By paragraph 4 of Schedule 2 to the Data Protection Act 2018 the Government introduced an “immigration exception” which, in certain circumstances, exempted data controllers from complying with certain of their data protection obligations under Parliament and Council Regulation (EU) 2016/679 (“the GDPR”). Paragraph 4(1) provided that the GDPR provisions listed in paragraph 4(2) did not apply to personal data processed for the purposes of (a) the maintenance of effective immigration control or (b) the investigation or detection of activities that would undermine the maintenance of effective immigration control, to the extent that the application of those provisions would be likely to prejudice those purposes. In proceedings challenging the lawfulness of the immigration exception, the Court of Appeal found the exception to be unlawful for failure to comply with article 23 of the GDPR and directed that amendments be put in place to secure such compliance. The amendments were effected by the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 which, inter alia, introduced a new paragraph 4A into Schedule 2 to the 2018 Act, thereby requiring the Secretary of State to publish an immigration exemption policy document (“IEPD”), to be reviewed and updated as appropriate from time to time, to which regard was to be had when making a determination on whether the immigration exception applied in any given case. In January 2022 the Government published an IEPD which was said to contain the necessary safeguards to ensure compliance with article 23 of the GDPR and which was subject to parliamentary scrutiny by the affirmative resolution procedure. The claimants sought judicial review challenging the lawfulness of the new immigration exemption on the grounds that it still failed to meet article 23 requirement of being a “legislative measure; and/or that it did not comply with the mandatory requirements listed in article 23(2) of the GDPR because, inter alia, (i) the requirement to have an IEPD (even with some prescribed content) and to have regard to it did not satisfy and/or was incompatible with the requirement in article 23(2)(d) to make specific provision, where relevant, for safeguards to prevent abuse or unlawful access to or transfer of data and (ii) it failed to make specific provision with regard to the “risks to the rights and freedoms of the data subject”, contrary to article 23(2)(g). The Secretaries of State referred to para 63 of the European Data Protection Board’s Guidelines 10/2020 on restrictions under Article 23 GDPR as supporting the view that the amended exception was lawful.
On the claim for judicial review—
Held, claim allowed. (1) The personal data to which the immigration exemption was applied was inherently likely to involve special category data within the meaning of article 9(1) of the GDPR (ie data revealing racial or ethnic origin), which required a higher measure of protection and could only be processed where additional conditions set out in article 9(2) of the GDPR and Schedule 1 to the Data Protection Act 2018 were met. The data subject was inherently likely to be in a vulnerable position, with a significant imbalance of power when compared to the immigration authorities, those being precisely the sorts of circumstances in which processing of the subject’s personal data on the basis of genuinely freely given consent was unlikely. While a data subject was entitled to complain to the Information Commissioner about the application (or suspected application) of the immigration exemption to the exercise of their rights (particularly prompt and accurate compliance with data subject access requests), or to bring legal proceedings before the courts to vindicate those rights, the context rendered it particularly likely that the data subject would be unaware of their rights, lack the funds to take legal steps and would be seeking to exercise their rights against a particularly time-sensitive context, in which data subjects would be especially reliant on the Home Office to apply the immigration exemption with care and only so far as necessary. In that context, article 23(2) of the GDPR required that regulations made under section 16 of the 2018 Act contain specific provisions as to the safeguards to prevent abuse of the exemption. For that purpose, safeguards were not provided unless they were enshrined in legislative measures or in a binding code approved by Parliament. Nor were sufficient safeguards to prevent abuse in place if a data subject could not rely on a failure to comply to found a claim for breach of their GDPR rights. As no substantive content of the IEPD was prescribed by the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 and the IEPD had not been subject to parliamentary scrutiny, and as it was not a legislative measure but instead took the form of a readily changeable government policy, it did not have binding force. Accordingly, there presently existed no legislative measure which contained specific provisions complying with the mandatory requirements of article 23(2). It followed that the immigration exemption was an unauthorised derogation from the fundamental rights conferred by the GDPR and, therefore, was incompatible with it and unlawful (paras 31–33, 42, 43, 45, 46, 64, 65, 75, 76).
(2) In so far as the Secretaries of State relied on para 63 of the European Data Protection Board’s Guidelines 10/2020 on restrictions under Article 23 GDPR, that did not assist in satisfying the court of compliance with article 23(2)(g) of the GDPR because the board had stated that the necessary assessment of risks to rights and freedoms had to be included in “the recitals or explanatory memorandum of the legislation”. Conventions of drafting in domestic law did not use recitals in that way and the Explanatory Memorandum to the 2022 Regulations, while an official published document laid before Parliament and collected with the 2022 Regulations on the Government website, not only failed to address the risks to the rights and freedoms of data subjects but specifically denied that any such issue arose (paras 19, 72, 74).
Per curiam. While it is for the Government, not the courts, to produce compliant legislation, there would be significant force in enacting an express statutory direction to the Secretary of State to consider, in all cases in which use of the immigration exemption is contemplated: (i) the potential relevance of the exercise of the GDPR right in issue to the data subject’s rights under the Convention for the Protection of Human Rights and Fundamental Freedoms (which in some cases will extend beyond articles 6 and 8 to include articles 3 and 4); (ii) the relevance of the GDPR right in issue to the data subject’s possible rights under the non-refoulement provisions of the Convention and Protocol relating to the Status of Refugees adopted on 25 July 1951 and 16 December 1976 (and thereby section 2 of the Asylum and Immigration Appeals Act 1993); and (iii) the potential vulnerability of the data subject in all the circumstances. That sort of express recognition of the particular risks to the rights and freedoms of data subjects, in the context in which the immigration exemption is, or is likely, to be applied, would seem to constitute the type of provision required by article 23(2)(g) of the GDPR (para 73).
Ben Jaffey KC and Nikolaus Grubeck (instructed by Leigh Day) for the claimants.
Aidan Eardley KC (instructed by Treasury Solicitor) for the Secretaries of State.
Christopher Knight (instructed by Information Commissioner’s Office) for the Information Commissioner, as an interested party.