Blog post by Martin Kwan, London School of Economics

In the very recent judgement of AAA (Syria) & Ors, R (On the Application Of) v Secretary of State for the Home Department [2023] EWCA Civ 745 where the Rwanda policy was challenged, the majority Court of Appeal held that there is a real risk that asylum seekers sent to Rwanda will be returned to their home countries. This highly topical and important judgement has been, and will surely continue to be, analysed from various angles. This commentary wishes to focus on the subsidiary argument regarding data protection breaches raised in this case.

One of the asylum seekers alleged that the relocation decision involved data protection breaches. The relevance of this argument was rejected by both the High Court and the Court of Appeal, but arguably they have yet explored its full potential.

The Home Office sent the asylum seeker’s personal details (such as name, date of birth, etc.) to the Rwandan authorities ([381]) when seeking Rwanda’s consent to transfer the asylum seekers. The complainant contended that the Home Office failed to comply with the relevant data protection laws, such as putting in place a data controller and properly preparing a data protection impact assessment (“DPIA”) (at [381]). He suggested that these breaches invalidate the relocation decision ([382]).

The High Court rejected this mainly because the compliance with data protection law is not an integral matter to the relocation decision under the relevant Immigration Rules. Thus, the consent obtained from the Government of Rwanda remains in effect.

In other words, the central issue is whether data protection breaches are, in general, relevant to the validity of any public law decisions ([385]). This was argued again before the Court of Appeal.

The Court of Appeal agreed with the High Court. They explained the “general principle” by way of a thought-provoking analogy:

“To take an obvious example, if a person being removed from the United Kingdom was assaulted by a Home Office official on his way to the airport, that assault would be unlawful but would not in itself compromise the legality of the immigration decision that was the reason for removal.”

But then the complainant immediately raised the crucial distinction with assault—that the act of sending personal information over is mandatory for obtaining consent from the Government of Rwanda. Despite being a “necessary prerequisite” to the removal decision, the Court of Appeal did not agree that its breach is integral to its validity (at [390]).

The Court of Appeal’s reasoning was rather dismissive and brief without explaining very clearly why the illegality/breaches will not invalidate the decision. Judging from the tenor of the judgement, it seems they dwelled on the fact that the data protection laws are separate from the main relocation provisions of rules 345A-345D of the Immigration Rules, which list criteria such as whether the third country is safe for the asylum seeker concerned (listed at [403]).

Why the manner of implementation should matter?

In other words, the manner of “making or executing” (the term used at [389]) a public law decision, generally, does not matter. But this view is undesirable and unpersuasive.

First, data protection laws are relevant on the facts, even though it is a separate regime to the Immigration Rules. Just because they are not the central/integral criteria, like whether the third country is safe, their actual relevance has been understated.

The Immigration Rules require the consent of the Government of Rwanda. The Court of Appeal was certainly right that the sovereign’s consent was “effective”/valid, but this does not justify underplaying the fact that it was obtained unlawfully in breach of the data protection rules.

The Courts apparently are open to reasoning by way of analogy on this subject matter. On top of the assault analogy quoted above, the High Court (with whom the Court of Appeal agreed at [383], [388]) notably tried to reinforce the irrelevance of data breaches to validity by suggesting that “past transactions” which violate the data protection laws have not been invalidated.

In reply, public law decision cannot be analogized to private “transactions” as the public authority has a duty to act lawfully.

Furthermore, the Courts’ reasoning can be challenged by a counter analogy. An unlawfully obtained evidence of fact, in substance, is just as informative or “effective” (which is the description used by the Court of Appeal for the consent given by the Government of Rwanda). But such evidence cannot be accepted, and decisions cannot be made based on it. In this sense, it goes to the validity.

Given that adhering to the data protection law is a “necessary prerequisite” to making a relocation decision (which the Court of Appeal at [390] was prepared to accept its necessity), it is therefore relevant and inseparable to the relocation decision-making and executing process. The data protection law has formed part of the process of the public law decision. To put it in another way, it has integrated as a procedural safeguard. It is trite that serious procedural impropriety will affect the validity of a decision. Arguably, the Courts have wrongly treated it as a standalone requirement.

At [389], the present legal issue was framed as whether the manner of “making or executing” a public law decision is relevant to its validity. But “making” and “executing” involve very different considerations and should be distinguished. The former is pre-decision whilst the latter is post-decision. On the facts, the obtaining of consent from the Rwandan Government is a “prerequisite” so it is about the “making” of the decision. And this is not the only pre-decision breach, but also others like the failure to conduct a DPIA (see [392]-[393], [396]). The court should have insisted on examining the validity of a decision procured through unlawful means, because this constitutes an abuse of power—not just the power under the data protection laws—but also the power under the Immigration Rules. In addition, this provides sufficient basis for pondering on further legitimate questions that should be explored by the court: e.g. why would the government obtain the consent in breach of the data protection requirements? Is this an indication of pre-decision bias or bad faith—something that the administrative law and due process would not allow?

Legally speaking, the governmental act of obtaining consent is an exercise of public power. Accordingly, it should be more then obvious that it has to be done lawfully. The Supreme Court in R (on the application of Roberts) v Commissioner of Police of the Metropolis [2015] UKSC79 at [42] has unanimously laid down the starting point:

“It cannot be too often stressed that, whatever the scope of the power in question, it must be operated in a lawful manner.”

Albeit this was said in another public law context (stop and search), it is arguably relevant as it is framed generally (“whatever the scope of the power”), and the Courts in the present relocation case was open to analogy. This Supreme Court case was particularly analogous because the power of stop and search under section 60 of the Criminal Justice and Public Order Act 1994 is subject to many separate regimes of safeguards such as the Equality Act 2010, the Human Rights Act 1998, the Code of Practice for Police, etc. (Roberts at [7], [42]). This is just like the Immigration Rules which are subject to the separate data protection laws. Despite the separateness, the Supreme Court said that the power has to be “read in conjunction” with these (Roberts at [42]), and the “result of breaching” will not just be liability, but will also render the public act “itself unlawful” ([43]).

Besides, the common law doctrine of legitimate expectation would similarly require any power to be exercised lawfully (see e.g. the seminal case of ex parte McCoughlan [1999] EWCA Civ 1871 at [66] which emphasised decision making “by lawful process”). If a government bypasses the legal bounds (here, the data protection law) to achieve an outcome (obtaining the consent from Rwanda, and failing to conduct a DPIA, etc.), it constitutes an abuse of power.

In any event, exercising any public power in a lawful manner should be the basic starting point under the rule of law. But this decision unfortunately seems to suggest that this needs not always be the case.

The views expressed in this article belong to the author/s and do not necessarily reflect those of the Refugee Law Initiative. We welcome comments and contributions to this blog – please comment below and see here for contribution guidelines.