Immigration Exemption From Data Protection Rights Unlawful

The case of R (on the application of The3Million and another) v Secretary of State for the Home Department and others (2023) EWHC 713 concerned a judicial review claim challenging the legality of statutory restrictions on data protection rights in the context of immigration controls.

Statutory restrictions

The immigration exemption to data protection rights was introduced in 2018 as part of the Data Protection Act 2018 (DPA). Under the offending provision, it allows data controllers, including public bodies such as the Secretary of State for the Home Department (SSHD), to restrict access to personal data where this would ‘prejudice effective immigration control’.

R (on the application of The3Million and another) v Secretary of State for the Home Department and others

Case background

The case was brought on behalf of two organisations: The3Million; and Open Rights Group, against the Government, specifically the SSHD and the Secretary of State for Digital Culture Media and Sport (SSDCMS). The Information Commissioner also appeared as an interested party and supported part of the Claimants’ challenge.

In the Claimants’ initial judicial review claim before the Administration Court, the claim initially failed but succeeded on appeal to the Court of Appeal. The Court found that the immigration exemption was unlawful because the Government had failed to create a legislative measure that contained the safeguarding requirements prescribed by Article 23(2) of the Retained Regulation (EU) 2016/679, the UK GDPR.

The Court of Appeal found that in the absence of such a legislative measure, the exemption constituted an unlawful derogation from fundamental data protection rights provided for by the UK GDPR.

Following the initial challenge, the Government sought to remedy the defects by amending Schedule 2 of the DPA 2018 through the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022, SI 2022/76. The Regulations required the Secretary of State to have an immigration exemption policy document in place before the exemption could be used.

Key considerations

The issue before the Court was whether the defendants had successfully remedied the defects highlighted by the Court of Appeal. The Claimants specifically argued that the exemption failed to comply with Article 23 of the Retained Regulation (EU) 2016/679, the UK GDPR as it had firstly failed to be a ‘legislative measure’, and, secondly, failed to comply with the safeguarding requirements set out in Article 23(2) of the Retained Regulation (EU) 2016/679, the UK GDPR.

Courts decision

The Court held that the immigration exemption was in breach of Article 23 of the Retained Regulation (EU) 2016/679, the UK GDPR. They upheld three of the six complaints made by the Claimants.

It found that the ‘overriding matter’ was the Government’s use of a policy document to provide the mandatory safeguards, those set out in Article 23(2) of the Retained Regulation (EU) 2016/679, the UK GDPR and the obligation to consider proportionality and conduct a balancing exercise between the right of the individual and their prejudice to immigration control.

The Court upheld the Claimants’ challenges, supported by the Information Commissioner, that the immigration exemption:

Comment

The data protection legislation we have in place allows individuals rights over the retention and use of their personal data. In the case of migrants, the provisions relating to their ability to request data retained on their person by public bodies such as SSHD is paramount. The judicial review has found that the immigration exemption has frequently been used to decline full responses to Subject Access Requests made by migrants.

In the context of data protection legislation, the decision has been helpful guidance, particularly in relation to the lawfulness of the Government’s attempts to create exemptions from data protection rights.