Briefing to the Statutory Instruments (Joint Committee)
The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022
The above statutory instrument is due to be considered by the Joint Committee. We ask that these submissions be considered by the Committee. We consider that the proposed legislation is not compatible with the UK General Data Protection Regulation (“UK GDPR”) and undermines people’s fundamental data rights.
The draft regulations are HM Government’s response to the Court of Appeal’s judgments in R (Open Rights Group and the 3 Million) v Secretary of State for the Home Department  EWCA Civ 800 and  EWCA Civ 1573. We were the claimants in those proceedings. The case was a claim for judicial review challenging the legality of paragraph 4 of Schedule 2 of the Data Protection Act 2018 (“DPA”), otherwise known as the “Immigration Exemption”. The Immigration Exemption allowed data controllers to bypass and restrict fundamental data rights where compliance was prejudicial to the maintenance of effective immigration control.
The court found that the Immigration Exemption contained inadequate safeguards to protect individual data subject rights and was therefore incompatible with the UK GDPR. It found that any derogation from fundamental rights could only be by way of legislative measures and such measures must be compliant with the framework set out in article 23(2) of the UK GDPR. The court found that the Immigration Exemption was unlawful, noting that “The Exemption itself contains nothing, specific or otherwise, about any of the matters listed in Article 23(2)” (paragraph 53 [2021 EWCA Civ 800]).
The Government has accepted the Court of Appeal’s analysis. It has not sought to appeal to the Supreme Court.
The Court of Appeal suspended the effect of its declaration until 31 January 2022 to afford the Government an opportunity to remedy the unlawfulness via legislation. Unfortunately, the proposed Regulations do not address the unlawful conduct identified by the Court of Appeal in the judgments.
GDPR Recital (41) makes clear that a “legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the ‘Court of Justice’) and the European Court of Human Rights.” In its first judgment, the Court of Appeal held at §35: “There is a degree of flexibility in the concept. It evidently need not be primary legislation, but clearly it must be something that qualifies as “legislative” in some sense. And whatever it is, it must be clear, precise and its application must be foreseeable. Those would seem to be requirements of the “legal certainty” mentioned in Recital (7). We are directed by Recital (41) to look to the case-law for the content of these requirements.”
The case law stipulates that any legislative measure must have the characteristics of accessibility and foreseeability and must provide adequate protection against arbitrary interference. It must be clear and precise, legally binding under domestic law, and must lay down the substantive and procedural conditions (including safeguards) in respect of the relevant processing. We refer you to the Court of Justice’s decisions in Tele 2 Sverige EU:C:2016:970 and HK v Prokuratuur EU:C:2021:152, as well as to the Advocate General’s Opinion in Tele2 Sverige EU:C:2016:572.
We consider that the draft statutory instrument does not meet these requirements. The basic problem is simple to identify. The Court of Appeal decided that Article 23(2) of the UK GDPR required additional safeguards. The draft Regulations do not contain those safeguards.
At paragraphs 53 and 54 of the first judgment, Lord Justice Warby expresses his provisional view that the legislative measure in question should be ‘part and parcel’ of the legislation that creates the derogation. The proposed regulations do nothing to expand the safeguards applying to the existing exemption; it retains its imprecise and unclear wording. No changes have been made to adopt the above observations of the court.
The draft legislation instead makes reference to guidance (draft immigration exemption policy document) that is removed from the legislation, and which cannot be said to be ‘part and parcel’ of the legislation. Such guidance has no force in law and can be changed with ease and no scrutiny. Nor has the guidance been approved by Parliament. It does not have, for example, the status of a Code of Practice that is approved by Parliament. This undermines the principles set out for legislative measures to be clear, precise and foreseeable.
The draft policy document itself is wholly inadequate. It does not impose any additional safeguards beyond those already imposed by the general law or those already in place in respect of Home Office data. It is also internally inconsistent in that under Heading 7 at the top of page 8 it correctly refers to the application of any exemption having to be ‘strictly necessary’, but then under Heading 9 on page 9 it is referred to as having to be only ‘necessary’. The Guidance does not therefore satisfy the requirements of the judgment of the Court of Appeal.
In light of the above, we invite you the Committee to draw Parliament’s attention to these draft Regulations, note that they are of doubtful vires, note the special context that they are passed to implement a judgment of the Court of Appeal, note that they do not appear to implement the requirements of the judgment and invite Parliament to debate and consider whether to reject them.
Open Rights Group Dated: 6 January 2022