April 3, 2023
In August 2018 the Open Rights Group, a digital rights organisation that seeks to promote and uphold privacy and data protection rights, and the3million, a grassroots organisation of EU citizens resident in the UK, brought a judicial review claim against the Government seeking a declaration that the “Immigration Exemption” under Paragraph 4 of Schedule 2 to the Data Protection Act 2018, which disapplies some data protection rights and obligations where their application would be likely to prejudice immigration control, was unlawful. They argued that the Immigration Exemption was incompatible with the General Data Protection Regulation (206/679/EU) and/or with the Charter of Fundamental Rights of the EU.
In May 2021, allowing the claimants’ appeal, the Court of Appeal found that the Immigration Exemption was indeed unlawful because there existed no “legislative” measure that contained specific provisions in accordance with the mandatory requirements of Article 23(2) of the UK GDPR. It also held that in the absence of such a measure, the exemption was an unauthorised derogation from the fundamental rights conferred by the UK GDPR and was therefore incompatible with that Regulation. Following a remedies hearing, the Government was directed to amend the exemption and given until 31 January 2022 to put in place compliant legislation.
Under Article 23(2) of the UK GDPR, when the Secretary of State exercises his/her powers to restrict the scope of certain rights and obligations pursuant to Article 23(1), he/she must ensure that there are specific provisions as to:
- the purposes of the processing or categories of processing;
- the categories of personal data;
- the scope of the restrictions introduced;
- the safeguards to prevent abuse or unlawful access or transfer;
- the specification of the controller or categories of controllers;
- the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
- the risks to the rights and freedoms of data subjects; and
- the right of data subjects to be informed about the restriction unless that may be prejudicial to the purpose of the restriction.
Further, according to case law, a measure restricting rights under Article 23(2) must satisfy the following tests:
- be made by way of legislation;
- be clear and precise;
- be legally binding under domestic law;
- be accessible and foreseeable; and
- provide substantive and procedural conditions (including safeguards) in respect of the relevant processing.
The Government consulted with the claimants and the ICO on an amended version of the exemption. Both the claimants and the ICO told the Government that the proposed amendments failed to address the unlawfulness found by the Court of Appeal and still did not achieve compliance with the mandatory requirements of Article 23(2). However, the Government went ahead with the amendments, which came into force on 31 January 2022 in the form of an amendment to the 2018 Act pursuant to the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022.
The amended exemption introduced various qualifications to the original version to:
- limit the scope of the exemption to personal data processed “by the Secretary of State” and only if she “has an immigration exemption policy document in place” (the IEPD);
- introduce the IEPD, which must be kept under review, updated as appropriate, and published (along with any updates) “in such manner as the Secretary of State considers appropriate”; the IEPD must explain the Secretary of State’s “policies and processes” for:
- determining the extent to which the application of any GDPR provisions affected by the exemption “would be likely to prejudice” the immigration purposes identified in the 2018 Act (the “Immigration Purposes”); and
- where the exemption is applied, preventing the abuse of the relevant personal data and any access to, or transfer of, it otherwise than in accordance with the UK GDPR;
- oblige the Secretary of State, when applying the exemption, to make a case-by-case assessment of the extent to which the relevant UK GDPR provisions liable to be exempted “would be likely to prejudice” the Immigration Purposes; in doing so, she must “have regard” to the IEPD; and
- oblige the Secretary of State, where she has determined that the application of any relevant provision of the UK GDPR “would be likely to prejudice any of the [Immigration Purposes]”, to:
- “keep a record of that determination and the reasons for it”; and
- “inform the data subject of that determination” unless that would prejudice any of the Immigration Purposes.
The claimants applied for judicial review of the Government’s second attempt to remedy the faults in the exemption, arguing that:
- it still did not meet the requirement of being a “legislative measure” necessary for compliance with Article 23 of the UK GDPR; and/or
- it still did not comply with the mandatory requirements listed in Article 23(2) of the UK GDPR because it omitted necessary substantive and procedural safeguards.
In essence, the claimants argued that the Government had effectively “outsourced” to the IEPD the safeguards required by Article 23(2) and the guidance in the case law. Therefore, the amended exemption failed to ensure that the exemption constituted a “legislative measure”.
Mr Justice Saini noted that, clearly, the IEPD was not a legislative measure. He said that the issues that flowed from the IEPD’s limited status, and thereby the claimed limitations of the amendments under challenge, had to be analysed through the lens of the specific provisions of Articles 23(2).
Saini J rejected several of the claimants’ arguments, but he accepted their general challenge that the exemption did not meet the requirements of necessity and proportionality because the exemption did not set out any minimum requirement regarding the “extent” of prejudice that would trigger the disapplication of relevant fundamental rights, to be measured through a balancing test between an individual’s rights and claimed prejudice to the purposes. The claimants said that even where the identified prejudice was negligible, the exemption could still apply, thereby failing the requirements of necessity and proportionality. Saini J said that there was nothing in the legislation to direct the decision-maker to undertake a balancing test. The IEPD expressly referred to the need to consider proportionality and whether the rights of the individual overrode the prejudice to immigration control, but contracting the requirement out to the IEPD rather than putting it in the legislation was not lawful.
Saini J also accepted the claimants’ argument that the amended exemption did not meet the requirements under Article 23(2)(d) on safeguards to prevent abuse or unlawful access or transfer because, again, these were not on the face of the legislation or in a binding code, but in the IEPD. Therefore, the amendments were unlawful.
Saini J also accepted the claimants argument that the amendments made no provision as to the risks to the rights and freedoms of the data subject, as required by Article 23(2)(g). Saini J found that there was, in fact, no provision at all on this in the amendments. In fact, its relevance was denied in the accompanying Explanatory Memorandum.
Saini J concluded that both the claimants’ grounds of appeal succeeded. He said that the overriding matter that the Government had to address was the use of a policy to set out the safeguards and tests to be applied in using the exemption. The cure was straightforward: the measures to satisfy the relevant provisions of Article 23(2) must be set out in either legislation, or a code endorsed by Parliament, with binding legal effect in domestic law. An obligation merely to “have regard to” a code or policy would not do, Saini J said. That was the price under the UK GDPR regime for using the derogation.
Accordingly, Saini J said that he would make declaratory orders that the exemption was unlawful. As agreed by the parties, he suspended such orders for a short period to allow the Government to put in place compliant legislation. (R v Secretary of State for the Home Department  EWHC 713 (Admin) (29 March 2023) — to read the judgment in full, click here).