Key Facts
- •Judicial review of the UK government's second attempt at an immigration exemption from the UK GDPR.
- •The exemption allows restriction of data protection rights when likely to prejudice effective immigration control.
- •Challenge based on the exemption's alleged non-compliance with Article 23 of the UK GDPR.
- •Claimants: The3Million and Open Rights Group; Defendants: Secretary of State for the Home Department and Secretary of State for Digital, Culture, Media and Sport; Interested Party: Information Commissioner.
- •Previous unsuccessful attempt (JR1) led to a Court of Appeal order to amend the exemption.
Legal Principles
Article 23 UK GDPR permits restrictions on data protection rights if necessary and proportionate to safeguard public interest, but requires specific provisions (Article 23(2)).
UK GDPR, Article 23
Restrictions must be a 'legislative measure' containing specific provisions on purposes, categories of data, scope of restrictions, safeguards against abuse, controller specification, storage periods, risks to data subjects' rights, and the right to be informed.
UK GDPR, Article 23(2); CJEU case law (La Quadrature du Net, SS SIA, Bara, HK v Prokuratuur)
Derogations from fundamental rights must be clear, precise, legally binding, accessible, foreseeable, and provide substantive and procedural safeguards.
CJEU case law
Data protection rights are not 'second-order' rights; right of subject access is crucial.
CJEU case law (YS v Minister voor Immigratie, RW v Österreichische Post AG)
Outcomes
The Immigration Exemption is unlawful.
It fails to comply with Article 23(2) by outsourcing safeguards to a non-legislative policy document (IEPD). Specifically, it lacks sufficient detail regarding safeguards to prevent abuse, and doesn't adequately address risks to data subjects' rights.