lawfully, proportionally, in the public interest etc. If the issue under scrutiny accords with legislation enacted by Parliament (which has considered all relevant balancing factors remember!) and if the controller is a public authority that has no choice, then the use of these powers is not a breach of A.8. (See the section on Unlawful processing is OK above).
If, perchance, an individual complainant then took the case to the Strasbourg Court of Human Rights and won, the Bill of Rights ensures the UK Courts and Government can effectively ignore that Strasbourg jurisprudence (see next section).
That’s why the Bill protects the powers of the State from interference from data subjects and does not protect data subjects from the excessive use of State power.
How the Bill protects state powers
There are three procedural changes, targeted at the courts, that also protect the powers of Ministers or of the State from scrutiny. These are set out in Clause 1 of the Bill of Rights.
- “it is the Supreme Court (and not the European Court of Human Rights) that determines the meaning and effect of Convention rights for the purposes of domestic law” (Comment: this allows future “Strasbourg jurisprudence” concerning the use of powers to be ignored);
- “courts are no longer required to read and give effect to legislation, so far as possible, in a way which is compatible with the Convention rights” (Comment: this permits UK Bill of Rights to diverge from existing human rights precedents and existing Strasbourg jurisprudence; it also removes the requirement to ensure that an interpretation of any legislation is supportive of human rights);
- “courts must give the greatest possible weight to the principle that in a Parliamentary democracy, decisions about the balance between different policy aims… are properly made by Parliament” (Comment: this allows Government, via its Parliamentary majority, to constrain further the Courts drawing a conclusion that a particular right has been infringed when powers are used).
The Explanatory Notes to the Bill state that a court must understand that “judgments, decisions and interim measures” of the ECHR “are not part of domestic law” and that the Principle of Parliamentary democracy (i.e. what Parliament enacts) is expected to prevail unless a case before the Court is exceptional.
As Government is in control of the Parliamentary agenda (e.g. Government Bills tabled before Parliament are usually enacted), another way of summarising the Bill’s impact is as follows: “the powers that Ministers specify for themselves in legislation is what Parliament decides in terms of the Bill of Rights”. And “what Parliament decides is what the Courts must give the greatest possible weight”.
A shorthand for this is: under the Bill, “Ministers propose; the Courts dispose”.
Adequacy down the tubes?
The Adequacy Agreement between the UK and European Commission mentions the current Human Rights Act over 50 times and assumes that the:
- “… United Kingdom’s adherence to the ECHR … as well as its submission to the jurisdiction of the European Court of Human Rights” is assured. (my emphasis). Comment: as can be seen from the Bill of Rights, the UK will be no longer “submitting” to the jurisdiction of the European Court.
- “….any person that considers that his or her rights, including rights to privacy and data protection, have been violated by public authorities, can obtain redress before the UK courts under the Human Rights Act 1998”. Comment: this is no longer true as the Bill of Rights imposes a significant threshold on the person seeking redress to show that he/she is a “victim” of an action that results in “significant disadvantage” to that person (Clause 15(3) of the Bill).
- there is “continued adherence to such instruments” (e.g. “submission to the jurisdiction of the European Court of Human Rights”). ”. Comment: The Bill of Rights ensures that “continued adherence…” is no longer the case.
So what are the implications of the above for Adequacy?
- Does the above mean that the UK will lose the Adequacy Agreement immediately? Answer: “NO” as the Bill has yet to pass through Parliament.
- Does the above mean that the European Commission could argue that the UK is set to renege on the Adequacy Agreement? Answer: “YES”, and at any time.
- Could the European Commission set in motion the steps needed to revoke the Adequacy Agreement? Answer: “YES”, and at any time.
You don’t need to take my word for it: the ICO could not be clearer in his evidence to the MoJ: “In order to maintain EU adequacy decisions, the Government should ensure its proposals continue to effectively implement the ECHR in British law”; para 4.23).
How necessity etc is determined
Article 8 of the ECHR contains the balance between the right to respect for private life (A.8(1)) versus the lawfulness of any interference with that right (A.8(2)). This raises the question of whether or not any interference is “in the public interest”, “necessary” or “proportionate”.
Clause 7 of the Bill of Rights sets out the role of Parliament in assessing these concepts when balancing different objectives (e.g. in A.8)). It states that when a Court is a considering whether there is a breach of a right, it must “strike the appropriate balance” between:
- “different policy aims” (e.g. as in A.8(1) and A.8(2) ECHR). Comment: the Explanatory Notes says this also “includes weighing up competing social and economic considerations”;
- “different Conventions rights” (e.g. as with A.8 and A.10 ECHR);
- “the Convention rights of different persons”; or
- “a combination of matters mentioned in (i) to (iii)” Comment: the Explanatory Notes says this, includes balancing “a person’s Convention rights” against “the interests of society at large”.
In striking that “appropriate balance”, a Court must (i.e. NO flexibility here):
- “regard Parliament as having decided, in passing the Act” (i.e. the Act under scrutiny by the Courts), “that the Act strikes an appropriate balance” between the matters as set out in (i)-(iii) above; and
- place “the greatest possible weight” on the principle that “in a Parliamentary democracy, decisions about how such a balance should be struck are properly made by Parliament”.
In the context of A.8, the Courts must assume Parliament has considered different policy aims (e.g. whether the law enforcement authorities can access a database of personal data). Such consideration will naturally include concepts such as necessity, in the public interest and proportionality.
It can be seen that the courts will find it very difficult to diverge from this “appropriate balance” as it has to give this balance “the greatest possible weight”.
This difficulty also applies to the ICO when enforcing the UK_GDPR.
Conclusion
The ICO published a trenchant criticism of the MoJ Consultation document of the impact of the Bill of Rights on the UK_GDPR (see references). Since then Information Commissioner has gone quiet on this impact.
The Commissioner might think that the problems he raised in his submission to the MoJ about “in the public interest”, “necessary” and “proportionality” have gone away. They haven’t. Whilst these were explicit in the MoJ Consultation, they are implied in any detailed analysis of Clause 7 above.
Indeed, when the Information Commissioner was last before MPs, he said the following in relation to a direct question about the Adequacy Agreement: “As I say, when the European Commission comes to look at the law and examine it, I hope that it will see everything that guarantees a sufficient level of protection of Europeans’ data in the United Kingdom” (Q287; see references).
I can’t see how the Commissioner has reached this conclusion. The statement to Parliament is, in my view, misleading.
Autumn Data Protection Courses
Because of continued COVID uncertainty, the following courses can be attended in person, or via Zoom, or as a mixture if you something untoward happens. It's up to you.
- The next Data Protection PRACTITIONER Courses is in London on Monday September 19-24 (5 days); full details by emailing info AT amberhawk.com
- The next Data Protection FOUNDATION Course is in London on Tuesday, July 12-14 and November 15-17 (3 days); full details by emailing info AT amberhawk.com
References
Link to all UK Bill of Rights documents: https://www.gov.uk/government/publications/bill-of-rights-bill-documents (you will need the Bill & Explanatory Notes)
Link to ICO’s Human Rights response to the MoJ (a must read): https://ico.org.uk/about-the-ico/consultations/ministry-of-justice-consultation-human-rights-act-reform-a-modern-bill-of-rights/
The link to my four blogs on the MoJ human rights Consultation (see end of): https://amberhawk.typepad.com/amberhawk/2022/03/omissions-in-human-rights-proposals-degrade-privacy-and-freedom-of-expression.html
All the draft Oral evidence transcripts (the ICO one quoted above is 8th June) can be found on: https://committees.parliament.uk/work/1733/the-right-to-privacy-digital-data/