With both the Illegal Migration Bill and the Data Protection and Digital Information (No. 2) Bill currently before Parliament, it is clear that both immigration control and data protection are high on the UK political agenda. Both areas have also been prominent before the courts.
Moreover, litigation by the Open Rights Group and The3million challenging UK data protection law’s so-called ʻimmigration exemptionʼ (DPA 2018, Sch. 2, para. 4) has brought these areas together in a materially impactful way. This is a far-reaching provision which, insofar as its conditions are satisfied, disapplies all of the General Data Protection Regulation (GDPR)’s transparency rights and the rights to erasure, restriction and objection (as well as the overarching data protection principles insofar as these correspond to these rights).
The first round of litigation resulted in the original version of this exemption being found by the England and Wales Court of Appeal to be incompatible with the UK General Data Protection Regulation (GDPR)’s restrictions clause (art 23), with an (albeit suspended) declaratory order being issued to this effect. Using secondary law powers set out in section 16 of the DPA, the Secretary of State subsequently published draft statutory regulations (adopted by Parliament through the affirmative resolution procedure) which also made reference to an Immigration Exception Policy Document which was published in draft at the same time. In a recent piece in the Modern Law Review (at pp. 794-5), I expressed doubt about whether the Government’s response – which undoubtedly introduced some further specifications and limitations including limiting the use of the exemption to the Secretary of State alone – fully met the standards set down in article 23.
Such doubts were confirmed by the High Court on 29 March 2023 in The3Million and Open Rights Group v Home Secretary  EWHC 713, a judgment which resulted from follow-up litigation by the same groups (who as before were in general supported by the Information Commissioner who intervened as an interested party). The judgment’s detailed findings will be further considered below.
However, a more fundamental issue, also analysed in my previous piece, is whether article 23’s standards even apply to this exception since, with Brexit implemented, the EU GDPR has been replaced by the UK GDPR which, as regards the scope of article 23, refers only to restrictions by Secretary of State regulations as opposed to those established by any “legislative measure”. That, in turn, raises the question as to whether the amending regulations which transformed the EU into the UK GDPR went beyond addressing one or more technical legal ʻdeficienciesʼ arising from Brexit and so were ultra vires section 8 of the EU (Withdrawal) Act 2018. That fundamental issue was left unaddressed in the judgment just handed down, presumably because it was not raised by either party and potentially also from some understanding that the courts might be estopped from addressing it in this litigation as it had not been raised in earlier proceedings. However, given the fundamental issues at stake any estoppel argument would appear weak. In any case, this issue needs to be addressed as the logic of the courts’ construction places in jeopardy other important primary exemptions set out in the DPA 2018 itself, notably as regards crime and taxation (DPA 2018, Sch 2, para 2).
The judgment’s analysis of how the amended immigration exemption measured up against GDPR article 23 standards can broadly be divided into two parts.
Firstly, it was held that no reliance could be placed on the Immigration Exception Policy Document as it was not subject to sufficiently robust publication requirements, could be changed without Parliamentary procedure (or indeed any formality) and there was only a duty to have regard to, as opposed to being bound by, its stipulations. Any one of these limitations was held to void any claim that this Document was, or formed part of, a legislative measure.
Secondly, the exemption as set down in statute, even as amended by the post-litigation statutory regulations, was found to fail to specify as relevant necessity and proportionality standards (cf. art. 23(1)), safeguards to prevent abuse (cf. art. 23(2)(d)) and risks to the rights and freedoms of data subjects (cf. art. 23(2)(g)) although, as regards the latter, it was suggested that coverage in the Explanatory Memorandum of the regulation may have proved sufficient. Appropriate declaratory orders, suspended for a short period, were to be issued (at ). On the other hand, Mr Justice Saini found that the purposes of processing (cf. art. 23(2)(a)), the exemption’s scope (cf. 23(2)(c)) and the specification of controller (cf. 23(2)(e)) were sufficiently detailed and finally that it was not necessary to specify storage periods (cf. 23(2)(g)) as there was no attempt under the exemption to extend such periods beyond what would otherwise be applicable.
No case law was cited which conclusively supports either limb of these holdings, which makes Mr Justice Saini’s findings both novel and potentially vulnerable to challenge. Turning to the first limb, the understanding of legislative measure in C-201/14 Bara (2015) was cited but is not determinative as it only excluded a protocol agreed between government departments which was “not the subject of an official publication” (at [40]) whereas here it was clear that there was a statutory obligation under the regulations to publish the Policy Document. Mr Justice Saini’s attempt to distinguish article 23 restrictions from those applicable to the special data rules under article 9(2)(g) on the basis that only the former was derogatory (at ) was also not convincing as article 9(2)(g) is also a derogation (in this case from the prohibition on processing special data set out in article 9(1)). It is also unfortunate that no mention was made of recital 40 of both the UK and EU GDPR which states that a “legislative measure … does not necessarily require a legislative act adopted by a parliament” but “should be clear and precise and its application should be foreseeable”.
Turning to the second limb, it is evident that there is applicable Court of Justice Grand Chamber jurisprudence indicating that restrictions should have clear and precise provisions on scope, application and safeguards (see e.g. C-511/18 La Quadrature du Net (2020)). However, there is no binding case law which explicitly holds that these provisions must explicitly refer to the matters specified by article 23(2) to be potentially relevant (and the reference to storage period was anyway subject to a different analysis by Mr Justice Saini himself). If the judgment’s holding is valid then it would render illegitimate many other restrictions which are currently unspecified in this regard including those applicable to crime and taxation here in the UK (DPA 2018, Sch 2, para 2) as well as potentially many others in EU States such as Ireland and the Netherlands (see here at pp. 795-96). Nevertheless, the justification for this recent judgment’s holdings remains strong and so what is important is that this issue is clarified and then consistently applied.
An even more weighty matter to clarify is whether the standards set down in article 23 of the UK GDPR even apply to the DPA 2018’s immigration exemption. This issue was left entirely unaddressed in the judgment and Mr Justice Saini even wrongly stated that “Parliament exercised the power under Article 23(1) of the UK GDPR to make the original Immigration Exemption” (at ). In fact, the exemption itself dates back to 2018 and so, although falling within article 23 of the EU GDPR whilst the UK was subject to this instrument, it predates the UK GDPR by several years. Moreover, the scope of the amended version of article 23 as set down in the UK GDPR doesn’t refer to a “legislative measure” (as in the EU GDPR) but only to restrictions resulting from action by the Secretary of State. It would therefore appear not to cover restrictions established through primary legislation, which includes the immigration exemption itself, as the restrictions themselves derive from the DPA 2018 even though some further limitations and specifications have been layered on top through regulations made by the Secretary of State. However, as the amended wording in the UK as opposed to EU GDPR was adopted under section 8 of the EU (Withdrawal) Act 2018, which was restricted to the addressing of technical legal deficiencies arising from the UK’s EU withdrawal, it would appear to be ultra vires and so itself invalid (see here at pp. 798-800).
It seems likely that this High Court judgment will be appealed. Assuming this is so, it is important that the higher courts not only clarify the standards set down in article 23 but also consider the scope of their application under not the EU but the UK GDPR. They should then analyse whether the revisions of wording in the UK GDPR are or are not ultra vires. Only such an approach can ensure that the fundamental constitutional values of the separation of powers between the Government and Parliament and the rule of law are consistently and fully upheld.
Many thanks to Michael Gordon and Paul Scott for their useful comments on a previous draft. Any errors remain my own. This post originally appeared on the UK Constitutional Law Association Blog and is reproduced with thanks.
David Erdos is Professor of Law and the Open Society and Co-Director of the Centre for Intellectual Property and Information Law in the Faculty of Law and also WYNG Fellow at Trinity Hall, University of Cambridge. He is an associate member of Matrix Chambers.