In August 2018 the Open Rights Group, a digital rights organisation that seeks to promote and uphold privacy and data protection rights, and the3million, a grassroots organisation of EU citizens resident in the United Kingdom, brought a judicial review claim against the Secretaries of State for the Home Department and Digital, Culture, Media and Sport. They sought a declaration that the 'immigration exemption' under Paragraph 4 of Schedule 2 to the Data Protection Act 2018, which disapplies some data protection rights where their application would be likely to prejudice immigration control, was unlawful. They argued that the immigration exemption was incompatible with the EU General Data Protection Regulation (GDPR) (206/679/EU) and the Charter of Fundamental Rights of the European Union. The defendants denied both of these contentions.
The proceedings were launched when the United Kingdom was still an EU member state and judgment was given after 'exit day' (29 March 2019) but during the implementation period provided for by the Withdrawal Agreement, which ended on 31 December 2020. Therefore, the United Kingdom's withdrawal from the European Union did not materially affect the position.
The claim was dismissed at first instance on the basis that the immigration exemption fell within Article 23(1)(e) of the GDPR. Article 23(1) of the GDPR authorises an exemption from certain rights and obligations thereunder by way of a "legislative measure" where such an exemption "respects the essence of fundamental rights and freedoms" and is a "necessary and proportionate measure in a democratic society to safeguard" one of the specified objectives (eg, public security or judicial proceedings) set out in Paragraphs 23(1)(a) to 23(1)(j) of the GDPR. Article 23(1)(e) covers "other important objectives of general public interest". The judge said that the immigration exemption was a matter of "important public interest" and pursued a legitimate aim. Therefore, the judge held that it was compliant. The claimants appealed to the Court of Appeal.
The main ground of appeal focused on Article 23(2) of the GDPR, which provides that any legislative measure enacted under Article 23(1) "shall contain specific provisions at least where relevant as to" a list of eight requirements set out in Paragraphs 23(1)(a) to 23(1)(h) of the GDPR. The claimants argued that the judge had been wrong to approach the case by reference to principles applicable to Article 8 of the European Convention on Human Rights (ECHR). They said that European Court of Justice (ECJ) case law and the terms of Article 23(2) itself made it clear that the circumstances in which a derogation such as the immigration exemption will apply – and under what substantive and procedural safeguards – must be clearly prescribed by the legislation itself or appropriate guidance with the force of law. Further, the claimants held that the judge had been wrong to approach the case on the footing that these matters could lawfully be dealt with in other ways. In other words, they said that the immigration exemption was so over broad as to be in breach of the express requirements which govern derogations in Article 23(2) of the GDPR and the ECJ's case law.
Lord Justice Warby noted that although Article 23(1) had a familiar structure, reflected in the charter and the ECHR, its function was different. Whereas Article 8 of the ECHR (for example) prescribes the conditions under which state interference with the right to respect for private and family life may be justified, Article 23 is a measure that permits the state to restrict the very scope of the right, including by removing it from the citizen altogether, in specified circumstances.
Further, Warby said, the language and structure of Article 23(2) are not familiar from the charter, the ECHR or the EU Data Protection Directive (95/46/EC). On a natural reading of the words, Article 23(2) of the GDPR particularises the requirements of Article 23(1) and sets out details of what a "legislative measure" must do if it is to comply with the requirements of Article 23(1) – namely, it must "contain specific provisions" about each of the eight listed matters "at least, where relevant" to an assessment of whether the measure respects the essence of the right in question and is necessary and proportionate for one or more of the listed purposes or objectives. Warby further held that the language also clearly suggested that the legislative measure must have some binding force.
As for ECJ case law, in Warby's view this showed that the ECJ:
- had been alert to the risk of over-broad derogations from fundamental rights;
- required any derogation from fundamental rights to be justified by proof of strict necessity; and
- did not consider that this, or the requirement of proportionality, could be satisfied unless the appropriate safeguards were built into the legislative measure itself.
This supported his findings on the language of the GDPR. Further, he said, there was nothing in the cases that supported the judge's conclusion that a distinction should be drawn between different kinds of derogation and that different criteria apply to a derogation that is "permissive". The one clear and consistent theme running across the case law was that derogations in this area must be justified as strictly necessary. There was no trace of any doctrine that a less exacting standard might apply where the relevant legislation does not itself involve an abrogation or interference but merely authorises it.
Warby also said that the requirements listed in Article 23(2) of the GDPR were particularised at some length and in some detail. While Article 23(2) of the GDPR did comprise a checklist, it was cast in mandatory terms and called for "specific" provisions, which should surely be given some meaning. In any event, in Warby's judgment, in light of the ECJ case law, Article 23(2) of the GDPR should be read as requiring any derogation to be effected by a "legislative measure" that:
- is tailored to the derogation;
- is legally enforceable;
- contains provisions that are specific to the listed topics (to the extent that they are relevant to the derogation in question);
- is precise; and
- produces a reasonably foreseeable outcome.
The ECJ has repeatedly rejected submissions to the effect that domestic legislation should be held to be legitimate on the basis that sufficient safeguards could be found elsewhere in the overall legal framework.
Warby said that these conclusions were also consistent with European Data Protection Board Guidelines 10/2020 (Paragraphs 45 and 46).
Warby agreed with the judge that the immigration exemption addressed an important aspect of the public interest that fell within the scope of Article 23(1)(e) of the GDPR. However, he said that the judge had been wrong to reject the claimants' submissions on Article 23(2) of the GDPR. He held that when reading Article 23 of the GDPR as a whole, it was clear that the immigration exemption was non-compliant. He pointed out that the exemption itself contain nothing, specific or otherwise, about any of the matters listed in Article 23(2) of the GDPR. Further, Warby said that even assuming, without deciding, that it is permissible for the "specific provisions" required by Article 23(2) of the GDPR to be contained in some separate legislative measure, there was no such measure.
Warby concluded by saying that the appropriate remedy in a case of incompatibility was "a sensitive matter". He therefore deferred a decision on relief, inviting further submissions in light of his findings.(1)
Endnotes
(1) The Open Rights Group v The Secretary of State for the Home Department ([2021] EWCA Civ 800 (26 May 2021)).
