28. The GDPR allows Member States to pass legislation providing for exemptions from, and restrictions and adaptations to, specified data protection principles and data subject rights. For the most part, these have to be (a) for purposes of general public interest, and (b) subject to appropriate safeguards.
29. Schedules 2 to 4 to the Bill set out the exemptions that will apply in the UK. For example, certain data protection principles and provisions such as individuals’ right of access to personal data held about them by a controller will not apply if there would be prejudice to:
30. Clause 15(2) in Part 2 of the Bill confers a power on the Secretary of State, by affirmative procedure regulations, to provide for further exemptions from the obligations and rights set out in the GDPR. This is a Henry VIII power because the regulations may amend or repeal any provision in clause 14 of and Schedules 2 to 4 to the Bill.
31. Part 4 of the Bill regulates the intelligence services. They will be required to process data consistently with six principles laid down in clauses 84 to 89. Clauses 90 to 98 confer various rights on data subjects, for example a right to seek information from the data controller. Clause 108 sets out exemptions for the purpose of safeguarding national security. Schedule 11 sets out further exemptions, for example in relation to processing carried out for the purposes of the detection and prevention of crime.
32. Clause 111 confers a power analogous to that in clause 15(2). It enables the Secretary of State, by affirmative procedure regulations, to provide for further exemptions from any provisions of Part 4. This is also a Henry VIII power, because clause 111(2) allows the regulations to amend or repeal any provision of Schedule 11. According to the memorandum, the power would be used “if the Secretary of State considers that the exemption is necessary for safeguarding the interests of data subjects or the rights and freedoms of others”; but clause 111 itself contains no such limitation on the circumstances in which the power could be used.
33. The memorandum gives the following justification for these powers:
“The Bill exercises these derogations to reflect current public policy, but this is subject to change over time. Flexibility is required, including after the UK leaves the EU when the regulation-making power in section 2(2) of the European Communities Act 1972 will no longer be available, to enable the UK to make full use of the permissible derogations, including by adapting (and, if necessary, amending existing provision in clause 14 and Schedules 2 to 4) or extending these derogations in the light of changing public policy requirements.”
34. We regard this as an insufficient and unconvincing explanation for such an important power. As we have observed in several reports, it is not good enough for Government to say that they need “flexibility” to pass laws by secondary instead of primary legislation without explaining in detail why this is necessary—particularly in the case of widely-drawn Henry VIII powers. While we recognise that the affirmative procedure would apply to regulations under clauses 15 and 111, this is not an adequate substitute for a Bill allowing Parliament fully to scrutinise proposed new exemptions to data obligations and rights.
35. We consider that the delegations of power in clauses 15 and 111 are inappropriately wide, and recommend their removal from the Bill.
36. However, as with clause 9, it may be appropriate for Ministers to have a more focused power enabling them to update specific paragraphs in Schedules 2, 3, 4 and 11 as a result of changes to other legislation (for example, the reference to the NHS Redress Act 2006 in paragraph 8 of Schedule 2). Again, the Government may wish to consider which particular provisions in these four Schedules might need to be changed if this approach were to be adopted.
13 See Articles 6(3), 23(1), 85(2) and 89(2) and (3) of the GDPR.
14 Para 2 of Sch 2.
15 Para 4 of Sch 2.
16 Para 45.
17 Section 2(2) of the European Communities Act 1972 would allow Ministers to make regulations providing for further derogations from the GDPR; but that power will disappear as from exit day: see section 1 of the EU (Withdrawal) Bill.
18 Para 46.
19 See in particular Delegated Powers and Regulatory Reform Committee, Special Report: Quality of Delegated Powers Memoranda (7th Report, Session 2014–15, ), Appendix 4, paras 29 and 35.