Considered in Grand Committee
Moved by
That the Grand Committee do consider the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022.
Relevant document: 25th Report from the Secondary Legislation Scrutiny Committee
My Lords, Schedule 2(4) to the Data Protection Act 2018 outlines specific rights under the UK general data protection regulation, otherwise known as UK GDPR, that can be restricted if they would likely prejudice either
“the maintenance of effective immigration control”
or
“the investigation or detection of activities that would undermine the maintenance of effective immigration control”.
This is known as the immigration exemption.
These regulations amend the immigration exemption, following the judgment in the case of Open Rights Group and another v the Secretary of State for the Home Department. In that case, the Court of Appeal held that, while there was nothing in principle unlawful about having an exemption for the purposes of maintaining effective immigration control, the legislation itself did not fully reflect the safeguards required by Article 23(2) of the GDPR. As a result, the department made a commitment to amend the immigration exemption, setting out additional safeguards where further safeguards were considered relevant. The deadline for bringing these changes into force is 31 January this year. As part of the process of preparing these draft regulations, the department has consulted the parties to the litigation and the Information Commissioner’s Office and considered carefully their observations and comments, making amendments to the draft as appropriate.
I will now provide some detail about the new safeguards. The right of the data subject to be informed of the immigration exemption’s use, save in certain circumstances, is now on the face of the legislation, once again proving our commitment to be as open and transparent as we are able to be. We have also put in place an immigration exemption policy document—the IEPD—explaining how the immigration exemption must be operationally applied and the circumstances in which data rights might be exempted. The IEPD has been published and we will, of course, keep it under review. Publication will give stakeholders the opportunity to offer their views on the IEPD and where it can be improved, and we will act to make it so.
We are committed to addressing legitimate concerns, promoting high standards in the application of the immigration exemption and protecting individuals’ personal data. The IEPD builds on the rights and safeguards already enshrined in legislation and adds to the existing guidance that the Home Office and the ICO have published. As we said in court, we follow the ICO guidance and welcome its comments and the changes it would wish to make to the document. We are also limiting use of the immigration exemption to the Secretary of State. In doing so, we have now put it beyond doubt that the immigration exemption may not be used by so-called rogue landlords to restrict a migrant’s rights, a point that was raised in court by other parties.
I want to be clear that by laying these regulations, we do not see to remove anyone’s rights but to add more safeguards to those rights and increase transparency on how the immigration exemption will be used. This builds on the guidance that the Information Commissioner’s Office has issued, which we are adhering to and will adhere to.
I shall highlight why the immigration exemption is vital to how we protect our borders and our citizens. For the main part, it is used when individuals request the data held about them by the Government, usually as part of a subject access request. The immigration exemption enables the Home Office to, for example, redact certain information about ongoing operational activity or security checks in circumstances where releasing it would be likely to prejudice the maintenance of effective immigration control. After all, it is common sense that someone in this country illegally should not be given information about the enforcement activity that is about to be used to remove them.
Through targeted use of the immigration exemption, we are able to maintain an effective watchlist capability at the border to prevent criminals and those who seek to halt cause us harm threatening our country as well as to support other agencies and international partners in their vital work. We can frustrate and prevent sham marriages and protect the integrity of ongoing immigration removal and enforcement action and forgery investigations. The immigration exemption is also used to protect people being forced into a marriage and to prevent individuals absconding where there is a planned immigration visit.
There are many other ways in which the immigration exemption is used, but the central aim is to protect our citizens, ensure the integrity of the border and prevent abuses of the immigration system. It is not, however, used in a blanket way. It is applied on a case-by-case basis to the minimum amount of relevant data for the shortest possible time. The immigration exemption can be used only when we have identified the likely prejudice to the immigration system that releasing the data would be likely to cause. Once those concerns are addressed, the data may be released.
I know that noble Lords will appreciate the urgency and sensitivity that accompanies these regulations, and I think that the Committee will today support the regulations, given the safeguards that they provide. They are vital for our effort to protect the border and our citizens, and I hope that the Committee will support the measures to ensure that this tool remains part of that endeavour beyond 31 January this month. I beg to move.
My Lords, the Minister will not be surprised that I have comments on the immigration exemption. We have discussed it a number of times. When I first came across it, in the Data Protection Bill, I was outraged and affronted. The Minister is nodding. I know that she is not agreeing with me; she is just nodding that that was my reaction. I felt affronted because it is basic to me that a solicitor should be able to ask, and get an answer to, what a department of state knows, or thinks it knows, about his client—not about the evidence against him. Immigration control is a very wide issue; it covers far more than national security. More than that, it is basic for everyone, because we are all data subjects, to ask that question and get an answer. If the Home Office, the UKVI, says no, we should know why. That is why the Liberal Democrats divided the House on the issue on Report on the Data Protection Bill.
In the first of the Court of Appeal’s judgments, referring to Home Office evidence, Lord Justice Warby said:
“it is clear that the Immigration Exemption plays a significant role in practice as a brake on access to personal data”.
As I said, this was taken from the Home Office evidence, which referred to the first year of operation of the DPA and gave numbers of subject access requests. The immigration exemption was relied on in 59% of responses. Lord Justice Warby went on to say:
“The Exemption is available in principle in a wide range of … situations.”
Article 23 of the UK GDPR of course allows for the restriction on subject access requests by way of legislative measure that is necessary, proportionate and subject to safeguards. Article 23.2 says that the legislative measure—the “legal basis”, as the court termed it —provides for restrictions, but, again, as the court says, the article is “remarkably specific”. The court also referred to transparency, the equality of decision-making and facilitating a review of proportionality. These of course are all important and characteristic of good law, which is why the measure should be clear and precise and its application foreseeable.
The immigration exemption policy document—at any rate, the current one which has been circulated with the statutory instrument—may or may not be clear and precise. I have to say that the same may be said of the statutory instrument itself, and it relies on—if I may use the acronym—the IEPD. Its own limitations preclude clarity and precision. The IEPD is not legislation. To say, as the Minister did, that it is on the face of legislation is stretching the description. It is not “part and parcel” of the legislation, which was the phrase used in the litigation, not even of secondary legislation, which in practice of course is unamendable. By definition, it is not foreseeable, because it can be varied. The IEPD or any successors introduced by the Secretary of State under the proposed amended provisions can be varied in part or in whole without any legislative process. The SI does not attempt to address this; there has been no attempt—at any rate, none that has seen the light of day—to produce anything such as a code of practice or codification of safeguards. It is simply a Home Office policy document, which, as I understand it, repeats existing safeguards and contains no new ones beyond what is already imposed by the general law or already in place in respect of Home Office data. I think that the Minister said that this builds on previous arrangements. Perhaps she could explain how.
Added to that, the policy document seems not even to be quite consistent within itself. Paragraph 7 uses the words
“for as long as is strictly necessary”,
while paragraph 9 uses the term “necessary and proportionate”. Those words are almost hyphenated in the way we use them now, but they are separate criteria, and “strictly necessary” is more than “necessary”.
The fourth bullet in the checklist in paragraph 9 of the document tells the caseworker and the Home Secretary that
“there should be a rebuttable assumption to inform the data subject of the use of the exemption and only not do so where it would be prejudicial to the immigration purposes”.
Thinking about this, I got quite caught up in a loop, because if it is prejudicial, the exemption kicks in, but one cannot find out how or whether it is prejudicial, and I am not really sure how it works in terms of informing the data subject.
If the Home Office think that it would be prejudicial to disclose, should the Home Office simply refuse to respond? Does it intend any change of practice in responding to a data subject request—a data access request—or will everything continue as previously? If the Minister can explain what happens in a case where the Home Office thinks it will be prejudicial to good, effective immigration control, I should be interested to know.
I have a rather similar query about the SI and new paragraph 4B(2) of Schedule 2, which will go into the Act. Under that, the Secretary of State is not required to inform the data subject of the determination, if doing so may be prejudicial to effective immigration control. In any event, paragraph 4B requires a record of reasons for determination, but not that they are given to the data subject even if he is told of the determination himself. How extensive is the information given in response to the access request? The reasons for refusal of a visa could be much less even than that you have a step-grandson living in a dodgy part of the world, but what you do not know, you cannot challenge, which is really my objection to so much of this.
I remain concerned that maintenance of effective immigration control is everything that the UKVI and parts of the Home Office dealing with immigration do day in, day out. The term itself is not clear and precise. So why are there no safeguards in a legislative measure—the SI—which would qualify to meet that term? Why is everything in draft Home Office policy and what is the difference in the draft policy from what the Home Office already do? And why do we not have the formality of a code of practice approved by Parliament?
My Lords, I thank the Minister for explaining these regulations. For the record, I think that it was the noble Baroness’s mobile phone that was making a noise, rather than the noble Baroness herself.
As my noble friend Lady Hamwee has explained, the Liberal Democrats opposed the immigration exemption when we debated the Data Protection Bill as it was—now the Data Protection Act 2018—which incorporated the EU general data protection regulation into UK law to ensure that the UK could be issued with a data adequacy certificate to enable the continued exchange of data with EU member states after Brexit. The Government sought to exempt data controllers to bypass and restrict fundamental rights where compliance was prejudicial to the maintenance of effective immigration control through the immigration exemption. This could be used by the Home Office to withhold information from those applying for leave to remain in the UK, for example, hampering their ability to challenge Home Office decisions to withhold permission.
The Court of Appeal decided that the immigration exemption contained inadequate safeguards to protect individual data subject rights and was therefore incompatible with UK GDPR. This SI, as the noble Baroness the Minister has explained, is an attempt to comply with the Court of Appeal judgment. Legal minds greater than mind say that this statutory instrument does not bring the legislation into line with the Court of Appeal judgment.
As noble Lords will know, I am not a lawyer, this SI is technical and I have been frying other fish. However, if providing applicants for asylum, for example, with all the information that the Home Office holds on them—information that it is using to decide their case—is considered to be prejudicial to the maintenance of effective immigration control, then the Government must surely withhold only that information that is likely to be prejudicial to the maintenance of effective immigration control.
For example, information from an informant, the disclosure of which would compromise the source, could be blocked, but the immigration exemption is not a blanket licence to refuse to provide any information on any claimant. Nor would it be acceptable for the Home Office to say, “We are not disclosing information under the immigration exemption”. It is surely in the interests of justice that if information is withheld an explanation is given about what kind of information is being withheld and for what reason. So even if the full details cannot be disclosed to the data subject, the data subject can tell an immigration tribunal the nature and extent to which they are appealing blindfold.
As noble Lords have said, the Court of Appeal said that greater safeguards needed to be incorporated into legislation, not just into guidance, as this SI proposes. The Court of Appeal said that legislation needs to be clear and precise, not simply that the withholding of information is in the interests of immigration control. The Court of Appeal also said that the consequences must be foreseeable, as my noble friend Lady Hamwee said, unlike this SI, which relies on guidance that can be changed at any time without notice and without parliamentary scrutiny. I understand that the Home Office has been distracted by conjuring up new public order legislation at short notice that it introduced into this House at the last minute. Bearing in mind what a waste of time that turned out to be, perhaps it should have been concentrating instead on the Court of Appeal decision in this case.
I am advised that this statutory instrument does not comply with the Court of Appeal’s decision. This needs to be brought to the attention of the House, and we will table a regret Motion to that effect. I am also advised that a court challenge is inevitable if these regulations are the basis of the response to the decision of the Court of Appeal. I look forward to the Minister’s response.
My Lords, I want to add a brief coda to my noble friend’s remarks. As the Liberal Democrats’ digital spokesperson, I was closely involved in the passage of the Data Protection Bill. I commend my noble friend Lady Hamwee for her consistent and determined opposition to this immigration exemption. Sadly, during the passage of the Bill, we did not succeed in deleting these provisions, but we are quite clear that this new SI does not at all, in the words of the Minister, reflect the safeguards required by the GDPR. I thought that her statement that the original did not fully reflect the safeguards required by the GDPR was somewhat provocative, given the Court of Appeal’s decision. However, it is clear.
On this side of the Committee, we all supported the case taken by Open Rights and the3million in order to overturn this exemption. One can only wonder what kind of advice the Minister has had. How has she been able to convince herself that this SI will not meet the same fate as the previous provisions? If you read what Lord Justice Warby had to say last May, what needs to be done is blindingly obvious:
“It is not to be forgotten that the Immigration Exemption applies to a range of private bodies and individuals. In any event, the term ‘legislative measure’, whatever its precise scope, must refer to something other than a non-binding code promulgated by a regulator that counts as a relevant consideration for the purposes of administrative decision-making … I have indicated a provisional view that the legislative measure in question must be”—
the words quoted by my noble friend Lady Hamwee—
“part and parcel of the legislation.”
Surely there must be legal advice underpinning all this which must have examined very closely precisely what Recital 41 of EU GDPR had to say—again, my noble friend quoted this:
“Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act”—
that means primary legislation—
“… without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable.”
It is utterly clear that the provisions being put in place today do not comply with any of that, and certainly not with the way in which Lord Justice Warby interpreted Recital 41. One could almost say that the Home Office is being reckless in going forward with this construct, with an IEPD which is simply not good enough. There has been no consultation. As both my noble friends have said, it adds nothing in the way of safeguards, which were there. Essentially, it seems that the Home Office is disrespecting the decision of the Court of Appeal. As we know, the Government have form in disrespecting the decisions of the judiciary and maybe this is just a continuation of that. It is very sad to see, but I cannot imagine that the Minister would want to proceed on such shaky foundations.
My Lords, we support these regulations. There is currently an exemption in our data protection law known as the immigration exemption, as the Minister explained when she introduced this statutory instrument. It disapplies some data protection rights and obligations where applying them would have a prejudicial effect on maintaining effective immigration control or on detection of activities that would
“undermine the maintenance of effective immigration control”.
In practice, this means that the Home Office and other organisations processing information on its behalf can refuse an individual access to their personal information. That has been the burden of the points made by the other noble Lords who have spoken in this short debate. Concerns were raised about the immigration exemption in both Houses of Parliament when the Data Protection Act 2018 was passed. The Government refuted the concerns raised, stating that it had adequate safeguards.
We have heard about the court case, and I suspect we have received the same briefing; my briefing is from the3million and the Open Rights Group, which took the case to the Court of Appeal. I will quote from the letter I received which, as I said, repeats some of the points noble Lords have made. Those groups consider that the draft statutory instrument “does not meet” the requirements of the Court of Appeal and state that:
“The basic problem is simple to identify. The Court of Appeal decided that Article 23(2) of the UK GDPR required additional safeguards. The draft Regulations do not contain those safeguards … At paragraphs 53 and 54 of the first judgment, Lord Justice Warby expresses his provisional view that the legislative measure in question should be ‘part and parcel’ of the legislation that creates the derogation. The proposed regulations do nothing to expand the safeguards applying to the existing exemption; it retains its imprecise and unclear wording. No changes have been made to adopt the above observations of the court … The draft legislation instead makes reference to guidance … that is removed from the legislation, and which cannot be said to be ‘part and parcel’ of the legislation. Such guidance has no force in law and can be changed with ease and no scrutiny. Nor has the guidance been approved by Parliament. It does not have, for example, the status of a Code of Practice that is approved by Parliament. This undermines the principles set out for legislative measures to be clear, precise and foreseeable.”
Those points have been made by all noble Lords who have spoken, and we agree with them. It is clear from other noble Lords’ contributions that they have considerably more history on this subject than I have.
However, I read the debate in the other place and was interested in the questions put by the Conservative Back-Benchers to Kevin Foster, the Minister concerned. Michael Fabricant asked whether there was likely to be another appeal. This is not the Government appealing to the Supreme Court—they have obviously decided that they are not going to do that—but appeals by other groups such as those mentioned. Indeed, may there need to be further legislation? That is another point to which I can see the noble Lord, Lord Clement-Jones, nodding his head. The Liberal Democrats have stated their intention to move a Regret Motion for further debate at another time.
As I said, I came to the wider debate recently and listened with great interest to what the Liberal Democrats said. We support these regulations as far as they go but I suspect the story will be ongoing and I am interested to hear the Minister’s response.
My Lords, I had a question that I forgot to put to the Minister. She said that the Government have consulted the parties and made amendments to their initial proposals, as appropriate. If she is able in her response, or subsequently, to explain more about that consultation and what form the responses take, it would be helpful. I forgot to note that down. What the noble Lord, Lord Ponsonby, meant was that we have form as well as history.
Yes, that is exactly what I meant.
My Lords, I thank noble Lords for their questions. Regarding the question of the noble Lord, Lord Ponsonby, about whether there will be another appeal, not from us but from those groups represented, it will be a matter for them as to what they decide to do. I thought that it might be helpful at this point to give a bit of a background on the measures.
The Home Office introduced into the Data Protection Act the immigration exemption, as noble Lords know, which came into law on 3 May 2018. The Open Rights Group and the3million issued a judicial review later that year to challenge the legality of the immigration exemption, their case being, first, that the exemption was not expressly mentioned in Article 23(1) of the then GDPR and, secondly, that it did not satisfy the requirements laid out by Article 23(2). Our position was that it fell to be covered by Article 23(1)(e) under,
“other important objectives of general public interest”.
The Court of Appeal agreed with that position, thereby putting the matter to rest. It agreed with the appellants, though, on the second point, in that the requirements of Article 23(2) needed to be contained within the immigration exemption itself and not, as we had argued, covered elsewhere. It is that point on which we are bringing forward the legislative changes necessary to address the findings. In doing so, as noble Lords said, we have consulted the Open Rights Group, the3million and the Information Commissioner’s Office, and taken on board any issues that they have put forward.
The noble Baroness, Lady Hamwee, asked me to detail those issues. I cannot do so today but will provide those responses if they are not data-protected.
My Lords, perhaps I may interrupt the Minister briefly. The Minister seems to be saying that the Home Office had taken on board the points made by the Open Rights Group and the3million. Surely, that cannot be the case—otherwise they would not be briefing us that this proposal is totally unsatisfactory and that the Home Office is in great danger of having another judicial review against it precisely on these regulations.
I said that if another judicial review is forthcoming, it will be a matter for those who bring it forward. I said to the noble Baroness, Lady Hamwee, that I do not have details of that but will provide them if I can. However, by developing the immigration exemption policy document, we have sought to make it easier to change our policy to address future concerns and to be seen as being as open and transparent as we can be.
The only other major change is to make the immigration exemption available only for the use of the Secretary of State. This was due to arguments about so-called rogue landlords, who could use it to deny immigrants’ rights. We have always maintained that only a person with intimate knowledge of the immigration system would be able to lawfully justify the prejudice that is built into the immigration exemption, and we think that this change puts those arguments and concerns to rest. We have also added a requirement to inform a data subject where the immigration exemption has been applied, except where to do so would be prejudicial to the purpose of the immigration exemption itself. That is, to go back to it, the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of immigration control.
I think it was the noble Baroness, Lady Hamwee, who asked: “How can people challenge what you have on them if they don’t know what you hold?” I would say to that that we redact only small parts of documents that contain sensitive data that could affect operations. The information we redact therefore mainly relates to operational matters. The immigration exemption is used only on a case-by-case basis, when necessary and proportionate, and is subject to the safeguards set out in the instrument.
On the number of cases, we have to be able to show that it is necessary to use the immigration exemption when relying on it. Even when it is deployed, it is used in a proportionate and necessary way, and only the minimum amount of data is ever redacted. On solicitors, the exemption is not used to prevent a person establishing a legal claim, and that is stated in the immigration policy document.
On individuals not knowing what the Home Office holds on them and how they can rectify any errors, the immigration exemption can be used only to the extent that releasing information would be likely to prejudice the maintenance of effective immigration control, as I said. It is likely to be applicable only to a limited amount of information—for example, information specifically relating to attempts to locate an individual, such as an absconder, could be withheld—if the prejudice test is met, and an individual making a subject access request would still receive the rest of the personal data that did not satisfy the prejudice test. Individuals can also request rectification of their data. The immigration exemption does not restrict the right to seek rectification of inaccurate data, and anyone who seeks the Home Office’s help—for example, to prove residency—will not ordinarily be restricted by the immigration exemption.
On safeguards in the statutory instrument, the court did not specify which limbs of Article 23(2) we need to address, and expressly envisaged the possibility that some might not be relevant. The Secretary of State considers that the legislative measure wholly addresses the reasons for incompatibility referred to in the judgment in the Court of Appeal. We think that the immigration exemption is fully compliant with restrictions allowed in the UK GDPR, and Article 23(2) of the UK GDPR states that any legislative measure restricting obligations and data rights must contain specific provisions, where relevant. We have determined that some limbs of Article 23(2) are already sufficiently covered in the Act, and that one is not relevant; therefore, no amendments will be made to legislation in relation to that limb. The immigration exemption policy document is a guidance document; it is open to the public and, if necessary, to court scrutiny.
The noble Lord, Lord Paddick, asked about the safeguards in the SI. They include restricting the application of the exemption to where the department itself is the controller, and the requirement to inform where the data subject has applied for data about them, save in circumstances which I think I have gone through.
My Lords, just in case the Minister does not have a note on this yet, she has not dealt with the fundamental issue of the mechanism being used to introduce this new form of exemption. She has not dealt with the comments of Lord Justice Warby; she has not dealt with Recital 41; she has not explained to us what legal advice she has as to why she thinks this is in conformity with that judgment and with Recital 41. That is the underpinning issue in terms of the legality of the SI that she is desirous of introducing today. I hope that she has a brief on this.
My Lords, I hope that I have outlined what we have done in trying to comply with the Court of Appeal. As I said right at the beginning, if a judicial review is brought with respect to our not complying, I am sure that it will be forthcoming. I hope that I have outlined the steps that we have taken.
We are satisfied as a department that the judgment and Article 23 have been complied with in full. The Court of Appeal was clear that it was for the department to decide which safeguards were relevant and that not all of them necessarily would be—that was in paragraph 54 of the judgment.
I will study what noble Lords have said and add to what I have said today if necessary—obviously, the Liberal Democrats are going to bring forward a regret Motion—but, with that, I commend the regulations to the Committee.
Motion agreed.