Key Facts
- •The appeal concerns the lawfulness of the Government's second attempt to create an immigration exemption from UK GDPR data subject rights.
- •The first attempt was deemed unlawful by the Court of Appeal in [2021] EWCA Civ 800.
- •The second attempt was also challenged and deemed unlawful by Saini J in [2023] EWHC 713 (Admin).
- •The main issue is whether the exemption complies with Article 23(2) and (3) of the UK GDPR.
- •The exemption was introduced through regulations (SI 2022 No. 76) and includes an Immigration Exemption Policy Document (IEPD).
- •The High Court found the exemption deficient in several aspects relating to specific safeguards required by Article 23(2) of the UK GDPR.
Legal Principles
The UK GDPR is superior to the Immigration Exemption in the domestic legal order, requiring the exemption to comply with the GDPR.
UK GDPR and European Union (Withdrawal) Act 2018
Article 23(2) of the UK GDPR sets out mandatory requirements for any legislative measure restricting data subject rights, including specific provisions on various aspects of processing.
Article 23(2) UK GDPR
CJEU jurisprudence requires any derogation from fundamental rights to be justified by strict necessity and proportionality, with appropriate safeguards built into the legislative measure.
CJEU case law (summarized in Warby LJ's judgment)
Article 23(2) requires safeguards to be included in the legislation itself and not merely in a separate policy document.
Judge's interpretation of CJEU case law and Article 23(2)
A 'have regard' duty to a policy document is not sufficient to satisfy the requirement for legally binding safeguards.
Judge's interpretation and R (Good Law Project Ltd) v Prime Minister [2022] EWCA Civ 1580
Parliamentary scrutiny is crucial for measures restricting fundamental rights, particularly when safeguards are not explicitly defined in the legislation.
Section 16(3) DPA 2018 and judicial reasoning
Outcomes
The Court of Appeal dismissed the appeal.
The Immigration Exemption fails to comply with Article 23(2)(d) of the UK GDPR because the required safeguards are not specified in the Regulations themselves but are instead delegated to a changeable policy document (IEPD). Further failings were identified with respect to Article 23(2)(g).
The declaration that the Immigration Exemption is incompatible with Article 23 of the UK GDPR is upheld.
The exemption's failure to meet the requirements of Article 23(2)(d) and (g) renders it unlawful under the UK GDPR.
The declaration's effect is suspended for three months to allow the Government time to amend the legislation.
This suspension is granted exceptionally, considering the need for legal certainty and the history of the case, but the court rejects a longer period.