Caselaw Digest
Caselaw Digest

The 3Million & Anor, R (on the application of) v Secretary of State for the Home Department & Anor

11 December 2023
[2023] EWCA Civ 1474
Court of Appeal
The government tried (twice!) to make an exception to data protection rules for immigration. The court said the government's rules weren't clear enough or properly checked by parliament, so they are illegal. The court gave the government three months to fix it.

Key Facts

  • The appeal concerns the lawfulness of the Government's second attempt to create an immigration exemption from UK GDPR data subject rights.
  • The first attempt was deemed unlawful by the Court of Appeal in [2021] EWCA Civ 800.
  • The second attempt was also challenged and deemed unlawful by Saini J in [2023] EWHC 713 (Admin).
  • The main issue is whether the exemption complies with Article 23(2) and (3) of the UK GDPR.
  • The exemption was introduced through regulations (SI 2022 No. 76) and includes an Immigration Exemption Policy Document (IEPD).
  • The High Court found the exemption deficient in several aspects relating to specific safeguards required by Article 23(2) of the UK GDPR.

Legal Principles

The UK GDPR is superior to the Immigration Exemption in the domestic legal order, requiring the exemption to comply with the GDPR.

UK GDPR and European Union (Withdrawal) Act 2018

Article 23(2) of the UK GDPR sets out mandatory requirements for any legislative measure restricting data subject rights, including specific provisions on various aspects of processing.

Article 23(2) UK GDPR

CJEU jurisprudence requires any derogation from fundamental rights to be justified by strict necessity and proportionality, with appropriate safeguards built into the legislative measure.

CJEU case law (summarized in Warby LJ's judgment)

Article 23(2) requires safeguards to be included in the legislation itself and not merely in a separate policy document.

Judge's interpretation of CJEU case law and Article 23(2)

A 'have regard' duty to a policy document is not sufficient to satisfy the requirement for legally binding safeguards.

Judge's interpretation and R (Good Law Project Ltd) v Prime Minister [2022] EWCA Civ 1580

Parliamentary scrutiny is crucial for measures restricting fundamental rights, particularly when safeguards are not explicitly defined in the legislation.

Section 16(3) DPA 2018 and judicial reasoning

Outcomes

The Court of Appeal dismissed the appeal.

The Immigration Exemption fails to comply with Article 23(2)(d) of the UK GDPR because the required safeguards are not specified in the Regulations themselves but are instead delegated to a changeable policy document (IEPD). Further failings were identified with respect to Article 23(2)(g).

The declaration that the Immigration Exemption is incompatible with Article 23 of the UK GDPR is upheld.

The exemption's failure to meet the requirements of Article 23(2)(d) and (g) renders it unlawful under the UK GDPR.

The declaration's effect is suspended for three months to allow the Government time to amend the legislation.

This suspension is granted exceptionally, considering the need for legal certainty and the history of the case, but the court rejects a longer period.

Similar Cases

Caselaw Digest Caselaw Digest

UK Case Law Digest provides comprehensive summaries of the latest judgments from the United Kingdom's courts. Our mission is to make case law more accessible and understandable for legal professionals and the public.

Stay Updated

Subscribe to our newsletter for the latest case law updates and legal insights.

© 2025 UK Case Law Digest. All rights reserved.

Information provided without warranty. Not intended as legal advice.