By which we mean: some that we did miss blogging about. With apologies and better late than nevers, here’s a round-up of three recent(ish) cases worthy of note. In R (Open Rights Group) v SSHD digital campaigners Open Rights Group and The3million (campaigning on behalf of so many EU Citizens living in the UK) challenged the immigration exemption – one of the few new features in the DPA 2018 that strengthens the controller’s hand – as incompatible with fundamental charter rights to privacy and protection of personal data. They also contended that it was too broad, vague and lacking in the safeguards required by the parent Article 23 GDPR (which enables Member States to enact domestic exemptions).The exemption follows a formula which is familiar from other exemptions, old and new – processing of personal data relating to some public good is exempt from data subject rights, to the extent that the public good is jeopardised by execise of those rights. The immigration-specific exemption is new – as the Secretary of State’s witness explained , ‘where an exemption was required in an immigration context, reliance was placed on the crime exemption contained latterly in s.29 of DPA 1998’. In other words, the Home Office was getting by OK under the old regime, and one aspect of the challenge to the exemption was that the introduction of a measure infringing fundamental rights must be ‘strictly necessary’.
Panopticon, 5th December 2019