Williams, Re Application for Judicial Review [2022] NIQB 12 (16 February 2022)
URL: http://www.bailii.org/nie/cases/NIHC/QB/2022/12.html
Cite as: [2022] NIQB 12
Neutral Citation No: [2022] NIQB 12
Judgment: approved by the Court for handing down (subject to editorial corrections)*
Ref: COL11756
ICOS No: 21/99126/01
Delivered: 16/02/2022
IN THE HIGH COURT OF JUSTICE IN NORTHERN IRELAND
___________
QUEEN’S BENCH DIVISION
(JUDICIAL REVIEW)
___________
IN THE MATTER OF AN APPLICATION BY DARREN WILLIAMS
FOR LEAVE TO APPLY FOR JUDICIAL REVIEW
AND IN THE MATTER OF THE HEALTH PROTECTION (CORONAVIRUS, RESTRICTIONS) REGULATIONS (NORTHERN IRELAND) 2021 (AMENDMENT No. 19) REGULATIONS (NORTHERN IRELAND) 2021
Between:
DARREN WILLIAMS
Applicant
and
1. MINISTER OF HEALTH FOR NORTHERN IRELAND
2. DEPARTMENT OF HEALTH FOR NORTHERN IRELAND
Proposed Respondents
___________
Mr Conan Fegan (instructed by McIvor Farrell Solicitors) for the Applicant
Dr Tony McGleenan QC with Mr Philip McAteer (instructed by the Departmental Solicitor’s Office) for the Proposed Respondents
___________
COLTON J
Introduction
[1] The applicant is concerned about what he describes as “Vaccine Passports” required for entry to certain hospitality services. In his affidavit filed on 21 January 2022 in support of this application he indicates that he did not avail of vaccinations in respect of the Coronavirus pandemic. By this application he seeks to challenge regulations that were made by the Department of Health and laid before the Assembly under section 25Q (Emergency Procedure) of the Public Health Act (Northern Ireland) 1967. These regulations, The Health Protection (Coronavirus, Restrictions) Regulations (Northern Ireland) 2021 (Amendment No: 19) Regulations (Northern Ireland) 2021 (“the Regulations”), came into operation at 5pm on 29 November 2021 in Northern Ireland. The effect of the Regulations was to introduce provisions requiring Covid-Status certification at the following settings which were deemed high risk:
[2] These settings may only admit “qualifying persons” who can evidence the following pursuant to Regulation 16C:
(a) Proof of full vaccination by paper or electronic form more than 14 days prior.
(b) A negative Covid-19 Rapid Antigen Test proven by the NHS Covid-19 Reporting App or onsite taken within the previous 48 hours.
(c) Valid notification of proof of recovery from a positive Covid-19 PCR test within the previous 30-180 days.
(d) Confirmation in writing of participation in a clinical trial for vaccination against Coronavirus.
(e) Evidence of medical exemption.
[3] Regulation 16F(6) requires that “the responsible person” (the venue owner) process personal data of those who wish to enter:
“(6) The requirement to have a system in place for the purposes of this regulation includes a requirement to process any personal data necessary for the system to operate.”
[4] As is well-known the respondents have confirmed that proof of full vaccination could be shown in three ways:
(a) Digitally using the Covid Cert NI App;
(b) Using the paper QR Code; or
(c) Presenting a vaccination card along with photo.
[5] The latter two provide a non-digital solution for those who may struggle with or lack access to technology based solutions.
[6] The regulations themselves do not allow for presentation of the vaccination card and its use was announced as a temporary measure by the Health Minister on 3 December 2021, although the Regulations have not been amended to include the use of the vaccination card.
[7] In these proceedings the applicant’s focus is on the use of the Cert NI App by responsible persons.
[8] The Covid Cert Check NI App was developed to help businesses check their customers’ vaccination status. When originally brought in, it facilitated “voluntary use” of vaccine checks in hospitality and entertainment venues. The App is used in co-operation with the “Covid Cert NI App” which allows an individual to obtain an international or domestic digital certificate of proof of vaccination.
[9] Venues and other businesses are encouraged to download the Covid Cert Check NI App on smart phones or tablets, which allows them to scan certificates produced by the Covid Cert NI App and verify an individual’s vaccination status to allow entry to the premises/event.
[10] It is the applicant’s case that the use of this App is unlawful. Essentially he relies on three grounds.
[11] Firstly, the proposed respondents have failed to comply with Article 5(1) of the General Data Protection Regulations (“GDPR”) and section 68 of the Data Protection Act 2018 (“DPA”) and Article 6 GDPR/section 8 of, and Schedule 9 to, the DPA in allowing the unlawful processing of sensitive special category personal data in relation to data subjects in circumstances where it was not necessary to process personal data at all to achieve their legitimate aims.
[12] Secondly, the proposed respondents failed to comply with Article 35 GDPR and section 64(3)(d) DPA in that they did not carry out an adequate data protection impact assessment (“DPIA”) prior to the regulations being brought into operation.
[13] Thirdly, the proposed respondents failed to consult pursuant to the implied statutory duty under section 64 DPA and/or at common law.
[14] In his commendably focused and direct challenge Mr Fegan develops his arguments in the following way.
First Ground
[15] When used, the scanning of the QR Code on the digital certificate constitutes the processing of “sensitive special category personal data” that being the individual’s medical data, irrespective of whether the responsible person keeps a record of it and makes a responsible person a “data controller.”
[16] Article 5 of the GDPR sets out six data protection principles. The relevant principle for the purpose of this application is Article 5(1)(a):
“Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject.”
[17] The applicant’s focus is on the lawfulness requirement.
[18] Article 6 GDPR provides that processing is lawful (within the meaning of the first principle) only if one or more of the specific conditions is satisfied:
“(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
[19] Article 9 GDPR sets out special categories of personal data which attract a higher level of protection and impose a complete prohibition on processing data in those categories, subject to specified exceptions. The prohibition applies to, inter alia, data concerning health.
[20] It is the applicant’s case that the processing of data via the Covid-19 NI Cert App is not “necessary” as understood by well-established European jurisprudence. Necessary is to be construed as reasonably necessary, rather than absolutely or strictly necessary. As was held by the Supreme Court in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 “reasonably necessary” means more than desirable but less than indispensable or absolutely necessary. In short, Mr Fegan argues that the regulations do not meet this test as it is clear that persons can establish their vaccination status by the use of visual inspection by way of digital proof or production of a vaccination card (although the latter is not included in the regulations). In other words the legitimate aims outlined by the proposed respondents for the Covid-Status Certification Scheme could have been achieved by alternative measures which would not have required the processing of data in any circumstances. The fact that an individual may present proof by way of their vaccination card and accompanying photograph is demonstrable of the fact that there is a verification method which meets this legitimate aim but does not require the processing of data. Thus, it is argued that the processing of data by scanning QR codes as required by the regulations is not “reasonably necessary.”
Second Ground
[21] The applicant’s second ground is that there has been an inadequate DPIA carried out by the proposed respondents.
[22] Article 35(3) GDPR and recital 75 GDPR require a DPIA to be carried out where there is, inter alia, processing on a large scale of special categories of data referred to in Article 9(1) GDPR which includes data concerning health.
[23] Article 35(7)(d) GDPR and section 64(3)(d) DPA set out the requirements of an adequate DPIA.
[24] In the course of these proceedings the proposed respondents have produced an up-to-date version of the DPIA which is as a result of ongoing engagement between the proposed respondents and the Information Commissioner’s Office (“ICO”).
[25] On this issue the applicant submits that the proposed respondents have failed to assess the proportionality of the processing operations pursuant to Article 35(7) GDPR in considering any other alternative solutions which meet the stated legitimate aim without creating the same data protection risks that have been created by the regulations.
Third Ground
[26] The third ground relates to a failure to consult. The applicant argues that there is an implied statutory duty to consult under DPA 2018.
[27] Data controllers are required as part of the DPIA to take into account the rights and the legitimate interests of the data subjects and other persons concerned; section 64(3)(d) DPA 2018. The applicant argues that this creates an implied statutory duty to consult. The obligation is, however, qualified and there are circumstances in which a consultation does not need to be conducted. It is only required “where appropriate” and “without prejudice to the protection for commercial and public interest or the security of the processing operation”: at Article 35(9) GDPR. The proposed respondents’ DPIA at section 3, “Consultation Process” outlines that:
“Due to the urgent requirement to establish and operationalise the service a form of consultation was not undertaken. However, informal engagement is ongoing with a range of stakeholders by key departments across the NICS. The Executive Covid Task Force will continue to engage with all departments and key stakeholders.
It has not been possible at this time to undertake a full consultation, the introduction of Domestic Certification for certain venues had been agreed by the Executive to support the emergency response for COVID-19. However, for the first two weeks no enforcement action will be taken, therefore venues and stakeholders will have opportunity to engage with us on issues of operational or policy concern in advance of this.”
[28] The applicant also argues that there is an obligation to consult at common law.
Consideration of the Issues
[29] The first and obvious issue that arises in this case relates to the applicant’s standing. Because he is not someone who is vaccinated then the processing about which he complains will never apply to him. In those circumstances he seeks to argue standing on the grounds of the “public interest.” Dr McGleenan reminds the court of the provisions of Order 53 Rule 3(5) to the effect that:
“The court shall not, having regard to section 18(4) of the Act, grant leave unless it considers that the applicant has a sufficient interest in the matter to which the application relates.”
[30] The applicant is not a data subject in respect of the provisions about which he complains. He has not been prohibited from entering the various venues referred to in the Regulations as there is an alternative means for him to certify his status.
[31] Ultimately, in these circumstances the granting of leave in judicial review is a matter of judgement for the court. In addition to the question of standing the court considers the overall context of this case. The regulations were introduced on 29 November and are subject to two weekly reviews by the Executive Committee. As of 20 January 2022 the regulations only apply to nightclubs and venues providing indoor events where some or all of the audience are not normally seated with 500 or more attendees. It will be noted that the applicant only filed his affidavit in this matter on 21 January 2022 after the majority of the restrictions were removed. Furthermore, it is anticipated that these remaining restrictions will be removed as of 10 February 2022.
[32] These regulations had been introduced as emergency measures by the respondents in the midst of a public health emergency. They were discussed by the Executive Committee on 17, 23 and 26 November when the regulations were approved. They have subsequently been debated in the Northern Ireland Assembly on 13 and 14 December 2021.
[33] Furthermore, it is clear that throughout this process there has been ongoing engagement between the proposed respondents and the ICO, although the court has not seen the entirety of the documentation generated by this engagement.
[34] What is clear is that the ICO have not vetoed or opposed the scheme.
[35] The court notes that it has not received any legal challenge to these regulations from any person actually affected by the complaint here, namely those who are vaccinated. This is in the context when according to a survey by the Department of Health published on 27 October 2021 it is estimated that 93.8% of the adult population in Northern Ireland has been vaccinated (at least one dose) and 82% of adults have received two or more doses. There was another challenge brought to these regulations by Risteard O’Murchu who was also unvaccinated. The court has rejected his application and this judgment should be read in conjunction with the judgment in that case.
[36] The key question for the court in exercising its discretion to grant leave for judicial review in this case relates to the utility of the court hearing and determining the matter. The court accepts that there is a legal argument about whether or not the data processing complained about in this case is “necessary” within the context of the statute and regulations. However, the court is also conscious that it will be slow to interfere in a decision as to what is reasonably necessary in the context of a public health emergency when decisions are taken by elected representatives, who are best placed to assess the public interest.
[37] Notwithstanding the legal issue raised by Mr Fegan in his able submissions the court is not persuaded that this is an appropriate case in which to grant leave for judicial review.
[38] In coming to this conclusion the court is influenced by the fact that the applicant himself is not affected by the illegality he alleges and has insufficient standing. Furthermore, in reality, there is little or no real live issue to be determined by the court in light of the much reduced application of the regulations, which may well be fully removed at the time of delivery of this ruling. It does not consider that there is a public interest in conducting a review of the regulations in this context and considers that a review would be of no utility. The court also notes the ongoing engagement between the proposed respondents and the ICO which is a further factor in ensuring compliance with Data Protection obligations.
[39] Accordingly, leave to apply for judicial review is refused.