R (Supperstone J at first instance in JR1)

The claim challenged the lawfulness of the immigration exemption in paragraph 4, Part 1 of Schedule 2 to the Data Protection Act 2018 (the "Immigration Exemption") as contrary to Article 23 of the GDPR and incompatible with Articles 7 and 8 of the Charter. The court considered whether the exemption was "in accordance with the law" and a proportionate implementation of Article 23.

The court held that the exemption is confined to personal data processed for the maintenance of effective immigration control or for investigating or detecting activities that would undermine that maintenance, and applies only where compliance with the listed GDPR provisions would be "likely to prejudice" those purposes. The "likely to prejudice" formulation, together with the established necessity and proportionality test, and the enforcement and remedial regime in the GDPR/DPA 2018 (including recourse to the Information Commissioner, the First-tier Tribunal (Information Rights) and the courts), provide adequate safeguards against arbitrary interference.

The court rejected submissions that the exemption was unlawful because it was open-ended, available to any controller, or lacked statutory guidance. It accepted that guidance may be helpful in practice but held that the absence of statutory guidance did not render the exemption "not in accordance with the law" or disproportionate in principle. All grounds of challenge were dismissed.

Background and parties: The Open Rights Group and the3million (claimants) sought judicial review of the Immigration Exemption in paragraph 4, Part 1 of Schedule 2 to the Data Protection Act 2018. The defendants were the Secretary of State for the Home Department and the Secretary of State for Digital, Culture, Media and Sport. Liberty and the Information Commissioner intervened. Permission was granted by Ouseley J on 21 January 2019.

Nature of the claim and relief sought: The claim challenged the introduction of the Immigration Exemption on two main grounds: (i) that it was contrary to Article 23 GDPR and incompatible with Articles 7 and 8 of the Charter, and (ii) that it was discriminatory contrary to Article 21 of the Charter. The second ground was abandoned at the hearing as adding nothing to the first.

Issues framed by the court:

• Whether the Immigration Exemption is "in accordance with the law" for the purposes of Article 23 and Charter Articles 7 and 8 (accessibility and foreseeability; protection against arbitrariness);
• Whether the exemption contains or is accompanied by adequate safeguards required by Article 23(2) of the GDPR (purposes, categories, scope, safeguards, specification of controllers, storage periods, risks and notification);
• Whether the exemption is a proportionate and necessary derogation from the data-subject rights listed in Articles 12 to 22 of the GDPR.

Facts relevant to assessment: The Home Office explained why a specific immigration exemption was adopted in DPA 2018 rather than relying on prior crime exemptions. The Home Office provided examples of scenarios where the exemption might be used (for instance to avoid tipping off subjects, to protect profiling and automated processing used for immigration control, and to prevent erasure that would impede immigration decision-making). The Home Office reported that in the first year it received 27,984 new subject access requests relating to the border and immigration system, 18,332 were progressed for response and the Immigration Exemption was relied on in 10,823 responses (about 59%), usually to redact limited elements of a case file.

Court’s reasoning: The court applied the established four-part approach drawn from authority considering interferences with Article 8/ECHR rights: the nature of the interests engaged; whether there is interference; whether it is "in accordance with the law" (accessible and foreseeable, with safeguards against arbitrariness); and whether it is proportionate to the legitimate aim. The court concluded that the Immigration Exemption is sufficiently precise and foreseeable: it defines the purposes and is limited by the threshold that application is only where compliance "would be likely to prejudice" effective immigration control (a test previously construed as requiring a substantial risk of prejudice). The necessity and proportionality requirements in the GDPR operate to constrain the exercise of the exemption in individual cases. The availability of enforcement and remedies under the GDPR and DPA 2018 (Commissioner, tribunals, courts) form part of the safeguards. The court rejected the submission that the state was required to justify the enactment of the exemption by evidence of "strict necessity" at the legislative stage; a margin of appreciation applies and the question of necessity is one for the state within that margin. While non-statutory guidance from the Information Commissioner and internal Home Office guidance may be practically important, their absence in statutory form did not render the exemption unlawful.

Disposition: All grounds of challenge were dismissed and the claim was dismissed.

The claim is dismissed. The court held that paragraph 4, Part 1 of Schedule 2 to the Data Protection Act 2018 (the Immigration Exemption) is "in accordance with the law" and constitutes a proportionate implementation of Article 23 GDPR. The exemption is limited to processing for the maintenance of effective immigration control or the investigation/detection of activities undermining that maintenance, applies only where compliance would be "likely to prejudice" those purposes, and is constrained by the necessity and proportionality requirements of the GDPR and by existing enforcement remedies; the absence of statutory guidance did not render the exemption unlawful.