Skip to Main Content

Find Case LawBeta

Judgments and decisions from 2001 onwards

The 3Million & Anor, R (on the application of) v Secretary of State for the Home Department & Anor

[2023] EWCA Civ 1474

Neutral Citation Number: [2023] EWCA Civ 1474
Case No: CA-2023-000763
IN THE COURT OF APPEAL (CIVIL DIVISION)

ON APPEAL FROM THE HIGH COURT OF JUSTICE

KING’S BENCH DIVISION

ADMINISTRATIVE COURT

Mr Justice Saini

[2023] EWHC 713 (Admin); [2023] 1 WLR 3011

Royal Courts of Justice

Strand, London, WC2A 2LL

Date: 11 December 2023

Before :

LORD JUSTICE LEWISON

LORD JUSTICE SINGH
and

LADY JUSTICE ELISABETH LAING

Between :

THE KING on the application of

(1) THE 3MILLION

(2) OPEN RIGHTS GROUP

Claimants/

Respondents

- and -

(1) SECRETARY OF STATE FOR THE HOME DEPARTMENT

(2) SECRETARY OF STATE FOR SCIENCE, INNOVATION AND TECHNOLOGY

(formerly SECRETARY OF STATE FOR DIGITAL, CULTURE, MEDIA, AND SPORT)

THE INFORMATION COMMISSIONER

Defendants/

Appellants

Interested Party

Aidan Eardley KC (instructed by the Treasury Solicitor) for the Appellants

Ben Jaffey KC and Nikolaus Grubeck (instructed by Leigh Day) for the Respondents

Christopher Knight (instructed by the Information Commissioner’s Office) for the Interested Party

Hearing dates: 21-22 November 2023

Approved Judgment

This judgment was handed down remotely at 10.a.m. on 11 December 2023 by circulation to the parties or their representatives by e-mail and by release to the National Archives.

.............................

Lord Justice Singh:

Introduction

1.

The issue on this appeal is whether the Government’s second attempt to produce an immigration exemption (“the Immigration Exemption”) from certain rights of data subjects conferred by the United Kingdom General Data Protection Regulation (“the UK GDPR”) was unlawful as it did not comply with the requirements of Article 23(2) and (3) of that Regulation.

2.

The UK GDPR is a part of “retained” law, i.e. it was derived from European Union (“EU”) law but, since the UK’s departure from the EU, is now part of domestic law. The UK GDPR was derived from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation or “the GDPR”). It is common ground that, in the hierarchy of norms in the domestic legal order, the UK GDPR is superior to the Immigration Exemption, even though that exemption is part of primary legislation, as it is to be found in Schedule 2 to the Data Protection Act 2018 (“the DPA” or the “DPA 2018”). Accordingly, the Immigration Exemption must comply with the UK GDPR and, to the extent of any inconsistency with it, is not lawful. It is again common ground that this consequence is the result of the will of Parliament, as expressed in the European Union (Withdrawal) Act 2018.

3.

The first attempt to introduce the Immigration Exemption was held by this Court (Underhill, Singh and Warby LJJ) to be unlawful: [2021] EWCA Civ 800; [2021] 1 WLR 3611. After a further hearing to consider remedies, the Court suspended the effect of its declaration until 31 January 2022, so that the Government would have adequate time to amend the relevant provisions of the DPA by way of secondary legislation: [2021] EWCA Civ 1573; [2022] QB 166.

4.

The second attempt to introduce the Immigration Exemption was also the subject of proceedings for judicial review brought by the present Respondents. On 29 March 2023 it was held to be unlawful by Saini J (“the Judge”), who suspended his declaration to that effect for a period of three months. That order was stayed by this Court (Singh LJ) on 9 May 2023, when permission to appeal was granted.

5.

At the hearing of this appeal, we heard submissions from Mr Aidan Eardley KC, who appeared for the Appellants; Mr Ben Jaffey KC, who appeared with Mr Nicolaus Grubeck for the Respondents; and Mr Christopher Knight, who appeared for the Interested Party, the Information Commissioner (or “the Commissioner”). I express the Court’s gratitude to them all for their written and oral submissions.

The UK GDPR

6.

The main rights in the UK GDPR which are in issue are as follows.

7.

Article 5 contains the fundamental principles relating to processing of personal data. Para 1 provides that personal data shall be (a) processed lawfully, fairly and in a transparent manner in relation to the data subject.

8.

Article 9 deals with processing of special categories of personal data. Para 1 provides that:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

9.

Para 2 provides that para 1 shall not apply if one of the following applies, including sub-para (g):

“Processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;”

10.

Articles 13 and 14 relate to general duties which are imposed on the data controller. Article 13 requires information to be provided where personal data are collected from the data subject; and Article 14 requires information to be provided where personal data have not been obtained from the data subject.

11.

Article 15 is often described as the “gateway” right, because it concerns the right of access by the data subject and, therefore, provides a gateway to other rights in the UK GDPR. Para 1 provides that:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a)

the purposes of the processing;

(b)

the categories of personal data concerned;

(c)

the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d)

where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e)

the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f)

the right to lodge a complaint with the Commissioner;

(g)

where the personal data are not collected from the data subject, any available information as to their source;

(h)

the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.”

12.

Para 2 provides that:

“Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.”

13.

Para 3 provides that the controller shall provide a copy of the personal data undergoing processing. But para 4 provides that the right to obtain a copy in that paragraph shall not adversely affect the rights and freedoms of others.

14.

Article 17 relates to the right to erasure or “the right to be forgotten”.

15.

Article 18 relates to the right to restriction of processing.

16.

Article 21 relates to the right to object to the processing of personal data which is based on paras (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data “unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”

17.

For the Appellants Mr Eardley points out that most of the above rights are qualified rights, i.e. they admit of limitations, restrictions and exceptions. But that is true of most rights: few rights, even those which are described as fundamental rights, are in truth absolute. What is significant, as Mr Jaffey observes for the Respondents, is that what is in issue in the present case is not whether the Appellants can rely on the inherent qualifications which are contained within the rights themselves, but whether they can derogate from even those qualified rights: that is why they need the Immigration Exemption. Even without the Immigration Exemption, the Appellants would be able to rely on the qualifications which are inherent in the rights in any event, because they will often be able to point to some public interest, such as the risk that an immigrant might abscond, in order not to comply (fully) with one of those rights.

18.

I therefore turn to Article 23, which lies at the heart of this appeal, because in principle it permits derogation from the rights in issue. It provides as follows:

“1.

The Secretary of State may restrict the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

a

b

c public security;

d the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

e other important objectives of general public interest, in particular an important economic or financial interest of the United Kingdom, including monetary, budgetary and taxation a matters, public health and social security;

f the protection of judicial independence and judicial proceedings;

g the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

h a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

i the protection of the data subject or the rights and freedoms of others;

j the enforcement of civil law claims.

2

In particular, provision made in exercise of the power under paragraph 1 shall contain specific provisions at least, where relevant, as to:

a the purposes of the processing or categories of processing;

b the categories of personal data;

c the scope of the restrictions introduced;

d the safeguards to prevent abuse or unlawful access or transfer;

e the specification of the controller or categories of controllers;

f the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

g the risks to the rights and freedoms of data subjects; and

h the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

3

The Secretary of State may exercise the power under paragraph 1 only by making regulations under section 16 of the 2018 Act.” (Emphasis added)

The original version of the Immigration Exemption

19.

The terms of the original version of the Immigration Exemption were set out in para 4 of Schedule 2 to the DPA:

“4 Immigration

(1)

The GDPR provisions listed in sub-paragraph (2) do not apply to personal data processed for any of the following purposes– (a) the maintenance of effective immigration control, or (b) the investigation or detection of activities that would undermine the maintenance of effective immigration control, to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).

(2)

The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of article 23(1) of the GDPR)–– (a) article 13(1) to (3) (personal data collected from data subject: information to be provided); (b) article 14(1) to (4) (personal data collected other than from data subject: information to be provided); (c) article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers); (d) article 18(1) and (2) (right to erasure); (e) article 18(1) (restriction of processing); (f) article 21(1) (objections to processing); (g) article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f). (That is, the listed GDPR provisions other than article 16 (right to rectification), article 19 (notification obligations regarding rectification or erasure of personal data or restriction of processing) and article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of article 5 listed in paragraph 1(b).)”

The judgment of the Court of Appeal in the first claim for judicial review

20.

On 26 May 2021 this Court allowed the claimants’ appeal from the decision of Supperstone J, which had dismissed their claim for judicial review, challenging the original version of the Immigration Exemption. The only substantive judgment was given by Warby LJ, with whom Underhill and Singh LJJ agreed. The ratio of the case is helpfully set out at para 29:

“… I would suggest that … this appeal can and should be decided on the following short and straightforward basis. There presently exists no legislative measure that contains specific provisions in accordance with the mandatory requirements of article 23(2) of the GDPR. In the absence of any such measure, the Immigration Exemption is an unauthorised derogation from the fundamental rights conferred by the GDPR, and therefore incompatible with the Regulation. For that reason, it is unlawful. The appeal succeeds on this aspect of ground 2, and it is unnecessary to reach conclusions on the other issues raised.”

21.

It is important, however, to quote some other passages from Warby LJ’s judgment, both because they summarise the jurisprudence of the Court of Justice of the European Union (“CJEU”), so that it is unnecessary to set it out here, and because they have a bearing on the issues which arise on this appeal.

22.

At paras 32-33, Warby LJ said:

“32.

The language and structure of article 23(2) are not familiar from the Charter or the ECHR. Nor is any comparable provision to be found in the Data Protection Directive. This is new. It is, by common consent, a provision that particularises the requirements of article 23(1). That is clear from the opening words. As is also obvious, article 23(2) sets out details of what a ‘legislative measure’ must do, if it is to comply with the more broadly stated requirements of article 23(1). The legislative measure has to ‘contain specific provisions’ about the eight listed matters ‘at least, where relevant’. As a matter of grammar, and on a natural reading, this would seem to mean that the legislative measure must at least include specific provision about each of the eight listed matters, where or to the extent that the listed matter in question is relevant; it may need to include specific provision about other matters as well.

33.

Putting this another way, it seems to me that on the face of it article 23(2) contains a condition precedent to the validity of any ‘legislative measure’ purporting to fall within article 23(1): the measure can only satisfy the requirements of article 23(1) if it contains specific provision as to each matter that (a) is listed in article 23(2) and (b) is, in the circumstances, relevant to an assessment of whether the measure (i) respects the essence of the right in question and is (ii) necessary and proportionate for one or more of the listed purposes or objectives. The language clearly suggests that the legislative measure must have some binding force.”

23.

At para 36, Warby LJ summarised the jurisprudence of the CJEU in the following way:

“… In my judgment, this body of jurisprudence, progressively built up over the years, justifies several of the headline submissions of Mr Jaffey. I would accept that the cases show that the CJEU has been alert to the risk of over-broad derogations from fundamental rights; requires any derogation from fundamental rights to be justified by proof of strict necessity; and does not consider that this, or the requirement of proportionality, can be satisfied unless the appropriate safeguards are built into the legislative measure.”

24.

At paras 49-50, Warby LJ said:

“49.

… in my judgment the better view, in the light of the CJEU jurisprudence, is that article 23(2) requires any derogation to be effected by a ‘legislative measure’ that is tailored to the derogation, legally enforceable, and contains provisions that are specific to the listed topics – to the extent these are relevant to the derogation in question – precise, and produce a reasonably foreseeable outcome. …

50.

The essence of the reasoning, as I see it, is that broad legal provisions, such as those that require a measure to be necessary and proportionate in pursuit of a legitimate aim, are insufficient to protect the individual against the risk of unlawful abrogation of fundamental rights. The legal framework will not provide the citizen with sufficient guarantees that any derogation will be strictly necessary and proportionate to the aim in view, unless the legislature has taken the time to direct its attention to the specific impacts which the derogation would have, to consider whether any tailored provisions are required and, if so, to lay them down with precision. This approach will tend to make the scope and operation of a derogation more transparent, improve the quality of decision-making, and facilitate review of its proportionality. To my mind the evidence to date as to the relevant decision-making tends to emphasise the importance of characteristics such as these.”

25.

At paras 53-54, Warby LJ said:

“53 I would agree with the judge that the Immigration Exemption addresses an important aspect of the public interest, that falls within the scope of article 23(1)(e). But I have concluded that he was wrong to reject the appellants’ submissions as to article 23(2) … On my reading of article 23 as a whole, it seems clear that the Immigration Exception is non-compliant. The exemption itself contains nothing, specific or otherwise, about any of the matters listed in article 23(2). Even assuming, without deciding, that it is permissible for the ‘specific provisions’ required by article 23(2) to be contained in some separate legislative measure, there is no such measure. It has not been suggested that the draft internal guidance produced by the Home Office qualifies as such. The ICO’s present guidance is doubtless of some value, but it is somewhat vague and, critically, it does not have the force of law. Its provisions might be a relevant consideration for a public law decision-maker, as Sir James Eadie submits, but I am not at all persuaded that this would be enough to comply with article 23(2). It is not to be forgotten that the Immigration Exemption applies to a range of private bodies and individuals. In any event, the term ‘legislative measure’, whatever its precise scope, must refer to something other than a non-binding code promulgated by a regulator that counts as a relevant consideration for the purposes of administrative decision-making.

54.

I have indicated a provisional view that the legislative measure in question must be part and parcel of the legislation that creates the derogation, but I do not think that this is the point at which to decide what form the ‘specific provisions’ should take. I merely note Mr Knight’s observation that, on the face of it, section 16 of the DPA 2018 confers wide-ranging powers on the respondents to vary the terms of provisions made under Schedule 2. It is certainly not for us to prescribe the content of any of the specific provisions which the Regulation requires. It may be open to the legislature to conclude that one or more of the matters listed in article 23(2) is not relevant to this particular exemption. It may even be entitled to conclude that although a particular matter is relevant it is unnecessary to set limits any narrower than those contained in the GDPR itself. But that is not the way the respondents have put their case at this stage. The reason there are no specific provisions is not that the legislature has gone through any reasoning process of this kind. On the contrary, the respondents’ stance has been consistent throughout: that as a matter of principle no such process is required, as it is enough for individual decisions to comply with the general requirements of the GDPR itself, extraneous legislation such as the Human Rights Act 1998, and other measures of legal control. That stance, in my judgment, is legally wrong.”

26.

After a further hearing to consider the question of remedies, the Court gave judgment on 29 October 2021. The Court granted a declaration that the original version of the Immigration Exemption was incompatible with retained EU law in that it did not satisfy the requirements of Article 23(2) of the UK GDPR. But that declaration was suspended until 31 January 2022 in order to provide a reasonable time for the DPA to be amended so as to remedy the incompatibility. That was a period of suspension of just over three months.

The amended version of the Immigration Exemption

27.

The amended version of the Immigration Exemption was introduced by the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 (SI 2022 No. 76) (“the Regulations”).

28.

The Appellants shared a draft copy of the draft Regulations with the Respondents and the Information Commissioner on 28 October 2021. The Appellants then met the Respondents to discuss their concerns about the draft on 9 November 2021. On that day the Commissioner responded by letter, setting out why he felt that the draft Regulations were not compatible with Article 23(2) of the UK GDPR. The First Appellant responded to the Commissioner and provided a draft of the Explanatory Memorandum on 25 November 2021. The Commissioner in turn responded on 7 December 2021, confirming his view that safeguards which the First Appellant was intending to include in an Immigration Exemption Policy Document (“IEPD”) should be included in the Regulations themselves.

29.

On 10 December 2021 the First Appellant laid the draft regulations before Parliament. After approval by both houses of Parliament under the affirmative resolution procedure, the Regulations were made on 26 January 2022 and came into force on 31 January 2022.

30.

The amended version of the Immigration Exemption is in the following terms:

“4 Immigration

(1)

The GDPR provisions listed in sub-paragraph (2) do not apply to personal data processed by the Secretary of State for any of the following purposes–– (a) the maintenance of effective immigration control, or (b) the investigation or detection of activities that would undermine the maintenance of effective immigration control, to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).

(1A) But sub-paragraph (1) does not apply unless the Secretary of State has an immigration exemption policy document in place.

(1B) For the purposes of sub-paragraph (1A), the Secretary of State has an immigration exemption policy document in place if the Secretary of State has produced a document which explains the Secretary of State’s policies and processes for–– (a) determining the extent to which the application of any of the GDPR provisions listed in sub-paragraph (2) would be likely to prejudice any of the matters mentioned in sub-paragraph (1)(a) and (b), and (b) where it is determined that any of those provisions do not apply in relation to personal data processed for any of the purposes mentioned in sub-paragraph (1)(a) and (b), preventing–– (i) the abuse of that personal data, and (ii) any access to, or transfer of, it otherwise than in accordance with the GDPR.

(1C) Paragraphs 4A and 4B make provision about additional safeguards in connection with the exemption in this paragraph.

(2)

The GDPR provisions referred to in sub-paragraphs (1) and (1B) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of article 23(1) of the GDPR) (a) article 13(1) to (3) (personal data collected from data subject: information to be provided); (b) article 14(1) to (4) (personal data collected other than from data subject: information to be provided); (c) article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers); (d) article 17(1) and (2) (right to erasure); (e) article 18(1) (restriction of processing); (f) article 21(1) (objections to processing); (g) article 5 (general principles) so far as its
provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f). (That is the listed GDPR provisions other than article 16 (right to rectification), article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing), article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of article 5 listed in paragraph 1(b)).

4A Immigration: additional safeguard: decisions for the purposes of paragraph 4(1) and requirement to have regard to immigration exemption policy document

(1)

The Secretary of State must–– (a) determine the extent to which the application of the relevant GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) on a case by case basis, and (b) have regard, when making such a determination, to the immigration exemption policy document.

(2)

The Secretary of State must also–– (a) review the immigration exemption policy document and (if appropriate) update it from time to time; (b) publish it, and any update to it, in such manner as the Secretary of State considers appropriate.

(3)

In this paragraph and paragraph 4B ‘the relevant GDPR provisions’ means the provisions of the GDPR listed in paragraph 4(2).

4B Immigration: additional safeguard: record etc of decision that exemption applies

(1)

Where the Secretary of State determines in any particular case that the application of any of the GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b), the Secretary of State must–– (a) keep a record of that determination and the reasons for it, and (b) inform the data subject of that determination.

(2)

But the Secretary of State is not required to comply with sub-paragraph (1)(b) if doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b).”

31.

At para 22 of his judgment, the Judge helpfully summarised the changes which had been made to the Immigration Exemption in the following way:

“Standing back from the detail, I note that the Regulations introduced a number of qualifications to the original version of the Immigration Exemption:

(1)

Limiting the scope of the exemption to personal data processed ‘by the Secretary of State’, and only if she ‘has an immigration exemption policy document in place’ (the IEPD).

(2)

Introduction of the IEPD, which must be kept under review, updated as appropriate, and published (along with any updates) ‘in such manner as the Secretary of State considers appropriate’. It must explain the Secretary of State’s ‘policies and processes’ for:

(a)

determining the extent to which the application of any GDPR provisions affected by the Immigration Exemption ‘would be likely to prejudice’ the immigration purposes identified in sub- paragraphs (1)(a) and (b) of paragraph 4 of Schedule 2 to the 2018 Act (the ‘immigration purposes’); and

(b)

where the Immigration Exemption is applied, preventing the abuse of the relevant personal data and any access to or transfer of it otherwise than in accordance with the GDPR.

(3)

In applying the Immigration Exemption, the Secretary of State must make a case-by-case assessment of the extent to which the relevant GDPR provisions liable to be exempted ‘would be likely to prejudice’ the immigration purposes. In doing so, she must ‘have regard’ to the IEPD.

(4)

Where the Secretary of State determines in any particular case that the application of any relevant provision of the GDPR ‘would be likely to prejudice any of the [immigration purposes]’, she must:

(i)

‘keep a record of that determination and the reasons for it’; and

(ii)

‘inform the data subject of that determination’, unless that would prejudice any of the immigration purposes.”

32.

At para 23 of his judgment, the Judge summarised the terms of the IEPD as follows:

“An IEPD, dated January 2022, has been published on the Home Office website. The terms of the IEPD are instructive as to its purposes and the work it is intended to do when being applied in practice. So, it records:

‘The key topics covered by this guidance are:

The policies and processes for determining the extent to which the application of certain GDPR provisions would be likely to prejudice the immigration purposes;

Where it is determined that any of those provisions do not apply in relation to personal data processed for any of those purposes, preventing––

the abuse of that personal data (see section 8 below), and any access to, or transfer of, it otherwise than in accordance with the GDPR.

Scope of the immigration exemption;

When the immigration exemption may be used;

What the prejudice test is, including the rights and obligations that are affected;

How a restriction may be applied;

The rationale for applying the exemption;

The need for it to be applied on an individual case by case basis;

The time constraints on any such use; and

Retention schedules.’ ”

The judgment of the High Court

33.

The Judge allowed the claim for judicial review, although he did not accept all of the grounds of challenge.

34.

At paras 36-44, the Judge set out the principles which he derived from the case law of the CJEU, as interpreted by this Court in the first claim for judicial review. He summarised the position at paras 42-43:

“42.

By way of summary, the GDPR and CJEU retained case law, as interpreted by the Court of Appeal … (and as supplemented by more recent case law), provides that a measure restricting rights under article 23(2) of the GDPR must satisfy the following tests:

(i)

be made way of legislation (here, regulations);

(ii)

be clear and precise;

(iii)

be legally binding under domestic law;

(iv)

be accessible and foreseeable; and

(v)

provide substantive and procedural conditions (including safeguards) in respect of the relevant processing.

43.

I emphasise that these criteria are basic rule of law requirements in this context. The CJEU case law could not be clearer in this regard when derogations from fundamental rights are sought to be adopted. These requirements (where relevant) are matters to be satisfied within and by the legislation and are to be assessed prior to any analysis of the necessity and proportionality of a particular restriction, although the matters are closely related and seen as part of an holistic exercise …” (Emphasis in original)

35.

At para 45, the Judge set out the relevance and role of the IEPD as follows:

“45.

Before I turn to the grounds, I must address a general submission put at the forefront of the arguments made by leading counsel for the claimants on ground 1. I substantially accept that submission but how it applies to the specific terms of the Immigration Exemption will be a matter to be addressed in more detail below. The claimants say that, given the central role given to the IEPD in the new version the Immigration Exemption lacks certain substantive and procedural safeguards to ensure Parliamentary scrutiny, a key component of any legislative measure. I note that the defendants rely on Parliamentary scrutiny by way of the affirmative resolution procedure. I agree with the claimants that this is, in practice, absent given the reliance the Regulations place on the IEPD as containing safeguards. The IEPD is separate from the legislation and is not approved or voted on by Parliament (cf a code of practice under e.g. the Investigatory Powers Act 2016 or the Police and Criminal Evidence Act 1984). I note also that the Regulations do not prescribe any of the substantive content of the IEPD. The IEPD itself is not subject to Parliamentary scrutiny under the affirmative resolution procedure. The IEPD can be changed without formality or any Parliamentary procedure. The IEPD is not a legislative measure but is in the form of a readily changeable government policy. That may be said to be an attraction (to be ‘nimble’ as leading counsel for the defendants put it), but it is simply a policy document subject to a well-known form of public law ‘have regard to’ duty. I will return to this point further below.”

36.

The Judge then considered each of the six complaints made on behalf of the claimants before him. He rejected the first complaint, that the Immigration Exemption does not satisfy Article 23(2)(a) of the GDPR in that it does not contain specific provisions prescribed in “the purposes of the processing”: see paras 48-50 of his judgment.

37.

He accepted the second complaint to the extent that the requirement of a balancing exercise needs to be made clear on the face of the legislation and cannot be regarded simply as implicit in the “likely to prejudice” test: see paras 51-57 of his judgment.

38.

The Judge rejected the third complaint, that the Immigration Exemption does not contain specific provision as to the “scope of the restrictions introduced” or the “specification of the controller or to categories of controllers to which it applies”: see paras 58-60 of his judgment.

39.

The Judge accepted the fourth complaint, which was the focus of the oral submissions before him, that the Immigration Exemption does not comply with Article 23(2)(d), because it does not contain specific provision as to “the safeguards to prevent abuse or unlawful access or transfer”: see paras 61-65 of his judgment.

40.

The Judge rejected the fifth complaint, that the Immigration Exemption does not comply with Article 23(2)(f), which requires specific provision as to “the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing”: see paras 66-68 of his judgment.

41.

The Judge accepted the sixth and final complaint before him, that there was a breach of Article 23(2)(g), because the Immigration Exemption does not contain specific provision as to the “risks to the rights and freedoms of the data subject”: see paras 69-74 of his judgment.

Fundamental principles

42.

Before I address the Appellants’ four grounds of appeal and the Respondents’ Notice, I will set out certain fundamentals, which provide the important context in which the specific grounds should be seen.

43.

The first point is that there can be no dispute that the Immigration Exemption has a legitimate aim and indeed seeks to advance important public interests. At paras 25-28 of his judgment, the Judge summarised the Appellants’ evidence, which explains why an Immigration Exemption is needed. No real issue was taken with that summary. The Appellants’ evidence points out that the Government’s policy is in general to deal with immigration matters through civil and administrative means rather than the criminal law (e.g. voluntary removals and civil penalties). The consequence is that the relevant data protection regime is that in the UK GDPR rather than Part 3 of the DPA, which implemented the EU Law Enforcement Directive.

44.

The Appellants’ evidence also identifies the risks which the unrestricted exercise of data protection rights might have on effective immigration control, e.g. the risk of tipping off, so that an individual may be able to frustrate the investigation or enforcement of immigration control. Similarly, there is a risk that a person may tailor their evidence or frustrate steps taken to corroborate their account. Furthermore, it is pointed out on behalf of the Appellants that it would be unrealistic to attempt to define in advance all the situations which it would be necessary to restrict data subject rights. It is therefore argued that this is a paradigm example of a situation in which there is a need for operational flexibility.

45.

Secondly, this case is, as the Judge observed, about the rule of law. The rule of law has been recognised by Parliament to be a “constitutional principle”: see section 1(a) of the Constitutional Reform Act 2005. The exact requirements of that principle are not always clear, although a magisterial analysis of the concept is to be found in Lord Bingham’s book, The Rule of Law (2010). It seems to me that of particular relevance in the present context are three fundamental principles which can be discerned in the jurisprudence, including the judgment of this Court in the first claim for judicial review.

46.

The first is the need for “specific” provisions rather than general principles of human rights or administrative law. This requirement of specificity is important in this context to reduce the risk of abuse of broad powers. But it might be said that this first principle could be satisfied by having a non-statutory policy document provided it has a sufficient degree of precision. This leads me to the second fundamental principle in this context.

47.

This is that it is necessary in this context for there to be binding rules of law rather than simply policies. This will be true even if in general the policy must be complied with as a matter of public law.

48.

At the time of this Court’s judgment in the first claim for judicial review, the Court was concerned with the EU GDPR, which referred to “the legislature”. This explains the references to “the legislature” in the judgment of Warby LJ, for example at para 50. The UK GDPR refers instead to “the Secretary of State”. At first sight this might be thought to indicate that the Secretary of State is free to enact the safeguards required in any form that he chooses. That, however, would be inconsistent with the express language of Article 23(3), which makes it clear that the Secretary of State may exercise the power in Article 23(1) “only by making regulations under section 16 of the 2018 Act.”

49.

Furthermore, section 16(3) provides that regulations under that section are subject to the affirmative resolution procedure. This leads me to the third fundamental principle in this context, the importance of the role of Parliament.

50.

Taken together, these provisions make it clear that Parliament has an important role to play in this context. They provide for democratic scrutiny by Parliament of the measures which the Executive invites it to approve. If it were open to the Executive to acquire powers in this context without setting out the safeguards in a document which also has to be approved by Parliament, that would risk undermining both the effective democratic scrutiny of the measure and the rule of law. If, for example, the safeguards could simply be contained in a policy document such as the IEPD, those safeguards could be amended or even abrogated subsequently without the need for the Executive to return to Parliament for its approval. This is the fundamental reason why I believe that the Judge was correct in his conclusion that the Immigration Exemption does not comply with the requirements of the UK GDPR.

51.

This does not lead to the consequence that there must be undesirable rigidity in this context. Mr Eardley was right to submit that there is a need for operational flexibility in this context. That, however, can satisfactorily be achieved by drafting the legislation itself in suitable terms which cater for that need for flexibility. This was made clear by the CJEU in Case C-817/19 Ligue des droits humains v Conseil des ministres EU:C:2022:65; EU:C:2022:491; [2022] 1 WLR 4395, at para 114:

“It should be added that the requirements that any limitation on the exercise of fundamental rights must be provided for by law implies that the act which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned, bearing in mind, on the one hand, that the requirement does not preclude the limitation in question from being formulated in terms which are sufficiently open to be able to adapt to different scenarios and keep pace with changing circumstances (see, to that effect, Republic of Poland v European Parliament (C-401/19) EU:C:2022:297, paras 64 and 74 and the case law cited) and, on the other hand, that the court may, where appropriate, specify, by means of interpretation, the actual scope of the limitation in the light of the very wording of the EU legislation in question as well as its general scheme and the objectives it pursues, as interpreted in view of the fundamental rights guaranteed by the Charter.” (Emphasis added)

52.

Against that important background of principle, I turn to the Appellants’ four grounds of appeal.

Ground 1: is there a need for a balancing test to be expressed in the Regulations?

53.

Under Ground 1 Mr Eardley criticises the conclusion of the Judge at paras 55-57 of his judgment, where he held that the Regulations are deficient because there is no express legislative basis for any balancing test, even though it was common ground that a balancing exercise must be conducted to comply with Article 23(2) of the UK GDPR.

54.

Mr Eardley submits that the need for a balancing exercise to be conducted is implicit in the requirement that there must be an assessment of the “extent” to which there is likely to be prejudice to the maintenance of effective immigration control. He submits that the true construction of a statutory provision is not necessarily to be found in its express terms but also includes what it has been held by the courts to mean.

55.

In this context he relies on the decision of Green J in Zaw Lin v Commissioner of Police for the Metropolis [2015] EWHC 2484 (QB), in particular at para 78:

“Although section 29 DPA 1998 and Article 13 use different language they are in my view consistent. They require a balancing exercise to be performed between the individual’s right to access and the data processor’s right to refuse. In my judgment this calls for a classic proportionality balancing exercise to be performed.”

56.

Section 29 of the DPA 1998, which had the sidenote ‘Crime and taxation’, used the formula “to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned”. Article 13 was a reference to the EU Directive on Data Protection of 1995: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, which was the predecessor to the EU GDPR of 2016.

57.

Mr Eardley also draws attention to the fact that there are numerous other provisions in Schedule 2 to the DPA 2018 which contain the same formula. He submits, therefore, that the Judge’s reasoning, in which he sought to distinguish Zaw Lin, is capable of being read across to other places in the same Act where the same formula is used; and that this would have a detrimental impact on what had been understood to be the law, in other words that there is an implicit requirement to conduct a balancing or proportionality exercise when that formula is used in the DPA.

58.

For reasons that will become apparent, I do not consider that it is either necessary or advisable to decide Ground 1 on the present appeal. This is in brief because I have concluded that the fundamental defect in the Regulations is that they do not comply with Article 23(2)(d) of the UK GDPR. This was in essence the reasoning of the Judge at para 57 of his judgment (which is criticised by Mr Eardley under Ground 1), since there he found that the existence of a non-binding IEPD requiring a balance does not improve the Appellants’ position because the obligation needs to be identified with legislative force in the Regulations themselves. This lies at the heart of this case and I therefore turn to it in addressing Ground 2.

Ground 2: Article 23(2)(d) of the UK GDPR

59.

Ground 2 lies at the heart of this case. It was the fundamental reason why the Judge found the Immigration Exemption to be incompatible with the requirements of Article 23(2) of the UK GDPR, in particular para (d).

60.

The Judge dealt with this issue at paras 61-65 of his judgment. Mr Eardley criticises his reasoning in specific respects. Before I address those criticisms, it is important to emphasise what is common ground on this appeal, that the IEPD is not itself relied upon for its content. In other words Mr Eardley does not submit that account can be taken of the IEPD as filling some or all of the gap which may otherwise exist in the requirement that the safeguards have to be in legislation. It is common ground that the safeguards do indeed have to be in the legislation. What Mr Eardley submits is, as the Judge summarised at para 62 of his judgment:

“… that the safeguards, which are clear and precise on the face of the Immigration Exemption, are (1) that the Exemption may only be invoked if there is an IEPD in place; (2) that, to be a qualifying IEPD, it must exhibit specified features (including provision as to how unlawful access/transfer should be guarded against in respect of data to which the exemption applies); (3) the IEPD must be kept under review and updated as appropriate; (4) the IEPD must be published; (5) a record must be made, with reasons, every time the Exemption is invoked, and (6) unless self-defeating, the data subject must be informed that the Exemption has been applied. They also rely on the fact that the obligation to ‘have regard’ to the IEPD satisfies the requirement that the safeguards are provided by law.”

61.

As the Judge went on to say at para 63, it is clear that, on the Appellants’ own case, the IEPD is central to compliance with the requirement in Article 23(2)(d). However, the Appellants emphasise “that the content of the IEPD was not relied upon but only the safeguards created by the fact that it exists, must be published and that regard must be had to it.” (Emphasis in original) The Judge rejected that submission. He set out his reasons at para 64(1)-(5). I turn to each of those reasons and the criticisms made of them by Mr Eardley.

62.

First, in essence, the Judge emphasised that nothing in the Regulations themselves specifies what safeguards are to be set out in the IEPD. All that it requires is that the IEPD must “explain” such “policies and processes” as the Secretary of State has in place for applying the Immigration Exemption. I agree with the Judge that this is fundamentally deficient and does not satisfy the requirement of Article 23(2)(d), that the “safeguards” must be set out in the legislation. In essence, what the Secretary of State is saying to Parliament is that there will be additional safeguards but is not willing to tell Parliament what they are. They will be set out in another document, which the Secretary of State can change at will.

63.

Secondly, counsel for the Appellants drew an analogy with the requirement on a controller of special category data to have in place an “appropriate policy document”: see paras 5 and 38-40 of Schedule 1 to the DPA. The Judge held that this analogy was not a good one because the legislative formulation in Article 23(2) is different and requires that regulations must contain “specific provisions” as to the safeguards to prevent abuse of the exemption. I respectfully agree.

64.

Thirdly, the Judge said that the requirement to “have regard” to the IEPD was only a “soft” obligation in public law terms. It was not even a duty as strong as a duty to have “due regard”, which itself requires only that the Secretary of State have a proper and conscientious focus on any relevant part of the policy, but does not permit a court to interfere with the balance struck: see (in the context of the Public Sector Equality Duty in section 149 of the Equality Act 2010) the decision of this Court in R (Bracking) v Secretary of State for Work and Pensions [2013] EWCA Civ 1345; [2014] Eq LR 60, at para 25(8) (McCombe LJ). The Judge noted that, in consequence, “a public law body may lawfully undertake actions wholly opposite to what a policy states it should do, as long as the policy has been taken into account.” He also said that the duty to have regard to a policy is not the same as the public law duty to follow the terms of a published policy unless there is good reason not to do so; “the more limited duty has been prescribed instead”: the Judge cited the decision of this Court in R (Good Law Project Ltd) v Prime Minister [2022] EWCA Civ 1580; [2023] 1 WLR 785, at para 61.

65.

Mr Eardley criticises that reasoning in several respects.

66.

First, he complains that the Judge did not refer to the decision of Collins J in Royal Mail Group plc v Postal Services Commission [2007] EWHC 1205 (Admin), although it was cited to him. That case arose from the requirement in section 31(1) of the Postal Services Act 2000, which required the relevant public authority (known as Postcomm) to prepare and publish a statement of policy in relation to the imposition of penalties and the determination of their amount.

67.

Collins J was referred to a number of authorities concerned with an obligation to “have regard to guidance”: see paras 29-32 of his judgment. These included the decision of this Court in R (Khatun) v Newham LBC [2004] EWCA Civ 55; [2005] QB 37, at para 47 (Laws LJ); and the decision of the House of Lords in R (Munjaz) v Mersey Care NHS Trust [2005] UKHL 58; [2006] 2 AC 148, at para 21 (Lord Bingham of Cornhill). This led Collins J to conclude as follows, at para 33:

“Guidance cannot bind a public authority to act in accordance with it whatever the circumstances. To suggest otherwise would be to distort the concept of guidance. Equally, an obligation to have regard to a policy is not the same as an obligation to follow it. However, the context and statutory provisions in question are vitally important. A policy cannot normally be applied without the possibility of departure because it would mean that the body in question had fettered its discretion to act as the justice of a particular case demanded. But in this case s.31(1) of the Act requires Postcomm to ‘Prepare and publish a statement of policy in relation to the imposition of penalties and the determination of their amount’. It must consult and may revise its statement from time to time. The policy will explain to those affected what they are to expect if they are guilty of any anti-competitive behaviour. Thus Parliament has expressly required Postcomm to approach the task of deciding whether to impose a financial penalty and, if so, what the amount should be in accordance with a published policy. To a very large extent Parliament has indicated how Postcomm’s discretion should be exercised. The obligation to have regard to the policy recognises that there may be circumstances when it does not have to be applied to the letter but in my view there must be very good reasons indeed for not applying it.” (Emphasis added)

68.

Mr Eardley also criticises the reasoning of the Judge insofar as it referred to the decision in Good Law Project. He points out that in that case there was not even a duty to take into account the policies and guidance which were relied upon: see para 61 in the judgment of this Court.

69.

In my view, these submissions are something of a “red herring”. This is because, as Mr Eardley accepts, this is not a case in which the Appellants rely upon the contents of the IEPD at all. It is not therefore a case in which the policy can be said to fill the gap in the legislation. Whether there is a duty to comply with the IEPD unless there is good reason not to do so, or there is some lesser duty than that, is ultimately immaterial. The crucial question, as it seems to me, is whether the safeguards required by Article 23(2)(d) are set out in the Regulations themselves or not.

70.

Returning to the Judge’s reasoning at para 64, fourthly, he said that the nature of a “policy document” to which only regard need be had affects the type of document produced. He said that the very wording of the Regulations encourages a “generalised, non-prescriptive document, rather than one of detail and specificity.” In my view, this point is closely related to the first reason which the Judge gave and is correct.

71.

The fifth point which the Judge made was that the IEPD is of little use as a safeguard unless it is published in a manner which ensures it is readily accessible to everyone who may need to consider its terms. He noted that the Regulations do not require that, despite an assertion made in correspondence to the Information Commissioner that there would be a requirement to publish it on the website gov.uk. The Judge noted that publication duties in legislation are frequently complied with, for example, by inclusion of a notice in the London Gazette but that would not be adequate in the present context. Mr Eardley criticises that reasoning and notes that, in practice, the IEPD has been published on the gov.uk website. He submits that the Judge was wrong to say that publication of the type which might be required for formal measures in other legal contexts, by publication in the London Gazette, would be compliant with the Regulations in this context. Be that as it may, again it seems to me this is something of a “red herring”. The fundamental defect which the Judge rightly perceived is that the safeguards are not set out in the legislation itself but rather in a policy document. Where that policy document is published is, in my view, ultimately immaterial.

72.

Accordingly, I would dismiss the appeal on ground 2.

Ground 3: Article 23(2)(g) of the UK GDPR

73.

Ground 3 on this appeal concerns Article 23(2)(g) of the UK GDPR, which the Judge addressed at paras 69-74 of his judgment.

74.

It is common ground that Article 23(2)(g) does not necessarily require that the Immigration Exemption in the Regulations themselves must make provision as to the “risks to the rights and freedoms of the data subject”.

75.

In this context reliance is placed by all parties on the guidance given by the European Data Protection Board (“EDPB”), which was also referred to by Warby LJ in the first claim for judicial review, at para 51. The EDPB’s ‘Guidelines 10/2020 on restrictions under Article 23 of the GDPR’, at para 63, state that the necessary assessment of risks to rights and freedoms must be included in “the recitals or explanatory memorandum of the legislation”. As the Judge acknowledged at para 72 of his judgment, the drafting technique used in this country is not to use recitals in this way but it is common to use an Explanatory Memorandum. There is no reason in principle why an Explanatory Memorandum would not suffice in this context, provided it adequately sets out the risks to the rights and freedoms of the data subject.

76.

Like the Judge, at para 73 of his judgment, I consider that it is not for the courts to engage in a drafting exercise: it is for the Government to produce both legislation and an Explanatory Memorandum which comply with the requirements of the GDPR. That said, like the Judge, I accept the submissions made on behalf of the Information Commissioner by Mr Knight, that there needs to be express reference to the existence of risks not only to the rights in the GDPR itself but to other rights, for example those in the ECHR (Articles 6 and 8 but also Articles 3 and 4 may be relevant); rights in the 1951 Refugee Convention (in effect made part of domestic law by section 2 of the Asylum and Immigration Appeals Act 1993); and the potential vulnerability of the data subject in all the circumstances. Mr Knight’s submission derives support from Recitals (73), (75) and (76) of the UK GDPR, which refer, for example, to the rights in the ECHR.

77.

The fundamental defect, as the Judge noted at paras 72-73 of his judgment, is that the only document in which any assessment of risks appears is in the unpublished Rationale and Reasoning Note. Accordingly, Parliament did not have the benefit of knowing what the Secretary of State’s reasoning was on this issue. Even if the document had been published at that time, the second defect in the only version of the Note which pre-dated the making of the Regulations in January 2022 (the version of 6 September 2021) is that it did not refer to the risks to the rights of the data subject other than those in the GDPR alone. Later versions of the Note did refer to other risks but they came after the Regulations had been made (dated 27 January 2022 and 30 March 2022). Even if, as Mr Christophe Prince says in his evidence, the later versions of the Note reflected what was already the thinking of the Secretary of State at the time of the first version, that does not detract from the fact that this thinking was not drawn to the attention of Parliament when it was invited to approve the Regulations.

78.

Accordingly, I have reached the conclusion that the Judge was also correct in deciding this case on the basis that there was a failure to comply with Article 23(2)(g) of the UK GDPR. I would therefore dismiss the appeal on ground 3.

Ground 4: Procedural fairness

79.

There are two aspects to ground 4. The first is a complaint by the Appellants that an insufficient amount of time was allowed by the Judge for remedial legislation to be put in place. The Judge suspended the declaration which he made for a period of three months in order to allow the Appellants time to place remedial legislation before Parliament using the affirmative resolution procedure and for that legislation to be brought into force. As was common ground before this Court, this aspect of ground 4 has become academic in view of the grant of the stay pending this appeal.

80.

The second aspect of ground 4 is that there was a “serious irregularity” which rendered the decision as to the period of suspension “unjust”. Mr Eardley complains that the Judge did not allow sufficient time for submissions to be made as to the length of time which would be required. The Judge circulated the draft of his judgment to the parties on the usual confidential basis at 11.21 on 27 March 2023. An agreed draft order, or suggested alternatives in the absence of agreement, was required by 2pm on the following date. Mr Eardley submits that it was not possible to agree a draft order by that time and the Appellants therefore sent in written submissions, in which they requested until 26 April 2023 to make submissions on the draft proposed by the Respondents, which would only have suspended the declaration until 29 May 2023. The Appellants made the submission that, amongst other things, they needed time to take instructions from Ministers.

81.

In view of subsequent events, it is unnecessary to lengthen this judgment by addressing ground 4 in detail. I recognise that the decision which the Judge took fell within the broad ambit afforded to him in relation to case-management. I do, however, think that it would have been preferable to allow a greater amount of time for submissions (and, if appropriate, evidence) to be filed with the Court, in view of the importance of the issues, which were far from routine.

The Respondents’ Notice

82.

At paras 58-60 of his judgment, the Judge dismissed one of the complaints made by the Respondents before him, that, contrary to Article 23(2)(c) and (e) of the UK GDPR, the Immigration Exemption does not contain specific provision as to the “scope of the restrictions introduced” or the “specification of the controller or categories of controllers to which it applies”.

83.

In the Respondents’ Notice this ground was revived. During the hearing before us, however, it became clear that the controller is specified to be the Secretary of State and no-one else. For that reason and others, Mr Jaffey made it plain to this Court that he no longer pursues this ground. I need say no more about it here.

84.

There remain two grounds of complaint which are maintained in the Respondents’ Notice.

85.

The first of these grounds is that, contrary to Article 23(2)(a), the term “effective immigration control” is undefined and is too vague to amount to a sufficiently specific provision, in effect amounting to an open-ended exemption. The Judge rejected this ground of complaint, at paras 48-50 of his judgment. He concluded that the phrase “effective immigration control” is a clear concept, used without difficulty in other statutes: see section 117B of the Nationality, Immigration and Asylum Act 2002. The Judge said that the purposes of processing and categories of processing are identified on the face of the legislation. He also considered that it would be hard to identify how it could be defined more narrowly given the evidence as to the differing contexts in which the exemption might need to be applied.

86.

I respectfully agree with the Judge and would dismiss this ground of complaint for the reasons that he gave.

87.

The second ground of complaint which is maintained by the Respondents is that, contrary to Article 23(2)(f), there are insufficient safeguards relating to the “storage” of the data concerned; that such records may be held for longer than the Immigration Exemption applies; and there are no provisions specifying the storage periods or safeguards to which that storage might be necessary or proportionate.

88.

The Judge rejected this ground of complaint, at paras 66-68 of his judgment. In particular, he held that the Immigration Exemption is a “prejudice-based exemption”: see para 68. It applies only when, and for long as, the “likely to prejudice” test is satisfied. Accordingly, he said, there is no need for any further limitation to be imposed on the length of time that the Secretary of State may hold data to which the exemption applies.

89.

At the hearing before us, Mr Jaffey complained that what the Judge omitted to mention is that there is no review period which must be complied with, and so personal data may be kept for longer than is necessary. Mr Eardley submitted that this is a new complaint, which was not made before the Judge.

90.

In any event, I am persuaded by submissions that were made at the hearing before us by Mr Eardley. First, the Secretary of State is subject to the ordinary storage principle in Article 5(1)(e) of the UK GDPR, which provides that personal data shall be:

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitations’)”. (Emphasis added)

91.

Secondly, it is open to the data subject to make another request under Article 15 of the UK GDPR. That request would then have to be treated on its own merits as at the time when it is considered. It is therefore unnecessary for there to be an express “review period” on the face of the legislation, since this is in substance achieved in any event.

92.

I would therefore reject both of the grounds in the Respondents’ Notice which are still live before this Court.

Remedy

93.

In the circumstances I would uphold the declaration granted by the Judge that the Immigration Exemption is incompatible with Article 23 of the UK GDPR. The question then arises whether, and for how long, this Court should now suspend that declaration in order to give the Government sufficient time to introduce amending legislation, bearing in mind that it will have to be approved by Parliament under the affirmative resolution procedure.

94.

That the Court has the exceptional jurisdiction to suspend an order or declaration where otherwise it would disapply legislation to give effect to retained EU law is not in doubt. In giving the remedies judgment in the first claim for judicial review, this Court held, following the jurisprudence of the CJEU, that the power to grant a temporary suspension is to be exercised “only exceptionally”, on the basis of “overriding considerations of legal certainty”. As Warby LJ put it, at para 32:

“… the interests of legal certainty must be so compelling that it is necessary for them to take priority over the need to implement the dominant legal provision, and disapply the subordinate law. The strictness of this test reflects the key point, that any suspension represents a disapplication of legal rights which the legislature has conferred on natural or legal persons.”

95.

At para 33, Warby LJ added that, again in accordance with CJEU jurisprudence, the interference with the normal order of things must last no longer than is “strictly necessary”. He said that it is not enough that the Government would find it convenient to have more time, or that the period sought would be reasonable from an administrative point of view. “The Court must be satisfied that the period of suspension imposed is really needed, to avoid legal uncertainty.” Further, “[i]t must be shown that the party concerned (here, the Government) has acted in good faith and that immediate disapplication would cause ‘serious difficulties’.”

96.

In that case itself, given that the Government had had the time since the first judgment in May 2021, the Court was of the view that what was proposed was a “relatively leisurely pace”: see para 44. Nevertheless, in view of the fact that the other parties were prepared to concede a date of 31 January 2022, this Court suspended its order until that date (i.e a little over three months).

97.

Against that background, I turn to the evidence in the present case.

98.

With the Court’s permission, the Appellants have filed evidence after the hearing before us, addressing the timetable which would be required should this Court dismiss their appeal so that there has to be amending legislation. The witness statement of Mr Prince dated 23 November 2023 follows an earlier statement dated 19 April 2023, which was filed in support of the Appellants’ then applications for permission to appeal and for a stay of the order made by the High Court. In that statement Mr Prince had indicated that the minimum amount of time that would be required for amending legislation was three months. He now considers that a “safe” period in which the Appellants could amend the Immigration Exemption would be “around six months from judgment”: see para 20 of his most recent witness statement. He says that it may be possible to amend the Immigration Exemption in four to five months by expediting timings for consultation with the Information Commissioner and requesting expedition from the Parliamentary authorities. He states that this is what the Appellants consider to be a realistic timetable but that it still represents a considerable measure of expedition compared to the usual recommended timetable for making affirmative statutory instruments, which is recommended to last six months. He also emphasises that the three month timetable set out in his earlier witness statement was devised in order to try to avoid a period where the Home Office would have been unable to rely on the Immigration Exemption had the High Court declaration come into effect. He remains of the view that this was not a sufficient period to allow proper consideration and implementation of the High Court judgment.

99.

Both the Respondents and the Information Commissioner resist the suggestion that a period of suspension longer than three months should be granted by this Court.

100.

The Respondents point out that, given the history of this case, the urgency of effective relief is all the greater, since this is the second occasion on which the Immigration Exemption has been found to be unlawful. They submit that any suspension of relief is an exceptional measure of retained EU law, only available in those true situations of urgency and need identified in this Court’s earlier remedy judgment. Where such a suspension is sought, they submit that the Appellants should act with “real resolve and dispatch.” The Respondents would not object to the inclusion of a provision for liberty to apply in the event of any unexpected difficulties.

101.

On behalf of the Information Commissioner it is submitted that the timetable ought not to take as long as is suggested by Mr Prince. In particular, it is observed that policy formulation of the preferred options should be materially completed already. Further, the Commissioner accepts that the statutory consultation with his office under section 182 of the DPA can be very short (as it was in 2021). The Appellants have had extensive input from the Commissioner throughout the litigation and his office is very familiar with the issues. They also submit that the Parliamentary authorities would no doubt accept a court-ordered deadline to be an appropriately exceptional case for expedition. Finally, the Commissioner agrees with the Respondents that any unexpected interruptions to Parliamentary sitting time, such as a prorogation or dissolution of Parliament, can be dealt with by way of liberty to apply.

102.

In the circumstances I accept the submissions which have been made on behalf of the Respondents and the Information Commissioner. Given the history of this case, which includes (i) the fact that the Immigration Exemption has now twice been held to be unlawful by this Court, and (ii) the fact that the Appellants must have been contemplating the possibility that their appeal might be dismissed since 9 May 2023 (or that their application for permission to appeal might be refused up to that date), and in view of the exceptional nature of the power to suspend what is otherwise a requirement of the law, I consider that the declaration made by this Court should be suspended for a period of three months from the date of judgment. If unexpected circumstances arise which necessitate an extension of that deadline, there will be liberty to apply on written notice.

Conclusion

103.

For the above reasons, I would dismiss the appeal.

104.

In the circumstances I would suspend the effect of the declaration made by the High Court for a period of three months from the date of the order of this Court.

Lady Justice Elisabeth Laing:

105.

I agree.

Lord Justice Lewison:

106.

I also agree.

The 3Million & Anor, R (on the application of) v Secretary of State for the Home Department & Anor

[2023] EWCA Civ 1474

Download options

Download this judgment as a PDF (452.7 KB)

The original format of the judgment as handed down by the court, for printing and downloading.

Download this judgment as XML

The judgment in machine-readable LegalDocML format for developers, data scientists and researchers.