Your World of Legal Intelligence
 United Kingdom | +44 (0) 20 7284 8080

R (Open Rights Group) v Secretary of State for the Home Department

Judgment Weekly Law Reports Cited authorities 26 Cited in 7 Precedent Map Related
Vincent
JurisdictionEngland & Wales
JudgeMr Justice Supperstone
Judgment Date03 October 2019
Neutral Citation[2019] EWHC 2562 (Admin)
CourtQueen's Bench Division (Administrative Court)
Docket NumberCase No: CO/3386/2018
Categories

The Queen on the application of

Between:
(1) Open Rights Group
(2) The3million
Claimants
and
(1) Secretary of State for the Home Department
(2) Secretary of State for Digital, Culture, Media and Sport
Defendants

and

(1) Liberty
(2) The Information Commissioner
Interveners

[2019] EWHC 2562 (Admin)

Before:

THE HONOURABLE Mr Justice Supperstone

Case No: CO/3386/2018

IN THE HIGH COURT OF JUSTICE

QUEEN'S BENCH DIVISION

ADMINISTRATIVE COURT

Royal Courts of Justice

Strand, London, WC2A 2LL

Ben Jaffey QC and Julianne Kerr Morrison (instructed by Leigh Day) for the Claimants

Sir James Eadie QC and Holly Stout (instructed by GLD) for the Defendants

Hugh Tomlinson QC and Aidan Wills (instructed by Liberty) for the 1st Intervener

Christopher Knight (instructed by Information Commissioner) for the 2nd Intervener

Hearing dates: 23 and 24 July 2019

Approved Judgment

Mr Justice Supperstone

Introduction

1

The Claimants challenge the lawfulness of the immigration exemption in paragraph 4, Schedule 2, of the Data Protection Act 2018 (“ DPA 2018”), which was brought into force on 25 May 2018 (“the Immigration Exemption”).

2

The Immigration Exemption applies to the data protection rights in the General Data Protection Regulation 2016/679 (“the GDPR”).

3

By a claim form filed on 24 August 2018 the Claimants seek to challenge the introduction of the Immigration Exemption on two grounds: first, that the immigration exemption is (i) contrary to Article 23 of the GDPR, and (ii) incompatible with the rights guaranteed by Articles 7 (privacy) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union (“the Charter”); and second, it is discriminatory, contrary to Article 21 of the Charter.

4

The Open Rights Group is a UK-based digital campaigning organisation working to protect the rights to privacy and free speech online. The3million is an organisation of EU citizens in the UK that campaigns for EU citizens who have made their home in the UK to be able to continue their life here after Brexit. EU citizens will be required to apply for settled status should they wish to continue living in the UK after Brexit. A particular concern is that, as acknowledged by the Chief Inspector of Borders and Immigration, there is a 10% error rate in immigration status checks.

5

The Information Commissioner (“the Commissioner”) is the independent statutory regulator under the DPA 2018, and the supervisory authority for the UK under the GDPR.

6

On 21 January 2019 Ouseley J granted permission.

7

During the course of his oral submissions Mr Ben Jaffey QC, for the Claimants, accepted that the second ground of challenge adds nothing to the first ground. It is therefore only necessary to consider the first ground.

The Legal Framework

The Charter of Fundamental Rights of the European Union (“the Charter”)

8

Article 7 of the Charter provides that:

“Everyone has the right to respect for his or her private and family life, home and communications.”

9

Article 8 of the Charter provides that:

“1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”

10

Article 52, so far as is relevant, provides:

“1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.

3. In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.”

The General Data Protection Regulation 2016/679 (the “GDPR”)

11

The GDPR, which was made pursuant to Article 16 of the Treaty on the Functioning of the European Union (“TFEU”), is binding in its entirety and directly applicable in all member states by virtue of Article 288 TFEU.

12

By Article 2(1) the GDPR “applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.

13

By Article 2(2)(d) the GDPR does not apply to the processing of personal data “by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security”. Cross-border law enforcement processing which is within the competence of the EU is subject to a different regime under the Law Enforcement Directive 2016/680 (“the LED”).

14

Chapter III of the GDPR which is headed “Rights of the data subject” includes the following rights set out in Articles 12–22:

• Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject)

• Article 13 (Information to be provided where personal data are collected from the data subject)

• Article 14 (Information to be provided where personal data have not been obtained from the data subject)

• Article 15 (Right of access by the data subject)

• Article 16 (Right to rectification)

• Article 17 (Right to erasure (“right to be forgotten”))

• Article 18 (Right to restriction of processing)

• Article 19 (Notification obligation regarding rectification or erasure of personal data or restriction of processing)

• Article 20 (Right to data portability)

• Article 21 (Right to object)

• Article 22 (Automated individual decision making, including profiling).

15

Article 23 is headed “Restrictions” and makes provision for the circumstances in which Member States may enact restrictions on the rights in Articles 12–22. It provides:

“1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular on important economic or financial interest of the Union or a Member State, including monetary, budgetary and taxation matters, public health and social security;

(f) the protection of judicial independence and judicial proceedings;

(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i) the protection of the data subject or the rights and freedoms of others;

(j) the enforcement of civil law claims.

(2) In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least where relevant as to:

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the controller or categories of controllers;

(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.”

The Data Protection Act 2018 (“ DPA 2018”)

16

Section 15 of the DPA refers to Schedules 2, 3 and 4 of the DPA which make provision for exemptions from, and restrictions and adaptations of the application of, rules of the GDPR. Part 1 of Schedule 2 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 (requirement to communicate to the data subject where there has been a personal data breach) of the GDPR in specified circumstances, as allowed for by Article 6(3) and Article 23(1) of the GDPR.

17

The Immigration Exemption is included in paragraph 4 of Part 1 of Schedule 2. It is a new exemption, which was not contained in the previous legislation. It provides:

“(1) The GDPR provisions listed in sub-paragraph (2) do not apply to personal data processed for any of the following purposes—

(a) the maintenance of effective immigration control, or

(b) the investigation or detection of activities that would undermine the maintenance of effective immigration control,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).

(2) The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR...

To continue reading

Request your trial
3 cases
  • The Open Rights Group v The Secretary of State for the Home Department
    • United Kingdom
    • Court of Appeal (Civil Division)
    • 26 May 2021
    ...APPEAL (CIVIL DIVISION) ON APPEAL FROM THE HIGH COURT OF JUSTICE QUEEN'S BENCH DIVISION ADMINISTRATIVE COURT Mr Justice Supperstone [2019] EWHC 2562 (Admin) Royal Courts of Justice Strand, London, WC2A 2LL Covid-19 Protocol: This judgment was handed down remotely by circulation to the parti......
  • The King on the application of the 3 Million and Open Rights Group v Secretary of State for the Home Department
    • United Kingdom
    • King's Bench Division (Administrative Court)
    • 29 March 2023
    ...the purposes for which, and categories of data to which, it may be applied are, in my view, clear and appropriately delineated”: [2019] EWHC 2562 (Admin); [2020] 1 WLR 811 at 50 I put to one side whether there is any form of issue estoppel on the basis that the Court of Appeal left this p......
  • Open Rights Group v Secretary of State for the Home Department
    • United Kingdom
    • Court of Appeal (Civil Division)
    • 29 October 2021
    ...APPEAL (CIVIL DIVISION) ON APPEAL FROM THE HIGH COURT OF JUSTICE QUEEN'S BENCH DIVISION ADMINISTRATIVE COURT Mr Justice Supperstone [2019] EWHC 2562 (Admin) Royal Courts of Justice Strand, London, WC2A 2LL Covid-19 Protocol: This judgment was handed down remotely by circulation to the parti......

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT