A very notable judgment on data protection and immigration matters has been handed down in the Court of Appeal. The effect of the judgment is that part of the Data Protection Act 2018 ("DPA") is incompatible with the General Data Protection Regulation (GDPR), and, by extension, the UKGDPR (the version of GDPR which applies in the UK post-Brexit). As a result, the law may need to be amended or supplemented to bring it into compliance. More directly, the effect of the judgment may be that it becomes much easier for data subjects involved in immigration issues to access (and otherwise exercise their rights in respect of) their personal data.
The challenge, brought by civil society campaign groups Open Rights Group and "the3million", was to the lawfulness of the exemption in domestic data protection legislation (at paragraph 4 of Part 1 of Schedule 2 to the DPA). This means that many data subject rights are disapplied where personal data is processed for "the maintenance of effective immigration control" or "the investigation or detection of activities that would undermine the maintenance of effective immigration control" - at least to those matters which would be prejudiced by complying with the data subject rights, such as the right of subject access, or erasure.
Article 23 of the GDPR, which applied at the time the challenge was made, permits Member States to create their own exemptions in restricted public interest circumstances, as long as the exemption "respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society…". However, crucially, when enacting such an exemption, the Member State must make sure, under Article 23(2) that "specific provisions" are put in place about the purposes of processing, the scope of the restriction of rights and the safeguards to prevent abuse (among other things). In the High Court, the judge had found that the UK's immigration exemption was "plainly a matter of 'important public interest' and pursues a legitimate aim", and was within the "margin of appreciation" open to the UK. Moreover, the trial judge found that the "explanatory" provisions were "clear and appropriately delineated".
However, the Court of Appeal has held, to the contrary, that the UK's immigration exemption "contains nothing, specific or otherwise, about any of the matters listed in Article 23(2)", and
"There presently exists no legislative measure that contains specific provisions in accordance with the mandatory requirements of Article 23(2) of the GDPR. In the absence of any such measure, the Immigration Exemption is an unauthorised derogation from the fundamental rights conferred by the GDPR."
As Article 23(2) of the UK GDPR contains effectively the same words, and requirements, it follows (and this was accepted by DCMS and the Home Office) that the exemption is incompatible with the UKGDPR as well. Whether these findings of incompatibility relate to some or all of the other exemptions in the DPA is something which will require, and no doubt receive, further analysis.
The Court deferred a decision as to appropriate relief, pending further submissions from the parties. It may well be that the DPA will now need to be amended. The judgment does, however, raise further questions regarding the imminent decision by the European Commission as to whether the UK has an "adequate" data protection regime, for the purposes of permitting transfers of data to the UK from the EU.