On 11 September 2023, the UK’s Department for Science, Innovation, and Technology (DSIT), published the draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (DP Regulations), which seek to amend the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018).
Background:
The DP Regulations will update the UK’s data protection legislation by amending the reference to “fundamental rights and freedoms” in the UK GDPR , so that they refer to rights recognised under UK law, rather than retained EU rights.
This is because retained EU rights will be repealed by the UK at the end of this year under the Retained EU Law (Revocation and Reform) Act 2023. The repeal of these rights means that any EU-derived rights under section 4 of the European Union (Withdrawal) Act 2018 (EUWA 2018) will cease to be recognised under UK law. When the DP Regulations come into force, references to fundamental rights and fundamental freedoms in the UK GDPR or the DPA will instead be interpreted by reference to rights under the European Convention on Human Rights (ECHR) as set out in the UK’s Human Rights Act 1998 (HRA 1998). As such, the protection of personal data will now fall within the right to respect for private and family life under Article 8 of the ECHR. This change results in a narrowing of rights under the UK GDPR and DPA.
In addition, the DP Regulations seek to amend Article 9 (and, consequentially, Articles 50, 85 and 86) of the UK GDPR by removing references to “respect the essence of the right to data protection”.
The UK government published an explanatory memorandum alongside the DP Regulations, stating (i) that there are unlikely to be significant changes to regulatory guidance for organisations; and (ii) that the amendments may alleviate the regulatory burden for organisations, as they will now only be required to undertake analysis of how these rights are recognised in domestic law (rather than performing retained EU law analysis). In contrast, the Information Commissioner acknowledged in a submission to the Ministry of Justice consultation on Human Rights Act Reform that the change to fundamental rights and freedoms by reference to the right to privacy under the HR Act resulted in a narrowing of rights, since “Privacy does not necessarily engage all examples of information related to individuals in the way that data protection does; and data protection does not have to engage in the ‘private’ or ‘personal’ sphere, it also includes the public sphere”. The Information Commissioner (IC) advocated for an explicit reference to data protection under the right to privacy in any future British Bill of Rights.
Comment:
While the government states that the changes brought about by the FRF Regulations are expected to be minimal, the change is likely to have wider consequences for data protection in the UK. The IC has pointed out that there could be consequences for personal data that is public or where it is arguably innocuous because such personal data may not impinge on either private or family life under the HR Act. That in turn could result in more data being collected if controllers can more easily meet the data protection principles under the UK GDPR and DPA.
What’s next?
The draft DP Regulations are currently with the sifting committee sifting until the 23 October 2023, at which stage, the Minister of State for the Department of Science, Innovation and Technology can sign the statutory instrument approving the FRF Regulations into law, unless a motion to reject the statutory instrument is agreed by either House of Parliament.