Caselaw Digest
Caselaw Digest

the3million & Anor, R (on the application of) v Secretary of State for the Home Department & Anor

29 March 2023
[2023] EWHC 713 (Admin)
High Court
The government tried to make a rule letting them ignore some privacy rules for immigration. A court said that rule was illegal because it didn't clearly explain how people's privacy would be protected. The court said the government needs to make a new, clearer rule.

Key Facts

  • Judicial review of the UK government's second attempt at an immigration exemption from the UK GDPR.
  • The exemption allows restriction of data protection rights when likely to prejudice effective immigration control.
  • Challenge based on the exemption's alleged non-compliance with Article 23 of the UK GDPR.
  • Claimants: The3Million and Open Rights Group; Defendants: Secretary of State for the Home Department and Secretary of State for Digital, Culture, Media and Sport; Interested Party: Information Commissioner.
  • Previous unsuccessful attempt (JR1) led to a Court of Appeal order to amend the exemption.

Legal Principles

Article 23 UK GDPR permits restrictions on data protection rights if necessary and proportionate to safeguard public interest, but requires specific provisions (Article 23(2)).

UK GDPR, Article 23

Restrictions must be a 'legislative measure' containing specific provisions on purposes, categories of data, scope of restrictions, safeguards against abuse, controller specification, storage periods, risks to data subjects' rights, and the right to be informed.

UK GDPR, Article 23(2); CJEU case law (La Quadrature du Net, SS SIA, Bara, HK v Prokuratuur)

Derogations from fundamental rights must be clear, precise, legally binding, accessible, foreseeable, and provide substantive and procedural safeguards.

CJEU case law

Data protection rights are not 'second-order' rights; right of subject access is crucial.

CJEU case law (YS v Minister voor Immigratie, RW v Österreichische Post AG)

Outcomes

The Immigration Exemption is unlawful.

It fails to comply with Article 23(2) by outsourcing safeguards to a non-legislative policy document (IEPD). Specifically, it lacks sufficient detail regarding safeguards to prevent abuse, and doesn't adequately address risks to data subjects' rights.

Similar Cases

Caselaw Digest Caselaw Digest

UK Case Law Digest provides comprehensive summaries of the latest judgments from the United Kingdom's courts. Our mission is to make case law more accessible and understandable for legal professionals and the public.

Stay Updated

Subscribe to our newsletter for the latest case law updates and legal insights.

© 2025 UK Case Law Digest. All rights reserved.

Information provided without warranty. Not intended as legal advice.