Compatibility with the European Convention on Human Rights
802 Lord Ashton of Hyde has made the following statement under section 19(1)(a) of the Human Rights Act 1998:
"In my view the provisions of the Data Protection Bill are compatible with the Convention rights."
Article 6: Right to a fair trial
803 The defences to criminal offences in clauses 139, 160 to 163 and 171 are intended to place a legal burden on a defendant through the use of the term "prove". The 1998 Act used both the terms "prove" and "show" in sections 47(3) and 55(2) respectively. Clause 176(3)-(6) makes an exception to section 127 of the Magistrates’ Court Act 1990 for an offence brought under clause 163 (alteration etc of personal data to prevent disclosure) so that the usual six month limitation period from the date of the offence runs instead from the date the prosecuting authority first knew of the possible offence, but for no longer than three years after the offence was committed.
804 The imposition of a legal burden on a defendant may interfere with their rights under Article 6 of the ECHR. The modification to standard limitation periods for criminal offences may also interfere with Article 6 rights.
805 Any interference with the Article 6(2) right must be according to law. The Government consider that the extent and nature of the factual matters the defendant is required to prove are not unduly onerous, and are likely to relate to matters which are more readily provable by the defendant than the prosecution. On balance the Government believe that the burden to prove the defence is justified having regard to the seriousness of the offence and to give effective enforcement support to the aims of a framework that regulates the processing of personal data. None of the offences will carry custodial penalties.
806 The modification to standard limitation periods is a practical step in light of the fact that such offences may not come to light until sometime after they have been committed. Such a modification is not unprecedented - see e.g. section 6 of the Road Traffic Offenders Act 1988. The three year long-stop provides a safeguard against the prospect of such a prosecution being brought within an indeterminate period. In the Government’s view, any interference is proportionate.
Article 8: Right to respect for private and family life
807 The Bill includes a number of exemptions from the rights given to data subjects in the GDPR and obligations imposed on controllers in relation to personal data. These rights include the right of access to data (Article 15), the right of erasure (Article 17) and the right to receive certain information from the controller (Articles 13 and 14). Exemptions may also permit disclosure of personal data for a purpose other than the purpose for which the data was originally collected.
808 Restricting certain rights of data subjects and obligations of controllers could result in interference with Article 8 rights of individuals. The Government consider that the restrictions being made under the Bill meet the balancing test in Article 8(2) and therefore do not constitute an unlawful interference with Article 8 as they are proportionate in pursuit of a legitimate aim i.e. that in each case they are in the interests of public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others; and they are no more than are necessary and proportionate in a democratic society. The exemptions only apply to the extent of any prejudice to those interests and make the specific provisions and contain safeguards as required.
809 Article 9(1) of the GDPR prohibits the processing of special categories of data. These are: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. However, Article 9(2) permits the processing of this data in certain circumstances and subject to safeguards. Clause 9 gives effect to Schedule 1, which provides for derogations from the ban on processing of special categories of personal data where Member State law permits such processing for certain purposes. Schedule 1 sets out the general safeguards that are required to be applied by data controllers when processing under most of these conditions, which are in addition to the safeguards that may already be incorporated in a particular condition.
810 The Government consider that these potential interferences with Article 8 rights are justified as they are in accordance with the law, meet the test of necessity and proportionality and fall within one of the categories in Article 8(2) such as the protection of health.
811 Clause 17 exercises a derogation under Article 49(4) GDPR by enabling the Secretary of State to specify in regulations circumstances in which data transfer may or may not be taken to be necessary for important reasons of public interest, for the purpose of relying on Article 49(1)(d) GDPR to transfer personal data to a third country or international organisation. In exercising the power in the Bill to specify such circumstances,the Secretary of State could provide further grounds for transfers of personal data to third countries and international organisations. Such transfers could result in interferences with Article 8 rights of data subject.
812 Article 49(1)(d) GDPR resembles an existing provision in paragraph 4(1) of Schedule 4 to the 1998 Act. Paragraph 4(1) enables overseas transfers of personal data for reasons of substantial public interest, for example to help combat money laundering. Paragraph 4(2) of Schedule 4 gives the Secretary of State a similar power to that in clause 17, but the paragraph 4(2) power has not been exercised.
813 Any regulations made under clause 17 will, in accordance with that clause, be subject to parliamentary scrutiny (through the negative procedure) and to scrutiny by the courts, for example on grounds of irrationality or incompatibility with ECHR. The Government consider that these safeguards will ensure that any resulting interference with Article 8 rights is proportionate.
814 The approach adopted in the Bill to national security exemptions, mirrors the approach to national security in the 1998 Act. Clauses 24, 41(4), 42(4), 45(3), 65(7) and 110 provide for national security exemptions. Exempting from data protection standards in the relevant regimes on the grounds of national security necessarily interferes with Article 8 rights, as in such circumstances data controllers will be seeking to restrict the rights which data subjects would otherwise benefit from.
815 The approach in the Bill to national security exemptions will not change the existing position in the 1998 Act, which already provide a broad exemption from data standards. As a result, in the Government’s view, the Bill itself will not be creating any greater interference with rights. Furthermore, the exemptions do not impact on the existing foreseeability position, with restrictions of data protection rights under the Bill no less foreseeable than under the 1998 Act.
816 In addition, the approach taken to exemptions in the Bill is consistent with Convention 108, Article 9 of which permits member states to restrict specified data rights and principles for the purposes of safeguarding national security. As a result the Government consider the national security exemptions provided for in the Bill are envisioned by the Convention and consistent with the ECHR. Any interference with Article 8 rights resulting from any restrictions on data rights is also clearly in pursuit of a legitimate aim, namely the safeguarding of national security.
Article 10: Freedom of expression
817 Article 85 of the GDPR requires Member States to provide exemptions or derogations from certain rights and obligations in the context of processing personal data for journalistic purposes or the purpose of academic, artistic or literary expression, if such exemptions or derogations are necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information. Part 4 of Schedule 2 exempts the data protection principles, many of the data subject rights and other obligations imposed on a data controller to the extent necessary to allow for publication of such material. Article 10 is engaged as there is an inherent tension between data protection, and the right to freedom of expression.
818 The limits imposed on the ability to rely on the exemption in paragraph 24 of Part 4 of Schedule 2 mean that the exemption from the privacy rights is only activated when necessary for publication and that publication is reasonably considered to be in the public interest. The Government’s view is that this balances the right to privacy and the right to freedom of expression.