the3million & Anor, R (on the application of) v Secretary of State for the Home Department & Anor

This judicial review concerned the lawfulness of the Immigration Exemption in §4 of Schedule 2 to the Data Protection Act 2018, as amended by the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (SI 2022/76), in light of Article 23 of the UK GDPR. The court held that the Regulations fail to satisfy mandatory Article 23(2) requirements because key substantive and procedural safeguards have been delegated to a non‑legislative policy document (the Immigration Exemption Policy Document or IEPD) rather than being set out in legislation or a binding parliamentary‑endorsed code.

Material legal findings: (i) the exemption must be made by way of legislation and contain specific provisions required by Article 23(2); (ii) the Regulations lack an express statutory requirement to carry out the balancing/proportionality exercise required before derogating from rights under Article 23; (iii) safeguards to prevent abuse (Article 23(2)(d)) cannot be satisfied by an IEPD to which the Secretary of State is only required to "have regard"; and (iv) no adequate assessment or legislative recognition of the risks to data subjects (Article 23(2)(g)) was provided. The court found Article 23(2)(f) (storage periods) not engaged in the way argued by the claimants. The claim succeeded and declaratory relief was granted that the Immigration Exemption is unlawful, with the declaration suspended briefly to allow the Government to remedy the defects.

This judicial review was brought by the3million and Open Rights Group challenging the lawfulness of the Government's second iteration of an immigration exemption from certain data subject rights under the retained UK GDPR. The first version of the exemption had been declared unlawful by the Court of Appeal in R (Open Rights Group and the3million) v SSHD and SSDCMS [2021] EWCA Civ 800 (JR1) for failing to satisfy Article 23(2). The present challenge targeted the amendments made by SI 2022/76 which (among other changes) limited the exemption to data processed by the Secretary of State and required the existence of an Immigration Exemption Policy Document (IEPD) to which the Secretary of State must "have regard".

The claimants sought declarations that the amended Immigration Exemption remained incompatible with Article 23 of the UK GDPR and therefore unlawful. The principal issues framed by the court were whether the Regulations (i) constituted a sufficiently "legislative measure" and (ii) contained the specific provisions mandated by Article 23(2) (the court examined sub‑items (a)–(h), focusing notably on (b), (d), (f) and (g)). The court also considered evidence adduced by the Home Office for why an exemption was needed, contextual issues (including the likelihood of special category data, claimant vulnerability and historical rates of reliance on the exemption), and submissions by the Information Commissioner as interested party.

The court's reasoning: it accepted that the Immigration Exemption served legitimate public interests but concluded that outsourcing the substantive content of safeguards to the IEPD — a non‑statutory, changeable policy to which only regard must be had — did not satisfy Article 23(2). In particular, the Regulations did not: (i) impose an express statutory requirement to perform a proportionality/balancing test before invoking the exemption; (ii) set out binding safeguards to prevent abuse or unlawful access or transfer (Article 23(2)(d)) because the IEPD's content was not prescribed and is not binding law; and (iii) provide any adequate legislative assessment or recognition of risks to data subjects' rights (Article 23(2)(g)). The court rejected the contention that Article 23(2)(f) required further legislative storage‑period rules in this prejudice‑based exemption. The court therefore concluded the Regulations failed to meet the mandatory requirements of Article 23(2).

Remedy and practical note: the court made declarations that the Immigration Exemption is unlawful but suspended them for a short period to allow the Secretary of State to introduce compliant legislation or a binding, parliamentary‑endorsed code. The judge explained that remedies must ensure safeguards and balancing requirements appear in law and not merely in a policy document to which only "regard" must be had.

The claim succeeded. The court declared that the Immigration Exemption in Schedule 2 (as amended by SI 2022/76) is unlawful because the Regulations outsource essential safeguards and balancing requirements mandated by Article 23(2) UK GDPR to a non‑legislative policy document (the IEPD) to which the Secretary of State is only required to "have regard", and do not contain required provision addressing risks to data subjects. The declaration was suspended briefly to permit remedial legislation or a binding parliamentary‑endorsed code to be put in place.

Earlier related proceedings: R (Open Rights Group and the3million) v Secretary of State for the Home Department and Secretary of State for Digital, Culture, Media and Sport [2021] EWCA Civ 800; [2021] 1 WLR 3611 (Court of Appeal) (JR1) which held the original exemption unlawful for failing to satisfy Article 23(2). A remedies decision following JR1 appears at R (Open Rights Group and the3million) v SSHD and SSDCMS [2021] EWCA Civ 1573; [2022] QB 166. The current decision is a first‑instance High Court judicial review ([2023] EWHC 713 (Admin)).