The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Back to the drawing board: High Court rejects Home Office’s second attempt at a GDPR immigration exemption

26 April 2023

In R (the3million & Open Rights Group) v Secretary of State for the Home Department [2023] EWHC 713 (Admin), Saini J dealt with a second challenge to the Home Office’s attempt to craft a lawful exemption from the GDPR for matters relating to immigration. The first attempt at an exemption was ruled unlawful by the Court of Appeal in a case of the same name, reported at [2021] EWCA Civ 1573; [2022] QB 166, on the basis that it was not a ‘legislative measure’ containing specific provisions, as required by Article 23 UK GDPR (which is the enabling provision for the exemptions familiar from Schedule 2 of the Data Protection Act 2018).

The SSHD would like the exemption to apply where application of UK GPDR rights ‘would be likely to prejudice the maintenance of effective immigration control’. The new scheme was enacted by a statutory instrument amending Sch 2 of the DPA. It created the relevant exemptions and then required the SSHD to have ‘an immigration exemption policy document [IEPD] in place’, which would contain the detail.

There was no dispute that such an exemption could serve an important public interest, and the SSHD advanced evidence that immigration control is heavily dependent on data processing. The UK GDPR rights can operate to frustrate that – for example, subject access requests may lead to tipping off about ongoing enforcement action or enable individuals to edit or fabricate their accounts. The issue was over how the safeguards to that exemption should be identified and applied.

Saini J held that the revised scheme did not meet the requirement of proportionality contained within Article 23: putting that requirement into the IEPD was insufficient. He also held that there were insufficient safeguards to prevent abuse: again, it was not sufficient for the safeguards to be within the IEPD, they needed to be in the legislation itself. A policy document did not provide an adequate set of safeguards. It also did not make any provision regarding the risks to the rights and freedoms of the data subject. Saini J declined to provide anything bar the broadest guidance on what a compliant scheme might look like.

The Home Office is accordingly going back to the drawing board. This case illustrates the extent to which the enabling provisions in the UK GDPR have real teeth – and also the difference between the approach taken under the ECHR when considering whether a measure is ‘in accordance with the law’ (when policies and guidance may have the quality of law for those purposes) and that taken under the GDPR, when it seems only black letter law will do.

Further reading: R (the3million & Open Rights Group) v Secretary of State for the Home Department [2023] EWHC 713 (Admin)

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)