Thursday, May 27, 2021

Court of Appeal Declare Data Protection Act Immigration Exemption Unlawful

On Wednesday, 26 May, 2021, the UK Court of Appeal issued a decision in The Open Rights Group & Anor, R (On the Application Of) v The Secretary of State for the Home Department & Anor [2021] EWCA Civ 800 declaring the unconscionable immigration exemption in the 2018 Data Protection Act (Paragraph 4 of Part 1, Schedule 2) unlawful.

The case was brought by the Open Rights Group and the3million and supported by the ICO.

The result brought some cheer to a week in which the European Court of Human Rights effectively accepted, in the case of Big Brother Watch & others v UK, that mass surveillance was compatible with the European Convention on Human Rights. The thin edge of a substantial fundamental rights offending wedge. The sole exception, among the 18 judges was Portuguese justice, Paulo Pinto de Albuquerque who, in concluding his dissenting judgment, said:

59. This judgment fundamentally alters the existing balance in Europe between the right to respect for private life and public security interests, in that it admits non-targeted surveillance of the content of electronic communications and related communications data, and even worse, the exchange of data with third countries which do not have comparable protection to that of the Council of Europe States. This conclusion is all the more justified in view of the CJEU’s peremptory rejection of access on a generalised basis to the content of electronic communications , its manifest reluctance regarding general and indiscriminate retention of traffic and location data and its limitation of exchanges of data with foreign intelligence services which do not ensure a level of protection essentially equivalent to that guaranteed by the Charter of Fundamental Rights . On all these three counts, the Strasbourg Court lags behind the Luxembourg Court, which remains the lighthouse for privacy rights in Europe. 

60. For good or ill, and I believe for ill more than for good, with the present judgment the Strasbourg Court has just opened the gates for an electronic “Big Brother” in Europe. If this is the new normal that my learned colleagues in the majority want for Europe, I cannot join them, and this I say with a disenchanted heart, with the same consternation as that exuding from Gregorio Allegri’s Miserere mei, Deus."

I hope to get round to a more detailed assessment of the Big Brother Watch case another time but having been partly consoled by the thought that at least the immigration exemption was toast, a close reading of the Court of Appeal decision led to the unfortunate conclusion that it is still very much alive and kicking.

The short version of the story is that Lord Justices Warby, Singh and Underhill have indeed declared the immigration exemption unlawful but only on a technicality. Essentially the government didn't get all their legislative ducks in a row when passing the law and didn't follow the UK GDPR rules on how to implement a contemptible measure like this. The immigration exemption itself was not thrown out on principle. 

Basically, if the UK government want to implement something like the immigration exemption circumventing data protection rights, they have to do so according to specific GDPR Article 23 rules. They failed to follow the rules, so the exemption is unlawful. 

"29. The argument has been wide-ranging but I would suggest that, if my Lords agree, this appeal can and should be decided on the following short and straightforward basis. There presently exists no legislative measure that contains specific provisions in accordance with the mandatory requirements of Article 23(2) of the GDPR. In the absence of any such measure, the Immigration Exemption is an unauthorised derogation from the fundamental rights conferred by the GDPR, and therefore incompatible with the Regulation. For that reason, it is unlawful. The appeal succeeds on this aspect of Ground 2, and it is unnecessary to reach conclusions on the other issues raised."

For the Brexiters, btw, shouting we are no longer in the EU, the GDPR is indeed directly applicable in EU member states only and applied from 25 May 2018. The UK has exited the EU but the UK parliament decided to keep substantially the same law in place in the UK. As the appeal court judges say at paragraph 12,

"(1) Sections 2, 3 and 6 of the European Union (Withdrawal) Act 2018 (“EUWA”) provided for certain aspects of EU law to remain in force, as part of English law, notwithstanding withdrawal. This is known as “retained EU law”. The GDPR, DPA 2018, and relevant CJEU case-law pre-dating IP completion day all fell into this category. 

... 

” The Immigration Exemption is “pre-exit domestic legislation”. 

(3) A statutory instrument of 2019 made amendments to the GDPR and DPA 2018 with effect from IP completion day. 1 As a result the GDPR, as it applies domestically, is now known as “the UK GDPR”. But the UK GDPR has the same legal status today as the GDPR had before IP completion day. Article 23 is now in slightly amended terms, but the amendments are not material. In Article 23(1), references to “the Union” and “Member State” are deleted and the power to restrict is now conferred on the Secretary of State. There is no change to Article 23(2). The Immigration Exemption is unamended."

So, the judges were free to declare the immigration exemption incompatible with article 23 of the GDPR and article 23 of the UK GDPR and to strike it out.

In paragraphs 14 to 18 the judgment is not exactly complementary on Home Office activities in this area, referring to their extensive use of the immigration exemption to deny people access to their data in 10,823 cases, "authoritative reports that cast doubt on the accuracy and reliability of the Home Office decision-making in the arena of immigration and data protection"  and that "it is clear that the Immigration Exemption plays a significant role in practice as a brake on access to personal data".

When dealing with the original judge's decision approving the immigration exemption, the Court says he relied on UK domestic case law to side with the government and say they were not obliged to follow the black letter requirements of GDPR article 23. In other words he felt the technicalities of article 23 were irrelevant in this context.

The appeal court decided he got this wrong. A clear line of judgments from the Court of Justice of the European Union supports the Open Rights Group, the3million and the ICO argument that the government do have to follow the rules of article 23 if they want to ignore data protection rights in connection with immigration cases. In the Digital Rights Ireland (2014), Tele 2 & Watson (2016), EU-Canada PNR (2017), Privacy International and La Quadrature du Net (2018, decided on the same day), the CJEU was "alert to the risk of over-broad derogations from fundamental rights; requires any derogation from fundamental rights to be justified by proof of strict necessity; and does not consider that this, or the requirement of proportionality, can be satisfied unless the appropriate safeguards are built into the legislative measure."

The CJEU was aware that member states would make end runs around fundamental rights when they felt like it and wanted to set up some hurdles to negotiate if that was the aim. And the UK government's argument that we should not worry our little heads about them taking away the rights of people because, like, they can always try another law if they are worried, didn't pass muster with Lord Justice Warby and his two colleagues.

"48. As I have indicated, however, I would prefer to decide this case on a narrower basis. I do not believe Article 23 should be construed as merely requiring the state to provide a general legal framework that contains guarantees of necessity and proportionality, and other safeguards. That might be a legitimate interpretation of Article 23(1), if it stood alone. But our analysis must reflect the fact that when updating and strengthening EU data protection law in the GDPR the legislature chose to depart from the approach to derogation that it had adopted in Article 13 of the Data Protection Directive. It particularised the requirements of Article 23(1), at some length, and in some detail, in Article 23(2). It seems to me that the respondents’ argument fails to explain or account for this and, in the process, leaves Article 23(2) with no significant purpose or function. In one sense, Article 23(2) clearly does provide a checklist. But I do not consider it plausible that Article 23(2) was intended to amount to nothing more than a sort of high level aide-memoire to the state about the kinds of matters it should have in mind when deciding whether to derogate from fundamental rights, in pursuit of one of the specified aims. The checklist is cast in mandatory terms, and calls for “specific” provisions. Sir James’s submission that these “specific provisions” can be found in general principles of human rights or administrative law, or in existing Articles of the GDPR is unconvincing. Article 23(2) itself – on the face of it – requires them to be contained in “any legislative measure referred to in paragraph 1

49. It may be that this wording is not to be read entirely literally; but it is remarkably specific and surely must be given some meaning. At any rate, in my judgment the better view, in the light of the CJEU jurisprudence, is that Article 23(2) requires any derogation to be effected by a “legislative measure” that is tailored to the derogation, legally enforceable, and contains provisions that are specific to the listed topics - to the extent these are relevant to the derogation in question - precise, and produce a reasonably foreseeable outcome. It can, I think, be said that this interpretation follows from the CJEU decision in La Quadrature. As I read that decision, the Court adopted and applied in the context of Article 23 of the GDPR the body of jurisprudence it had built up over the preceding years when dealing with Article 15 of the e-Privacy Directive and the Data Retention Directive. More generally, in this respect the Luxembourg jurisprudence and the language of Article 23(2) seem to me to be broadly if not precisely in step. The CJEU has repeatedly rejected submissions to the effect that domestic legislation should be held to pass muster on the basis that sufficient safeguards could be found elsewhere in the overall legal framework. The language of Article 23(2) seems to me to reflect the lines of reasoning enunciated in Digital Rights Ireland [54] and Tele2 [117-118], and the legislature may properly be considered to have intended an outcome on the same lines. 

50. The essence of the reasoning, as I see it, is that broad legal provisions, such as those that require a measure to be necessary and proportionate in pursuit of a legitimate aim, are insufficient to protect the individual against the risk of unlawful abrogation of fundamental rights. The legal framework will not provide the citizen with sufficient guarantees that any derogation will be strictly necessary and proportionate to the aim in view, unless the legislature has taken the time to direct its attention to the specific impacts which the derogation would have, to consider whether any tailored provisions are required and, if so, to lay them down with precision. This approach will tend to make the scope and operation of a derogation more transparent, improve the quality of decision-making, and facilitate review of its proportionality. To my mind the evidence to date as to the relevant decision-making tends to emphasise the importance of characteristics such as these." 

The good judge also takes comfort to note his conclusions "are consistent with paragraphs 45-46 of the Guidelines 10/2020 on restrictions under Article 23 GDPR published by the European Data Protection Board (“EDPB”)".It is clear that the immigration exemption in the Data Protection Act does not comply with GDPR article 23.

"The Exemption itself contains nothing, specific or otherwise, about any of the matters listed in Article 23(2). Even assuming, without deciding, that it is permissible for the “specific provisions” required by Article 23(2) to be contained in some separate legislative measure, there is no such measure."

What happens next remains to be seen. The Court has declared the immigration exemption unlawful but stopped short of striking it out, declaring the next steps the "subject of separate argument" for another day.

"55. The claim form seeks a declaration that the Immigration Exemption is incompatible with the Charter and the GDPR, and an order that it be disapplied, or alternatively a more limited form of declaration, specifying the conditions under which the Exemption might be lawfully applied. But at the conclusion of the hearing it was common ground that if we were in favour of the appellants the question of what relief should follow our decision would need to be the subject of separate argument...

56. The appropriate remedy in a case of incompatibility is a sensitive matter... Here, I have identified an omission that is, in principle, capable of remedy by measures that amend or supplement the existing provision. In the circumstances, I see merit in the cautious approach of both sides. I would defer a decision on relief, inviting further submissions on that issue in the light of these reasons."

The bottom line is that the reprehensible immigration exemption in the 2018 Data Protection Act is unlawful in its current form but it lives to fight another day. So, with the highest of plaudits due to the Open Rights Group and the3million for pursuing the case (and kudos to the ICO for supporting them), the knowledge that the exemption remains and the government essentially gets a license to reshape it, in a more legally acceptable form, is depressing.

No comments: