Court of Appeal finds DPA exemption is unlawful under GDPR

The Court of Appeal’s judgment in R (Open Rights Group and the3million) v Secretary of State for the Home Department and Others [2021] EWCA Civ 800, handed down this morning, concludes that the ‘immigration exemption’ in Schedule 2 to the DPA 2018 is not compliant with the GDPR. That is a very significant conclusion in its own right, from the perspectives of both immigration and data protection law. But the Court’s analysis also applies to a more general question: what does a valid (i.e. GDPR-compliant) exemption from data protection rights and duties look like?

A quick reminder of the architecture: the GDPR sets out a raft of rights and duties (in Chapters II and III in particular). Article 23 creates scope for ‘restrictions’ on those rights, i.e. exemptions. Article 23(1) says what the grounds can be (national security, public interest grounds and so on). Member states then go an implement those exemptions in national legislation (the UK did so mainly via Schedule 2 to the DPA 2018).

Article 23(1) also contains the headline test for what a valid (GDPR-compliant) exemption under national law looks like: a valid restriction is one that “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society”. Article 23(2) supplements that broad test with prescriptions about what the exemption created by domestic law needs to include:

In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the controller or categories of controllers;

(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

The question for the Court of Appeal was whether those tests for a GDPR-compliant domestic law exemption were met for the immigration exemption in paragraph 4 of Schedule 2 DPA 2018, which applies to personal data processed for “(a) the maintenance of effective immigration control, or (b) the investigation or detection of activities that would undermine the maintenance of effective immigration control” to the extent that complying with the GDPR provisions would prejudice those purposes.

The answer given by Warby LJ (with whom Singh LJ and Underhill LJ agreed) was “clearly” no. The appeal against Supperstone J’s dismissal of the judicial review challenge was allowed.

The appellants’ core arguments were that the immigration exemption is over-broad and that the features required by Article 23(2) were absent. The ICO (intervening) agreed. The key arguments were that the overarching test under Article 23(1) was one of strict necessity (see Tele2, for example) and that the broad coverage of the immigration exemption failed the proportionality test. Further, the requirements of Article 23(2) had to be satisfied in legislation itself, or at least in guidance that had statutory status.

In contrast, the government advocated an approach of greater deference to Parliament, as per The Christian Institute v The Lord Advocate (Scotland) [2016] UKSC 51: the legislature’s decision that such a measure is necessary may only be impugned if unreasonable; the measure will be proportionate if it is capable of being operated in all or most cases without giving rise to an unjustified interference with Article 8; it must be in accordance with the law, which includes a requirement for relevant safeguards against abuse.

In allowing the appeal, Warby LJ summarised the rationale for Article 23 as follows (see para 50):

“… broad legal provisions, such as those that require a measure to be necessary and proportionate in pursuit of a legitimate aim, are insufficient to protect the individual against the risk of unlawful abrogation of fundamental rights. The legal framework will not provide the citizen with sufficient guarantees that any derogation will be strictly necessary and proportionate to the aim in view, unless the legislature has taken the time to direct its attention to the specific impacts which the derogation would have, to consider whether any tailored provisions are required and, if so, to lay them down with precision. This approach will tend to make the scope and operation of a derogation more transparent, improve the quality of decision-making, and facilitate review of its proportionality…”

The prescriptive requirements of Article 23(2) could not be downplayed or trivialised: this was a deliberate aspect of the drafting of the GPDR (see para 48).

Overall (see para 53):

“… On my reading of Article 23 as a whole, it seems clear that the Immigration Exception is non-compliant. The Exemption itself contains nothing, specific or otherwise, about any of the matters listed in Article 23(2). Even assuming, without deciding, that it is permissible for the “specific provisions” required by Article 23(2) to be contained in some separate legislative measure, there is no such measure. It has not been suggested that the draft internal guidance produced by the Home Office qualifies as such. The ICO’s present guidance is doubtless of some value, but it is somewhat vague and, critically, it does not have the force of law. Its provisions might be a relevant consideration for a public law decision-maker, as Sir James Eadie submits, but I am not at all persuaded that this would be enough to comply with Article 23(2). It is not to be forgotten that the Immigration Exemption applies to a range of private bodies and individuals. In any event, the term “legislative measure”, whatever its precise scope, must refer to something other than a non-binding code promulgated by a regulator that counts as a relevant consideration for the purposes of administrative decision-making.”

Arguments on relief are to follow. But aside from the effective death of the immigration exemption, a big take-away from this judgment is that Courts will scrutinise DP exemptions strictly for compliance with both Article 23(1) (the broad test) and Article 23(2) (the detailed features) of the GDPR.

Chris Knight appeared for the ICO.

Robin Hopkins