Big UK GDPR case: Court of Appeal rules in favour of the @OpenRightsGroup @the3million: Immigration Exemption to SARs is incompatible with Art 23 GDPR. This is a new exemption from 2018 the Home Office uses to withhold data rights info in 59% of cases. bailii.org/ew/cases/EWCA/…
Warby LJ is sympathetic to CJEU jurisprudence that 'the legal basis which permits the interference with those rights must itself define the scope of the limitation', noting that the Immigration E is highly discretionary, and the DPA18 does not contain limits on its scope.
However, Warby LJ judges the case more narrowly on a reading of Article 23(2), which permits Member States to restrict a GDPR right for public interest only if a 'legislative measure' contains limiting provisions. 
This is different from the DPD1995, so cannot be meaningless. He does not disapply the measure immediately but invites further evidence on relief.
It looks likely that the outcome of this case, at least at this stage, may be the Secretary of State, by regulations, amending Schedule 2 of the DPA 2018 to limit the exemption's scope in law. This has consequences for other exemptions made in the extensive DPA 2018 schedules too
Note, that although they were available to use, this judgement does *not* turn on the application of the Charter.
This is also going to interplay with current political discussions about UK adequacy. Just last week the European Parliament passed a resolution condemning the Immigration Exemption.
This judgement does not necessarily mean that the EP's concerns are resolved. Even if the scope of the limitation is defined, they may still be concerned that the newly clarified scope does not respect the essence of Charter rights and is not nec/prop in a democratic society.
Regardless, it is a victory against UK adding hugely wide-ranging exemptions which effectively render data rights meaningless. Note however that the ability to quash the law by the CoA relies on the fact that retained Regulations trump pre-exit day domestic legislation: complex.
Courts do not usually this ability to set aside contradictory parts of an Act (unless secondary legislation involved). This case is a remnant of the vanishing shadow of the supremacy of EU law in the UK. Of interest to @jeff_a_king (a teaching case for post-Brexit Public Law?)
If I understand right (calling Withdrawal Act SI experts like @alexandrasinc10), a SoS is bound by Art 23 GDPR restrictions on permissible DPA18 exemptions to data rights if adding by Regulations (EUWA 5(2)) BUT would not be if these were added through primary legislation.
Of course, they might be politically concerned it would endanger UK adequacy to make something that the CJEU might consider to disregard the essence of the right to data protection, but that's a political choice.
This would stem from the fact EU law supremacy is only between pre-exit domestic legislation and retained EU law, but a primary amendment to pre-exit domestic legislation would therefore create bubbles in the text where supremacy did not apply. @colmocinneide please help
(although it's all moot I suppose if an Act sought to selectively set aside supremacy and CJEU judgments in the case of data protection as a whole — given DRI, Tele2/Watson, PI/LQDN decisions on data retention, it would not surprise me if the UK tried that)
Not to mention Schrems II and a trade or data deal with the United States...
• • •
Missing some Tweet in this thread? You can try to
force a refresh
