In March 2023 a High Court judge declared that the immigration exemption written into Schedule 2 of the Data Protection Act 2018 (the Exemption) is incompatible with retained EU law and does not satisfy the requirements of Article 23 of the UK General Data Protection Regulation (UK GDPR). This is the second time that this derogation has been challenged in the Courts.
What is the Immigration Exemption?
The Exemption allows for the restriction of certain data subject rights so the Home Office can maintain the integrity of UK Immigration controls. For instance, when an individual makes a subject access request to the Home Office requesting the personal data the Department holds on them, under certain conditions the Home Office can use the Exemption to withhold the personal data they hold from that individual.
The Exemption can be used if there are any grounds to believe that the release of the information requested would be likely to prejudice the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective immigration control. An example may be that the Home Office receives a subject access request from an individual who is suspected of having committed an immigration offence and the disclosure of the data would be likely to prejudice the Home Office’s ability to plan any enforcement action, prejudice the effective operation of immigration control or reveal any system sensitivities. In these instances, the Home Office can restrict a data subject’s rights under the GDPR. But the Exemption goes beyond subject access requests. It may also apply where the Home Office receives information from another department and would ordinarily have to notify the data subject under Article 14 of the UK GDPR, which provides that the data subject should be given certain details when data is obtained from someone other than the data subject. Put simply, when the Exemption applies, if the Home Office receives data from another party or department and that data may prejudice immigration controls, then the Home Office does not need to inform the data subject that their personal data has been shared.
In August 2018, the Exemption was challenged and underwent judicial review. The claim was brought jointly by the Open Rights Group, a digital rights organisation that aims to promote and uphold privacy and data protection, and the3million, a grassroots organisation of EU citizens who reside in the UK. In their claim, these groups argued that the Immigration Exemption was unlawful and incompatible with the General Data Protection Regulation (2016/679/EU) and/or with the Charter of Fundamental Rights of the EU.
The claim was brought after it was revealed that the Home Office invoked the Exemption in 60% of the data subject access requests it received in the first year of the DPA’s operation. The High Court initially upheld the Exemption and found that it was compatible with the UK GDPR. The claimants appealed, and the Court of Appeal allowed their appeal on the basis that the Exemption does not comply with the criteria for exemptions to data subjects’ rights set out in Article 23 of the UK GDPR, which enables the Secretary of State to create exemptions to the principles in Article 5. One of the requirements under Article 23 is that the exemption should be fulfilled by a binding legislative measure. Other provisions are required regarding the purposes of the processing or categories of processing, personal data categories, the scope of the restrictions, safeguards, risks, controllers and the right of data subjects to be informed about the restriction unless that may be prejudicial to the purpose of the restriction. Not only do these provisions need to be included but some tests also must be satisfied under Article 23(2) UK GDPR. These tests require that the measure restricting rights must be made by way of legislation, be clear and precise, legally binding under domestic law, accessible, foreseeable and provide substantive and procedural conditions in respect of the relevant processing.
The Court of Appeal ruled the Exemption was indeed unlawful as there was no legislative measure with the provisions necessary under Article 23(2) and in the absence of this measure the Exemption was incompatible with the UK GDPR. The Court of Appeal also instructed the Government to amend the Exemption.
The Attempt to Correct
The amended Exemption came into force on the 31st of January 2022. The amendments introduced new qualifications that limited the scope of the Exemption by introducing the immigration exemption policy document (IEPD). Now, the Exemption may only apply if an IEPD is in place, updated and kept under review in a way that the Secretary of State sees fit. The IEPD explains the policies and processes for determining the extent to which GDPR provisions that are affected by the Exemption would be likely to prejudice the immigration purposes defined in the 2018 Act. The Secretary of State is obliged to keep a record of that determination and the reasons behind it and inform the data subjects of that determination.
Prior to implementing the amendments, the Government consulted with the groups that brought the claim and the ICO. These groups advised the Government that the changes, namely the IEPD, did not address the unlawfulness that was found by the Court of Appeal and did not comply with the requirements of Article 23(2) UK GDPR. Nevertheless, the Government proceeded with the implementation.
The same claimants, the3million and the Open Rights Group, applied for another judicial review on two grounds, arguing that the amendments still did not meet the requirements of being a legislative measure and that the amendments omitted necessary substantive and procedural safeguards. The ICO was an interested party in the claim but did not support every complaint by the claimants. The ICO supported the claimants’ challenges to the Exemption under Article 23(2)(d) and 23(2)(g). Essentially, the claimants argued that the Government delegated the requirements under Article 23(2) UK GDPR to the IEPD, but the IEPD was still not a legislative measure.
High Court Judgement
In this second challenge presented to the Court, Mr Justice Saini noted that the IEPD was clearly not a legislative measure. The limited status of the IEPD had to be analysed under Article 23(2) UK GDPR, as its limitations then meant that the amendments to the Exemption did not go far enough. For instance, Saini J accepted the complaint that the IEPD does not fulfil the requirement under Article 23(2)(d) as a safeguard to prevent abuse or unlawful access or transfer. Saini J agreed with the Claimants, who had the support of the ICO on this complaint, that the approach of the IEPD is insufficient as it is not subject to Parliamentary approval and in the IEPD itself the Secretary of State is only required to have regard to their own policies and processes. Saini J stated that this “is a “soft” obligation in public law terms.” The requirements of the UK GDPR and DPA 2018 are not met by outsourcing the safeguards to the IEPD, as it is not a legislative measure or a binding code that has been approved by Parliament.
Saini J denied a few of the other claimants’ arguments but accepted their general challenge that the updated Exemption did not meet the requirements of necessity and proportionality. The Exemption did not outline any minimum requirements regarding the extent of the prejudice that could allow for the non-application of the relevant fundamental rights. Namely, the claimants argued that the amendment requires the Secretary of State to determine the extent of the prejudice on a case-by-case basis, but the legislation still contains no express requirement for any balancing test to be carried out as between an individual’s rights and claimed prejudice to the purposes on a case-by-case basis. The Exemption may apply where the personal data “would be likely to prejudice” immigration systems or investigation, giving the Secretary of State wide discretion when choosing to implement the Exemption. The absence of a legislation-based balancing test could lead to poor decision making and injustice.
The claimants argued that even when the identified prejudice is negligible the Immigration Exemption can still apply and thereby fails to be necessary and proportionate. Saini J noted that the IEPD does refer to the need to consider proportionality and whether the rights “of the individual override the prejudice to immigration control.” Saini J agreed with the claimants as “contracting out the job of complying with Article 23(2) to the IEPD rather than doing it through the legislation is not lawful.” Saini J found that the obligation needs to be identified with legislative force in the regulations themselves and opined that this would be a straightforward task to carry out. This complaint, the second ground of challenge brought forth by the claimants, was not supported by the Information Commissioner’s Office.
Saini J also accepted several of the other claimants’ arguments. He agreed that no provision considered the risks to the rights and freedoms of the data subject, required under Article 23(2)(g) UK GDPR. Saini J concluded that the claimants succeeded on both grounds of appeal. Saini J concluded that a policy such as the IEPD will not fulfil the requirements of the relevant provisions of Article 23(2) UK GDPR. It must be set out in legislation or a code that is endorsed by Parliament and have binding legal effect in domestic law. Ultimately, for the second time, the Exemption was found to be unlawful.
It is clear that the Exemption is unlawful under the UK GDPR; this has been decided not only once but twice. After the first challenge, the Government was instructed to amend the Exemption, and in the course of doing so consulted the Open Rights Group, the3million and the ICO.
However, even though the Government was advised by these groups that the amended Exemption and IEPD were not enough to satisfy Article 23(2) of the UK GDPR, it continued with implementing the amendments, only for the Exemption to be found unlawful again. It is now up to the Government to ensure that the Home Office and any other companies that are to enforce immigration control comply with the UK GDPR.
When considering the use of the Exemption, the immigration system must be fair and transparent. Immigration is life-altering for every individual that enters the system. It often involves highly vulnerable people, and they are entitled to have their fundamental rights safeguarded under the GDPR, just as any other citizen. As a result of the Exemption, a person may not be allowed to see the data on which their immigration decision was based. Simply, this is contrary to core data protection principles and fundamental human rights and, ultimately, unjust. Immigration is a polarising issue in the political arena, but it appears encouraging to see that the Courts are holding the Government accountable to protect the rights of those in the immigration system according to the GDPR.
 R v Secretary of State for the Home Department  EWHC 713
 Open Rights Group & Anor, R (On the Application Of) v Secretary of State for the Home Department & Anor  EWHC 2562 (Admin)
 Open Rights Group & Anor, R (On the Application Of) v Secretary of State for the Home Department & Anor  EWCA Civ 1573
 para 64,  EWHC 713
 para 52,  EWHC 713
 para 57,  EWHC 713