Date of Publication: 10 Feb 2022
R (Open Rights Group and another) v Secretary of State for the Home Department and another (Liberty and another intervening)  EWCA Civ 800: enactment of The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022
In May 2021 the Court of Appeal handed down judgment ( EWCA Civ 800) in a significant case challenging the lawfulness of an immigration control exemption within the Data Protection Act 2018. The exemption was declared unlawful as being incompatible with the GDPR. A subsequent judgment in October 2021 suspended the declaration until 31 January 2022. On that date The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 came into force, as a remedial response to the declaration of incompatibility.
This article summarises the judgments and discusses the government’s legislative response.
The framework for restriction of GDPR rights
GDPR Article 23 allows member states to enact exceptions to the GDPR’s provisions further to the exceptions on the face of the GDPR.
Article 23(1) lists eight matters for which various rights under the GDPR may be restricted “by way of a legislative measure”. The matters listed include the safeguarding of public security, crime prevention and judicial independence and a more general provision for safeguarding “other important objectives of general public interest”.
Article 23(2) lists eight matters that a restricting legislative measure must provide for. These matters specify, among others, the purposes of the processing, the categories of personal data processed, the scope of the restrictions introduced and safeguards to prevent abuse or unlawful access.
The provisions challenged
Schedule 2, paragraph 4 of the 2018 Act exempted data controllers – private or public sector – from the application of various GDPR Articles for the purposes of the maintenance of effective immigration control or the investigation or detection of activities that would undermine the maintenance of effective immigration control. The Articles so restricted were 13(1) to (3), 14(1) to (4), 15(1) to (3), 17(1) and (2), 18(1), 21(1) and, on a qualified basis, Article 5.
The exemption in Schedule 2, paragraph 4 of the 2018 Act was made purportedly in compliance with Article 23, although in itself it contained no provision for any of the matters in Article 23(2) and no binding provisions had been made in that respect in other legislation.
EU law and Brexit
Post-Brexit, the GDPR has become for domestic purposes the UK GDPR.
As “retained EU law” the UK GDPR continues to enjoy the principle of supremacy of EU law against domestic legislation that pre-dates the UK’s exit from the EU.
By section 5(2) of the European Union (Withdrawal) Act 2018 (EUWA), the principle of the supremacy of EU law continues to apply “so far as relevant to the interpretation, disapplication or quashing of any enactment… passed or made before exit day”. EUWA’s Explanatory Notes say:
“Where … a conflict arises between pre-exit domestic legislation and retained EU law, subsection (2) provides that the principle of the supremacy of EU law will, where relevant, continue to apply as it did before exit. So, for example, a retained EU regulation would take precedence over pre-exit domestic legislation that is inconsistent with it.”
The exemption in Schedule 2, paragraph 4 of the 2018 Act was “pre-exit domestic legislation”.
The parties all accepted that in these circumstances the Court could in principle make a declaration that the immigration exemption was contrary to Article 23 of the GDPR and Article 23 of the UK GDPR. They also accepted that, in principle, the Court would also have the power to disapply the immigration exemption if it found that provision to be incompatible with Article 23 of the UK GDPR.
The legal changes brought about by Brexit, including amendment to the GDPR in its transition to being the UK GDPR, were therefore not material to the issues before the Court.
Grounds of challenge
At first instance the Court had found for the Defendant Secretaries of State.
The Appellants’ challenge to compatibility was, in its fundamentals:
- that the judge below had erred by not applying a test of strict necessity to legislation such as this, which removes or restricts a right (“derogation cases”). The test applied below – one of whether the legislation could be operated lawfully – only applies to cases where legislation involves an interference with rights which requires justification (“justification cases”); and relatedly
- that the judge was wrong to approach the case by reference to principles applicable to Article 8 ECHR. The relevant CJEU jurisprudence, and the terms of Article 23(2) itself, make clear that the circumstances in which a derogation such as the immigration exemption will apply, and under what substantive and procedural safeguards, must be clearly prescribed by the legislation itself and/or appropriate guidance with the force of law. The judge was wrong to approach the case on the footing that these matters could lawfully be dealt with in other ways.
The Respondents supported the decision below and the analysis applied by the judge.
The Court held the immigration exemption at schedule 2, paragraph 4 of the 2018 Act unlawful because neither it nor any other legislative measure contained specific provisions in accordance with the mandatory requirements of Article 23(2) of the GDPR. The immigration exemption was an unauthorised derogation from the fundamental rights conferred by the GDPR, and therefore incompatible with the GDPR.
This finding obviated the need to consider other grounds of argument in respect of the immigration exemption’s incompatibility with Articles 7, 8 and 52 of the Charter of Fundamental Rights of the European Union.
Central to the analysis was the distinction between legislative “justification” – as applies to measures permitting interference with a right, such as Article 8 ECHR – and legislative “derogation” by which the scope of a right may be restricted, even to the point of removal of the right, as is provided for in Article 23 GDPR. The Court’s decision may be summarised as being that the exempting legislative measure must at least include specific provision about each of the eight matters listed in Article 23(2) GDPR so far as a listed matter is relevant, and it may need to include specific provision about other matters as well.
The Court further set out the analysis in respect of the demands of Article 23 in these alternative terms:
“Putting this another way, it seems to me that on the face of it Article 23(2) contains a condition precedent to the validity of any “legislative measure” purporting to fall within Article 23(1): the measure can only satisfy the requirements of Article 23(1) if it contains specific provision as to each matter that (a) is listed in Article 23(2) and (b) is, in the circumstances, relevant to an assessment of whether the measure (i) respects the essence of the right in question and is (ii) necessary and proportionate for one or more of the listed purposes or objectives. The language clearly suggests that the legislative measure must have some binding force.” 
The CJEU case-law showed, the Court held, that the CJEU has been alert to the risk of over-broad derogations from fundamental rights; requires any derogation from fundamental rights to be justified by proof of strict necessity; and does not consider that this, or the requirement of proportionality, can be satisfied unless the appropriate safeguards are built into the legislative measure. The domestic case-law did not assist the Respondents.
The Court considered it should hear further argument as to the Court’s powers to suspend a declaration of incompatibility, essentially because the appropriate remedy in a case of incompatibility is a sensitive matter, may depend on the nature of the incompatibility identified by the Court and because the Court had identified an omission that was, in principle, capable of remedy by measures that amended or supplemented the existing provision. A further hearing in respect of the appropriate remedy was ordered.
The second judgment
After argument at a separate hearing as to the appropriate remedy, the Court held ( EWCA Civ 1573) that the power to suspend declaratory relief, and its effect of disapplying the immigration exemption, could be exercised without reference to the CJEU.
The Court reasoned that the case-law revealed two elements to the matter of suspension: (1) where a subsidiary rule of (national) law is inconsistent with a dominant rule of (EU) law and must therefore be overridden, there must be a judicial power to delay the implementation of the dominant rule, where that is necessary for compelling reasons of legal certainty; but (2) in the interests of legal certainty, that judicial power must be reserved to the CJEU. However, post-Brexit a literal application of the second element would defeat the first. To do so would be wrong.
In the domestic legal order after Brexit there cannot be a referral to the CJEU. And the courts in this jurisdiction have means that differ from those of the EU legal regime of ensuring the uniform and consistent interpretation and application of the law. The domestic courts are duty bound to decide legal issues on which there is no precedent that binds them: the higher courts are appellate courts, not courts to which inferior courts and tribunals refer a question without first deciding it. In such a system, there is no need nor any reason to adopt the principle that reserves the power to suspend to the supreme judicial authority. By that reasoning, the Court deemed the second element incapable of application in the domestic courts: that principle could not have been retained because it cannot be translated. On that analysis any first instance court or tribunal can, in principle, suspend relief.
The Court considered suspension of the declaration to be appropriate, that the suspension should be in respect of the exemption as it applies to both public and private sectors (the latter including employers, landlords, and transport operators) and that the suspension should last only until 31 January 2022.
The legislative response
The Government passed new regulations by the affirmative resolution procedure. On 31 January 2022 The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 came into force, amending the 2018 Act.
The operative changes are that:
- the exemption applies to data processed by the Secretary of State;
- the Secretary of State must have in place an immigration exemption policy document;
- the Secretary of State must determine the application of the exemption on a case by case basis with regard to the policy document;
- the Secretary of State must review the policy document, amend it as necessary and publish it and any update to it;
- as additional safeguards, if the Secretary of State determines in any particular case that the exemption should be invoked s/he must keep a record of that determination and the reasons for it and inform the data subject of that determination unless to do so may be prejudicial to the exemption’s purposes.
The 2022 Regulations specify that the immigration exemption policy document must explain the Secretary of State’s policies and processes for determining the extent to which the application of any of the UK GDPR provisions listed would be likely to prejudice any of the purposes of the exemption; and must explain the policies and processes that prevent the abuse of that personal data and any access to it, or transfer of it, if any of the UK GDPR provisions do not apply in relation to personal data processed for any of the purposes of the exemption.
Do the 2022 Regulations remedy the incompatibility?
The claimant organisations have jointly stated publicly that they believe the amendments to the 2018 Act to remain incompatible with the UK GDPR and to undermine fundamental data rights.
The objections are in summary that the policy document that forms part of the new scheme has no legal force, can be changed easily and without oversight, and being in a separate document is not part and parcel of the legislation.
The claimants point out that the policy document has not been approved by Parliament and therefore lacks the status of a Code of Practice that is approved by Parliament. This, the claimants say, undermines the principles set out by the Court of Appeal for legislative measures to be clear, precise and foreseeable.
And, together with criticism of the policy document’s drafting, the further objection is raised that it does not impose any additional safeguards beyond those already imposed by the general law or those already in place in respect of Home Office data.
Among these objections there are no doubt arguable issues. Certainly, a reasonable assessment of the Government’s approach to remedying the incompatibility is that it has sought what might be called euphemistically a ‘flexible’ solution rather than one that addresses the shortcomings in the statutory scheme of derogation wholly within the primary legislation.
But are any deficiencies quite so stark?
The first point that might be made is that it is not obvious that the policy document lacks legal force. Schedule 2, paragraph 4(1)(A) now provides that “…sub-paragraph (1) [the general disapplication provision] does not apply unless the Secretary of State has an immigration exemption policy document in place.” Paragraph 4A(1)(b) requires the Secretary of State to have regard to the policy document in any determination of restriction of data protection rights. It would seem, therefore, that the policy document does have legal force: its very existence (and promulgation – paragraph 4(A)(2) requires publication) is a condition for the lawful operation of the derogation and regard to the policy document is mandatory in law.
Further in that respect, the criticism that the policy document is not a statutory code of practice is not entirely convincing. Codes of practice are themselves intended to be adaptable instruments. Their purpose is generally to promote consistent decision making within a framework of objectives. That is, on one view at least, precisely what the policy document seeks to do. And its application must, by paragraph 4A(1)(a), be on a case by case basis.
Neither do codes of practice (of any status) necessarily offer greater clarity, precision and foreseeability than other forms of guidance or procedural direction. It all depends on the drafting.
The absence of Parliamentary approval for the policy document is a more substantial objection. Even so, the 2022 Regulations providing for it were subject to affirmative resolution and it is difficult to see why a publicly available policy document should be any easier to amend than a statutory code of practice. Perhaps the more pertinent criticism in that regard would be that the 2022 Regulations make no requirement for consultation in the creation or review of the policy.
One of the criticisms is weightier though. Warby LJ (for the unanimous Court) may have included reference to his view as to the form of the legislative measure being “provisional”, but a fair reading of the relevant paragraph of the first judgment might suggest that the Court’s mind was barely ajar on the point:
“I have indicated a provisional view that the legislative measure in question must be part and parcel of the legislation that creates the derogation, but I do not think that this is the point at which to decide what form the “specific provisions” should take. I merely note Mr Knight’s observation that, on the face of it, s 16 of the DPA 2018 confers wide-ranging powers on the respondents to vary the terms of provisions made under Schedule 2…” 
More generally, the first judgment is clear that derogation from the GDPR attracts a test of strict necessity by application of EU jurisprudence. Judged against that principle it may be an uphill argument for government in any future challenge that a combination of framework legislative provisions augmented by a policy document (or other non-legislative instrument) will provide a satisfactory mechanism for securing in every case proof of strict necessity.
One question looms over any possible challenge, however. Does the principle of supremacy of EU law – enactments and case-law – apply to the 2022 Regulations’ amendment of the 2018 Act? It would appear that the 2022 Regulations are not “pre-exit domestic legislation”.
If EU legislative provisions and case-law do not trump the Regulations and amended Act, any action seeking to strike them down will be on very much shakier ground the next time around.