The new Data Protection and Digital Information (No 2) Bill (“No.2 Bill”) has been published, minus any Keeling Schedule, and minus any indication of how the new Bill has diverged from the old. The Department for Science, Innovation & Technology (DSIT) has this information to hand; its failure to publish it performs an unnecessary public disservice.
The press release accompanying the No.2 Bill says the legislation has been “Co-designed with business from the start, this new Bill ensures that a vitally important data protection regime is tailored to the UK’s own needs and our customs”. It does not take an expert to guess that the No.2 Bill is likely to contain provisions tailored to diminish the protection for data subjects.
What about human rights (again)?
However, the first matter is that should be raised is a matter of procedure. The No.2 Bill should not proceed to any further Parliamentary stage because the UK’s Bill of Rights is still awaiting its Second Reading.
The problem arises because the UK Bill of Rights is likely to have fundamental impact on the UK’s data protection regime (evidence from the ICO – see references) so much so, it is likely undermine completely any Parliamentary consideration of the data protection aspects of the No.2 Bill.
Quite simply, it is a waste of valuable Parliamentary time to consider this No.2 Bill, if the Bill of Rights devastates the data protection landscape to the extent that any Ministerial statement concerning data protection made during No.2 Bill debates (e.g. in relation to the principles or lawful basis) is rendered worthless.
Although the No. 2 Bill is accompanied with a Human Rights Memorandum, this document is also wholly irrelevant. It assumes the UK will follow Strasbourg Jurisprudence (e.g. it even quotes from several European cases and explains that voluntary data sharing by public bodies would fall within the UK’s “margin of appreciation”). In addition, there is a statement on the face of the No.2 Bill saying it is ECHR compliant.
In other words, the No.2 Bill gives the impression that the UK follows the ECHR, when DSIT/Government knows that this is completely misleading if the UK Bill of Rights commences its Second Reading.
This can be seen from the Bill of Rights itself. In clause 1(2) it says “that it is the Supreme Court (and not the European Court of Human Rights) that determines the meaning and effect of Convention rights for the purposes of domestic law”. Clause 1(3) states “judgments, decisions and interim measures of the European Court of Human Rights (a) are not part of domestic law…..”. In other words, the basic assumption towards human rights compliance is the complete opposite to that promulgated by the No.2 Bill.
Further evidence for the negation of human rights arises from the aptly named “Illegal Immigration Bill” (IIB); this explicitly raises the idea that the UK will not follow ECHR. Indeed, many human rights commentators have suggested that the IIB creates a vast smorgasbord of ECHR non-compliance. This includes breach of: the right to life; freedom from torture and from slavery; the right to a fair trial and the risk of detention without trial; the lack of respect for family and private life; the prospect of discrimination, and finally removal of the right to seek a legal remedy.
As an aside, the IIB sets a dangerous precedent in that it is an example of Government enacting legislation that it knows is likely to breach the ECHR. Just imagine data sharing legislation being enacted (via a large majority Government that has a minority of the popular vote) that included something like: "The minister unable to confirm the data sharing law is compatible with A.8".
In addition, the UK’s Adequacy Agreement with the European Commission mentions compliance with ECHR judgements and refers to the Human Rights Act over 80 times. There is no point Ministers saying the Adequacy Agreement “is safe with the No.2 Bill”, if the risk of trashing it arises from the implementation of the UK Bill of Rights.
Finally, look at the Transfer Risk Assessment published by the ICO, in particular Q4 which deals with a human rights assessment. The expected bonfire of human rights, consequent on the passage of the IIB, would probably mean, using the ICO’s own risk assessment methodology, that the UK would become a dodgy, no-go area for certain transfers from the EU.
The Bill of Rights subjugates the No.2 Bill
The UK Bill of Rights fundamentally changes the interpretation of the word “necessary” which is integral to the application of: any lawful basis (A.6 of the UK_GDPR); the Data Protection Principles (A.5); the Special Category of Personal Data conditions (A.9); the processing of Criminal Offence personal data (A.10); the understanding of Schedule 1 (DPA2018); the exemptions from rights (A.23), and finally, transfers outside the UK (A.49).
This is confirmed by the ICO’s evidence to the MoJ (see references). For instance, the ICO writes:
- “Changes in how the concepts of necessity and the public interest are assessed in human rights law will inevitably have an knock on effect on their assessment in data protection law”.
- “The concept of necessity is fundamental across the DPA/UK_GDPR (Article 5 principles, Article 6 lawful bases, Article 9 conditions for processing special category data, Article 23 exemptions, and Schedule 1)”.
- “…likely impact could make it more difficult for the ICO to protect individuals data” (e.g. “if public authorities are be able to rely on public interest grounds in a presumptive way”: (para 3.27).
The human rights challenges arising from the No.2 Bill as explained in the Memorandum are a mere pinprick compared with the privacy wasteland promised by the UK Bill of Rights.
Concluding comment
In short, Parliament needs protecting from a Government that presents one Bill for detailed consideration, when it knows that these considerations are made redundant by other legislation, also before the Parliament at the same time (in this case, the UK Bill of Rights).
An honest Government would progress, or ditch, the UK Bill of Rights first, and then second, move on to the No.2 Bill so the data protection changes can be properly debated.
Data Protection Courses (Spring 2023)
Because of the uncertainty (e.g. transport, strikes etc), the following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- The next Data Protection PRACTITIONER Course is in London on Monday, 22 May 2023 to Friday, 26 May 2023 (5 days: 9.30am to 5.30pm).
- The next Data Protection FOUNDATION Course is in London on June 21-23, 2023 (3 days: Wednesday to Friday 9.45am to 5.00pm).
Full details on the new Amberhawk website (www.amberhawk.com) or obtained by emailing info AT amberhawk.com.
References
The ICO’s evidence re the Bill of Rights is summarised/accessible from my blog at: https://amberhawk.typepad.com/amberhawk/2022/05/ico-confirms-human-rights-changes-undermine-uk_gdpr.html
Blog post: UK Bill of Rights set to undermine UK_GDPR : https://amberhawk.typepad.com/amberhawk/2022/07/uk-bill-of-rights-set-to-undermine-uk_gdpr-and-adequacy.html
Press release and Human Rights commentary is accessible at https://www.gov.uk/government/news/british-businesses-to-save-billions-under-new-uk-version-of-gdpr
Bill of Rights: https://bills.parliament.uk/bills/3227
Comments
You can follow this conversation by subscribing to the comment feed for this post.