November 2018 Global Immigration Update

Feature Article

DATA PROTECTION IN INDIA: AN OVERVIEW – This article provides an overview of data protection in India.

Country Updates

CANADA – Canada has expanded biometric information collection for foreign nationals.

HONG KONG – A landmark decision by Hong Kong’s highest court means that same-sex spouses and partners may now receive dependent visas.

ITALY – A security and immigration decree, making substantial changes to the immigration and citizenship law, has been signed.

SPAIN – Spain has implemented an EU directive on research and student permits.

TURKEY – Turkey has lowered financial thresholds for Citizenship by Investment.

UNITED KINGDOM – The UK’s Migration Advisory Committee has published its long-awaited recommendations for work migration post-Brexit, following a call for evidence from employers and other stakeholders.

Back to Top

Feature Article

DATA PROTECTION IN INDIA: AN OVERVIEW

This article provides an overview of recent developments in India with respect to data protection.

India has not yet enacted specific legislation on data protection. Until now, the accepted legal framework for the Indian technology sector is the Information Technology Act, 2000 (ITA). The ITA was amended in 2008 to include Section 43A and Section 72A, which came into force on October 27, 2009 and stipulated a right to compensation for improper disclosure of personal information. Under Section 43A of the ITA, the Indian central government subsequently issued the Information Technology (Reasonable Security Practices and Procedures and Personal Sensitive Data or Information) Rules, 2011 (Rules), which came into force on April 11, 2011. The Rules have imposed additional requirements on commercial and business entities in India relating to the collection and disclosure of sensitive personal data or information. While the Rules apply only to a body corporate or any person located within India, the provisions of the ITA also apply to any offense committed by a person outside India using a computer, computer system, or computer network located in India. Entities in regulated sectors such as financial services and telecommunications are subject to obligations of confidentiality under sectoral laws that require them to keep personal information of customers confidential and use it only in the manner agreed upon with the customer for prescribed purposes.

Personal data under the Indian laws and rules is termed “personal information.” Personal information has been defined under the Rules as “any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”

Sensitive personal data exists as the concept of sensitive personal data or information under the Rules. It means personal information that consists of: (i) passwords; (ii) financial information such as bank account, credit or debit card, or other payment instrument details; (iii) physical, physiological, and mental health conditions; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above items provided to a body corporate for providing services; and (viii) any of the information received under the above items by a body corporate for processing that is stored or processed under a lawful contract or otherwise. Sensitive personal data or information does not include information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005, or any other applicable law.

The Rules contain specific provisions regarding the collection of sensitive personal data or information. The key rules on collection are: (i) it is necessary to obtain the consent of the provider of information prior to the collection. The provider of information must be given an option not to provide the requested sensitive personal data or information and to withdraw its consent by informing the body corporate in writing; (ii) sensitive personal data or information can only be collected where necessary for a lawful purpose that is connected with a function or activity of the body corporate or any person on its behalf; and (iii) the body corporate should provide additional information to the provider of information. The body corporate must also comply with other general requirements, such as not keeping sensitive personal data or information for longer than is required and ensuring it is kept secure or applying reasonable security practices and procedures which contain managerial, technical, operational and physical security control measures to protect sensitive personal data and information.

Additional rules apply to the disclosure of sensitive personal data and information. The body corporate and any person acting on its behalf are not allowed to publish any sensitive personal data or information. Further, the disclosure of sensitive personal data or information to any third party requires the prior permission of the provider of information. The only two exceptions to this requirement are: (i) when such disclosure has been agreed upon in the contract between the body corporate and the provider of information; or (ii) when it is necessary to disclose the information in compliance with a legal obligation. The third party that receives such sensitive personal data or information shall not disclose it further and must be based in a country offering the same levels of data protection as India. The body corporate is allowed to share information with government agencies mandated under the law to obtain information.

Indian courts have developed indirect safeguards relevant to the protection of personal data. In a landmark judgment, Justice K. S. Puttaswamy vs Union of India, delivered on August 24, 2017, the Supreme Court of India recognized the right to privacy as a fundamental right under Article 21 of the Constitution of India as a part of the right to life and personal liberty. The court held that informational privacy is a facet of the right to privacy and, thus, information about a person and the right to access that information should be given the protection of privacy. The court stated that every person should have the right to control commercial use of his or her identity and that “the right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. This is the first time that the Supreme Court has expressly recognized the right of individuals concerning their personal data and overruled its previous judgements in Kharak Singh vs The State Of U. P. & Others and M. P. Sharma And Others vs Satish Chandra, which had held that there is no fundamental right to privacy under the Indian Constitution. Moreover, this landmark judgement has opened the gates for far-reaching implications with respect to the daily lives of Indians. On September 6, 2018, the Supreme Court of India in Navtej Singh Johar v. Union of India unanimously struck down a 157-year-old law criminalizing gay sex, further reaffirming the right to privacy.

In July 2017, the Indian Ministry of Electronics and Information Technology (MEIT), recognizing the importance of data protection and keeping the personal data of citizens secure and protected, constituted a Committee of Experts under the chairmanship of Justice B. N. Srikrishna, Former Judge of the Supreme Court of India. The Committee of Experts has submitted its 176-page report and draft Personal Data Protection Bill, 2018. MEIT solicited feedback from the public on the draft until October 10, 2018.

The key recommendation made by the Committee of Experts is that companies processing large amounts of data might have to register themselves as significant data fiduciaries to the Data Protection Authority for greater accountability. This will most likely increase compliance costs that include periodic company audits and the need for data protection specialists, among others. The draft bill borrows significantly from the recently implemented General Data Protection Regulation (GDPR) in Europe and, as experts claim, “comes with ambiguities and has its own pain points.”

Today India is one step closer to having its own data protection law. Even as recommendations and the draft bill continue to stir debate, all stakeholders are united in their stance for a law that should safeguard customers and support India’s fast-growing digital economy.

Back to Top

Country Updates

CANADA

Canada has expanded biometric information collection for foreign nationals.

On July 31, 2018, amendments to the Immigration and Refugee Protection Regulations providing for the expansion of biometric information collection for foreign nationals seeking to enter or remain in Canada entered into force.

As such, since July 31, 2018, the Canada Border Services Agency; the Royal Canadian Mounted Police; Shared Services Canada; and Immigration, Refugees and Citizenship Canada have begun collecting biometric information for all foreign nationals between the ages of 14 and 79 applying for work permits, study permits, temporary resident permits, temporary resident visas, or Canadian permanent residence, regardless of whether visas are required. regardless of whether they are visa-requiring or visa-exempt nationals. These rules do not apply to U.S. nationals seeking to enter Canada on a temporary status (permanent residence applications will require biometrics for U.S. nationals) as well as visa-exempt nationals seeking to enter Canada solely as visitors with valid Electronic Travel Authorization (eTA) documents.

The expansion of biometric collection is being rolled out in two phases. Since July 31, 2018, citizens of most countries in Europe, Africa, and the Middle East (and some Asian countries) must provide biometric information. The second phase is set to begin on December 31, 2018, and will add countries from both Asia and the Americas (including Australia and New Zealand). In practice, biometric information is being collected directly at Canadian ports of entry for visa-exempt nationals eligible to present their temporary resident applications upon arrival in Canada and at Visa Application Centers for visa-requiring nationals presenting their temporary resident applications from abroad.

To facilitate this increased biometric collection, the government of Canada has announced the implementation of “biometric collection service points” at approximately 57 ports of entry across Canada (which includes all major airports) as well as the addition of numerous biometric collection service points around the world. The biometric information collected is valid for a 10-year period. Foreign nationals who have already provided biometric information will not be subject to this new regulation until their biometric information expires. Similarly, applicants applying to renew their temporary resident status from within Canada will not need to provide biometric information until the implementation of in-Canada enrollment services expected some time in February 2019.

The objective behind this biometric expansion project is to help Canada protect the safety of its borders and the security of all Canadians by providing the relevant authorities with the tools necessary to effectively screen temporary and permanent resident applicants before they enter Canada. It is unclear whether the benefits of the Biometric Expansion Project will outweigh potential frustrations associated with a more cumbersome application process, especially for visa-exempt nationals who may be unaccustomed to these types of increased security measures.

Back to Top

HONG KONG

A landmark decision by Hong Kong’s highest court means that same-sex spouses and partners may now receive dependent visas.

In a landmark decision on July 4, 2018, the Court of Final Appeal, Hong Kong’s highest court, ruled that the Hong Kong Immigration Department must issue a dependent visa to a same-sex partner for immigration purposes. Accordingly, while the definition of “marriage” as between a man and a woman under Hong Kong law remains unchanged, marital status and civil union partnerships of same-sex couples entered into in a jurisdiction that recognizes such relationships are now recognized in Hong Kong for the purpose of applying for a dependent visa if the other partner holds permanent resident status or an employment visa.

The ruling was welcomed by a host of global financial institutions, law firms, executive search firms, and other businesses. This ruling strengthens Hong Kong’s ability to attract global talent and its competitiveness as recruiting and relocating talent to Hong Kong had sometimes been hampered because of the immigration restrictions on same-sex couples.

Back to Top

ITALY

A security and immigration decree, making substantial changes to the immigration and citizenship law, has been signed.

After being approved by the Italian government, a new Law Decree was signed by the President and published in the Italian Official Gazette (n. 113) on October 4, 2018. The Law Decree entered into force October 5, 2018.

The decree must be converted into law by the Parliament within 60 days of its publication. Failure to do so will result in the decree becoming retroactively ineffective from the publication date. The Parliament may introduce amendments to the decree upon conversion into law.

Main Changes to Immigration Law

• A permit for humanitarian reasons (granted to those who cannot obtain refugee or subsidiary protection status but are recognized to be in danger if repatriated) will no longer be issued. Instead, “special reasons” permits can be issued to certain categories of applicants, such as victims of exploitation and domestic violence, people from countries hit by natural disasters, people in need of medical care. and those performing “acts of civic value.”
• The decree widens the range of criminal offenses that can result in revocation of international protection and refugee status.
• Migrants can be kept in pre-removal detention centers (CPR) up to 180 days (instead of 90 days).
• More funds will be available for repatriating migrants who have no right to stay in the country.

Main Changes to Citizenship Law

• The decree increases the processing time for citizenship by marriage and naturalization applications (48 months).
• It introduces the possibility for citizenship by marriage applications to be rejected after the 48-month period.
• The application fee has been increased (from €200 to €250).
• Citizenship acquired by marriage or naturalization will be revoked for people convicted of terrorism-related offenses or offenses related to public security.

Back to Top

SPAIN

Spain has implemented an EU directive on research and student permits.

Spain has finally implemented, or “transposed,” European Union (EU) Directive 2016/801/EC through the Royal Decree-Law 11/2018, effective September 4, 2018. The Directive’s goal is to continue to attract talented and skilled people to the EU.

The transposition introduces into the Spanish legal framework the regulation of an EU research permit granting the right to intra-EU mobility, with validity for 12 months to enable researchers to seek employment once the research permit has expired.

Regarding students, the transposition introduces a permit valid for 12 months for students to seek employment once their student permits have expired, the possibility of their obtaining student permits through an in-country process (skipping the visa step process), and sponsoring of the student permit application by the Study Center instead of by the student. Also, a new training permit for students is valid for up to two years after obtaining a university degree.

In a nutshell, new permits have been implemented under Spain’s legal framework to facilitate foreign nationals’ research activity in Spain and their intra-EU mobility and to facilitate the training of foreign students and, under certain circumstances, their incorporation into the Spanish labor market.

Back to Top

TURKEY

Turkey has lowered financial thresholds for Citizenship by Investment.

On September 18, 2018, Turkey announced a lowering of the financial thresholds for Citizenship by Investment in Turkey. For a comparison with the previous levels for each type of investment (e.g., real estate, bank deposit, government bonds), please see the chart below.

It is hoped that these new lower thresholds will allow the investment program to lead to more citizenship filings and approvals.

Turkish Citizenship by Investment Level
(5627 Regulation on the Implementation of the Turkish Citizenship Law)

Action	Old Amount	Current Amount	Determined By
Make a fixed capital investment	$2 million USD or other currency/TRY equivalent	$500,000 USD or other currency/TRY equivalent	Ministry of Industry and Technology
Purchase immovable property with the annotation to the deed records of “not sold for at least 3 years”	$1 million USD or other currency/TRY equivalent	$250,000 USD or other currency/TRY equivalent	Ministry of Environment and Urbanisation
Provide/generate employment for Turkish nationals	100 people	50 people	Ministry of Family, Labor and Social Services
Deposit money in banks operating in Turkey for at least 3 years	$3 million USD or other currency/TRY equivalent	$500,000 USD or other currency/TRY equivalent	Banking Regulation and Supervision Agency
Purchase Turkish government stocks/bonds held for at least 3 years	$3 million USD or other currency/TRY equivalent	$500,000 USD or other currency/TRY equivalent	Ministry of Treasury and Finance
Retain at least 3 years of participation in venture capital investment fund or real estate investment fund participation share	N/A	$500,000 USD or other currency/TRY equivalent	Capital Markets Board

Back to Top

UNITED KINGDOM

The Migration Advisory Committee (MAC) has published its long-awaited recommendations for work migration post-Brexit, following a call for evidence from employers and other stakeholders during the summer of 2017.

The key recommendations of the United Kingdom’s (UK) MAC include:

1. The general principle behind migration policy changes should be to make it easier for higher-skilled workers to migrate to the UK than lower-skilled workers. This is in line with proposals in a leaked government document publicized in 2017, where the government indicated it was in favor of granting long-term visas for highly skilled European Union (EU) migrants and shorter-term visas for low skilled migrants, subject to a salary cap.
2. There should be no preference for EU citizens unless this forms part of an agreement between the UK and the EU. As the UK government and the EU are still in negotiations to determine the nature of a future UK/EU agreement, it is possible the UK government will concede some preferential treatment for EU citizens as part of any final agreement.
3. Abolish the cap on the number of migrants under Tier 2 (General). For more on this, see https://www.kingsleynapley.co.uk/insights/blogs/immigration-law-blog/scrap-the-cap-why-its-time-for-the-tier-2-immigration-cap-to-go.
4. Tier 2 (General) should be open to all jobs at RQF3 and above. This would bring many more non-graduate-level, medium-skilled occupations back into the SOC codes (occupation list), which have been excluded since the threshold for inclusion in the occupation list was raised first to RQF level 4 and later to RQF level 6. The Shortage Occupation List will be fully reviewed in the MAC’s next report in response to the SOL Commission. If a job appears on the SOL, there is no requirement for employers to advertise the role before offering a job to a non-EU migrant. Furthermore, extra points are awarded to migrants under the Tier 2 cap if they will be performing shortage occupation roles.
5. Maintain existing salary thresholds for all migrants in Tier 2. The MAC believes that this will avoid downward pressure on salaries.
6. Retain but review the Immigration Skills Charge (ISC). This is currently set at £1,000 per annum and was set to double to £2,000 at some point.
7. Consider abolition of the Resident Labour Market Test (RLMT). If not abolished, extend the numbers of migrants who are exempt through lowering the salary required for exemption.
8. Review how the current sponsor licensing system works for small and medium-sized businesses.
9. Consult more systematically with users of the visa system to ensure it works as smoothly as possible.
10. For lower-skilled workers, avoid Sector-Based Schemes (with the potential exception of a Seasonal Agricultural Workers scheme). The government has already introduced a visa scheme for fruit and vegetable growers on a pilot basis to run until the end of December 2020.
11. If a SAWS scheme is reintroduced, ensure upward pressure on wages via an agricultural minimum wage to encourage increases in productivity.
12. If a “backstop” is considered necessary to fill low-skilled roles, extend the Tier 5 Youth Mobility Scheme.
13. Monitor and evaluate the impact of migration policies.
14. Pay more attention to managing the consequences of migration at a local level.

Although the report does contain some positive recommendations, particularly regarding the scrapping of the Tier 2 cap, some observers say it is difficult to see how the government can entertain the prospect of bringing EU migrants within Tier 2 without massively increasing its resourcing of the Home Office.

Currently, EU migrants can come to the UK and immediately take up a job with minimal bureaucracy and no involvement of the immigration services. Even if the government were to introduce a more simple and streamlined application process with no RLMT and no Tier 2 cap, this would still be a substantial administrative burden for many employers.

Now that the government has the MAC’s recommendations, it is expected that a White Paper will be published shortly on the architecture of the UK’s post-Brexit immigration system.

Back to Top