The immigration exemption in Schedule 2 (paragraph 4) of the Data Protection Act 2018 (DPA2018) has always been controversial; it is subject to a judicial review by the High Court, in London, on July 23 & 24.
The controversy arises because an exemption that was not needed by the immigration authorities under the DPA1984, nor under the DPA1998, has nothing to do with crime, tax, any compulsory court order, any mandatory disclosure requirement or national security issue. However, suddenly this exemption became an urgent necessity from May 26, 2018.
Judicial review is a legal challenge to the decision-making process, in this case how the decision to implement the immigration exemption was reached. This blog explores what is known about the decision-making process and explores what is meant by “the general public interest”. As will be seen, “the general public interest” (whatever it means) is a key consideration when a Government legislates for data protection exemptions such as the immigration exemption (and several others in the DPA2018).
In the absence of any convincing explanation for the immigration exemption, many allege that the exemption forms part of the Government’s “hostile environment” immigration policy whose main effect is to deny the rights of vulnerable data subjects seeking refuge in the UK.
Exemptions under the GDPR (Article 23(1))
A.23(1) allows Member States to legislate for a “restriction” (or “exemption” to use DPA2018 speak) from data subject rights and relevant Principles “when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard…” (my emphasis).
A.23(1) then sets out a list of matters that can be safeguarded by a restriction (or exemption). These matters are:
- (a) national security; (b) defence; (c) public security;
- (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security (my emphasis);
- (f) the protection of judicial independence and judicial proceedings;
- (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
- (i) the protection of the data subject or the rights and freedoms of others;
- (j) the enforcement of civil law claims.
Note that the immigration exemption is not explicitly listed in (a) to (j) above, so it falls within the “important objectives of general public interest …. of a Member State” criteria as emphasised in paragraph (e) above.
Also note that all exemptions justified by A.23(1) exist to “safeguard” a special interest from the data subject (e.g. from the right of access or the right to object).
Finally note that A.23(1)(e) provides for a non-exhaustive list of exemptions if they comprise “important objectives of general public interest” (whatever that means). As stated previously the exemption has to be a “necessary and proportionate measure” to safeguard a special interest in paragraphs (a) to (j).
Necessary and proportionate measure in a democratic society
First to the requirement that any exemption has to be “a necessary and proportionate measure”, a phrase that resonates with Article 8 of the European Convention on Human Rights (ECHR). As all exemptions in A.23(1) interfere with private and family life, the care the Government takes to determine “necessity” and “proportionality” is likely to be central to a judicial review. Very little is known about this process.
However, there is a statement on each Government Bill when it starts the legislative process to become an Act. Under the heading “European Convention on Human Rights”, this statement reads:
“Secretary XXX (XXX=name of Secretary of State) has made the following statement under section 19(1)(a) of the Human Rights Act 1998: In my view the provisions of the YYY (YYY=title of Bill) are compatible with the Convention rights”
However, this statement does not provide details of how Government arrived to its conclusion of compatibility; it is merely an assertion of compatibility. Any member of the public trying to obtain detailed information about the decision-making process (e.g. the legal advice substantiating that an exemption is compatible with Article 8 of the ECHR) will probably find the requested information is exempt (e.g. via Section 42 of FOIA).
Obviously, Parliament can debate and ask for justifications with respect to any “necessary and proportionate measure” or probe why or how “the general public interest” arises in an exemption.
However, these activities are to facilitate Parliament’s role in scrutinising a decision; it does not relate the consideration of how the Government arrived at its decision (which of course is the subject matter of the judicial review).
The “interests of the state” and the “general public interest”
Now to the phrase “in the general public interest” and what it means. I do so by reference to the Judge’s summing up in the prosecution of Clive Ponting in early 1985 (see references). Ponting was a Civil Servant who leaked classified information to Tam Dalyell MP about the location of the General Belgrano, a World War II Argentinian Cruiser; the ship was torpedoed with the loss of 323 lives at the start of the Falklands War in May 1982.
In explaining its military action, the Government informed Parliament that the Belgrano was sunk because its location was a threat to the Task Force; the leaks showed otherwise. Ponting was identified as the leaker and prosecuted under the Official Secrets Act 1911; he ran a “public interest” defence.
The Official Secrets Act 1911 does not have a “public interest” defence but it does use the phrase “in the interest of the State” to define the offence. The Judge, in his summing up, equated (as a matter of law) the phrase “in the interest of the State” with “the policies of the State” and thence (alarmingly) to “the policies of the Government then in power”.
It is my concern that “the general public interest” in A.23(1)(e) may follow a similar logical path and be equated to “the policy interests of the Government of the day”. The argument that supports this conclusion is as follows: “the general public interest” is identified by the support a particular political party gains when it wins a General Election. It is in the “general public interest” for the winning political party with a democratic majority mandate to be able implement its policies when in government.
So, if government policy is for a “hostile environment” for immigrants (a policy which has been well documented from 2012), it follows that this policy is in the “general public interest”.
Indeed, this policy was placed before the electorate at the last General Election. The Conservative Party Manifesto 2017 outlines a policy whereby asylum claims of those who reach UK shore (i.e. data subjects in the UK) are treated differently from those claims of data subjects not in the UK. The 2017 Manifesto stated:
“….the government will offer asylum and refuge to people in parts of the world affected by conflict and oppression, rather than to those who have made it to Britain. We will work to reduce asylum claims made in Britain…” (my emphasis; page 40)
The Government was elected in 2017. Therefore, if the processing of personal data requires an immigration exemption from data subject rights to achieve a manifesto policy objective, then such an exemption would be in “the general public interest” - so the argument goes.
Exemptions under the GDPR (Article 23(2))
A.23(2) provides legislative safeguards for data subjects with respect to each exemption. It requires that any legislative measure relating to an exemption (or restriction) “shall contain specific provisions at least, where relevant, as to:
- (a) the purposes of the processing or categories of processing;
- (b) the categories of personal data;
- (c) the scope of the restrictions introduced;
- (d) the safeguards to prevent abuse or unlawful access or transfer;
- (e) the specification of the controller or categories of controllers;
- (f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
- (g) the risks to the rights and freedoms of data subjects; and
- (h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction”.
There are 34 pages of exemptions in the DPA2018 (Schedules 2 to 4); there is no explicit legislative description of any “specific provisions” as required by A.23(2) in the context of any exemption. Hence one can conclude that the government has considered that the “where relevant” emphasised above, extends to every exemption and that it is not relevant to implement the provision.
The fact that there are no explicit “specific provisions” limiting the reach of each exemption (nor document in the public domain that explains such limitations) thus places more importance on the processes within government that conclude “the general public interest” is served by having an exemption.
However, having said that, there are cases where “the specific provisions” are not relevant as they are met implicitly by their absence. For example, the “safeguards to prevent abuse” could be the fact that the processing would be subject to independent regulation by the ICO who is tasked with safeguarding data subjects from abuse. The “categories of personal data” safeguard in A.23(2)(b) arises because the Data Minimisation Principle applies to the processing; for instance, any personal data disclosed to the immigration authorities have to be relevant to the (immigration) purpose.
However, the point being made is that the obligation in A.23(2) suggests that each exemption has to “contain specific provisions” that limits the scope of that exemption. This is not the same as having exemptions that do not “contain specific provisions” where the absence of a provision limits the scope of an exemption.
At the very least, one would have expected the Government to explicitly describe how the protections in A.23(2) have been implemented to reassure the public that each exemption is limited, necessary and proportionate. This has not happened.
Consideration of “the general public interest” without “the general public”
Further evidence that the “general public interest” has been assumed to be “the policy interests of the Government of the day” arises because no attempt has been made, concerning the immigration exemption, to assess what the general public view is of the "general public interest".
Indeed, the Government informed the general public that an immigration exemption was not being considered. For instance:
- In the Government’s factsheet on the Data Protection Bill (March 2018) there are statements that the DPBill is to “preserve existing tailored exemptions that have worked well in the Data Protection Act, carrying them over to the new law” and is to “provide appropriate restrictions to rights to access and delete data to allow certain processing currently undertaken to continue where there is a strong public policy justification…”. The highlighted words do not relate to the immigration exemption as it is not “existing” or comprises “processing currently undertaken”.
- In the document “Call for views on the General Data Protection Regulation derogations” (April 2017), the document states “The scope of Article 23 effectively continues similar restrictions that exist under the Current Directive and which were used in the Data Protection Act 1998 (DPA) to shape appropriate exemptions from the requirements of the DPA where that was permissible”. There again, the use of the words continues similar restrictions relates mainly to processing under the DPA1998; it does not directly relate to the new immigration exemption in the DPA2018 (which is not "similar" at all).
- In “New Data Protection Bill: Our planned reforms” (August 2017), border control/immigration is only mentioned in the context of the Law Enforcement parts of the DPA2018. There is no mention of the need for an immigration/border control exemption in the context of the GDPR (e.g. a controller disclosing to Immigration authorities);
Finally, I suspect the Department for Work and Pensions response to the “Call for views..” consultation exercise (April 2017) lets the cat out of the bag. It states that “We have already shared our thoughts on Article 23 directly” (with DCMS); this suggests that Government Departments had a back-channel (or a separate consultation?) which was different to the public consultation.
Government departments are separate, very large controllers with vested interests; so is a back-channel approach a proper way of holding a consultation on a law that effects all data subjects, controllers and processors? What is the point of a public consultation process if there is a wholly private route for rather special controllers to promote their specific processing needs (e.g. an exemption for administrative convenience)?
Concluding comments
The judicial review will hopefully answer some important questions.
- Can exemptions supporting immigration policy be assumed to be in the “general public interest” merely because the Government is elected?
- Should the determination of whether the immigration exemption is in the “general public interest” need some kind of interaction with the general public?
- How can one measure general public interest over the immigration exemption if the general public is excluded from the official consultations concerning this exemption?
- Does the “general public interest” as far as the Government is concerned equate to the “the interests of the government of the day”?
If the judicial review returns an answer of “yes” to any of the above then I would argue that the protection afforded to data subjects by the DPA2018 is much reduced from the DPA1998. This is because exemptions can be introduced, dependent on what the Government of the day is, or what its policy is.
Scary thought: I wonder what exemptions are needed to meet the policy objectives of some of today’s politicians who are on the extremes of right and left?
References
The Ponting summing up (see page 3 for “interests of the State” etc) on: https://www.documentcloud.org/documents/1386622-ponting-summing-up-as-sent-by-lslo-to-pm.html
Further background to the immigration exemption on: https://amberhawk.typepad.com/amberhawk/2017/10/dp-bills-new-immigration-exemption-can-put-eu-citizens-seeking-a-right-to-remain-at-considerable-dis.html
Government’s factsheet on the Data Protection Bill (March 2018) on: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/685647/2018-03-05_Factsheet01_Bill_overview.pdf
Call for views on the General Data Protection Regulation derogations (April 2017) is one of the documents on: https://www.gov.uk/government/consultations/general-data-protection-regulation-call-for-views
DWP response quoted in the blog is part of another document on the URL immediately above.
New Data Protection Bill: Our planned reform (August 2017) on: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/635900/2017-08-07_DP_Bill_-_Statement_of_Intent.pdf
Upcoming Data Protection qualification courses (July-Sept)
- BCS Data Protection Practitioner, (6 days; London, starts July 16).
- BCS Data Protection Practitioner Upgrade/Conversion (2 days; London, July 23 & 24).
- BCS Data Protection Foundation (3 days; London, starts September 2-4)
Details on www.amberhawk.com or by emailing [email protected]