Amendments made: 93, in schedule 2, page 135, line 7, at end insert—
( ) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);”
This amendment adds Article 19 of the GDPR (notification obligation regarding rectification or erasure of personal data or restriction of processing) to the list of GDPR provisions that are disapplied by provisions in Part 1 of Schedule 2 to the Bill.
Amendment 94, in schedule 2, page 135, line 19, after “provisions” insert
“and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject)” —
This amendment adds Article 34 of the GDPR (communication of personal data breach to the data subject) to the list of GDPR provisions that are disapplied by paragraph 2(1) of Schedule 2 to the Bill (crime and taxation: general).
I beg to move amendment 156, in schedule 2, page 136, line 30, leave out paragraph 4.
This amendment would remove immigration from the exemptions from the GDPR.
We are trying to provide some careful and considered constraints on the exemptions that the Government are asking for, in particular the exemptions that Ministers seek for the purposes of immigration control.
The Bill has been drafted essentially to enable the Home Office to do two things: win cases and create a hostile environment for those who are here illegally, where it has no capacity to trace and deport individuals. In conducting its work, the Home Office draws on a wide range of private providers, from G4S to Cifas. They have a mixed record, including on data protection. The carve-out that the Government seek for immigration purposes has caused widespread concern. It has drawn concern from the other place, the Information Commissioner and the Joint Committee on Human Rights.
The Minister will try to assure us by saying there are safeguards wrapped around the exemption and that there are limits on the way it can be used, but those limits are drawn so vaguely and broadly that they are not safeguards at all. They have been drafted to apply where matters are likely to prejudice immigration control. Who gets to judge the likelihood of prejudicing immigration control is not terrifically clear. In my Home Office days, we used to call that carte blanche.
Through the powers and exemptions in the Bill, the Home Office seeks to collect data for one purpose and then use it without informed consent. Where the rubber hits the road is that, crucially, the effect will be to ensure that subject access requests are basically put beyond the scope of someone seeking information that they might be able to use either in representations that we all might make to Ministers or, more importantly, in an immigration tribunal.
I want to sound a warning note to the Minister, as I hinted on Second Reading. I was brought into the Home Office as a Minister in 2006 and, after a glorious fortnight as Minister for Police and Counter-terrorism, I was moved by my boss John Reid to become Immigration Minister, where I was asked to conduct the biggest shake-up of our immigration system for 40 years.
I created the UK Border Agency; I took UK visas out of the Foreign Office; I took Customs out of the Treasury. We created a Border Agency that could run a biometric visa programme abroad, checking fingerprints against police national computers before anyone got on a train, plane or boat to our country. We introduced much stronger controls at the border, increasing those nice new blue signs, creating smart uniforms for immigration officials, and we increased immigration policing by around £100 million a year
I said earlier that to err is human but it takes a computer really to foul things up. That is a lesson that I learned with some force during my time at the Home Office. The dedicated, fantastic officials in the Home Office and the extraordinary officers who work in what was the UK Border Agency—it has since been revised a couple of times—do an amazing job. They are dramatically underfunded by the Treasury. They have been underfunded by the Treasury under this Government and, in my view, we did not get enough out of the Treasury in my day.
However, they are human and make mistakes. That is why we have such a complicated immigration tribunal system, where people can take their complaints to a first tier tribunal but very often need to seek a judicial review down the line. The challenge is that, if the Home Office wants to create a process and an administration for making the right decision, which can be defended in a tribunal and in a judicial review case, that process must be robust. When we streamlined the immigration tribunal system, we realised that we had to change, improve and strengthen the way that we took decisions in the Home Office because too many were made in a way that was not JR-proof. We were losing JRs and therefore denying justice to those who brought a legitimate claim against the Crown.
There were occasions when I lost cases because of information that was disclosed to the applicant through a subject access review. SARs are one of the most powerful instruments by which anybody in this country, whether a citizen or someone applying to become a citizen, or applying for a legal right to remain, can acquire information that is crucial to the delivery of justice. Many of us are incredibly sympathetic to the job that the Home Office does. Many of us will want a tougher regime in policing immigration, in particular illegal immigration, but I suspect every member of the Committee is also interested in the good conduct of justice and administrative justice. As someone who served in the Home Office for two years, I had to take some very difficult decisions, including to release subject access request information that I absolutely did not want to go into the public domain. Sometimes it was right to release that information because it helped ensure that justice was done in the courts of this land.
The Minister has some very strong safeguards in the Bill. There are strong safeguards that create exemptions for her where the interest is in crime prevention, such as, for example, illegal immigration. However, the power that the provision seeks, at which we take aim in our amendments, is a step too far and risks the most terrible injustices. It risks the courts being fouled up and our being challenged in all sorts of places, including the European Court of Human Rights in the years to come. It is an unwise provision. If I were a Home Office official, I would have tried it on—I would have tried to get it through my Minister and through the Houses of Parliament, but it is unwise and a step too far. I hope the Minister will accept the amendment and delete the provisions.
I will speak in favour of amendment 156. On Second Reading, I said that I would raise this matter again in Committee and I make no apologies for doing so. We regard this new exemption as extremely concerning. It permits the Government to collect and hold data for the purposes of what they describe as “effective immigration”.
It also concerns me that nowhere in the Bill does there seem to be a legal definition of effective immigration control. I am worried that “effective immigration control” is highly subjective and highly politicised. It exposes individuals, weakens their rights and makes them vulnerable to whatever change in the political tide happens to come along next. This broad-ranging exemption is fundamentally unfair. It is open to abuse and runs contrary to safeguarding basic human rights. I believe that the UK’s proposed immigration exemption goes much further than the scope of restrictions afforded to member states under GDPR, with all the consequences of that, which we discussed in such great detail this morning around adequacy decisions.
The exemption would introduce a new and unprecedented removal of an individual’s data protection rights and it is as unnecessary as it is disproportionate. Under this exemption, the Government will remove any obligation they have under data protection to inform an individual that their data has been transferred to the Home Office for immigration control purposes. That individual would not know if their data was being held or whether they were under investigation. That individual would have no right to know what data was being held by the Home Office or why. They would have no way of checking the accuracy of the information being held and therefore no way of correcting any mistakes in the information, which could then be used by the Home Office to decide whether they could live in this country or not.
The hon. Gentleman makes a powerful case against this particular exemption. He will know as well as me as a constituency Member of Parliament that one of the first things checked when someone comes to seek our advice is whether the Home Office has the correct information on an individual. Nine times out of 10, because of sheer workload, the Home Office just has it wrong. Then the visas and so on can be processed. Am I right in saying that, under this exemption, we would be unable to do that?
The hon. Gentleman is absolutely correct; I was just getting on to the point about the information held by the Home Office. If it cannot be checked and if it is wrong at source, it is wrong at the end of the process. As far as I can see, there are no safeguards against that. He is absolutely correct that one early error in data collection and processing becomes an irrefutable and indisputable fact by the time it reaches the Home Office. The Home Office could then base its case against an individual on that wrong information.
The hon. Gentleman is right—as constituency MPs, there is not one of us, I am sure, who is not painfully aware of wrong information being held not just by the Home Office, but by a whole range of Departments. That makes the exemption fundamentally unfair. This is an issue of basic fairness and there is little wonder it has been so loudly and roundly condemned by civil liberties groups and many in the legal profession. If we go ahead with the schedule as it stands, it fundamentally changes how we can operate and how we can help people who require our assistance.
At the moment, we have subject access requests. As matters stand, the Home Office and the subject or their legal representative have a right to access the same information, on which legal claims and challenges are based. Surely, if both sides do not have access to the same information, the fairness of any legal proceedings is inevitably compromised. Subject access requests are often the only route through which a legal professional can make representations on very complicated issues on behalf of their client. Indeed, for clients who have been victims of domestic abuse and are fleeing an abusive partner, sometimes a subject access request is all that stands between them and a successful application to remain.
This exemption will reduce legal representatives’ ability to best represent their clients and it removes a fundamental tool for holding the Home Office to account when it either gets things wrong or chooses to ignore or misrepresent the facts. The exemption is fundamentally unfair and as unnecessary as it is disproportionate. I urge the Government to reconsider.
I support the amendment tabled by my right hon. and hon. Friends, because there are some harsh realities about this exemption for effective immigration control, including the harsh reality that such an exemption right does not exist under the GDPR. Indeed, it is a new exemption compared with the law that exists today under the Data Protection Act 1998.
This broad, undefined exemption really must be restricted. I declare an interest. My wife is Australian and is here on a spousal visa. I therefore assume that, as a British citizen, I too could be subject to my rights being exempted for the effective control of immigration in order to understand what my wife is up to. I should declare for the record that her staying here in the UK is perfectly legitimate. This is a wide-ranging exemption that could apply to EU citizens, non-EU citizens and, as I say, British citizens who are connected with those who are subject to immigration controls.
This is not just an issue for the Home Office; there is data across various Departments that could be of use to the Home Office for the effective control of immigration. Indeed, we have been waiting for quite some time for the Government to publish the biometric strategy, setting out how they intend to use lots of biometric data across Government Departments. We have been waiting for a couple of years to see how the Government intend to do that.
My understanding is that if all the photographs held on our passports and driving licences were collated, in essence the Government would have the power to have a virtual ID card for the bulk of the adult population in this country. How on earth would that information be used for the effective control of immigration, which would potentially be applied to so many people here in the UK?
This exemption creates a derogation for many rights: the right to information, the right to access, the right to explanation, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, and all the principles set out in article 5 of the GDPR. This is an enormous derogation from rights that our colleagues in Europe think are important. Again, this relates to the risk of failing to seek adequacy in our negotiations with the EU.
I seek not only to support the amendment but to ask the Minister to clarify something. If the Government do not support the amendment, how does the exemption fit within the language of article 23 of the GDPR, which states that it can only exist
“when such a restriction respects the essence of the fundamental rights”— which we have already noticed today are being repealed by this Government—
“and freedoms and is a necessary and proportionate measure in a democratic society”?
My assertion is that this exemption goes too far and, therefore, that the amendment tabled by my right hon. and hon. Friends is perfectly sensible. I look forward to it receiving Government support.
We have already heard three very good speeches in support of the amendment. I will not take too long to support pretty much everything that has been said so far. As a former troublesome immigration lawyer from back in the day—in fact, when the right hon. Member for Birmingham, Hodge Hill was busy making his reforms in the Department—I do not think that I could have lived it down if I had not said a few words in support of the amendment.
We must remember that the context for all this is that we have a Department—the Home Office—where, as the most recent statistics show, half of all immigration decisions that are challenged in a tribunal are overturned, which is a record high. The Home Affairs Committee has recently expressed grave concerns about the poor quality of decision making in far too many areas and the functioning of a hostile environment, for example in the area of bank checks, where there is something like a 10% error rate. We also live in a world where the creeping reach of the Home Office’s information tentacles is almost being seen to put off migrants from accessing necessary public services such as health, creating a public health danger.
To provide a massive and almost unlimited exemption from many of the key protections, as has been described, is not only unjustified but counterproductive, because rather than fixing the fundamental problems with Home Office decision making, it will make them worse by hiding them from view and from scrutiny. The Home Office, not for the first time, is being pretty greedy with the powers that it seeks, because even if we take out the exemption, as this amendment proposes, the Home Office will still have plenty of scope—perhaps too much scope—to do what it wants to do. Recent immigration Acts have created myriad criminal offences in the sphere of immigration law, so the Home Office can already rely on other exemptions within the Bill where necessary. What is absolutely lacking is any explanation of why the exemption is needed. Will the Minister explain what it is about current data protection laws that has unacceptably hindered Home Office operations? I have seen no evidence of that at all.
Another concern is that it is not just the Home Office that will benefit from this exemption but other organisations that are involved in immigration control, such as G4S in its operation of detention centres. There is no justification for that, but there are serious risks, harms and injustices that might be created by the proposed exemption.
As we have heard, subject access requests are regularly a crucial part of representing a migrant caught up in the immigration system. They can be used to establish statuses that have not been communicated or have been lost. They can be used to establish other crucial facts that have not been known to that individual or their representatives. They can, of course, be absolutely crucial in establishing that the Home Office has made errors, as all too many hon. Members will have experienced.
Members of the Committee have been provided with a host of examples by the Law Society, the Bar Council, the Immigration Law Practitioners’ Association and others. Those are real-life examples occurring day in, day out. Quite simply, the failure to allow those individuals access to data protection rights is not only a denial of those rights but a denial of access to justice altogether. This part of the Bill desperately needs reconsideration by the Government.
I do not think anybody on the Committee would disagree with the statement that the staff work incredibly hard. Would it not be a show of solidarity with those staff to give them the resources they require to do the job properly?
I didn’t start it. The point is that, when people talk obliquely about the Home Office, it is people working in the Home Office who have to make these decisions day in, day out and who have to apply the law and do their best. I think we need to bear that in mind when we are talking about the Home Office system and how bad it is.
The provision relating to data processing for the purposes of immigration control in paragraph 4 of schedule 2 has been the subject of much debate. I would like to address some of the misunderstandings that have clearly arisen during the course of the Bill around both the purpose and scope of the provision. I hope I can persuade the Committee that this is a necessary and proportionate measure to protect the integrity of our immigration system.
Very much so. I will take it slowly because it is complicated and I want to ensure that the points raised today have been addressed. First, I was asked who decides the definition of effective immigration control in the schedule. That is an established term of art. It is used, for example, in the Immigration Act 2014. The Freedom of Information Act 2000 uses a similar term, namely
“the operation of the immigration controls”.
In the context of the schedule, we have adopted a wraparound term such as that, rather than set out a detailed list of specific immigration-related functions to which the exemption might be applied. Given the undoubted complexity of immigration legislation, there is a danger that any such list would be incomplete and would need to be regularly reviewed and updated. The term is either the precise term or similar to those already in law, such as in the Freedom of Information Act, which has been law for 18 years.
The hon. Member for Argyll and Bute seems concerned that once the Home Office system has accessed some of this information, it is lost forever and will not be revealed to the person whom it concerns. I will give case examples later, but I reassure him that the way in which we describe this exemption in the Home Office is that it is a pause on two of the data protection principles. Once the pause is lifted, because the end has been achieved—the person has been found or whatever—all those rights kick back in again, and they are able to make requests for the information that the hon. Gentleman set out. We see it as a pause, not as a long-standing and permanent exemption. It is just for the precise circumstances of enabling the immigration system and its protections.
The Under-Secretary of State will know better than anybody that there are very tight time limits over the windows within which people can ask for entry clearance officer reviews or reconsideration, either by an immigration official or, in extremis, by the Minister. How long will the pause last, and can she guarantee the Committee today that the pause will never jeopardise the kick-in of time limits on an appeal or a reconsideration decision?
The reason for the pause is—I will give case studies of this—to enable the immigration system to operate. If someone has gone missing, requests for data will be required to find that person. Once that person is found, and there is no longer a need to apply the exemption, it will be lifted.
That is not an answer to my question. I am asking for a guarantee to the Committee this afternoon that the pause will never jeopardise somebody’s ability to submit a valid request for a reconsideration or an appeal with the information that they need within the time windows set out by Home Office regulations—yes or no.
I am asked whether this will have an impact on someone’s application, either at appeal or reconsideration. Of course, information is obtained so that a person can be brought in. As I say, I will make it clear with case studies, so perhaps I can answer the right hon. Gentleman in more detail when I give such an example, but the purpose of this is generally to find a person. When the need, as set out under the exemption, no longer exists, the rights kick back in again. This relates only to the first two data protection principles under the GDPR. Again, I will go into more detail in a moment, but this is not the permanent exemption from rights as perhaps has been feared by some; it is simply to enable the process to work. Once a person has been brought into the immigration system, all the protections of the immigration system remain.
The circumstances that the Minister describes for using the exemption are much narrower than the way the exemption is actually drawn. It seems to me that if that is the only way in which the Home Office wants to use the exemption, it could frame it in a much narrower way and possibly gain cross-party support.
I will move on to the case studies in a moment, as I have given way several times. First, I will lay out the titles, then I will come on to article 23. Again, our analysis is that the provision fits within one of the exemptions in article 23. That is precisely the reason that we have drawn it in this way.
We very much welcome the enhanced rights and protections for data subjects afforded by the GDPR. The authors of the GDPR accepted that at times those rights need to be qualified in the general public interest, whether to protect national security, the prevention and detection of crime, the economic interests of the country or, in this case, the maintenance of an effective system of immigration control. Accordingly, a number of articles of the GDPR make express provision for such exemptions, including article 23(1)(e), which enables restrictions to be placed on certain rights of data subjects. Given the extension of data subjects’ rights under the GDPR, it is necessary to include in the Bill an explicit targeted but proportionate exemption in the immigration context.
The exemption would apply to the processing of personal data by the Home Office for the purposes of
“the maintenance of effective immigration control, or…the investigation or detection of activities that would undermine the maintenance of effective immigration control”.
It would also apply to other public authorities required or authorised to share information with the Department for either of those specific purposes.
Let me be clear on what paragraph 4 of schedule 2 does not do. It categorically does not set aside the whole of the GDPR for all processing of personal data for all immigration purposes. It makes it clear that the exemption applies only to certain GDPR articles. The articles that the exemption applies to are set out in paragraph 4(2) of schedule 2. They relate to various rights of data subjects provided for in chapter 3 of the GDPR, such as the rights to information and access to personal data, and to two of the data protection principles—namely the first one, which relates to fair and transparent processes, and the purpose limitation, which is the second one.
As I understand it, the derogations that are sought effectively remove the right to information in article 13; the right to information where data is obtained from a third party in article 14; the right of subjects’ access in article 15; the right to erasure in article 17; the right to restriction of processing in article 18; the right to object in article 21(1); the principle of lawful, fair and transparent processing in article 5; the principle of purpose limitation in article 5(1)(b); and the data protection principles in article 5 of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability to the extent that they correspond to the rights above. That is a pretty broad set of rights to be cast out.
Those are not the data protection principles. If one continues to read on to paragraph 4(2)(b) of schedule 2, it sets out the two data protection principles that I have just highlighted. The provisions set out in sub-paragraph (2)(a) relate to the data protection principles of fair and transparent processing and the purpose limitation. As I say, this is not a permanent removal. This is, as we describe it, a pause. There is not a free hand to invoke the permitted exception as a matter of routine.
All of the data protection principles, including those relating to data minimisation, accuracy, storage limitation and integrity and confidentiality, will continue to apply to everyone. So, too, will all the obligations on data controllers and processors, all the safeguards around cross-border transfers, and all the oversight and enforcement powers of the Information Commissioner. The latter is particularly relevant here, as it is open to any data subject affected by the provisions in paragraph 4 of schedule 2 to make a complaint to the Information Commissioner that the commissioner is then under a duty to investigate. Again, I hope that that addresses some of the concerns that the hon. Member for Argyll and Bute raised.
Contrary to the impression that has perhaps been given or understood, paragraph 4 does not give the Home Office a free hand to invoke the permitted exceptions as a matter of routine. The Bill is clear that the exceptions may be applied only to the extent that the application of the rights of data subjects, or the two relevant data protection principles, would be likely to prejudice
“the maintenance of effective immigration control, or…the investigation or detection of activities that would undermine the maintenance of effective immigration control”.
That is an important caveat.
The Minister will know that in paragraph 2(1)(a) we already have a set of exemptions that relate to the prevention or detection of a crime, including, presumably, all of the crimes that fall into the bucket of organising or perpetrating illegal immigration. Despite constant pressing during the debate in the other place and here, we have not yet had a clear answer as to why additional powers and exemptions are needed, over and above the powers expressly granted and agreed in paragraph 2(1)(a).
I am grateful to the right hon. Gentleman for raising that issue, because it allows me to get to the nub of how we approach the immigration system. We do not see the immigration system as some form of criminality or as only being open to the principles of criminal law. He will know that we deal with immigration in both the civil law and criminal law contexts. The exemption he has raised in terms of paragraph 2 of the schedule deals with the criminal law context, but we must also address those instances where the matter is perhaps for civil law.
We know that in the vast majority of immigration cases, people are dealt with through immigration tribunals or through civil law. They are not dealt with through criminal law. That is the point; we must please keep open the ability to deal with people through the civil law system, rather than rushing immediately to criminalise them. If, for example, they have overstayed, sometimes it is appropriate for the criminal law to become involved, but a great number of times it is for the civil law to be applied to deal with that person’s case either by way of civil penalty or by finding an arrangement whereby they can be given discretion to leave or the right to remain. We have the exemption in paragraph 4 so that we do not just focus on the criminal aspects that there may be in some immigration cases. We must ensure that we also focus on the much wider and much more widely used civil law context.
It is important to recognise that the exemptions will not and cannot be targeted at whole classes of vulnerable individuals, be they victims of domestic abuse or human trafficking, undocumented children or asylum seekers. The enhanced data rights afforded by the GDPR will benefit all those who are here lawfully in the United Kingdom, including EU citizens. The relevant rights will be restricted only on a case-by-case basis where there is evidence that the prejudice I have mentioned is likely to occur.
The Minister specifically mentioned EU citizens. There have been concerns that the exemption will impact those EU nationals who are already here and who, as we have already heard, are contributing hugely to the UK. Can she assure us that the exemption is not targeted at them?
Absolutely. The exemption will not be enacted on the basis of nationality. It is enacted on a case-by-case basis to uphold the integrity of the immigration system. There will be no question of EU nationals being in any way targeted by it. Indeed, we know the great effect that EU nationals and other people from other countries have had in this country, and we certainly would not be looking to target them on the basis of nationality.
Is it not right to say that EU citizens will be part of the immigration system? They will be immigrants with immigration rights as part of the Brexit process. These rules could therefore apply to them, could they not? Secondly—
I will answer the first one—yes. The hon. Gentleman asked whether EU citizens would be targeted. Once we leave the European Union, we will have our own immigration policy. There will clearly be no distinction between EU and non-EU, because everyone will be outside of the UK, if I may put it that way, very inelegantly.
But they would still be subject to the right to exempt them from their data protection rights. I welcome the Minister’s comments on the time-limited nature of the intention of using the rules, but can she point me to the section of the Bill that defines that time limit, because I am struggling to find it?
If I may, I will come back to that point in a moment. In the case of subject access requests, each request would need to be considered on its own merits. For example, we could not limit the information given to visa applicants on how their personal data would be processed as part of that application. Rather, the restrictions would be applied only where there was a real likelihood of prejudice to immigration controls as a result of disclosing the information concerned.
It is equally important to shed light on another concern that has been voiced. Some of the briefing that has been circulated suggests that the Bill creates new information sharing gateways. That is simply not the case. As I have indicated, schedule 2 sets out certain exceptions from GDPR. It does not of itself create new powers to share data between data controllers. However, where personal data is shared between controllers for the limited immigration purposes specified in paragraph 4, it means that the data subject does not need to be notified, if to do so would be prejudicial to the maintenance of effective immigration control.
It may assist the Committee if I explain the kind of information that it may be necessary to withhold from data subjects. The classes of information that the Home Office may wish to withhold include a description of the data held, our data sources, the purposes for which that data is being processed, and the details of the recipients to whom the data has been disclosed. There will be circumstances in which the disclosure to a data subject of such information could afford him or her the opportunity to circumvent our immigration controls. A couple of examples will serve to illustrate where the disclosure of such information may have precisely that adverse effect.
In the case of a suspected overstayer, if we had to disclose, in response to a subject access request, what we are doing to track their whereabouts with a view to effecting administrative removal—that is the difference from the paragraph 2 point that the right hon. Member for Birmingham, Hodge Hill highlighted—evidently, that would tip them off, and thus undermine such enforcement action.
If someone has overstayed, they have committed a crime. Therefore, paragraph 2(1)(a) absolutely bites. We are seeking to prevent that crime. Someone who has overstayed their visa has committed a crime. It is kind of as simple as that.
In that scenario, we may well effect their removal administratively. It does not mean that it is going through the criminal courts.
By way of a second example, take a case where the Home Office is considering an application for an extension of leave to remain in the UK. It may be that we have evidence that the applicant has provided false information to support his or her claim. In such cases, we may need to contact third parties to substantiate the veracity of the information provided in support of the application. If we are then obliged to inform the claimant that we are taking such steps, they may abscond and evade detection.
If someone has submitted false information in support of an application to the Government, and signed it, as they must, that is called fraud. That is also a crime, and is covered by paragraph 2(1)(a).
I take the right hon. Gentleman’s point, particularly in relation to the overstayer, but as the purpose of processing personal data in many immigration areas is not generally the pursuit of criminal enforcement action, it is not clear that it would be appropriate in all cases to rely on crime-related exemptions, where the real prejudice lies in our ability to take administrative enforcement action. It may well be that in some cases a crime has been committed, but that will not always be the case.
Criminal sanctions are not always the correct and proportionate response to people who are in the UK without lawful authority. It is often better to use administrative means to remove such a person and prevent re-entry, rather than to deploy the fully panoply of the criminal justice system, which is designed to rehabilitate members of our communities. As the purpose of processing personal data in such cases is not generally the pursuit of a prosecution, it is not clear that we could, in all cases, rely on that exemption relating to crime.
So far we have had some hypothetical examples about what might happen in the future, but given that we have a data protection regime in place already, it would be useful to know whether the Minister can give us examples of situations that have arisen in which the Home Office has been hindered by the current data protection regime. We have not heard anything like that so far.
If I may, I will continue with my speech, because I have more information to give. Perhaps at the end I can deal with the hon. Gentleman’s point.
I just want to dissolve one confusion in the Minister’s remarks. The nature of the Home Office response, whether it is a prosecution through a civil court, a civil sanction or a civil whatever else, does not affect the nature of the offence that is committed. The Home Office has a range of sanctions and choices in responding to an offence, but that does not stop the offence being an offence. The offence is still a crime, and is therefore covered by paragraph 2(1)(a).
The right hon. Gentleman is assuming that each and every immigration case that will be covered by these provisions necessitates the commission of a crime.
I would not make that assumption. The vast majority of immigration cases are dealt with in a civil context.
No, forgive me. I have been very generous with interventions. I am going to make some progress, and then no doubt others will intervene on me in due course.
I turn to the charge that the exemption has no basis in EU law. Article 23 of the GDPR allows member states to restrict the application of certain provisions of the regulation to safeguard important objectives of general public interest. Immigration control constitutes one such objective. We see immigration as an important matter of public interest, and the GDPR allows member states to exempt rights where that is the case. We are not alone in our belief that immigration is an important matter of general public interest. The Irish Government clearly stated that in their own Data Protection Bill. Clause 54 of the Irish Bill gives powers to make regulations restricting certain rights and obligations under the GDPR to safeguard important objectives of general public interest. The list of such objectives in the Bill includes matter relating to immigration.
Opposition Members have talked about their concerns about the fact that these provisions may be covered by paragraph 2 of the schedule. I want to reflect on the outcome of the debate on this provision in the House of Lords, which contains many noble Lords who are extremely learned in the law, have much experience of campaigning on immigration rights and so on. We listened very carefully to the concerns raised at Lords Committee stage, and as a result the Government tabled amendments at Lords Report stage to narrow the scope of the exemption so that it no longer covers the right to rectification and data portability. In response to those amendments, Lord Kennedy of Southwark said:
“The amendments tabled by the Government provide important clarification on what is exempt, limit the power in Bill and seek to address the concerns highlighted during the previous debate and today…I am happy to support their amendments.”—[Official Report, House of Lords,
Furthermore, in a Division on a Liberal Democrat amendment to strike out the immigration exemption, the official Opposition abstained. I wonder what has changed between their abstaining on that amendment and accepting that the Government’s amendments were sufficient, and today. Nothing has changed since the Bill left the Lords, so perhaps the right hon. Member for Birmingham, Hodge Hill can help us with why their position has changed.
I hope I have been able to satisfy the Committee that this provision is necessary and important.
It is a pleasure to serve under your chairmanship, Mr Hanson. Will the Minister give a tangible example, as she has done in other cases, of where an immigration case may require exemption under paragraph 4—in other words, a case in which a crime has not been committed and therefore would not be covered under paragraph 2(2)? The cases she has mentioned so far would, on the face of it, be covered by paragraph 2(2), because a criminal act had taken place or was about to take place.
There may be occasions when there is a person we have lost track of whose status is irregular. If we know they have a child, we will seek from the Department for Education assistance to find the whereabouts of the child. That child has not committed a criminal offence, so I would be very concerned to ensure that the Home Office, Border Force or whoever else acted lawfully when seeking that data in order to enable them to find the parent or whoever is the responsible adult, as part of the immigration system.
No—the child is not missing, but the parent is; so we seek advice from the Department for Education about where the child is. It may be that cleverer lawyers than me in the Home Office will find an exemption for that, but the point of this exemption of paragraph 4 is to cover the lawfulness of the Home Office in seeking such information in order to find parents or responsible adults who may have responsibility, and either to regularise their stay or to remove them.
I encourage the right hon. Member for Birmingham, Hodge Hill to withdraw his amendment, as we believe that it is not the wholesale disapplication of data subjects’ rights, and it is a targeted provision wholly in accordance with the discretion afforded to member states by the GDPR and is vital to maintaining the integrity and effectiveness of our immigration system.
First, we were invited to believe that we could safeguard due process and the rights of newcomers to this country by suspending those rights and pursuing people through civil court. We were then asked to believe that the Home Office’s ambition to deal with these cases with civil response rendered inoperable the powers set out in paragraph 2(1)(a), confusing the response from the Home Office and the nature of the offence committed up front. Then, we were invited to believe that this was not a permanent provision—even though that safeguard is not written into the Bill—but a temporary provision. What is not clear is when those temporary provisions would be activated and, crucially, when they would be suspended.
I am happy to give way in a moment. Most of us here who have done our fair share of immigration cases—I have done several thousand over the last 14 years—know that on some occasions, the Home Office interpretation of time is somewhat different from a broadly understood interpretation of time. I have cases in which a judge has ordered the issue of a visa, and six months later we are still chasing the Home Office for the issue of the visa. I will not be alone in offering these examples.
Perhaps when the Minister intervenes, she could set out what “temporary” means, where it is defined and where are the limits, and she still has not answered my question whether she will guarantee that the implementation of this pause will not jeopardise someone’s ability to submit either a request for an entry clearance officer review or an appeal within the legally binding time windows set out in Home Office regulations.
The key to this is the purpose for which we are processing the data. Even if there are criminal sanctions, that does not mean that we are processing for that purpose, particularly where we are not likely to pursue a prosecution. The primary purpose is often immigration control—that does not fit under paragraph 2 as he has described it—rather than enforcing the criminal justice system. That is the point. It is for the purpose of processing the data. The crime-related provisions in the Bill refer to the importance of identifying the purposes of the processing. Where the primary purpose is immigration related, it is not clear that we could rely on the crime-related exemptions. That is why paragraph 4 is in the schedule.
I am really sorry to have to say this, but that is utter nonsense. The idea that the Home Office will seek to regularise someone’s immigration status by denying them access to information that might support their case is, frankly, fanciful.
This is not a new debate; we last had it in 1983. The Home Office tried to sketch this exemption into legislation then, it failed, and we should not allow the exemption to go into the Bill, especially given that all the explanations we have heard this afternoon are about cases where paragraph 2(1)(a), or the safeguarding provisions drafted by the Government, would provide the necessary exemptions and safeguards in the contingencies that the Minister is concerned about.
I feel for the Under-Secretary, because she is on a bit of a sticky wicket given the Government’s drafting, but does my right hon. Friend agree that it is concerning that I asked twice to be pointed to specifics—I asked first how the pause is drafted in the Bill, and secondly where the word “immigration” appears under article 23 of the GDPR—but on neither occasion was I was pointed to them? We ought also to draw the Committee’s attention to the report on the Bill by the Joint Committee on Human Rights, which states:
“The GDPR does not expressly provide for immigration control as a legitimate ground for exemption.”
All rights are reinstated once the risk to prejudice is removed. The wording is in line 35 of paragraph 4:
“to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).”
To reassure the hon. Member for Bristol North West, that is the end point.
I am grateful to the Under-Secretary for clarifying a point that was not at issue. No one is concerned about what rights kick back in at the end of a process. We are worried about how long the process will last, who will govern it, what rights newcomers to this country or courts will have to enforce some kind of constraint on the process and how we will stop the Home Office embarking on unending processes in a Jarndyce v. Jarndyce-like way, which we know is the way these cases are sometimes prosecuted. The Home Office is full of some of the most amazing civil servants on earth, but perhaps, a little like the Under-Secretary, they are sometimes good people trapped in bad systems and, dare I say it, bad arguments.
Amendments made: 95, in schedule 2, page 138, line 15, at end insert—
“( ) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);”
This amendment adds Article 19 of the GDPR (notification obligation regarding rectification or erasure of personal data or restriction of processing) to the list of GDPR provisions that are disapplied by provisions in Part 2 of Schedule 2 to the Bill.
Amendment 96, in schedule 2, page 139, leave out lines 17 to 27 and insert—
“2. The function is designed to protect members of the public against—
(a) dishonesty, malpractice or other seriously improper conduct, or
(b) unfitness or incompetence.
The function is—
(a) conferred on a person by an enactment,
(b) a function of the Crown, a Minister of the Crown or a government department, or
(c) of a public nature, and is exercised in the public interest.”
This amendment extends the exemption provided for in paragraph 7 of Schedule 2. It amends the second entry in the table (functions designed to protect members of the public against dishonesty etc) by removing the requirement that the function relates to people who carry on activities which bring them into contact with members of the public. It also amends column 2 of the table to bring the second entry into line with the first and third entries.
Amendment 97, in schedule 2, page 140, line 42, at end insert—
7A (1) The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
(2) The functions are any function that is conferred by an enactment on—
(a) the Comptroller and Auditor General;
(b) the Auditor General for Scotland;
(c) the Auditor General for Wales;
(d) the Comptroller and Auditor General for Northern Ireland.”
This amendment inserts a new paragraph into Schedule 2 to provide for an exemption from “the listed GDPR provisions” (defined in paragraph 6 of Schedule 2) where personal data is processed for the purposes of discharging statutory functions of certain auditors.
Amendment 98, in schedule 2, page 140, line 42, at end insert—
7B (1) The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.
(2) ‘Relevant function of the Bank of England’ means—
(a) a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);
(b) a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;
(c) a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.”
This amendment inserts a new paragraph into Schedule 2 to provide for an exemption from “the listed GDPR provisions” (defined in paragraph 6 of Schedule 2) where personal data is processed for the purposes of discharging specified functions of the Bank of England.
Amendment 99, in schedule 2, page 141, line 18, leave out “body” and insert “person”.
This amendment and Amendment 100 amend paragraph 9 of Schedule 2 to replace the reference to a “body” with a “person” for consistency with the table at paragraph 9, which includes functions that are conferred on individuals.
Amendment 100, in schedule 2, page 141, line 19, leave out “body” and insert “person”.
See the explanatory statement for Amendment 99.
Amendment 101, in schedule 2, page 142, line 7, column 2, at end insert—
“() section 244 of the Investigatory Powers Act 2016;”
This amendment amends column 2 of the table at paragraph 9 of Schedule 2 so that functions conferred on the Commissioner by section 244 of the Investigatory Powers Act 2016 will be included within the scope of the exemption provided for by paragraph 9.
Amendment 102, in schedule 2, page 142, line 37, at end insert—
“1A. The Scottish Information Commissioner.
By or under—
(a) the Freedom of Information (Scotland) Act 2002 (asp 13);
(b) the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520);
(c) the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).”
This amendment amends the table at paragraph 9 of Schedule 2 so that functions conferred on the Scottish Information Commissioner by the legislation listed in column 2 of the table will be included within the scope of the exemption provided for by paragraph 9.
Amendment 103, in schedule 2, page 143, line 7, leave out “or under any” and insert “an”.
This amendment amends the reference to functions conferred by or under any enactment in entry 5 of the table at paragraph 9. The words “or under” are not necessary because the definition of “enactment” in Clause 198 includes subordinate legislation.
Amendment 104, in schedule 2, page 143, line 7, at end insert—
“5A. The Financial Conduct Authority.
By or under the Financial Services and Markets Act 2000 or by another enactment.”
This amendment amends the table at paragraph 9 of Schedule 2 so that functions conferred on the Financial Conduct Authority by the legislation listed in column 2 of the table will be included within the scope of the exemption provided for by paragraph 9.
Amendment 105, in schedule 2, page 143, line 22, at end insert—
“12. The Charity Commission.
By or under—
(a) the Charities Act 1992;
(b) the Charities Act 2006;
(c) the Charities Act 2011.”
This amendment amends the table at paragraph 9 of Schedule 2 so that functions conferred on the Charity Commission by the legislation listed in column 2 of the table will be included within the scope of the exemption provided for by paragraph 9.
Amendment 106, in schedule 2, page 146, line 22, leave out “16(4)(a) or (b)” and insert “16(4)(a), (b) or (c)”.
This amendment is consequential on Amendment 112.
Amendment 107, in schedule 2, page 149, line 23, leave out
“with the date on which”
and insert “when”.
This amendment is consequential on Amendment 71.
Amendment 108, in schedule 2, page 149, line 25, leave out “the date of”.
This amendment is consequential on Amendment 71.
Amendment 109, in schedule 2, page 150, line 45, at end insert—
“( ) Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);”
This amendment adds Article 19 of the GDPR (notification obligation regarding rectification or erasure of personal data or restriction of processing) to the list of GDPR provisions that are disapplied by paragraph 24 of Schedule 2 to the Bill (journalistic, academic, artistic and literary purposes).
Amendment 110, in schedule 2, page 151, line 1, after “processor)” insert “—
(i) Article 34(1) and (4) (communication of personal data breach to the data subject);
This amendment adds Article 34 of the GDPR (communication of personal data breach to the data subject) to the list of GDPR provisions that are disapplied by paragraph 24 of Schedule 2 to the Bill (journalistic, academic, artistic and literary purposes).
I beg to move amendment 170, in schedule 2, page 151, line 8, at end insert—
“(f) in Chapter IX of the GDPR (provisions relating to specific processing situations), Article 89(1) (safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).”
This amendment adds the restrictions imposed on archiving by the GDPR and the Bill to the list of matters in the Bill that benefit from the Journalism, Art and Literature exemption.
The purpose of this amendment is to protect some of our important national archives. We in this country are some of the greatest collectors on earth; the tradition established by Sir Hans Sloane all those centuries ago inspired many generations that followed him. Our ability and our tradition of collecting mean that this country is now home to some of the greatest collections on the planet.
It is fantastic to see many of these institutions now rapidly digitalising those archives. I was privileged to be able to visit the Natural History Museum recently, which I think is home to something like 83 million different specimens. It is now beginning to digitalise those archives in a way that opens them up not only to our schoolchildren, but to citizens of this country and those around the world who are keen on science.
The point of this amendment is that we cannot simply preserve those archives in aspic. They must be dynamic resources; they must be added to, and our success or failure in that task has a crucial bearing on the health of our democracy and our ability to, dare I say it, reflect on past mistakes and do better. I think it was the legendary Karl Popper who once said, “To err is human, to correct divine.”
We make mistakes. It is important that we reflect on the mistakes we have made in the past, in order to do better next time around. Many of the more contemporary archives, particularly news archives, have had a crucial bearing on inquiries into historical child abuse, the injustices perpetrated at Hillsborough and at Orgreave, and HIV-contaminated blood. All those inquiries relied on records that were not necessarily historical; many were contemporary.
A range of crucial organisations entrusted with the delicate task of keeping our archives up to date are seriously worried about the provisions in the GDPR. In fact, they believe the inadequacy of the derogations and exemptions in the GDPR, as it is proposed that we draft it into law, means that they will be quickly put out of business. In particular, that will bite on thousands of smaller archives.
The point they have consistently made to us is that, although we have such great collections and archives in this country and a public interest culture around protecting some of those archives, we do not have any of the kind of legal protections that they enjoy in countries such as France. We do not have the defendable protections around archives that those abroad benefit from.
The challenge in this Bill is a lack of precision. I do not want to pretend that this is a black-and-white case. Sometimes news archives in particular will be required to draw something of a grey line, and I am afraid the Minister has to earn her pay and be the one to decide where to draw that grey line. Sometimes there will be information stored in those archives that absolutely should be subject to the GDPR provisions. But if we are in effect granting a carte blanche for people to make requests of archives that require those archives to dip deep into the historical record, correct things and go through challenging processes to ensure they are right, I am afraid it will put a number of our archives out of business, and that will damage the health of our democracy.
We have drafted this amendment with a number of aims. We want to try to create a statutory definition for organisations that archive in the public interest. We have had a first attempt at drawing that in a narrow way, so it does not infringe on material that is stored that absolutely should be subject to general GDPR provisions. We have done our best to ensure that the archiving exemptions are proportionate to the public interest nature of the material being archived. We wanted to offer an amendment worded hopefully in such a way that, frankly, it excludes Google, Facebook and others from enjoying the exemptions sought here.
This is the first place in the Bill where the debate rears its head. I am grateful to the range of museums, archives and the BBC that have helped us to craft this amendment. It should not be particularly controversial. There should be agreement across the Committee on the need to protect our great collections, yet keep some companies, such as Google and Facebook, subject to the provisions in the Bill.
We offer the amendment as a starter for 10. Obviously, we would be delighted if the Government accepted it; we would be even more pleased if they could perfect it.
Thank you, Mr Hanson. I agree with the tribute paid by the right hon. Member for Birmingham, Hodge Hill to the custodians of some of the most wonderful archives in the world. I will comment on his proposals with regard to such archives shortly, but I hope that recent debates have left no doubt in hon. Members’ minds that the Government are absolutely committed to preserving the freedom of the press, and maintaining the balance between privacy and freedom of expression in our existing law, which has served us well for so many years.
As set out in the Bill, media organisations can already process data for journalistic purposes, which includes media archiving. As such, we believe that amendment 170 is unnecessary and could be unhelpful. I agree with the right hon. Gentleman that it is crucial that the media can process data and maintain media archives. In the House of Lords, my noble Friend Lord Black of Brentwood explained very well the value of media archives. He said:
“Those records are not just the ‘first draft of history’; they often now comprise the only record of significant events, which will be essential to historians and others in future, and they must be protected.”—[Official Report, House of Lords,
However, recital 153 indicates that processing for special purposes includes news archiving and press libraries. Paragraph 24 of schedule 2 sets out the range of derogations that apply to processing for journalistic purposes. That includes, for example, exemption from complying with requests for the right to be forgotten. That means that where the exemption applies, data subjects would not have grounds to request that data about them be deleted. It is irrelevant whether the data causes substantial damage or distress.
However, if media organisations are archiving data for other purposes—for example, in connection with subscriber data—it is only right that they are subjected to the safeguards set out in article 89(1), and the Bill provides for that accordingly. For that reason, I hope that the right hon. Gentleman agrees to reconsider his approach and withdraw his amendment.
I am happy to withdraw the amendment, although I would say to the Minister that the helpful words we have heard this afternoon will not go far enough to satisfy the objections that we heard from organisations. We reserve the right to come back to this matter on Report. We will obviously consult the organisations that helped us to draft the amendment, and I urge her to do the same. I beg to ask leave to withdraw the amendment.