Royal Courts of Justice
Strand, London, WC2A 2LL
Before :
THE HONOURABLE MR JUSTICE SAINI
Between :
THE KING ON THE APPLICATION OF THE3MILLION AND OPEN RIGHTS GROUP (Claimants)
- and -
SECRETARY OF STATE FOR THE HOME DEPARTMENT and SECRETARY OF STATE FOR DIGITAL CULTURE MEDIA AND SPORT (Defendants)
- and -
THE INFORMATION COMMISSIONER (Interested Party)
Ben Jaffey KC and Nikolaus Grubeck (instructed by Leigh Day) for the Claimants
Aidan Eardley KC (instructed by Government Legal Department) for the Defendants
Christopher Knight (instructed by Information Commissioner’s Office) for the Interested Party
Hearing dates: 21 March 2023
Approved Judgment
Mr Justice Saini :
This judgment is in 6 main sections as follows:
Overview: paras [1]-[7].
The Statutory Framework: paras [8]-[24].
The Evidence: paras [25]-[35].
Article 23 UK GDPR: paras [36]-[45].
The Grounds: paras [46]-[74].
Conclusion: paras [75]-[76].
I. Overview
This is a claim about the legality of statutory restrictions on data protection rights in the context of immigration control. The judicial review is a challenge to HM Government’s second attempt to produce an immigration exemption from the United Kingdom General Data Protection Regulation (“the UK GDPR”). The Government’s first attempt at fashioning a lawful exemption was unsuccessful: R (Open Rights Group and the3million) v SSHD and SSDCMS [2021] EWCA Civ 800; [2021] 1 WLR 3611 (CA) (referred to as “JR1” below). The Court of Appeal held that the exemption was unlawful because there existed no “legislative” measure that contained specific provisions in accordance with the mandatory requirements of Article 23(2) of the UK GDPR. It further held that in the absence of such a measure, the exemption was an unauthorised derogation from the fundamental rights conferred by the UK GDPR and was therefore incompatible with that Regulation. Following a remedies hearing, the Defendants were directed to amend the exemption and given until 31 January 2022 to put in place compliant legislation: R (Open Rights Group and the3million) v SSHD and SSDCMS [2021] EWCA Civ 1573; [2022] QB 166 (CA). The issue before me is whether the Defendants have remedied the problems and now produced a lawful legislative restriction.
The First Claimant is an organisation formed after the 2016 referendum to work on the specific issue of protecting the rights of EU, European Economic Area and Swiss citizens living in the UK. The Second Claimant is an organisation that seeks to promote and uphold privacy and data protection rights. These Claimants brought the proceedings which went to the Court of Appeal in JR1.
The Claimants challenge the lawfulness of the Government’s second attempt at an immigration exemption as set out in §4 of Schedule 2 of the Data Protection Act 2018 (“the DPA”), as amended by the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (SI 2022/76) (“the Regulations”), which came into force on 31 January 2022. I will refer to these together as “the Immigration Exemption”. The legislative provisions are set out in more detail in Section II below but, in broad terms, the Immigration Exemption provides an exemption to fundamental data protection rights under the UK GDPR. It applies when the application of those rights “would be likely to prejudice” either “the maintenance of effective immigration control”, or “the investigation or detection of activities that would undermine the maintenance of effective immigration control”. There is also a new requirement in the Regulations that the Secretary of State have “an immigration exemption policy document” in place before the exemption can be used. That policy (called “the IEPD”) has featured heavily in the arguments before me.
The Claimants argue that the second attempt fails to remedy the defects identified in JR1 and the Immigration Exemption accordingly remains in breach of the basic safeguards required by Article 23 of the UK GDPR. In particular, they submit that the incompatibility specifically identified by the Court of Appeal has not been remedied by the mandatory deadline set following the remedies hearing.
The Claimants advance two related grounds:
First, the Immigration Exemption still does not meet the requirement of being a “legislative measure” necessary for compliance with Article 23 of the UK GDPR; and/or
Second, the Immigration Exemption still does not comply with the mandatory requirements listed in Article 23(2) of the UK GDPR, because it omits necessary substantive and procedural safeguards. This complaint is broken down into 6 sub-grounds.
Although there are differences of emphasis, the Claimants are supported by the Information Commissioner (“the Commissioner”) as an Interested Party. The Commissioner’s support of the claim for relief is upon a substantially narrower basis than that put by the Claimants: he submits that the terms of the Immigration Exemption are incompatible with the requirements of Article 23(2)(d) and (g) of the UK GDPR (these are two of the sub-grounds within the Claimants’ second ground of challenge). That said, the Article 23(2)(d) complaint which is strongly supported by the Commissioner (lack of safeguards to prevent abuse, etc.) is the focal point of the Claimants’ challenge.
The Defendants submit that the flaws identified by the Court of Appeal in JR1 have been remedied and the new Immigration Exemption is lawful. They emphasise that the real issue between the parties is related to the second ground: whether the Immigration Exemption contains specific provisions as to the matters listed in Article 23(2).
II. Statutory Framework
The DPA creates a detailed statutory scheme. It makes provision, following the end of the Brexit transition period, for three different legal regimes for data protection. For the purposes of the claim before me, the relevant regime is to be found in the UK GDPR, which applies to the vast majority of processing of personal data in the UK.
As section 3(10) of the DPA provides through the definitions it sets out, the UK GDPR is “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018”. In other words, the UK GDPR is the retained version of the European Union’s GDPR Regulation 2016/679 (“EU GDPR”), with amendments made to secure its practical effectiveness. Insofar as material, those amendments were made by the Data Protection, Privacy and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019 (SI 2019/419) (“the Amending Regulations”).
It is the UK GDPR which contains the body of rights and obligations applicable to data subjects and controllers, and the definitions of those terms (in Article 4). However, the UK GDPR permits (as did the EU GDPR in similar terms) the UK to make provision in national law to specify certain bases for processing personal data and for exemptions from the rights it provides to data subjects. In the UK, that specification has been done through the DPA, and the UK GDPR must accordingly be read together with the DPA.
The focus of the present challenge is Article 23 of the UK GDPR. Article 23 falls within Chapter III, which is headed “Rights of the Data Subject”. The rights themselves are set out in Articles 12-22, which concern: transparency and general provisions concerning the exercise of the following rights (Article 12); the right to have information provided when data is collected (Article 13); the right to have information provided when data is processed which was collected by a third party (Article 14); the right of subject access (Article 15); the right to rectify inaccurate data (Article 16); right to erasure/to be forgotten (Article 17); the right to restrict processing (Article 18); obligations to notify others following exercise of Articles 16-18 (Article 19); the right to data portability (Article 20); the right to object to processing (Article 21); and the right not to be subject to automated processing (Article 22).
Article 23 UK GDPR is headed “Restrictions” and, following the amendments made by the Amending Regulations, provides (insofar as relevant):
“1. The Secretary of State may restrict the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
… (e) other important objectives of general public interest…
2. In particular, provision made in exercise of the power under paragraph 1 shall contain specific provisions at least, where relevant, as to:
(a) the purposes of the processing or categories of processing;
(b) the categories of personal data;
(c) the scope of the restrictions introduced;
(d) the safeguards to prevent abuse or unlawful access or transfer;
(e) the specification of the controller or categories of controllers;
(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
(g) the risks to the rights and freedoms of data subjects; and
(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
3. The Secretary of State may exercise the power under paragraph 1 only by making regulations under section 16 of the 2018 Act.”
By section 15 of the DPA, which expressly refers to Article 23(1), the exemptions made under Article 23 are set out in Schedules 2-4 of the DPA. Most of the exemptions are contained in Schedule 2, Parts 1-4. The exemption in relation to personal data processed for the maintenance of effective immigration control, or the investigation or detection of activities that would undermine the maintenance of effective immigration control, was included in §4 of Part 1 of Schedule 2 to the DPA, as enacted.
As specifically addressed in Article 23(3), as amended, section 16 provides a power to make further exemptions by regulations. It provides:
“(1) The following powers to make provision altering the application of the UK GDPR may be exercised by way of regulations made by the Secretary of State under this section—
…(b) the power in Article 23(1) to make provision restricting the scope of the obligations and rights mentioned in that Article where necessary and proportionate to safeguard certain objectives of general public interest…
(2) Regulations under this section may—
(a) amend Schedules 2 to 4—
(i) by adding or varying provisions, and
(ii) by omitting provisions added by regulations under this section…
(3) Regulations under this section are subject to the affirmative resolution procedure.”
By section 182(1) of the DPA, regulations made under section 16 are to be made by statutory instrument, and they engage a duty on the Secretary of State to consult with the Commissioner and with other appropriate persons before being made.
The replacement by the Amending Regulations of the phrase “legislative measure” in Article 23 with the requirement that any restrictions be made in regulations under section 16 is not a modification such as to disapply the application of retained EU case law, within the terms of section 6 of the European Union (Withdrawal) Act 2018. The amendment replaced a general phrase with a specific legislative mechanism known in the UK.
Parliament exercised the power under Article 23(1) of the UK GDPR to make the original Immigration Exemption, which is set out in Schedule 2 of the DPA. In its brief original form, it provided:
“4. Immigration
(1) The GDPR provisions listed in sub-paragraph (2) do not apply to personal data processed for any of the following purposes –
(a) the maintenance of effective immigration control, or
(b) the investigation or detection of activities that would undermine the maintenance of effective immigration control,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).”
This provision was challenged in JR1. In those proceedings, the Claimants contended that the Immigration Exemption was unlawful because both Article 23(2) UK GDPR, and the CJEU case law, required that the circumstances in which a derogation could apply, and the substantive and procedural safeguards which curtail its application, had to be clearly prescribed by the legislation itself. The Claimants submitted that no such provision had been made in respect of the Immigration Exemption, thus rendering it unlawful. The Court of Appeal agreed and held that “…there presently exists no legislative measure that contains specific provisions in accordance with the mandatory requirements of Article 23(2) of the GDPR”: [29]. Therefore “the Immigration Exemption was an unauthorised derogation” from the relevant statutory provisions, and thus, “unlawful”: [29].
Having referred to the reasoning in a number of CJEU cases, in JR1 Warby LJ further explained at [50]:
“The essence of the reasoning, as I see it, is that broad legal provisions, such as those that require a measure to be necessary and proportionate in pursuit of a legitimate aim, are insufficient to protect the individual against the risk of unlawful abrogation of fundamental rights. The legal framework will not provide the citizen with sufficient guarantees that any derogation will be strictly necessary and proportionate to the aim in view, unless the legislature has taken the time to direct its attention to the specific impacts which the derogation would have, to consider whether any tailored provisions are required and, if so, to lay them down with precision. This approach will tend to make the scope and operation of a derogation more transparent, improve the quality of decision-making, and facilitate review of its proportionality. To my mind the evidence to date as to the relevant decision-making tends to emphasise the importance of characteristics such as these.”
The Defendants did not appeal but decided to have another go at meeting the mandatory requirements. I turn to the language of this second attempt.
The second version of the Immigration Exemption
The Defendants’ amended version of the Immigration Exemption (contained within §§4-4B of Schedule 2 of the DPA) provides as follows (with amendments made by the SI underlined):
“4. Immigration
(1) The UK GDPR provisions listed in sub-paragraph (2) do not apply to personal data processed by the Secretary of State for any of the following purposes—
(a) the maintenance of effective immigration control, or
(b) the investigation or detection of activities that would undermine the maintenance of effective immigration control,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).
(1A) But sub-paragraph (1) does not apply unless the Secretary of State has an immigration exemption policy document in place.
(1B) For the purposes of sub-paragraph (1A), the Secretary of State has an immigration exemption policy document in place if the Secretary of State has produced a document which explains the Secretary of State’s policies and processes for—
(a) determining the extent to which the application of any of the UK GDPR provisions listed in sub-paragraph (2) would be likely to prejudice any of the matters mentioned in sub-paragraph (1)(a) and (b), and
(b) where it is determined that any of those provisions do not apply in relation to personal data processed for any of the purposes mentioned in sub-paragraph (1)(a) and (b), preventing—
(i) the abuse of that personal data, and
(ii) any access to, or transfer of, it otherwise than in accordance with the UK GDPR.
(1C) Paragraphs 4A and 4B make provision about additional safeguards in connection with the exemption in this paragraph.
(2) The UK GDPR provisions referred to in sub-paragraphs (1) and (1B) are the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—
(a) Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b) Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c) Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d) Article 17(1) and (2) (right to erasure);
(e) Article 18(1) (restriction of processing);
(f) Article 21(1) (objections to processing);
(g) Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub- paragraphs (a) to (f).”
(That is the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing), Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b)).
“4A.— Immigration: additional safeguard: decisions for the purposes of paragraph 4(1) and requirement to have regard to immigration exemption policy document
(1) The Secretary of State must—
(a) determine the extent to which the application of the relevant UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) on a case by case basis, and
(b) have regard, when making such a determination, to the immigration exemption policy document.
(2) The Secretary of State must also—
(a) review the immigration exemption policy document and (if appropriate) update it from time to time;
(b) publish it, and any update to it, in such manner as the Secretary of State considers appropriate.
(3) In this paragraph and paragraph 4B “the relevant UK GDPR provisions” means the provisions of the UK GDPR listed in paragraph 4(2).
4B.— Immigration: additional safeguard: record etc of decision that exemption applies
(1) Where the Secretary of State determines in any particular case that the application of any of the UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b), the Secretary of State must—
(a) keep a record of that determination and the reasons for it, and
(b) inform the data subject of that determination.
(2) But the Secretary of State is not required to comply with sub-paragraph (1)(b) if doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b).”
What has changed?
Standing back from the detail, I note that the Regulations introduced a number of qualifications to the original version of the Immigration Exemption:
Limiting the scope of the exemption to personal data processed “by the Secretary of State”, and only if she “has an immigration exemption policy document in place” (the IEPD).
Introduction of the IEPD which must be kept under review, updated as appropriate, and published (along with any updates) “in such manner as the Secretary of State considers appropriate”. It must explain the Secretary of State’s “policies and processes” for:
Determining the extent to which the application of any GDPR provisions affected by the Immigration Exemption “would be likely to prejudice” the immigration purposes identified in subparagraphs (1)(a) and (b) of §4 of Schedule 2 of the 2018 Act (the “Immigration Purposes”); and
Where the Immigration Exemption is applied, preventing the abuse of the relevant personal data and any access to, or transfer of, it otherwise than in accordance with the UK GDPR.
In applying the Immigration Exemption, the Secretary of State must make a case-by-case assessment of the extent to which the relevant UK GDPR provisions liable to be exempted “would be likely to prejudice” the Immigration Purposes. In doing so, she must “have regard” to the IEPD.
Where the Secretary of State determines in any particular case that the application of any relevant provision of the UK GDPR “would be likely to prejudice any of the [Immigration Purposes]”, she must:
“keep a record of that determination and the reasons for it”; and
“inform the data subject of that determination”, unless that would prejudice any of the Immigration Purposes.
An IEPD, dated January 2022, has been published on the Home Office website. The terms of the IEPD are instructive as to its purposes and the work it is intended to do when being applied in practice. So, it records:
“The key topics covered by this guidance are:
The policies and processes for determining the extent to which the application of certain UK GDPR provisions would be likely to prejudice the immigration purposes;
Where it is determined that any of those provisions do not apply in relation to personal data processed for any of those purposes, preventing—
the abuse of that personal data (see section 8 below), and
any access to, or transfer of, it otherwise than in accordance with the UK GDPR.
Scope of the immigration exemption;
When the immigration exemption may be used;
What the prejudice test is, including the rights and obligations that are affected;
How a restriction may be applied;
The rationale for applying the exemption;
The need for it to be applied on an individual case by case basis;
The time constraints on any such use; and
Retention schedules”.
Before making version 2 of the Immigration Exemption, the Defendants consulted the Claimants and the Commissioner on draft Regulations. The Claimants said that the proposed amendments failed to address the unlawfulness found by the Court of Appeal and the Commissioner expressed similar concerns that the draft Regulations still did not achieve compliance with the mandatory requirements in Article 23(2). The Defendants went ahead to make the Regulations which came into force on 31 January 2022. Following pre-action correspondence, on 25 April 2022, the Claimants applied for judicial review of the amended Immigration Exemption and obtained permission on 29 July 2022.
III. The Evidence
Why is an Immigration Exemption needed?
Before turning to the Claimants’ grounds, I will summarise why the Defendants say an Immigration Exemption is required. I start by noting that it is not suggested by the Claimants or the Commissioner that the Immigration Exemption does not seek to serve “important objectives of general public interest” within the terms of Article 23(1)(e) of the UK GDPR. In JR1, the Court of Appeal agreed that such objectives were served by the first version of the Immigration Exemption: [53].
The Defendants’ evidence is that administering border and immigration policy has become increasingly complex and is heavily reliant on data processing. It is the Government’s policy to deal with immigration matters where possible through civil, administrative channels rather than the criminal law (e.g. through voluntary removals, civil penalties etc), which brings much of the data processing involved under the UK GDPR, rather than DPA Part 3 (which implemented the EU Law Enforcement Directive). The UK GDPR bestows more favourable data protection rights on individuals than the law enforcement regime. It is said that taking into account the importance of immigration control to the security and prosperity of the UK, the Government considers that there is a need to strike a fair balance between individual data protection rights and the wider public interest in maintaining effective immigration control, such that, in appropriate circumstances, where necessary and proportionate, certain individual rights should be restricted.
The Defendants’ evidence identifies a number of respects in which the unrestricted exercise of data protection rights may prejudice effective immigration control. It is said that tipping off is a major concern: an individual who learns, through an Article 15 Subject Access Request (‘SAR’) that he is under investigation or about to be detained may abscond or otherwise frustrate the investigation or enforcement action. Likewise, an individual who sees a caseworker’s notes about their immigration application may be able to tailor their evidence or frustrate steps taken to corroborate their accounts. Another potential area of tension is said to be the monitoring of an individual’s travel patterns and similar, which may provide valuable evidence that a person is abusing their immigration rights or has obtained them on a false basis (such as a sham marriage). It is said that this would be frustrated if data subjects were able to restrict the processing of their data (Art 18) or object to it (Art 21).
The Defendants say that the situations in which it will be truly necessary and proportionate to decline to respond fully to the assertion of a data protection right are likely to be rare but there will be instances when the unrestricted application of data subject rights will cause unwarranted prejudice to effective immigration control. Leading Counsel for the Defendants emphasised the point that the situations in which full compliance with data subject rights might prejudice effective immigration control are wide-ranging and apt to change over time. For this reason, he argued that it is unrealistic to attempt to define a priori all the situations in which it may be necessary to restrict data subject rights. Overall the Defendants say that the wide-ranging and evolving nature of immigration work means that it requires a prejudice-based exemption, where a decision maker is required to consider, in all the circumstances, whether the degree of prejudice to effective immigration control outweighs the rights of the data subject. It is also argued that this is a paradigm example of a situation in which the need for operational flexibility and the need to safeguard data subject rights are best balanced by requiring the controller to have in place and have regard to a policy document.
Important contextual matters
At the level of principle, these general points are not contested by the Claimants – they do not make a threshold challenge to the need for an immigration exemption at all. Their challenge is not directed at the policy arguments for or against such an exemption but is a more straightforward legality challenge. They say, if you are going to do this then you must do it by way of legislation (not using administrative policy) and the legislation itself (not just a policy) must be compliant with the mandatory requirements of Article 23(2), as that provision has been explained in the case law.
Against the points made by the Defendants in their evidence, one needs to take note of the powerful submissions of the Claimants and the Commissioner as to context, as well as the evidence in JR1. It is said that the context in which the use of the Immigration Exemption will arise must frame the particular and distinctive concerns which arise about its form and interpretation. Although ultimately I consider that the basis for the Claimants’ challenge is not evidence dependent, both Leading Counsel for the Claimants and Counsel for the Commissioner forcefully make a number of points which I consider to be correct. They underline why particular safeguards and policing of the application of the Immigration Exemption are needed in practice. There are five points which I consider are particularly important and they rather redress the balance when put against the wider policy concerns of the Government and the claimed need for a dynamic or flexible policy. I observe that the Government’s evidence tends to show a lack of appreciation of the particular vulnerabilities of those who are likely to be caught by the Exemption. I turn to the five contextual points.
First, in my judgment the personal data to which the Immigration Exemption is applied is inherently likely to involve special category data within the meaning of Article 9(1) UK GDPR (i.e. data “revealing racial or ethnic origin”). Special category data is identified in the UK GDPR because it requires a higher measure of protection: the processing of it is more intrusive and the data is likely to be more private; see for example Opinion 1/15 (EU:C:2017:592) at [141] and the authorities there cited, and recital (51) to the UK GDPR. It can only be processed where additional conditions set out in Article 9(2) UK GDPR, and Schedule 1 DPA, are met.
Secondly, it is obvious that the data subject is inherently likely to be in a vulnerable position, with a significant imbalance of power as against the immigration authorities for which the First Defendant is responsible. In the context of the UK GDPR, it is relevant to note that these are precisely the sorts of circumstances in which processing of the subject’s personal data on the basis of genuinely freely-given consent is unlikely: see Articles 4(11) and 7 UK GDPR and recital (43).
Thirdly, although any data subject is entitled to complain to the Commissioner about the application (or suspected application) of the Immigration Exemption to the exercise of their rights, or to bring legal proceedings before the courts to vindicate those rights, the context renders it particularly likely that the data subject will be unaware of their rights, lack the funds to take legal steps, and will be seeking to exercise their rights against a particularly time-sensitive context. It is a context in which data subjects will be especially reliant on the Home Office to apply the Immigration Exemption with care and only so far as necessary. The critical importance of prompt and accurate compliance with data protection rights, particularly the right of subject access, is obvious. I accept that it is borne out by reference to the experience of immigration law practitioners.
Fourthly, the characterisation in their pleadings by the Defendants of the rights afforded to data subjects by Chapter III UK GDPR as being “second order rights” is simply wrong. That is unfortunate language, as Leading Counsel for the Defendants appeared to accept. The matters addressed in Article 5 UK GDPR are described by the UK GDPR as “Principles”, and those in Chapter III as “Rights”. It is a foundational principle of data protection law that the right of subject access in particular is of great importance as the gateway to being able to exercise the other rights provided to data subjects: see, for example, Case C-141/12 YS v Minister voor Immigratie (EU:C:2014:2081) [2015] 1 WLR 409 at [44] and the more recent decision in Case C-154/21 RW v Österreichische Post AG (EU:C:2023:3) at [38].
Fifthly, the evidence before me is that the use of the Immigration Exemption by the Home Office has been extensive. I note that in the evidence served in JR1, the First Defendant disclosed that in the first year of use of the original Immigration Exemption, it had been relied upon by the Home Office in response to some 59% of subject access requests (albeit not 59% of the requested data). The evidence before me in the present claim is that in the first five months of the existence of the new Immigration Exemption, it had been relied upon by the Home Office in response to some 66% of subject access requests (albeit, again, not 66% of the requested data). That extensive use in this context underscores the need for particularly clear and precise safeguards. I also note the observations in JR1 at [14]-[17] as to the evidence concerning historic use of the exemption.
IV. Article 23 UK GDPR
Given that both grounds are centred on Article 23 of the UK GDPR, I need to begin with an examination of that provision and assistance to be found in CJEU case law and in JR1 concerning its interpretation and application. As to Article 23(2), it was held in JR1 at [49] that this requires a legally enforceable legislative measure which “contains provisions that are specific to the listed topics…precise and produce a reasonably foreseeable outcome”. They are “conditions precedent” to a lawful derogation: [33]. As explained by Warby LJ, the reason for this is that the “legal framework will not provide the citizen with sufficient guarantees that any derogation will be strictly necessary and proportionate to the aim in view, unless the legislature has taken the time to direct its attention to the specific impacts which the derogation would have, to consider whether any tailored provisions are required and, if so, to lay them down with precision. This approach will tend to make the scope and operation of a derogation more transparent, improve the quality of decision-making, and facilitate review of its proportionality”: [50]. On a natural reading of the provisions the legislative measure itself is required to include (where the matter is relevant) specific provisions about those matters.
Warby LJ referred in some detail in JR1 to the judgment of the CJEU in Case C-511/18, La Quadrature du Net (EU:C:2020:791). At [209]-[210] the CJEU specifically addressed Article 23 in the following terms:
“With regard, more specifically, to Article 23(1) of Regulation 2016/679, that provision, much like Article 15(1) of Directive 2002/58, allows Member States to restrict, for the purposes of the objectives that it provides for and by means of legislative measures, the scope of the obligations and rights that are referred to therein ‘when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard’ the objective pursued. Any legislative measure adopted on that basis must, in particular, comply with the specific requirements set out in Article 23(2) of that regulation.
Accordingly, Article 23(1) and (2) of Regulation 2016/679 cannot be interpreted as being capable of conferring on Member States the power to undermine respect for private life, disregarding Article 7 of the Charter, or any of the other guarantees enshrined therein... In particular, as is the case for Article 15(1) of Directive 2002/58, the power conferred on Member States by Article 23(1) of Regulation 2016/679 may be exercised only in accordance with the requirement of proportionality, according to which derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary.”
(citations omitted).
On that basis, the CJEU held that the requirements it had set out in relation to the e-Privacy Directive (Directive 2002/58) in that case applied equally to Article 23: [211]. Those requirements were summarised at [168] and include an obligation that any legislative measure purportedly implementing permitted derogations must “ensure, by means of clear and precise rules, that the retention of data at issue is subject to compliance with the applicable substantive and procedural conditions and that the persons concerned have effective safeguards against the risks of abuse”. The CJEU also set out the general principle of interpretation applicable to the GDPR, taken from recital (10), which was that it was intended “to ensure a high level of protection of natural persons”: [207].
In Case C-175/20, ‘SS’ SIA (EU:C:2022:124), the CJEU addressed a question referred to it as to whether provisions of the GDPR could be derogated from without national law having conferred such a right to do so. The CJEU emphasised that there may be no derogation unless permitted by a legislative measure in accordance with Article 23(1): at [58]. In particular, the CJEU explained at [56] (using the unofficial translation of the French language judgment) that:
“…any measure adopted under Article 23 of Regulation 2016/679 must, as the EU legislature moreover pointed out in recital 41 of that regulation, be clear and precise and its application be foreseeable for individuals. In particular, the Member States must be able to identify the circumstances and conditions in which the scope of the rights conferred on them by that regulation may be subject to limitation.”
The CJEU has also considered what would constitute a legislative measure for the purpose of implementing in national law an exemption from data protection rights. Under the preceding Directive 95/46/EC, the equivalent provision to Article 23 UK GDPR was Article 13, which similarly permitted Member States to restrict the scope of the wider obligations and rights through the adoption of “legislative measures”. (There was no equivalent to Article 23(2).) In Case C-201/14, Bara (EU:C:2015:638), the CJEU considered the lawfulness of the transfer of tax information between Romanian public authorities for the purpose of identifying those owing money to the health insurance regime. The basis for the transfer was a protocol agreed between the two relevant authorities, which appears not to have been published, but which furthered relevant statutory functions. The CJEU held, at [39]-[41], that Romanian law had not implemented any relevant derogation permitted by Article 13 of the Directive. In particular, it held that the “detailed arrangements for transferring that information were laid down not in a legislative measure but in the 2007 Protocol agreed between [the two authorities], which was not the subject of an official publication”: [40].
One can add to the five cases Warby LJ considered in JR1 at [36]-[50] the Grand Chamber decision in Case C-746/18 HK v Prokuratuur (EU:C:2021:152) (handed down after the oral arguments in JR1). In summary, the principle that emerges from this case (in line with the earlier cases) is that legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data are affected have sufficient guarantees that data will be effectively protected against the risk of abuse.
By way of summary, the UK GDPR and CJEU retained case law, as interpreted by the Court of Appeal in JR1 (and as supplemented by more recent case law), provides that a measure restricting rights under Article 23(2) of the UK GDPR, must satisfy the following tests:
be made by way of legislation (here, regulations);
be clear and precise;
be legally binding under domestic law;
be accessible and foreseeable; and
provide substantive and procedural conditions (including safeguards) in respect of the relevant processing.
I emphasise that these criteria are basic Rule of Law requirements in this context. The CJEU case law could not be clearer in this regard when derogations from fundamental rights are sought to be adopted. These requirements (where relevant) are matters to be satisfied within and by the legislation and are to be assessed prior to any analysis of the necessity and proportionality of a particular restriction, although the matters are closely related and seen as part of a holistic exercise: see JR1 at [34] and La Quadrature at [132].
Ultimately, when I asked the question of Counsel I understood them all to agree that the Rule of Law matters need to be addressed first within the scheme of Article 23. As appears below, save in a single respect (see [49] below), as I read the Claimants’ grounds, they are focussed on the Rule of Law requirements (on both Grounds 1 and 2) and are not merits-based necessity and proportionality challenges.
The IEPD: relevance and role
Before I turn to the grounds, I must address a general submission put at the forefront of the arguments made by Leading Counsel for the Claimants on Ground 1. I substantially accept that submission but how it applies to the specific terms of the Immigration Exemption will be a matter to be addressed in more detail below. The Claimants say that given the central role given to the IEPD in the new version, the Immigration Exemption lacks certain substantive and procedural safeguards to ensure Parliamentary scrutiny, a key component of any legislative measure. I note that the Defendants rely on Parliamentary scrutiny by way of the affirmative resolution procedure. I agree with the Claimants that this is in practice absent given the reliance the Regulations place on the IEPD as containing safeguards. The IEPD is separate from the legislation and is not approved or voted on by Parliament (cf. a Code of Practice under e.g. the Investigatory Powers Act 2016 or the Police and Criminal Evidence Act 1984). I note also that the Regulations do not prescribe any of the substantive content of the IEPD. The IEPD itself is not subject to Parliamentary scrutiny under the affirmative resolution procedure. The IEPD can be changed without formality or any Parliamentary procedure. The IEPD is not a legislative measure but is in the form of a readily changeable government policy. That may be said to be an attraction (to be “nimble” as Leading Counsel for the Defendants put it), but it is simply a policy document subject to a well-known form of public law “have regard to” duty. I will return to this point further below.
V. The Grounds
Although the Claimants present their arguments under two distinct grounds, when analysed the grounds are better approached as one legal challenge in substance. In essence, the argument is that by effectively “outsourcing” to the IEPD the safeguards required by Article 23(2), and the guidance in the case law, the Regulations fail to ensure that the Immigration Exemption constitutes a ‘legislative measure’. As I have foreshadowed above, the IEPD is clearly not a legislative measure – that is not in issue. The issues which flow from its limited status, and thereby the claimed limitations of the Regulations under challenge, are most appropriately analysed through the lens of the specific provisions of Article 23(2).
I also note that not all of the provisions set out under Article 23(2) will necessarily be relevant in every case. The derogating power may be used in many different data protection contexts. I highlight this point because in relation to certain complaints the Defendants argue that the provisions are not relevant to the Immigration Exemption.
Article 23(2)(a): purposes of processing
The Claimants’ first complaint is that the Immigration Exemption does not satisfy Article 23(2)(a) of the UK GDPR, in that it does not contain “specific provisions” prescribing “the purposes of the processing…”, for which the relevant fundamental rights may be denied. There is no issue that the purpose appears in the legislation. But Leading Counsel for the Claimants submits that the Regulations have not amended §4(1)(a) and (b) of the DPA, which allow restrictions of relevant fundamental rights for purposes of “effective immigration control.” The complaint is that this term is not further defined in the DPA (or even in Regulations or the IEPD) and on its own is too vague to amount to a sufficiently specific provision. He argued that in effect it amounts to an “open-ended” exemption. The Commissioner does not support this submission.
In response, the Defendants rely upon the decision of Supperstone J at first instance in the proceedings which went on to the Court of Appeal as JR1. Supperstone J explained: “those terms are readily understood” and that “the provisions of the exemption setting out the purposes for which, and categories of data to which, it may be applied are, in my view, clear and appropriately delineated”: [2019] EWHC 2562 (Admin); [2020] 1 WLR 811 at [51].
I put to one side whether there is any form of issue estoppel on the basis that the Court of Appeal left this part of Supperstone J’s decision undisturbed. I doubt whether an issue estoppel would arise, but independently I am of the same view as Supperstone J. “Effective immigration control” is a clear concept, used without difficulty in other statutes: see section 117B of the Nationality, Immigration and Asylum Act 2002. The purposes of processing and categories of processing are identified on the face of the legislation. It is not a vague and open-ended exemption; and it is hard to identify how it could be defined more narrowly given the Defendants’ evidence as to the differing contexts in which the exemption might need to be applied. I accordingly reject the first complaint.
Necessity and Proportionality: the prejudice test
The Claimants’ second ground of challenge is that the Immigration Exemption does not meet the requirements of necessity and proportionality. This is not a complaint directed at any specific sub-paragraph in Article 23(2) but is a general challenge. It is not supported by the Commissioner.
As noted above, §4(1) of Schedule 2 of the DPA provides that compliance with relevant fundamental rights will be exempted if their exercise is “likely to prejudice” “effective immigration control”. The Claimants say that the Immigration Exemption does not set out any minimum requirement regarding the “extent” of prejudice that will trigger the disapplication of relevant fundamental rights. While §4A(1) now requires the Secretary of State to determine the extent of prejudice “on a case by case basis”, they argue that the legislation still contains no express requirement for any balancing test to be carried out as between an individual’s rights and claimed prejudice to the purposes. They submit that even where the identified prejudice is negligible, the Immigration Exemption can still apply. This is said to fail to give due effect to the requirements of necessity and proportionality in the context of what must be a carefully policed derogation. They also refer to The Home Office Rationale and Reasoning Note (and the disclosed correspondence from the Home Office to the Commissioner) which says that “Paragraph 4(1) makes it clear that the Immigration Exemption can only be relied upon when the usual application of the relevant data provisions would prejudice the maintenance of effective immigration control” (my underlining). They argue that even that, however, overstates the strictness of the test – in fact, the Immigration Exemption applies whenever the exercise of a right is only “likely to prejudice”, affording much wider discretion to the Secretary of State.
As I said during oral submissions, it seemed to me that two distinct but closely related complaints were being made by the Claimants. First, that the extent of prejudice is not identified other than by way of what is said to be a low hurdle and a potentially wide discretionary measure (the “likely to prejudice” test); and second, there is no legislative balancing test expressly required when consideration is being given to invoking the exemption.
As to the first point, the Defendants submit that the test of “would be likely to prejudice” is clear and precise. As to the second complaint, the Defendants say that the Secretary of State must conduct a “classic proportionality balancing exercise” and may only invoke the exemption “where strictly necessary”: relying on Zaw Lin v Commissioner of Police of the Metropolis [2015] EWHC 2484, [78]-[85]. They accept none of this balancing is required on the face of the legislation but submit it is implicit.
As to the first complaint (the level of prejudice), I do not consider this needs any further definition. It is readily understandable. It may be potentially wide and easily satisfied but the control mechanism is the balancing test and that must have a legislative basis as I identify below. I accordingly consider there is real force in the second complaint: once prejudice (at whatever level) is identified, where is the decision-maker directed in the legislation to balance this against the countervailing interests of the data subject?
I start by noting that it is common ground that there is no express legislative basis for any balancing test, and that a balancing exercise must be conducted to comply with Article 23(2). As to Zaw Lin, I do not find that case of assistance in resolving the issue before me which is to be decided by reference to case law concerning a bespoke legislative scheme. Zaw Lin was a case concerned with the proportionality of a police decision to decline subject access requests made by two men facing the death penalty, relying on the crime exemption under section 29 of the Data Protection Act 1998. The court performed a balancing exercise, assessing whether there existed “any particular piece of information to which [the court] would attribute any substantial weight to be set against” the interests against disclosure: [125]. In that case there was, however, no challenge to the lawfulness of the exemption per se. The fact that the judge construed a different exemption as requiring a balancing exercise cannot in my judgment excuse the failure of the Immigration Exemption to incorporate an express requirement to that effect. I do not find attractive the submission that this is an implicit requirement when the thrust of JR1 and the CJEU case law is the need for compliance with Rule of Law standards which identify with precision how and when the exemption can be invoked.
I note that the IEPD does expressly refer to the need to consider proportionality and whether the rights “of the individual override the prejudice to immigration control” (para. 8). The existence of a non-binding IEPD requiring a balance does not however improve the Defendants’ position. Contracting out the job of complying with Article 23(2) to the IEPD rather than doing it through the legislation is not lawful. I note that the IEPD makes express reference to the need to ensure use of the exemption must be shown to be “necessary and proportionate in each case”. But that obligation needs to be identified with legislative force in the Regulations themselves. It would be relatively straightforward to spell that task out. The second complaint accordingly succeeds on this basis.
Article 23(2)(c) and (e): scope and specification
The Claimants’ third complaint is that contrary to Article 23(2)(c) and (e), the Immigration Exemption does not contain specific provision as to the “scope of the restrictions introduced” or the “specification of the controller or categories of controllers to which it applies”. The Commissioner does not support this complaint.
I reject the complaint as regards Article 23(2)(c) concerning the scope of the Immigration Exemption. The Immigration Exemption is plainly compliant in this regard. It itself states the particular data subject rights it may be used to restrict: §4(2).
As to Article 23(2)(e) concerning the specification of the controller, §4(1) of Schedule 2 of the DPA now confines the operation of the Immigration Exemption to personal data processed “by the Secretary of State”. There is thus only one controller who may invoke the Immigration Exemption. The third complaint fails.
Article 23(2)(d): safeguards to prevent abuse
This was the focus of the oral submissions on both Ground 1 and as part of Ground 2. Article 23(2)(d) requires, where relevant, a derogating measure to contain specific provision as to “the safeguards to prevent abuse or unlawful access or transfer”. The Claimants’ fourth complaint, supported by the Commissioner, is that this requirement is breached by the Immigration Exemption. They argue that the requirement to have an IEPD (even with some prescribed content) and to have regard to it does not satisfy the requirements of limb (d).
The Defendants say that the safeguards, which are clear and precise on the face of the Immigration Exemption, are (1) that the Exemption may only be invoked if there is an IEPD in place; (2) that, to be a qualifying IEPD, it must exhibit specified features (including provision as to how unlawful access/transfer should be guarded against in respect of data to which the exemption applies); (3) the IEPD must be kept under review and updated as appropriate; (4) the IEPD must be published; (5) a record must be made, with reasons, every time the Exemption is invoked, and (6) unless self-defeating, the data subject must be informed that the Exemption has been applied. They also rely on the fact that the obligation to “have regard” to the IEPD satisfies the requirement that the safeguards are provided by law.
I pause to note that it is clear on the Defendants’ own case that the IEPD is central to compliance with the Article 23(2)(d) requirement. However, Leading Counsel for the Defendants emphasised that the content of the IEPD was not relied upon but only the safeguards created by the fact that it exists, must be published and that regard must be had to it.
The Claimants and the Commissioner argue that the Defendants’ approach to compliance with this provision is insufficient. In my judgment they are correct. Their submissions covered essentially the same ground. My reasons are as follows:
First, no substantive content of the IEPD is prescribed by the Regulations. The IEPD is not subject to any Parliamentary approval or laid before it. I note that it need only “explain” such “policies and processes” as the First Defendant has in place for applying the Immigration Exemption. It does not control or determine those policies and processes; it does not even contain them. Nothing in the Regulations specifies the safeguards the IEPD is to set out: as I have noted, the mere existence of the IEPD, regardless of its content, is said to be the safeguard. Recitation in §4(1B)(b)(i) of the term “abuse of that personal data”, reflecting Article 23(2)(d), does not give that term content or meaning. In short, where the content is not prescribed, safeguards are not provided. This does not satisfy the requirements of La Quadrature or the additional CJEU cases relied upon before me (cited at Section IV above).
Second, the Defendants’ Leading Counsel drew an analogy with the requirement on a controller of special category data, who wishes to rely on a processing gateway set out in Schedule 1 to the DPA, to have in place an “appropriate policy document”: see at §§5, 38-40 of Schedule 1. The analogy does not hold. Schedule 1 and the appropriate policy document requirement implements Article 9(2)(g), which requires – for processing necessary for reasons of substantial public interest – domestic law to “provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject”. Schedule 1 provides for specified contexts which constitute substantial public interest, and one further suitable safeguard measure it provides for is the appropriate policy document. But the legislative formulation in Article 23(2) is different and requires that regulations made under section 16 contain “specific provisions…as to” the safeguards to prevent abuse of the exemption. The context is also different because Article 23 is a derogation provision which must be restrictively construed under well-established principles.
Third, despite the IEPD being the First Defendant’s own document, about her own “policies and processes”, she is still only required to “have regard” to it. That is a “soft” obligation in public law terms. The IEPD does not have binding force. In my judgment, it is not a sufficient safeguard if a data subject cannot rely on a failure to comply with the IEPD to found a claim for breach of their UK GDPR rights. A duty to have regard (even a duty to have “due regard”, which I note the Immigration Exemption does not impose) requires only that the Secretary of State have proper and conscientious focus on any relevant part of the IEPD, but does not permit a court to interfere with the balance struck: R (Bracking) v Secretary of State for Work and Pensions [2013] EWCA Civ 1335 at [25(8)]. Indeed, a public law body may lawfully undertake action wholly opposite to what a policy states it should do, as long as the policy has been taken into account. I would add that contrary to the Defendants’ submissions, the duty to have regard is not the same as the public law duty on a public authority to follow the term of its published policy unless there is good reason not to do so; the more limited duty has been prescribed instead (c.f. R (Good Law Project) v Prime Minister [2022] EWCA Civ 1580 at [61]).
Fourth, the nature of a ‘policy document’ to which only regard need be had affects the type of document produced, and thereby the quality of the safeguards being set. In my judgment, the very wording of the Regulations encourages a generalised, non-prescriptive document, rather than one of detail and specificity. The IEPD is required only to “explain” such policies and procedures the Secretary of State has in place for addressing the matters in (1B) (a) and (b). That assumes there are such policies and procedures; it is not the content of the IEPD which determines those policies and procedures or defines their adequacy.
Fifth, the IEPD is of little use as a safeguard unless it is published in a manner which ensures it is readily accessible to everyone who may wish to consider its terms. The Regulations do not require that, despite an assertion in correspondence made to the Commissioner that there would be a requirement to publish it on gov.uk specifically. It is not disputed that the publication choice would be subject to public law controls, but publication duties in legislation are frequently met, for example, by inclusion of a notice in the London Gazette. That would not be adequate in the present context.
Overall, the basic structural requirements of the UK GDPR and the DPA are not met by “outsourcing” the safeguards required by Article 23(2)(d) to the IEPD which is not a legislative measure. The fourth complaint succeeds. Safeguards must appear on the face of the legislation or in a binding code (approved by Parliament) and with statutory force. I was not persuaded by the argument that such a code cannot be produced because of the multiplicity of situations it must cover. Many areas of state regulation are conducted by detailed and flexible provisions which have statutory force.
Article 23(2)(f): storage
Article 23(2)(f) requires – where relevant – specific provision as to “the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing”. The Claimants’ fifth complaint is that the Immigration Exemption does not comply with this provision because it does not include any provisions concerning the “storage periods” for the relevant personal data, nor does it contain any provisions as to “applicable safeguards” related to data retention. The Claimants rely upon §4B(1)(a) which requires the Secretary of State to keep records in relation to the use of the Immigration Exemption, with no corresponding provisions regarding the storage periods and safeguards pertaining to such records (including in particular the circumstances in which data subjects will be able to access such records). The Commissioner does not support this ground; and the Defendants submit that this provision as to storage is not relevant.
In my judgment, Leading Counsel for the Defendants is right to submit that Article 23(2)(f) is qualitatively very different from the other Article 23(2) factors. I start by noting that a restriction may, on its face, state that it applies only to data processed for a particular purpose, only to certain categories of data, only to certain data subject rights and only in respect of data processed by a certain controller: see Articles 23(2)(a), (b), (c) & (e). But there is no equivalent literal reading of Article 23(2)(f): Article 23 does not permit any restriction of the “storage limitation” principle in Article 5(1)(e). A controller cannot rely on an Article 23 based exemption to hold data for longer than Article 5(1)(e) permits. That was not contradicted by the Claimants.
Accordingly, I agree with the Defendants that Article 23(2)(f) must have some different, non-literal meaning. They submit that Article 23(2)(f) comes into play where a restriction on data subject rights would otherwise be unnecessary and disproportionate: regulations can, in that situation, further limit the general prohibition on storing data for longer than necessary, so as to specify that data that are subject to a restriction must be deleted at some earlier point. However, the Immigration Exemption is a prejudice-based exemption. It applies only when, and for so long as, the “likely to prejudice” test is satisfied. That is a test that will yield different results as circumstances change. It cannot be relied upon to put whole classes of data permanently beyond the ordinary reach of data subject rights. It can only operate for so long as the “likely to prejudice” test requires the withholding (etc.) of a specific piece of information. Accordingly, there is no need, for the purposes of ensuring necessity and proportionality, for any further limitation to be imposed on the length of time the First Defendant may hold data to which the Exemption applies. There is no extension of storage periods. I reject the fifth complaint.
Article 23(2)(g): risks to rights and freedoms
The Claimants’ sixth and final complaint, supported by the Commissioner, is that the Regulations, and the Immigration Exemption, make no provision as to the “risks to the rights and freedoms of the data subject”, to address Article 23(2)(g). Leading Counsel for the Claimants and Counsel for the Commissioner reminded me of what they say are the obvious risks to the particularly vulnerable category of data subjects especially likely to have their rights curtailed by the application of the Immigration Exemption. They rely also upon the penultimate sentence of [50] in JR1 (cited in full above at [19]).
The Defendants argue that Article 23(2)(g) cannot be read literally. Either it means that an exemption must be drafted in a way that prevents it being used to the detriment of data subjects except where strictly necessary (in which case, it adds nothing to the requirement for “safeguards” in Article 23(2)(d)), or it means that data subject rights have to be carefully considered as part of the process of drafting an exemption. They rely on the fact that the European Data Protection Board (“EDPB”) takes the latter view, adding that, where the impact on data subjects has been addressed, “the EDPB considers it necessary to include it in the recitals or explanatory memorandum of the legislation or the impact assessment”. As I understand the argument the Defendants say that what is required is contemporaneous evidence, recorded with a degree of formality, that proper consideration has been given to data subject rights. In oral argument Leading Counsel for the Defendants submitted that this was achieved by the First Defendant’s “Rationale and Reasoning Note” (referred to further below), which identifies potential risks to data subjects’ rights and demonstrates that these have been taken into account.
The starting point is to note that the Explanatory Memorandum to the Regulations states, at §7.10, that because the Immigration Exemption contains (and has always contained) a prejudice test as part of its scope, nothing further is required to satisfy Article 23(2)(g).
I accept the Claimants’ and the Commissioner’s submissions. In my judgment, the matters relied upon by the Defendants are not, in the context of the Immigration Exemption, a legally adequate implementation of Article 23 and the judgment in JR1. The Defendants’ reliance on the EDPB’s “Guidelines 10/2020 on restrictions under Article 23 GDPR”, at §63 does not assist because the EDPB states that the necessary assessment of risks to rights and freedoms must be included in “the recitals or explanatory memorandum of the legislation”. I acknowledge that UK legislation drafting convention is not to use recitals in this way, but the Explanatory Memorandum (an official published document collected with the Regulations on the legislation.gov.uk website, and laid before Parliament) not only fails to address the issue but specifically denies that any such issue arises. It is in my judgment significant that the only document the Defendants can identify which purports to contain any such assessment is the unpublished ‘Rationale and Reasoning Note’. The only version of that document before me which pre-dates the Regulations being made on 26 January 2022 is that of 6 September 2021. That is in the same terms of denial as the Explanatory Memorandum. Leading Counsel for the Defendants took me to a later version of the unpublished Note. Even if they were capable of being relied upon (which I strongly doubt), they cannot address the published positive assertion in the formal Explanatory Memorandum that nothing more than the existing terms of the Immigration Exemption are required to satisfy Article 23(2)(g).
In oral submissions, Leading Counsel for the Defendants asked that if I accepted any of the complaints, I should provide guidance as to what should appear in compliant legislation. I do not consider it is appropriate for me to engage in a drafting exercise. It is for HM Government not the court to produce compliant legislation. That said, I accept the Commissioner’s submission that there would be significant force in an express statutory direction to the Secretary of State to consider in all cases in which use of the Immigration Exemption is contemplated, for example: the potential relevance of the exercise of the UK GDPR right in issue to the data subject’s ECHR rights (which in some cases will extend beyond Articles 6 and 8 to include Articles 3 and 4); the relevance of the UK GDPR right in issue to the data subject’s possible rights under the Refugee Convention (and thereby section 2 of the Asylum and Immigration Appeals Act 1993); and the potential vulnerability of the data subject in all the circumstances. Without expressing any concluded view on the issue, I consider that this sort of express recognition of the particular risks to the rights and freedoms of data subjects in the context in which the Immigration Exemption is, or is likely, to be applied would constitute the type of provision required by Article 23(2)(g).
Overall, the absence of any provision at all in the Regulations – and indeed its relevance being denied in the accompanying Explanatory Memorandum – cannot satisfy Article 23(2)(g). The sixth complaint accordingly succeeds.
VI. Conclusion
Grounds 1 and 2 succeed on the basis I have identified above. The overriding matter which needs to be addressed by the Defendants is the use of a policy to set out the safeguards and tests to be applied in using the Immigration Exemption. The cure is straightforward: the measures to satisfy the relevant provisions of Article 23(2) need to be set out in either legislation, or a code endorsed by Parliament, with binding legal effect in domestic law. An obligation to merely “have regard to” a code or policy will not do. That is the price under the UK GDPR regime for using the derogation.
I will make declaratory orders that the Immigration Exemption is unlawful. As agreed by the parties, I will suspend such orders for a short period to allow the Defendants to put in place compliant legislation.