Out-Law Analysis

Business can benefit from changing UK approach to data protection exemptions


Businesses seeking to train artificial intelligence (AI) systems are among those that could benefit from proposed changes to UK law relating to data protection exemptions.

While UK data protection law allows the UK government to restrict the rights data subjects enjoy in certain contexts, there are significant limitations on its powers to do so. However, that looks set to change under provisions contained in the Retained EU Law (Reform and Revocation) Bill (the REUL Bill) and the Data Protection and Digital Information (DPDI) (No. 2) Bill – both of which are currently before the UK parliament.

If the reforms pass as currently drafted, there will be an opportunity for the UK government to reduce some compliance burdens on businesses and make it easier for them to innovate, but its challenge will be to achieve that without interfering so disproportionately with the rights data subjects enjoy that it puts at risk the UK’s ‘adequacy’ designation – a vital endorsement of the UK’s data protection regime by the European Commission that promotes data flows between the EU and UK and sustains cross-border trade.

What are the data protection exemptions?

The UK General Data Protection Regulation (GDPR) sets out rules and obligations organisations must comply with when processing personal data. The UK GDPR also provides data subjects with a series of rights that they can exercise against organisations that process their data.

A series of carve-outs from the general rules and obligations that apply are contained in schedules to the UK Data Protection Act (DPA) 2018. This article focuses on exemptions provided for in Schedule 1 and Schedule 2 of the DPA.

Schedule 1 of the DPA provides details on when exemptions in Article 9 of the UK GDPR, permitting the processing of ‘special category’ data, such as data about a person’s health, religious beliefs or race, and exemptions under Article 10 of the UK GDPR on the processing of criminal convictions data, can be exercised.

Schedule 2 of the DPA concerns exemptions made by the Secretary of State using powers under Article 23 GDPR. 

Article 23 of the UK GDPR, read in conjunction with the DPA, provides the Secretary of State with qualified powers to make regulations to restrict data subject rights – which include the right of access to data, the right to erasure, the right to object, and the right to be informed about how data is being processed – in certain contexts. The specific rights restricted vary by exemption, but Article 23 requires exemptions to be for specific purposes, including “important objectives of general public interest”, and requires that they respect “the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard”. 

An example of the exemptions listed under Schedule 2 of the DPA is the immigration exemption, which applies to data processed by the Secretary of State for certain purposes related to immigration control. Schedule 2 also contains exemptions for information subject to legal professional privilege, for certain types of confidential information, and for information about other data subjects.

The UK has twice used the Article 23 powers to make restrictions on data protection rights in the context of immigration control. Initially, parliament used the powers under Article 23 of the EU GDPR to set out restrictions in the DPA. However, the courts have twice ruled the immigration exemption to be unlawful. The Court of Appeal found the initial immigration exemption to be unlawful following a challenge brought by campaign groups The3Million and the Open Rights Group. The government then used its powers to amend Schedule 2 via secondary legislation before the High Court found that the amended immigration exemption was also unlawful, following a further judicial review challenge brought by the same campaign groups.

The exemptions and supremacy of law

At the moment, UK law provides for retained direct EU legislation like the UK GDPR to take precedence over other domestic legislation. This is relevant in the context of the data protection exemptions under Schedule 1 and Schedule 2 of the DPA because the government’s scope to draft exemptions under either schedule is governed by the provisions of the UK GDPR. This precedence is established under section 5 of the European Union (Withdrawal) Act 2018 and reinforced by provisions in the DPA.

It is also relevant because provisions contained in the REUL Bill would, if enacted as drafted, remove the supremacy of retained EU law over domestic UK legislation. Nothing in the government’s move to amend the ‘sunsetting’ provisions in the REUL Bill would alter that position. This would mean that future amendments to the DPA, including any changes introduced by the DPDI (No.2) Bill, would by default assume primacy over the provisions in the UK GDPR, notwithstanding the potential for specific legislation to be drawn up by the government to make express provision to adapt that default rule.

Section 186 of the DPA contains an additional protection for data subjects’ rights, although it is secondary to Article 23 and other UK GDPR provisions, which take precedence. It provides that an “enactment” or rule of law prohibiting or restricting the disclosure of information, or authorising the withholding of information, generally does not restrict the data subject rights set out in the UK GDPR. However, there is a carve-out for certain provisions, including the exemptions under Schedule 2. An ‘enactment’ can be comprised in subordinate legislation, so would cover the scenario where secondary legislation is made under the DPA.

Upcoming potential changes

Under the REUL Bill, Article 23 and Articles 9 and 10 of the UK GDPR will no longer take precedence.

The DPDI (No.2) Bill also provides a broader carve-out to the protection for data subject rights under section 186 of the DPA, extending it to any enactment making express provision to the contrary referring to section 186. 

The DPDI (No.2) Bill also provides for a new section 183A of the DPA, which includes a more general provision that a relevant enactment or rule of law on processing personal data does not override the UK GDPR and DPA – unless it makes express provision to the contrary.

If the REUL Bill passes in its current form, the government would be free to use its powers to create or amend exemptions outside the bounds of Article 23 UK GDPR. The new provisions under section 186 and section 183A DPA 2018 do little to limit those powers.

However, the government is likely to be mindful of the importance of not exercising these powers in a way that threatens UK ‘adequacy’.

The proposed legislative changes could also make it more difficult to raise legal challenges against exemptions in future, like the one brought by The3Million and Open Rights Group in relation to the immigration exemption. Challenges raised under the Human Rights Act would remain a possibility.

Supremacy, and AI

When it consulted on data protection law reform in September 2021, the government sought views on a potential amendment to Schedule 1 that would introduce a new condition to enable the processing of special category and criminal convictions data for the purpose of monitoring and correcting bias in AI systems. It confirmed its intention to proceed with that change via secondary legislation in its consultation response.

This could be a welcome change for businesses wishing to harness the power of generative AI. 

At the moment, businesses may find an appropriate lawful ground for processing personal data for the purpose of monitoring and correcting bias in AI systems under Article 6 of the UK GDPR, such as legitimate interests. Finding an exemption under Article 9(2), for processing special category data, can be more challenging. In addition, some activities to mitigate bias may not fit neatly into the existing exemption for identifying or reviewing equality of opportunity or treatment, and some research activities requiring the use of health data may not fit into the exemptions for scientific research or health and social care.

If the REUL Bill and DPDI (No.2) Bill were enacted as drafted, Article 9 of the UK GDPR would not take precedence over the new exemption, potentially giving the government more flexibility. Safeguards would still be needed to govern processing, but the government has recognised the importance of maintaining adequacy and protecting data subjects’ rights, and it stated in its consultation response that the new condition “will be subject to appropriate safeguards, such as limitations on re-use and the implementation of security- and privacy-preserving measures when processing for this purpose”.

Delivering this change in the UK would ensure businesses operating in the UK do not face greater challenges in this area than those in the EU. The proposed new AI Act envisages allowing use of special category data to ensure bias monitoring, detection, and correction in relation to high-risk AI systems, subject to appropriate safeguards – albeit MEPs are seeking to limit this activity to ‘exceptional’ cases.
