On 31 January 2022, the House of Lords is scheduled to debate the following motion:
Lord Paddick (Liberal Democrat) to move that this House takes note of (1) the Data Protection Act 2018 (Amendment of Schedule 2 Exemption) Regulations 2022 and the safeguards to protect individual data subject rights, and (2) the Court of Appeal judgment in Open Rights Group and another v the Secretary of State for the Home Department.
Data protection, the immigration exemption and court judgment
Under the UK’s data protection regime, individuals have certain rights to obtain a copy of their personal data. This is known as “right of access”, or “subject access”. However, these rights may be suspended for certain purposes. For example, schedule 2 to the Data Protection Act 2018 allows for certain data rights, including subject access requests, to be suspended where these would otherwise be prejudicial to either “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of effective immigration control”. This has become known as the “immigration exemption”. Meanwhile the General Data Protection Regulation (GDPR), retained in UK domestic law since the end of the transition period as the UK GDPR, stipulates that a legislative provision restricting data rights for security or other public interest reasons must contain specific details where relevant.
On 26 May 2021, the Court of Appeal ruled in Open Rights Group and another v the Secretary of State for the Home Department ( EWCA Civ 800) that the current wording of the immigration exemption in the Data Protection Act 2018 was unlawful because it did not fully comply with the requirements of the UK GDPR. The judgment said:
There presently exists no legislative measure that contains specific provisions in accordance with the mandatory requirements of Article 23(2) of the GDPR. In the absence of any such measure, the immigration exemption is an unauthorised derogation from the fundamental rights conferred by the GDPR, and therefore incompatible with the regulation. For that reason, it is unlawful.
Following a remedy hearing held on 8 October 2021, the court ordered (see  EWCA Civ 1573) that the immigration exemption was incompatible with retained EU law because it did not “satisfy the requirements of Article 23(2) of the UK GDPR”. However, the court’s order was suspended until 31 January 2022 “in order to provide a reasonable time for the Data Protection Act 2018 to be amended so as to remedy the incompatibility”.
Data protection regulations and parliamentary scrutiny
In response to the Court of Appeal’s order, the Government laid the draft Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 before both Houses of Parliament on 10 December 2021. The regulations will come into force on 31 January 2022 after now having been approved by both Houses.
In an explanatory note appended to the regulations themselves, the Home Office explained that the instrument would amend the immigration exemption “to make clear that it may be relied on only by the secretary of state and only if the secretary of state has in place an immigration exemption policy document”. Regarding this document, it further noted:
An ‘immigration exemption policy document’ [IEPD] is a document which explains the secretary of state’s polices and processes for determining whether, and the extent to which, the immigration exemption applies in any particular case, and for ensuring that any personal data covered by the exemption is not abused or accessed or transferred in a manner contrary to the UK GDPR.
The explanatory memorandum (EM) published alongside the regulations added that the instrument would require the secretary of state to “have regard to their IEPD when applying the exemption”. The Home Office published a draft IEDP and an equalities impact assessment alongside the EM.
In a report published on 13 January 2022, the House of Lords Secondary Legislation Scrutiny Committee noted the regulations as an instrument of interest. The report noted the matter would return to the Court of Appeal on 31 January 2022. The Joint Committee on Statutory Instruments did not report the instrument.
The House of Commons debated the regulations in a delegated legislation committee meeting held on 18 January 2022. Kevin Foster, Parliamentary Under Secretary of State at the Home Office, argued the regulations introduced additional data protection safeguards as required by the Court of Appeal judgment. He added that the Government had “consulted with the parties to the litigation and with the Information Commissioner’s Office [ICO]” as part of the process of preparing the draft regulations.
Shadow Home Office Minister Naz Shah said the Labour Party supported the proposed regulations but cautioned that it “should not require public campaigners to go to court to bring the Government into line”. However, Mhairi Black, speaking on behalf of the Scottish National Party, said her party would oppose the measure. Ms Black alleged that the proposed regulations did not remedy the “unlawful conduct identified by the court” because the UK GDPR made clear that “a legislative measure should be clear and precise, and its applications must be foreseeable to persons subject to it”. She contended the regulations did not meet this requirement as the instrument deferred to guidance over which Parliament would have no oversight. She said:
The basic problem is that the Court of Appeal decided that article 23(2) of UK GDPR required additional safeguards. The SI [statutory instrument] does not provide that, and it does nothing to provide any clarity about or expansion of the existing safeguards.
Lord Justice Warby expressed his provisional view that such safeguards should be “part and parcel” of the legislation, but instead the draft SI refers to guidance that is removed from the legislation. First, the SI cannot be considered “part and parcel”, and secondly, such guidance has no force in law and can be changed with ease and without scrutiny. Thirdly, the guidance has not been approved by Parliament. It does not have the status of a code of practice that is approved by Parliament.
Mr Foster replied that the Government believed the regulations represented a “positive step forward that will resolve the core concerns”. The House of Commons formally approved the regulations the following day.
The House of Lords considered the regulations in Grand Committee on 19 January 2022. Baroness Williams of Trafford, Minister of State at the Home Office, repeated that the IEPD would explain “how the immigration exemption must be operationally applied and the circumstances in which data rights might be exempted”. She invited the committee to support the measure.
However, Baroness Hamwee, Lord Paddick and Lord Clement-Jones, the Liberal Democrat spokespersons for immigration, home affairs and digital respectively, expressed their concerns about the draft regulations. In line with Ms Black’s criticism of the measure in the House of Commons, they noted the IEDP was not legislation and as such was not “foreseeable” as required by the UK GDPR because it could be amended at any time in whole or in part without parliamentary scrutiny.
Speaking for the Labour Party, Lord Ponsonby of Shulbrede said the Opposition would support the regulations. However, he expressed the concerns of the campaign groups the Open Rights Group and the3million, who were both claimants in the Court of Appeal case, that the draft regulations did not meet the requirements of the judgment. He cited a briefing from both groups, which stated:
The basic problem is simple to identify. The Court of Appeal decided that Article 23(2) of the UK GDPR required additional safeguards. The draft regulations do not contain those safeguards.
At paragraphs 53 and 54 of the first judgment, Lord Justice Warby expresses his provisional view that the legislative measure in question should be ‘part and parcel’ of the legislation that creates the derogation. The proposed regulations do nothing to expand the safeguards applying to the existing exemption; it retains its imprecise and unclear wording. No changes have been made to adopt the above observations of the court.
The draft legislation instead makes reference to guidance (draft immigration exemption policy document) that is removed from the legislation, and which cannot be said to be ‘part and parcel’ of the legislation. Such guidance has no force in law and can be changed with ease and no scrutiny. Nor has the guidance been approved by Parliament. It does not have, for example, the status of a code of practice that is approved by Parliament. This undermines the principles set out for legislative measures to be clear, precise and foreseeable.
Lord Ponsonby repeated that his party would “support these regulations as far as they go”. However, he added: “I suspect the story will be ongoing and I am interested to hear the minister’s response”.
Baroness Williams replied that it would be for the Open Rights Group and the3million to pursue further legal action if they thought the regulations did not comply with the court’s judgment. In the meantime, she added that in developing the IEDP the Government had “sought to make it easier to change our policy to address future concerns and to be seen as being as open and transparent as we can be”. In conclusion, she said the Home Office was “satisfied” that both the judgment and the requirements of the UK GDPR had been “complied with in full”.
- Information Commissioner’s Office, ‘Immigration exemption’, accessed 26 January 2022
Cover image by StevovoB from Pixabay.