High Court Highlights Important Distinction Between Policy And Legislation, Holding Exemption To UK GDPR Unlawful

In R. (on the application of the3million and Open Rights Group) v Secretary of State for the Home Department [2023] EWHC 713 (Admin), the High Court held that the UK Government acted...
UK Privacy
To print this article, all you need is to be registered or login on Mondaq.com.

In R. (on the application of the3million and Open Rights Group) v Secretary of State for the Home Department [2023] EWHC 713 (Admin), the High Court held that the UK Government acted unlawfully in attempting to rely on a policy document as a substitute for a legislative measure to meet the requirements of the UK General Data Protection Regulation ("UK GDPR") for an immigration-related exemption to the application of data protection rights.

Key points

  • The court accepted that exemptions to the application of UK GDPR rights can only be prescribed via a "legislative measure" which satisfies certain conditions such as being clear, precise, accessible, foreseeable and legally binding.
  • The court's approach is of general relevance to situations where the Government seeks to use policy documents in a particular context rather than introducing legislation.
  • A policy document is more likely to be insufficient where a measure should be (i) legally binding; (ii) specific; and (iii) subject to Parliamentary scrutiny.


The UK GDPR governs individuals' rights in relation to their personal data. This case, heard by Saini J, concerned the Government's second attempt to introduce an exemption (the "Immigration Exemption") to these rights in cases where data is processed for "effective immigration control" by the Secretary of State ("SoS"). A claim was brought by two non-governmental organisations (the "Claimants") against the Secretaries of State for the Home Department and for Digital, Culture, Media and Sport (the "Defendants"), challenging this exemption.

Exemptions of this kind are permitted under Article 23(1) UK GDPR, but must comply with the requirements of Article 23(2) UK GDPR. The Immigration Exemption provided that certain UK GDPR rights did not apply to the SoS' data processing for effective immigration control, subject to the SoS having "an immigration exemption policy document" in place (the "IEPD"). The SoS was required by the Immigration Exemption to "have regard" to the IEPD.

Reliance on the IEPD was introduced after a previous version of the Immigration Exemption was ruled unlawful by the Court of Appeal (R. (Open Rights Group and the3million) v Secretary of State for the Home Department [2021] EWCA Civ 800). That judgment, which was not appealed by the Government, was read by Saini J as confirming that Article 23(2) UK GDPR required an exemption to be introduced through a "legislative measure". Considering the Court of Appeal's judgment and other related case law, Saini J summarised Article 23(2) UK GDPR as requiring that exemptions:

  • be made by legally binding legislation;
  • have "clear and precise" content, as well as be "accessible and foreseeable"; and
  • provide substantive and procedural conditions and safeguards.

The Claimants in the present case argued the Immigration Exemption remained unlawful, since its reliance on the IEPD meant it was not a legislative measure and did not satisfy the requirements above, which the judge described as basic Rule of Law requirements.


Saini J ruled in favour of the Claimants, holding the Immigration Exemption unlawful. It was common ground between the parties that the IEPD was not a "legislative measure", and thus could not have itself satisfied Article 23(2) UK GDPR.

Saini J agreed with the Defendants that the Immigration Exemption was sufficiently clear on certain issues even without the IEPD. However, the Claimants' case succeeded as there was no legislative measure underlying the Immigration Exemption which directed an evaluation of the proportionality of restrictions on data rights (as argued in "Complaint 2"), the implementation of safeguards to prevent abuse or unlawful data handling (as argued in "Complaint 4"), or the appropriate handling of risks (as argued in "Complaint 6").

The non-binding nature of policies

Saini J's judgment placed emphasis throughout on the non-binding nature of the IEPD. In addressing Complaint 2, Saini J noted the requirement for proportionality analysis, entailing the balancing of considerations for and against a given restriction on rights. The Immigration Exemption did not include a requirement of this kind. Although the IEPD did require a proportionality analysis, its "non-binding" nature meant it was of no assistance to the Defendants. The requirement needed "to be identified with legislative force in the [amending regulations] themselves".

A similar issue arose in Saini J's consideration of Complaint 4 on safeguards. Saini J explained that data subjects would not be able to found a claim for breach of their UK GDPR rights based on any non-adherence to the IEPD by the SoS. Moreover, the SoS was only required to "have regard" to the IEPD, which was described as a "soft obligation in public law terms" and weaker than the public law obligation to act consistently with published policies, underscoring the inadequacy of the Immigration Exemption's reliance on the IEPD to set safeguards.

Insufficient specificity

Saini J also highlighted the insufficient specificity of the Immigration Exemption's framework. Again in respect of Complaint 4, Saini J noted how the IEPD failed to dictate the processes which the SoS should have had in place when relying on the Immigration Exception. Saini J commented that "the very wording of the [amending regulations] encourages a generalised, non-prescriptive document", inadequate for safeguarding data subjects. Complaint 6 was upheld because the Immigration Exemption totally failed to include provisions on addressing the risks to data subjects arising from its use.

Parliamentary scrutiny

Additionally, Saini J's reasoning was influenced by how the IEPD was not subject to Parliamentary scrutiny. The IEPD could "be changed without formality or any Parliamentary procedure". Saini J went as far as to say that this meant that Parliamentary scrutiny of the Immigration Exemption itself was "in practice absent". Whilst the Defendants highlighted the attraction of this point, which they said allowed the policy to be "nimble", Article 23(2) UK GDPR required legislation or a code "endorsed by Parliament".


Saini J's reasoning is of interest beyond the data protection and immigration contexts. The approach adopted will be of general relevance to other situations where the Government seeks to use policy documents rather than introduce formal legislation. Where statute requires a given result to be achieved through legislation, it will not be open to the Government to justify the use of a policy document instead due to its expedience or flexibility.

In circumstances where the Government increasingly uses policy documents and there are significant constraints on Parliamentary time to pass new legislation, this judgment is a signal from the High Court that the use of vague policy documents which potentially undercut Parliamentary scrutiny will be examined particularly closely.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More