I beg to move,
That the Committee has considered the draft Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022.
As always, it is a pleasure to serve under your chairmanship, Ms Elliott.
Paragraph 4 of schedule 2 to the Data Protection Act 2018 outlines specific rights under the UK general data protection regulation, or UKGDPR, that can be restricted if they would likely prejudice either the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective immigration control. That is known in shorthand as the immigration exemption.
The regulations amend the immigration exemption following the judgment handed down in the case of the Open Rights Group (and another) and the Secretary of State for the Home Department. In this case, the Court of Appeal held while there was nothing in principle unlawful about having an exemption for the purposes of maintaining effective immigration control, the legislation itself did not fully reflect the safeguards required by article 23.2 of the UKGDPR. As a result, the Home Office made a commitment to amend the immigration exemption, setting out additional safeguards, where further safeguards were considered relevant. The deadline for bringing those changes into force is 31 January 2022.
As part of the process of preparing the draft regulations, the Department has consulted with the parties to the litigation and with the Information Commissioner’s Office and has considered carefully their observations and comments, making amendments to the draft as appropriate. It may be helpful if I provide some brief details about the new safeguards.
The right of the data subject to be informed of the immigration exemption’s use, save in certain circumstances, is now on the face of the legislation, once again proving our commitment to be as open and transparent as we are able. We have also put in place an immigration exemption policy document explaining how the immigration exemption must be operationally applied and the circumstances in which data rights might be exempted. The IEPD has been published and we will, of course, keep it under review.
Publication will also give stakeholders the opportunity to offer their views on the IEPD, and where it can be improved, we will act to make it so. We are committed to addressing legitimate concerns, promoting high standards in the application of the immigration exemption, and protecting individuals’ personal data. We believe the IEPD builds on the rights and safeguards already enshrined in legislation and adds to the existing guidance the Home Office has published, and the Information Commissioner’s Office has published. As we said in court, we follow the ICO guidance and welcome the comments it will likely wish to make, and have already made, on the document.
To be clear, we are also specifically limiting use of the immigration exemption to the Secretary of State. We wanted to put beyond doubt that the immigration exemption may not be used by so-called ‘rogue landlords’ to restrict a person’s rights, a point specifically raised in court and by other parties.
I want to be clear that by laying the regulations, we are not seeking to remove anyone’s rights but to add more safeguards to them, and to increase transparency about how the immigration exemption will be used. That builds on the guidance that the ICO has issued, to which we are adhering, and will continue to do so.
I hope that I have given the Committee a good sense of why the regulations will make a positive difference to our law, and I commend them to it.
I appreciate the points raised by hon. Members. As has been said, we have not appealed the Court of Appeal’s judgment. In response to the SNP spokesperson, we felt it better to engage with the issues and seek to resolve some of the concerns. I understand the point about why not address all of the concerns in primary legislation but we felt that given concerns to do with data-processing, primary legislation raises certain issues, whereas published guidance is available, and in fact we have already published in draft and we have received comments. We expect that to be an evolving document. Of course, there would be an issue had we decided to issue private guidance, and questions would be asked about whether we were trying to avoid scrutiny.
We expect the published guidance to balance the need to give individuals access to information where appropriate and, for the sake of argument, not requiring the need to inform someone that we are taking immigration enforcement action or the details on what intelligence we may or may not have on activities, particularly on those who may be involved in potential criminal activity. Although we recognise that there is a crime exemption, we believe that there are circumstances where we need a specific immigration exemption as well, rather than try to extend the criminal exemption to cover immigration. Hence the action we have taken.
We believe that the regulations meet the objectives that were set out in the judgment. We appreciate that there will always be those who take a different view, and there will always be opportunity for oversight from the ICO and judicial oversight. We cannot change the regulations at will if that then undermined the purpose of the core legislation. We believe the regulations represent a positive step forward that will resolve the core concerns. In particular, it is made very clear that their use is restricted to the Secretary of State, given that the purpose is to maintain effective immigration control, not to give an excuse to third parties to try to withhold data that should be released. That core point has been raised by many, but we should be clear that the exercise of the power lies with the Home Secretary in terms of defence of the immigration system, and not with a landlord or agent who may seek to argue the exemption when required to declare information.
We believe that the regulations are the appropriate step forward. We recognise that we are responding to a court judgment, but we did not seek to appeal the matter to the Supreme Court because we thought that the points made in the judgment were reasonable and ones that we could accept. I repeat that the document will be an evolving one.
A very brief one, indeed. Is my hon. Friend confident then that there will not be another appeal? My hon. Friend would then be back here again coming up with another amendment. Does the SI actually meet the requirements of the court and the judgment?
We believe that it does. I can never guarantee that someone will not take legal action against the Home Office. The campaigners won and it would have been the Home Office that would look to appeal to the Supreme Court. As the hon. Member for Paisley and Renfrewshire South noted, we decided not to appeal but to engage with the judgment and introduce additional safeguards instead. The principle of having this type of legislative exemption was deemed to be perfectly rational, but it was felt that there was a need to be clearer and to have certain published safeguards on its use.
Given some of the data-sharing arrangements with the European Union on adequacy arrangements and the carve up it applied, we have engaged with the European Commission, and we are confident about our policy. Can I guarantee that no one will launch a legal challenge against the Home Office in future? No. We live in a country where people are able to do that. I have set out the purpose of the regulations, however, and the need for them. As I said, this is not about taking away anyone’s rights or weakening any protections on data access, rather the regulations are designed to strengthen those protections and to produce a living document that can respond to emerging issues and trends, and can be amended where appropriate.
Question put and agreed to.