Skip to Main Content

Find Case LawBeta

Judgments and decisions from 2001 onwards

Open Rights Group & Anor, R (On the Application Of) v Secretary of State for the Home Department & Anor

[2019] EWHC 2562 (Admin)

Neutral Citation Number: [2019] EWHC 2562 (Admin)Case No: CO/3386/2018
IN THE HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION
ADMINISTRATIVE COURT

Royal Courts of JusticeStrand, London, WC2A 2LL

Date: 3 October 2019

Before :

THE HONOURABLE MR JUSTICE SUPPERSTONE

- - - - - - - - - - - - - - - - - - - - -

Between :

THE QUEEN

on the application of

(1) OPEN RIGHTS GROUP

(2) THE3MILLION

Claimants

- and -

(1) SECRETARY OF STATE FOR

THE HOME DEPARTMENT

(2) SECRETARY OF STATE FOR DIGITAL,

CULTURE, MEDIA AND SPORT

Defendants

- and -

(1) LIBERTY

(2) THE INFORMATION COMMISSIONER

Interveners

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Ben Jaffey QC and Julianne Kerr Morrison (instructed by Leigh Day) for the Claimants

Sir James Eadie QC and Holly Stout (instructed by GLD) for the Defendants

Hugh Tomlinson QC and Aidan Wills (instructed by Liberty) for the 1st Intervener

Christopher Knight (instructed by Information Commissioner) for the 2nd Intervener

Hearing dates: 23 and 24 July 2019

Approved Judgment

Mr Justice Supperstone :

Introduction

1.

The Claimants challenge the lawfulness of the immigration exemption in paragraph 4,

Schedule 2, of the Data Protection Act 2018 (“DPA 2018”), which was brought into force on 25 May 2018 (“the Immigration Exemption”).

2.

The Immigration Exemption applies to the data protection rights in the General Data Protection Regulation 2016/679 (“the GDPR”).

3.

By a claim form filed on 24 August 2018 the Claimants seek to challenge the introduction of the Immigration Exemption on two grounds: first, that the immigration exemption is (i) contrary to Article 23 of the GDPR, and (ii) incompatible with the rights guaranteed by Articles 7 (privacy) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union (“the Charter”); and second, it is discriminatory, contrary to Article 21 of the Charter.

4.

The Open Rights Group is a UK-based digital campaigning organisation working to protect the rights to privacy and free speech online. The3million is an organisation of EU citizens in the UK that campaigns for EU citizens who have made their home in the UK to be able to continue their life here after Brexit. EU citizens will be required to apply for settled status should they wish to continue living in the UK after Brexit. A particular concern is that, as acknowledged by the Chief Inspector of Borders and Immigration, there is a 10% error rate in immigration status checks.

5.

The Information Commissioner (“the Commissioner”) is the independent statutory regulator under the DPA 2018, and the supervisory authority for the UK under the GDPR.

6.

On 21 January 2019 Ouseley J granted permission.

7.

During the course of his oral submissions Mr Ben Jaffey QC, for the Claimants, accepted that the second ground of challenge adds nothing to the first ground. It is therefore only necessary to consider the first ground.

The Legal Framework

The Charter of Fundamental Rights of the European Union (“the Charter”)

8.

Article 7 of the Charter provides that:

“Everyone has the right to respect for his or her private and family life, home and communications.”

9.

Article 8 of the Charter provides that:

“1.

Everyone has the right to the protection of personal data concerning him or her.

2.

Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.” 10.Article 52, so far as is relevant, provides:

“1.

Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

3.

In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.”

The General Data Protection Regulation 2016/679 (the “GDPR”)

11.

The GDPR, which was made pursuant to Article 16 of the Treaty on the Functioning of the European Union (“TFEU”), is binding in its entirety and directly applicable in all member states by virtue of Article 288 TFEU.

12.

By Article 2(1) the GDPR “applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.

13.

By Article 2(2)(d) the GDPR does not apply to the processing of personal data “by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security”. Cross-border law enforcement processing which is within the competence of the EU is subject to a different regime under the Law Enforcement Directive 2016/680 (“the LED”).

14.

Chapter III of the GDPR which is headed “Rights of the data subject” includes the following rights set out in Articles 12-22:

Article 12 (Transparent information, communication and modalities for the

exercise of the rights of the data subject)

Article 13 (Information to be provided where personal data are collected from the data subject)

Article 14 (Information to be provided where personal data have not been obtained from the data subject)

Article 15 (Right of access by the data subject)

Article 16 (Right to rectification)

Article 17 (Right to erasure (“right to be forgotten”))

Article 18 (Right to restriction of processing)

Article 19 (Notification obligation regarding rectification or erasure of personal data or restriction of processing)

Article 20 (Right to data portability)

Article 21 (Right to object)

Article 22 (Automated individual decision making, including profiling).

15.

Article 23 is headed “Restrictions” and makes provision for the circumstances in which Member States may enact restrictions on the rights in Articles 12-22. It provides:

“1.

Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a)

national security;

(b)

defence;

(c)

public security;

(d)

the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e)

other important objectives of general public interest of the Union or of a Member State, in particular on important economic or financial interest of the Union or a Member State, including monetary, budgetary and taxation matters, public health and social security;

(f)

the protection of judicial independence and judicial proceedings;

(g)

the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h)

a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i)

the protection of the data subject or the rights and freedoms of others;

(j)

the enforcement of civil law claims.

(2)

In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least where relevant as to:

(a)

the purposes of the processing or categories of processing;

(b)

the categories of personal data;

(c)

the scope of the restrictions introduced;

(d)

the safeguards to prevent abuse or unlawful access or

transfer;

(e)

the specification of the controller or categories of controllers;

(f)

the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g)

the risks to the rights and freedoms of data subjects; and

(h)

the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.”

The Data Protection Act 2018 (“DPA 2018”)

16.

Section 15 of the DPA refers to Schedules 2, 3 and 4 of the DPA which make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR. Part 1 of Schedule 2 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 (requirement to communicate to the data subject where there has been a personal data breach) of the GDPR in specified circumstances, as allowed for by Article 6(3) and Article 23(1) of the GDPR.

17.

The Immigration Exemption is included in paragraph 4 of Part 1 of Schedule 2. It is a new exemption, which was not contained in the previous legislation. It provides:

“(1)

The GDPR provisions listed in sub-paragraph (2) do not apply to personal data processed for any of the following purposes—

(a)

the maintenance of effective immigration control, or

(b)

the investigation or detection of activities that would undermine the maintenance of effective immigration control,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).

(2)

The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

(a)

Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)

Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers); (d) Article 17(1) and (2) (right to erasure);

(e)

Article 18(1) (restriction of processing);

(f)

Article 21(1) (objections to processing);

(g)

Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).

(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)

(3)

Sub-paragraph (4) applies where— (a) personal data is processed by a person (‘Controller 1’), and

(b)

another person (‘Controller 2’) obtains the data from Controller 1 for any of the purposes mentioned in subparagraph (1)(a) and (b) and processes it for any of those purposes.

(4)

Controller 1 is exempt from the obligations in the following provisions of the GDPR—

(a)

Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(b)

Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(c)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and

(d)

Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),

to the same extent that Controller 2 is exempt from those obligations by virtue of sub-paragraph (1).”

Factual Background

18.

Ms Alison Samedi, the senior civil servant responsible for data protection policy within the Border Immigration and Citizenship System (BICS) Policy and International Group of the Home Office, explains in her first witness statement (“her witness statement”) that DPA 2018 repealed and replaced the Data Protection Act 1998 (“DPA 1998”) as the primary piece of domestic data protection legislation in the UK. DPA 1998, and the previous domestic data protection legislation (the Data Protection Act 1984), included no equivalent to the Immigration Exemption. Where an exemption was required in an immigration context, reliance was placed on the crime exemption contained latterly in s.29 of DPA 1998.

19.

Further, Ms Samedi explains at paragraphs 14-22 of her witness statement why it was considered necessary to create a specific Immigration Exemption in DPA 2018. She states (at para 21): “The Government believes that the UK’s approach is the most proportionate and effective way to keep the country safe and maintain immigration control, without unnecessarily criminalising those who commit immigration offences. This also means that data subjects in this context enjoy the protections of the GDPR regime rather than being treated as solely subject to the LED”.

20.

Ms Samedi gives examples (at paras 62-65) of “the sorts of situations” in which it was always envisaged the Immigration Exemption may apply:

“(a)

Information might be withheld in response to a subject access request under Article 15 (or the data subject information provisions in Articles 13 and 14 not complied with) where full compliance with those Articles would result in the data subject being ‘tipped off’ about potential immigration investigation or enforcement action (such as an intention to arrest and detain for removal). This might happen where information is received from a member of the public or a local authority about a suspected overstayer, or where the information is already held by the Home Office. If the Home Office were required to notify the individual that this information had been received (or reveal it in response to a subject access request), that may lead to the individual absconding before the Home Office has an opportunity to pursue enquiries or, if appropriate, effect administrative removal. For the same reasons, in those circumstances it is evidently necessary for the third party from whom the information has been obtained or received also to be able to rely on the Exemption.

(b)

In relation to the work that the Home Office does in profiling individual’s data in order to identify patterns of travel that may indicate someone abusing their rights. This involves the processing of data from both legitimate and illegitimate travellers. If someone could stop that processing by restricting it (Article 18) or objecting to it (Article 21), there may be prejudice to the maintenance of effective immigration control. I should add that the Home Office does not make adverse decisions (such as a decision not to allow a border crossing) based solely on automated decision making.

(c)

Likewise, data profiling is undertaken to identify patterns that might indicate that a marriage on the basis of which someone is seeking to establish a right to remain in the UK is a sham. Again, if someone could stop that processing by restricting it or objecting to it, there may be prejudice to the maintenance of effective immigration control.

(d)

Further, the right to erasure (Article 17) could, if complied with, in principle be used to wipe an individual’s immigration history and thus prevent the Home Office from considering an individual’s case on a proper basis.”

21.

At paragraph 63 of her witness statement Ms Samedi gives by way of illustration of how the Immigration Exemption has been applied in practice a number of “real-life examples from Home Office records”. At paragraph 64 she gives examples of other situations in which it is envisaged that the Immigration Exemption might be applied. At paragraph 65 she states: “The Exemption may also be used by third parties outside of Government, if the data controller judges that to comply with the data subject right request would be likely to prejudice the maintenance of effective immigration control. This could include, for example, a local authority which has liaised with the Home Office for safeguarding purposes ahead of an enforcement operation, a third-party supplier delivering frontline services for the Home Office, or an airline operating a removal flight”.

22.

In her second witness statement Ms Samedi states (at para 6) that in the first year of operation of DPA 2018 the Home Office received 27,984 new subject access requests relating to the border and immigration system (and not including cases handled by Her Majesty’s Passport Office or relating to other aspects of Home Office business). Of those 27,984, a total of 18,332 were progressed for response by a caseworker and in 10,823 responses the Immigration Exemption was relied on (para 7). That is in about 59% of responses. Ms Samedi states (at para 8) that in the vast majority of those 10,823 cases “[her] understanding is that the Exemption has been used to prevent disclosure of only small elements of the overall case file, not the whole set of information. An individual decision has to be taken in each case as to what must be released and what it is necessary, appropriate and proportionate to redact in reliance on the Immigration Exemption and in line with the internal staff guidance…”.

The Parties’ Submissions and Discussion

The parties’ submissions in outline

23.

Mr Jaffey submits that the Immigration Exemption is contrary to Article 23 of the GDPR and incompatible with the rights guaranteed by Articles 7 and 8 of the Charter for, in summary, three reasons. First, the Immigration Exemption is open-ended and vague, as well as available to any data controller, whether a governmental authority or not. The term “effective immigration control”, which is not defined, was selected specifically as a “wrap-around” term so that the provision would not need to be amended or updated. Paragraph 4(1)(b) of the Immigration Exemption is particularly wide. There are also no other safeguards built-in to the Immigration Exemption as enacted in DPA 2018 to prevent or reduce the risk of abuse. There is a need for strong safeguards, Mr Jaffey submits, particularly so in an age of developing technology (see Lord Sumption in R (Catt) v Association of Chief Police Officers of

England, Wales and Northern Ireland [2015] AC 1065 at para 2; and GDPR recital

(6)).

24.

Second, instead of being in a position to justify and evidence the strict necessity of the Immigration Exemption, the Secretary of State for the Home Department has only sought to point to the “sorts of situations” in which it may apply. No evidence has been put forward demonstrating why it was strictly necessary to introduce the Immigration Exemption alongside other exemptions included in DPA 2018 that were also available under DPA 1998. Third, the Immigration Exemption as enacted (and as interpreted by the Defendants in their pre-action response and the original version of the draft internal guidance) provides a blanket exemption from fundamental data protection rights (GDPR Art.1(2) and recital (1)). It does not require expressly that controllers be able to demonstrate that non-compliance with fundamental rights is strictly necessary and proportionate taking into account the rights and interests of the individual on the facts of the particular case (as required by GDPR, Arts.6(1)(e) and 9(2)(g)).

25.

Mr Hugh Tomlinson QC, for Liberty, supports the Claimants’ contention that the interferences with privacy and data protection rights arising from the application of the Immigration Exemption are not in accordance with the law. Specifically, he submits, these interferences are not “foreseeable” because there are insufficient safeguards to constrain the exercise of a very broad discretion. This means that there

is a clear risk of arbitrary and disproportionate interferences with privacy and data protection rights.

26.

Mr Christopher Knight, for the Commissioner, agrees with Sir James Eadie QC, for the Defendants, that the Immigration Exemption is in accordance with the law. However, he submits that without accompanying statutory guidance to provide safeguards as to the meaning and application of the Immigration Exemption, the exemption will not be a proportionate implementation of Article 23(1) of the GDPR.

27.

Sir James notes that the claim has from the outset been concerned only with the lawfulness of the Immigration Exemption in the abstract. He observes that it is not part of the Claimants’ claim that the Immigration Exemption is being used in practice in a way that systematically abuses the rights of individuals. Indeed, there is no evidence that the Immigration Exemption has been misused in practice.

28.

In summary, Sir James submits that the Immigration Exemption is lawful for two reasons. First, it falls comfortably within the scope of what is permitted by Article 23 of the GDPR. In particular, it clearly and precisely prescribes the purposes for which the affected data protection rights may be denied and the scope of the restrictions placed on those rights. Moreover, it is subject to the same well-established safeguards as many other exemptions in DPA 2018 (including the crime and taxation exemption). It can only be applied in specific circumstances and to the specific data processing activities listed when it is proportionate to do so. It is subject to the same requirements as other exemptions in respect of notifying data subjects. Data subjects who consider the Immigration Exemption has been wrongly applied have recourse to the courts and to the Commissioner in the usual way.

29.

Second, the question of whether the Immigration Exemption is compliant with the

Charter (and the European Convention on Human Rights (“ECHR”)) is to be determined by reference to whether the legislation is capable of being operated in a manner that is compatible with Charter/ECHR rights without giving rise to an unjustified interference with Charter/ECHR rights in most cases. That standard is plainly satisfied in this case and there is no serious suggestion by the Claimants (or the Interveners) that it is not. It is common ground that Articles 7 and 8 of the Charter relied on go no further than the rights laid down by the ECHR, and that for all practical purposes the test for infringement of the two sets of rights is the same. Accordingly, the Immigration Exemption is in accordance with the law and it is a proportionate implementation of Article 23(1) of the GDPR.

Discussion

30.

In my view the Immigration Exemption is plainly a matter of “important public interest” and pursues a legitimate aim. I consider it is reasonable for Parliament to have enacted the exemption (applying the appropriate margin of appreciation, see para 19 above for evidence of so doing). It applies only where the purpose of the data processing is the maintenance of effective immigration control, or the investigation or detection of activities that would undermine the maintenance of effective immigration control. I agree with the Defendants that those are terms that are readily understood.

31.

In support of the Claimants’ contention that the Immigration Exemption is not in accordance with the law Mr Jaffey makes three points. First, the case-law (Opinion

1/15 of the European Court of Justice (Grand Chamber) (2018)) 1 CMLR 36 at paras

138-189 and 192) and the terms of Article 23(1) of the GDPR make clear that it is the “legislative measure” itself which must prescribe where it applies and contain the relevant safeguards. Second, the test of strict necessity applies at the stage at which the legislative measure is introduced permitting a derogation, as in the case of Article 23(1) of the GDPR, and on a case by case basis as that derogation is relied upon to deny specific individual’s rights (see Institut professionnel des agents immobiliers v Engelbert [2014] 2 CMLR 9, and Guriev v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB), per Warby J at paras 43 and 45). Third, it is no answer to the claim for the Defendants to argue that the Immigration Exemption must be lawful because it applies in the same way as other exemptions under DPA 2018. The specific need for this exemption must be justified as strictly necessary on its own merits.

32.

I agree with Sir James that the issue is what the law requires where, as is the case with the exemptions in Schedule 2 (including the Immigration Exemption), the legislation does not itself create or require interference with the data rights of individuals, but instead makes abstract provision for an exemption which may be relied upon by data controllers if they can justify doing so in the circumstances of a particular case.

33.

The applicable principles appear from the approach taken by the Supreme Court in The Christian Institute v The Lord Advocate (Scotland) [2016] UKSC 51. That case concerned the provision for a “named person service” in Part 4 of the Children and Young People (Scotland) Act 2014 (“the Act”), and, so far as relevant to the present case, whether those provisions were compatible with DPA 1998 and Directive 95/46/EC (“the Directive”). The appellant’s challenge to the compulsory appointment of a named person as a breach of the rights of the parents of children under Article 8 ECHR proceeded on both a broad basis and a narrower basis. The broad challenge was that the compulsory appointment of a named person to a child involved a breach of the parent’s Article 8 rights unless the parents have consented to the appointment or the appointment is necessary to protect the child from significant harm. The narrower challenge focussed on the provisions in sections 26 and 27 of the Act for the sharing of information about a child. In the court’s view these challenges raised the following four questions: (i) what are the interests which Article 8 ECHR protects in this context, (ii) whether and in what respects the operation of the Act interferes with the Article 8 rights of parents or of children and young people, (iii) whether the interference is in accordance with the law, and (iv) whether that interference is proportionate, having regard to the legitimate aim pursued.

34.

When considering the third question the Court stated (at para 79):

“In order to be ‘in accordance with the law’ under Article 8(2), the measure must not only have some basis in domestic law – which it has in the provisions of the Act of the Scottish Parliament – but also be accessible to the person concerned and foreseeable as to its effects. These qualitative requirements of accessibility and foreseeability have two elements. First, a rule must be formulated with sufficient precision to enable any individual – if need be with appropriate advice – to regulate his or her conduct… Secondly, it must be sufficiently precise to give legal protection against arbitrariness.”

35.

The Court continued (at para 80):

“Recently in R (T) v Chief Constable of Greater Manchester Police [2015] AC 49 this court has explained that the obligation to give protection against arbitrary interference requires that there must be safeguards which have the effect of enabling the proportionality of the interference to be adequately examined.”

36.

In this case the “logical puzzle” of the legislation at issue gave rise to “very serious difficulties in accessing the relevant legal rules”, and the legislation was therefore “not in accordance with the law” (para 83). The Court said that “Of even greater concern is the lack of safeguards which would enable the proportionality of an interference with Article 8 rights to be adequately examined” (para 84). The Court concluded therefore that the information-sharing provisions of Part 4 of the Act and the statutory guidance as currently drafted did not meet the Article 8 criterion of being “in accordance with the law” (para 85). The limitations which may lawfully be placed on the right to protection of personal data under EU law correspond to those tolerated in relation to Article 8 ECHR (see Christian Institute at para 104; and see Article 52(3) of the Charter at para 10 above).

37.

In the recent decision of the Supreme Court in In Re Gallagher [2019] 2 WLR 509, Lord Sumption explained that the statements in R (T) v Chief Constable of Greater Manchester Police about the need for safeguards against “arbitrary” interference with

Convention rights refer to “safeguards essential to the rule of law because they protect against the abuse of imprecise rules or unfettered discretionary powers” (para 41).

38.

Applying these principles, I consider that the Immigration Exemption satisfies the requirements for a measure to be “in accordance with the law”. It is comprehensible and does not suffer from the lack of clarity or foreseeability that rendered the legislation in the Christian Institute case “not in accordance with the law”.

39.

The Immigration Exemption may only be relied on if and to the extent that compliance with “the listed GDPR provisions” would be likely to prejudice the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective immigration control. The words “would be likely to prejudice”, in the context of DPA 1998, were interpreted to mean “a very significant and weighty chance of prejudice to the particular public interest. The degree of risk must be such that there ‘may very well’ be prejudice to those interests, even if the risk falls far short of being more probable than not” (R (Lord) v Secretary of State for the Home Department [2003] EWHC 2073 (Admin) at para 100, and see Guriev at para 43).

40.

By s.4(2)(b) of DPA 2018, Chapter 2 of Part 2 (General Processing) “supplements, and must be read with, the GDPR”. Thus the complaint that DPA 2018 does not itself expressly specify that the Immigration Exemption can only be relied on where it is proportionate to do so in a particular case does not render it not in accordance with the law. The requirement of proportionality is set out in terms in the GDPR. Further the case law regarding proportionality requirements is well established and can be explained by a legal adviser.

41.

An exemption from the data protection regime can only be applied in any particular case if it is “necessary” to do so. In Guriev Warby J stated (at para 45): “The test of necessity is a strict one, requiring any interference with the subject’s rights to be proportionate to the gravity of the threat to the public interest. The exercise therefore involves a classic proportionality analysis” (see also Lin v Commissioner of Police for the Metropolis [2015] EWHC 2484 (QB), per Green J at para 80).

42.

The “likely to prejudice” test and the requirements of necessity and proportionality provide, in my view, an adequate set of safeguards to protect individual data subject rights. As Lord Sumption stated in Catt (para 11) the rules governing the scope and application of measures, as well as minimum safeguards,

“need not be statutory, provided that they operate within a framework of law and that there are effective means of enforcing them. Their application, including the manner in which any discretion will be exercised, should be reasonably predictable, if necessary with the assistance of expert advice. But except perhaps in the simplest cases, this does not mean that the law has to codify the answers to every possible issue which may arise. It is enough that it lays down principles which are capable of being predictably applied to any situation”.

43.

The GDPR/DPA 2018 regime also provides for enforcement through the Commissioner, the First-tier Tribunal (Information Rights), and the ordinary courts (see, in particular, Articles 77-80 of the GDPR and ss.142-180 of the DPA 2018). These enforcement provisions are part of overall safeguarding which give a legal remedy and judicial protection (see Christian Institute at para 105).

44.

I agree with Sir James that there is no requirement for the state to justify the enactment of the provision by evidence as being “strictly necessary”. The question of whether the exemption is necessary in principle is a matter for the state, in respect of which a margin of appreciation applies. The observations of Lady Hale in South Lanarkshire v Scottish Information Commissioner [2013] UKSC 55 at para 27 do not support the Claimants’ contention that the higher standard of “strict necessity” is the test in a derogation case. Lady Hale was merely indicating that in that case derogation had not been considered. What is required for a derogation depends on the circumstances (see Child Soldiers International v Secretary of State for Defence [2015] EWHC 2183 (Admin) at paras 13-17, 23 and 29, per Kenneth Parker J). In the present case the language of “necessity” is used which, following the Supreme Court in South Lanarkshire (at para 27), means “reasonably” rather than “strictly” necessary.

45.

The authorities on which the Claimants rely in support of the contention that the state must justify the enactment of the provision as being “strictly necessary” are, I agree with Sir James, cases where the legislation itself constituted or required an interference with individual rights (see, for example, Opinion 1/15 at paras 205-207; and Tele2 Sverige AB v Post-Och Telestyrelsen [2017] 2 CMLR 30 at paras 95-97). The Immigration Exemption itself involves no interference with any individual’s rights.

46.

The Commissioner supports the Claimants’ submission that the test applicable to the use of an exemption is one of strict necessity, the context being one of derogation from a right. However, even if, contrary to my view, that is correct, Mr Knight accepts, and I agree, that the evidence satisfies such a requirement.

47.

It is to be noted that the Immigration Exemption does not apply to the right to rectification in Article 16 of the GDPR. It also does not provide exemption from Articles 12, 19, 20, 22 and 34.

48.

The Claimants contend that the right to rectification of incorrect data (Article 16) is a meaningless right in circumstances where the right of access is denied and the use of the exemption may be secret. However, as Ms Samedi explains in her witness statement in most cases the combined effect of DPA 2018 and the GDPR is that an individual must be told when data has been redacted in reliance upon an exemption. Ms Samedi adds (at para 49(h)) that:

“Since Article 12 is not a right to which the Exemption can be applied, it follows that any controller relying on the Exemption in order not to action a request under Articles 15, 17, 18 and 21 is required by Article 12(4) to inform the data subject of the reasons for not taking action (which would normally include informing the data subject that an exemption has been applied). As such, an individual who wishes to complain about the application of an exemption, or who suspects that the application of an exemption may be obscuring the fact that inaccurate data is held about them (a particular concern of the Claimants), may exercise their right to complain to the Commissioner or seek more urgent relief from a Court.”

(See also Ms Samedi’s third witness statement at para 5 where she says: “I recognise that the standard letter does not explicitly refer to the use of an exemption. Consequently, the Home Office will amend this standard response in the future so that if an exemption is relied upon, this is explicitly stated”).

49.

The Claimants further contend that in any event the Immigration Exemption does not comply with the specific requirements of Articles 23(2)(a)-(h).

50.

In the light of the conclusions I have already reached on the applicable principles I can deal with this submission more shortly.

51.

As to Article 23(2)(a)-(c) (purposes/categories of personal data/scope of the restriction), Mr Jaffey submits that it is essential to ensure that a derogation from data protection rights is the subject of clear and precise rules, tailored to the public interest served. The Immigration Exemption is too broad and vague. As I have said, I do not agree. The provisions of the exemption setting out the purposes for which, and categories of data to which, it may be applied are, in my view, clear and appropriately delineated.

52.

As to Article 23(2)(d) (safeguards), the Claimants contend that the Immigration Exemption does not contain any safeguards against abuse or unlawful application.

However, these do not need to be specified in the Immigration Exemption itself, being contained in DPA 2018 and the GDPR. In the Christian Institute case the Court stated that when considering whether there are sufficient safeguards “the court can look not only at formal legislation but also at published official guidance and codes of conduct” (para 81).

53.

As to Article 23(2)(e) (specification of controllers), the Immigration Exemption may be relied upon by any data controller that decides its processing falls within paragraph 4(1). The Claimants’ concern is that affords a potential exemption to many public and private persons, including private landlords who may not be conversant with or concerned about the intricacies of data protection law (see GDPR Article 14 which contains detailed rules as to “Information to be provided where personal data has not been obtained from the data subject”). This concern applies a fortiori, the Claimants say, to paragraphs 4(3)-(4) of the Immigration Exemption which extends its application to controllers that are not even processing data for the purposes of effective immigration control.

54.

In my view there is nothing unlawful about the Immigration Exemption being available to all data controllers processing data for the specified purposes. As the Defendants point out, without paragraphs 4(3)-(4) the Immigration Exemption would be rendered ineffective in cases where data is obtained from third parties (such as a local authority or HM Revenue and Customs) for the purposes of maintaining effective immigration control.

55.

As to Article 23(2)(g) and (h) (risks and notification), the Claimants’ concern in this regard is that the Immigration Exemption may prevent individuals from understanding that inaccurate data is being processed about them, including through the sharing of that information; or they may be deprived of data which they need to challenge unlawful decision making in respect of them. Ms Samedi suggests in her witness statement (at para 49(h)) that information should be given (see para 48 above), but the Claimants, on the evidence available to them, suggest that this is not happening. Again, the Defendants respond, and I agree, that risks and notification do not need to be specified in the Immigration Exemption itself as notification rights are provided for elsewhere in the legislation (see para 52 above).

56.

Finally, I turn to the Commissioner’s submission that without accompanying statutory guidance to provide safeguards as to the meaning and application of the Immigration Exemption, the exemption would not be a proportionate implementation of Article 23(1) of the GDPR. Mr Knight says that supplemented by such guidance, the provision is proportionate.

57.

Mr Knight informs me that the Commissioner is finalising guidance on the Exemption, but it will have “statutory” status only in the sense of being issued by virtue of the Commissioner’s powers under Article 57(1) of the GDPR. It will have no legal status under DPA 2018. I understand also that the Home Office has produced draft internal staff guidance on the Immigration Exemption (see para 22 above). In practice guidance issued by the Commissioner is influential regardless of its legal basis. However, there is no power for the Commissioner to issue “binding” guidance of the sort that the Supreme Court had in mind in the Christian Institute case (at paras 101 and 107). It appears that primary legislation would be required if it were considered necessary for there to be guidance on the Immigration Exemption of the

same status as the codes of practice currently provided for in ss.121-124 of DPA 2018.

58.

In his argument for statutory guidance Mr Knight contends that the context in which the use of the Immigration Exemption will arise necessarily frames the concerns about the necessity and proportionality of its existence and use. He draws attention to two matters in particular in the legal context. First, personal data to which the Immigration Exemption is applied is inherently likely to involve special category data within the meaning of Article 9(1) of the GDPR (i.e. data “revealing racial or ethnic origin”). Such data is identified in the GDPR because it requires a higher measure of protection (Opinion 1/15 at para 141). Second, it is a basic proposition of data protection law that the right of subject access in particular is of great importance as the gateway to being able to exercise the other rights provided to data subjects (see YS v Minister voor Immigratie [2015] 1 WLR 409 at para 44).

59.

Mr Knight identifies four points of a practical nature. First, when controllers do not explain to data subjects that they have relied upon a statutory exemption, nor provide a broad summary of the reasons why, the data subject will be unaware that the exemption has been applied, and unable to challenge it effectively as a result. Second, data subjects will be especially reliant on controllers to apply the exemption with care and only so far as necessary. Although any data subject is entitled to complain to the Commissioner about the application of the exemption, or to bring legal proceedings before the courts, it is likely that the data subject will be unaware of their rights and lack the funds to take legal steps, in circumstances where there is a need for prompt and accurate compliance with data protection rights. Third, as an immigrant the data subject is likely to be in a vulnerable position. Fourth, this is not an abstract issue in the light of the Defendants’ evidence as to the use of the Immigration Exemption (see para 4 above).

60.

Mr Knight suggests that there is a close parallel between the present challenge to the Immigration Exemption and the reasoning of the Court in Christian Institute. As in Christian Institute, he contends, the Immigration Exemption is wide, uses undefined terms, applies a low threshold, is subject to controls not apparent on the face of the provision and applies to a very broad array of contexts and rights. Unlike Christian Institute there is no publicly available guidance, still less of a statutory status even to which regard must be had, on the Immigration Exemption.

61.

In Christian Institute (when considering the issue as to whether the interference was proportionate), the Court stated (at para 88):

“This court has explained that an ab ante challenge to the validity of legislation on the basis of a lack of proportionality faces a high hurdle: if a legislative provision is capable of being operated in a manner which is compatible with Convention rights in that it will not give rise to an unjustified interference with article 8 rights in all or almost all cases, the legislation itself will not be incompatible with Convention rights: R (Bibi) v Secretary of State for the Home Department [2015] UKSC 68…, paras 2 and 60 per Lady Hale, para 69 per Lord Hodge. The proportionality challenge in this case does not surmount that hurdle. Nonetheless, it can readily be foreseen that in practice the sharing and exchange of information between public authorities are likely to give rise to disproportionate interferences with article 8 rights, unless the information holder carries out a scrupulous and informed assessment of proportionality.”

62.

The Court (at paras 94-100) set out the ways in which the legislation risked giving rise to disproportionate interferences; and stated (at para 101) that “In order to reduce the risk of disproportionate interferences, there is a need for guidance to the information holder on the assessment of proportionality when considering whether information should be provided”.

63.

The Commissioner accepts that the Court’s reasoning in Christian Institute in respect of proportionality was strictly obiter on this issue, because the 2014 Act was not in accordance with the law, but Mr Knight submits that the inference to be drawn from the Court’s reasoning is that had it been necessary for them to do so, it would have found Part 4 of the 2014 Act to be a disproportionate interference with the rights of data subjects.

64.

I do not accept that the reasoning of the Court in Christian Institue assists the Commissioner’s argument on proportionality. The challenge to the validity of the

Immigration Exemption on the basis of a lack of proportionality is an “ab ante challenge”. I agree with the Defendants that there is nothing in the evidence to suggest that the Immigration Exemption is being operated in a manner that will give rise to an unjustified interference with Article 8 rights in all or almost all cases. Acknowledging that to be so, Mr Knight advances what Sir James describes as a more subtle case. He accepts that “in principle” the Immigration Exemption can be a lawful and proportionate implementation of Article 23, but submits that it cannot be said, in the absence of statutory guidance, that the operation of the exemption will not give rise to an unjustified interference in all, or almost all, cases.

65.

I do not consider that the reasoning in Christian Institute provides any support for this submission. The Court made clear (at para 96) that had there been sufficient clarity in the drafting of the provisions to render them in accordance with the law, the Court considered that “the Act would be capable of being operated in a manner which is compatible with Convention rights”. Moreover, when the Court referred to “a need for guidance” (at para 101, see para 61 above) in order to reduce the risk of disproportionate interferences the Court was not thereby identifying any further unlawfulness in the legislation. This risk of disproportionate interferences did not lead the Court to conclude that guidance was required as a matter of law to render the legislation lawful.

66.

I agree with Sir James that Christian Institute provides no basis for Mr Knight’s submission that involves imposing two different inconsistent standards of risk when determining whether legislation is unlawful. I do not accept that some lower unspecified standard of risk applies when considering the risk of disproportionate interferences. This would have the effect of undermining the clear approach of the Court in Christian Institute. The Court made no finding that the scheme was unlawful because of the risk of disproportionate interferences. The Court considered it was unlawful because the Act and the guidance as drafted did not meet the Article 8 criterion of being “in accordance with the law”.

67.

A legislative measure does not require to be accompanied by guidance as to proportionality in order to be lawful. In the present context Parliament has chosen not to have statutory guidance. Additional guidance was only held to be required in Christian Institute because the legislation itself was found to be so unclear that it was not in accordance with the law. I accept the Defendants’ submission that in the present case the legislation is in accordance with the law and guidance is not required to render it lawful.

Conclusion

68.

For the reasons I have given none of the grounds of challenge are made out.

Accordingly, this claim is dismissed.

Open Rights Group & Anor, R (On the Application Of) v Secretary of State for the Home Department & Anor

[2019] EWHC 2562 (Admin)

Download options

Download this judgment as a PDF (321.1 KB)

The original format of the judgment as handed down by the court, for printing and downloading.

Download this judgment as XML

The judgment in machine-readable LegalDocML format for developers, data scientists and researchers.