The 3Million & Anor, R (on the application of) v Secretary of State for the Home Department & Anor

[2023] EWCA Civ 1474

Case details

Neutral citation
[2023] EWCA Civ 1474
Court
Court of Appeal (Civil Division)
Judgment date
11 December 2023
Subjects
Data protection; Immigration; Administrative law; Constitutional law
Keywords
UK GDPR; Article 23; immigration exemption; safeguards; policy document (IEPD); parliamentary scrutiny; proportionality; rule of law
Outcome
dismissed

Case summary

The Court of Appeal dismissed the Secretary of State’s appeal and upheld the High Court’s declaration that the Immigration Exemption in Schedule 2 to the Data Protection Act 2018 was incompatible with Article 23(2) of the UK GDPR. The court held that Article 23(2) requires the legislative measure authorising derogations to contain specific, binding and foreseeable provisions about key safeguards; those safeguards could not properly be delegated to a non‑statutory policy document (the IEPD) which was not itself subject to Parliamentary approval or to clear statutory content. In particular the Regulations failed to satisfy Article 23(2)(d) (safeguards to prevent abuse or unlawful access or transfer) and Article 23(2)(g) (an assessment of risks to the rights and freedoms of data subjects). The court suspended the effect of the declaration for three months to permit remedial legislation to be made.

Case abstract

Background and parties: The claimants were The 3Million and Open Rights Group; the defendants were the Secretary of State for the Home Department and the Secretary of State for Science, Innovation and Technology. The Information Commissioner intervened as an interested party. The appeal was from the High Court (Saini J: [2023] EWHC 713 (Admin)) and followed earlier Court of Appeal litigation in which the first version of the Immigration Exemption was held unlawful ([2021] EWCA Civ 800; remedial decision [2021] EWCA Civ 1573).

Nature of the claim and relief sought: The claimants sought judicial review declarations that the amended Immigration Exemption (introduced by SI 2022 No. 76 amending Schedule 2 to the Data Protection Act 2018) was unlawful because it did not comply with Article 23(2) and (3) of the UK GDPR. The High Court declared the Regulations incompatible and the Secretary of State appealed.

Issues framed:

  • whether Article 23(2) requires the statutory measure authorising derogation to contain specific provisions on matters listed in Article 23(2) rather than leaving material detail to a non‑statutory policy document;
  • whether the Regulations provide sufficient statutory safeguards to prevent abuse or unlawful access/transfer (Article 23(2)(d));
  • whether the Regulations adequately set out the assessment of risks to the rights and freedoms of data subjects (Article 23(2)(g)); and
  • ancillary issues about balancing/proportionality, controller specification, storage periods and procedural fairness/remedy.

Court’s reasoning and conclusions: The court reiterated that the UK GDPR, as retained EU law, has primacy over inconsistent primary legislation. Article 23(2) was interpreted as imposing a condition that, where relevant, the legislative measure authorising derogations must contain specific, precise and binding provisions on the listed topics so that derogations are foreseeable, reviewable and compatible with the rule of law and Parliamentary scrutiny. The Regulations introduced an Immigration Exemption which limited its scope to processing by the Secretary of State and required that an Immigration Exemption Policy Document (IEPD) be in place; however, the Regulations did not themselves specify the content of the statutory safeguards. The court found that leaving essential safeguards to a separate non‑statutory IEPD (not approved by Parliament and capable of unilateral change) failed Article 23(2)(d). Similarly, Parliament had not been provided with the necessary assessment of risks to the rights and freedoms of data subjects when invited to approve the Regulations, so Article 23(2)(g) was not satisfied. The court rejected other remaining challenges (for example as to scope wording and storage principles) and emphasised that operational flexibility can be accommodated by suitably drafted primary or secondary legislation. The court dismissed the appeal and suspended the effect of the High Court’s declaration for three months to allow remedial legislation, with liberty to apply if needed.

Wider context: The court emphasised the constitutional importance of Parliamentary scrutiny and rule of law safeguards where fundamental rights are derogated from, and the CJEU jurisprudence requiring strict necessity, proportionality and built‑in safeguards.

Held

The appeal is dismissed. The Court of Appeal agreed with the High Court that the Immigration Exemption is incompatible with Article 23(2) of the UK GDPR because the Regulations failed to include the specific, binding safeguards required by Article 23(2)(d) and did not provide Parliament with an adequate assessment of the risks to data‑subject rights required by Article 23(2)(g). The effect of the High Court declaration was suspended for three months to allow remedial legislation to be made.

Appellate history

Appeal from the High Court (Saini J) [2023] EWHC 713 (Admin). The judgment follows earlier Court of Appeal decisions holding the original Immigration Exemption unlawful: [2021] EWCA Civ 800 (substantive) and [2021] EWCA Civ 1573 (remedies/suspension). This appeal arises from the claim challenging the Regulations made by SI 2022 No. 76 which amended Schedule 2 to the Data Protection Act 2018.

Legislation cited

  • Asylum and Immigration Appeals Act 1993: Section 2
  • Constitutional Reform Act 2005: Section 1(a)
  • Data Protection Act 2018: Section 16
  • Data Protection Act 2018: Section 182
  • Data Protection Act 2018 (Schedule 2): Schedule 2, paragraph 4
  • Equality Act 2010: Section 149
  • Nationality, Immigration and Asylum Act 2002: Section 117B
  • UK GDPR: Article 23
  • UK GDPR: Article 5