Northern Ireland – High Court: Court rejects unvaccinated man’s objection to vaccine passports

Irish Legal News reports

Northern Ireland’s High Court has dismissed an application for judicial review arguing that so-called “vaccine passports” breached GDPR and data protection laws, finding that the unvaccinated applicant had insufficient standing for such a claim.

This decision was one of a series surrounding recent judicial review applications regarding Covid-19 regulations.


The applicant, Darren Williams, was concerned about vaccine passports required for entry to certain hospitality services. He was unvaccinated, and sought to challenge regulations made by the Department of Health under section 25Q (Emergency Procedure of the Public Health Act) (Northern Ireland) 1967.

These regulations, The Health Protection (Coronavirus, Restrictions) Regulations (Northern Ireland) 2021 (Amendment No: 19) Regulations (Northern Ireland) 2021 introduced provisions requiring Covid-Status certification at high risk settings.

These settings included indoor events with 500 or more attendees, outdoor events with 4,000 or more attendees, nightclubs, cinemas, theatres and conference halls.

These settings could only admit “qualifying persons” who could prove evidence of the following pursuant to Regulation 16C:

  1. Proof of full vaccination by paper or electronic form more than 14 days prior.
  2. A negative Covid-19 Rapid Antigen Test proven by the NHS Covid-19 Reporting App or onsite taken within the previous 48 hours.
  3. Valid notification of proof of recovery from a positive Covid-19 PCR test within the previous 30-180 days.
  4. Confirmation in writing of participation in a clinical trial for vaccination against Coronavirus.
  5. Evidence of medical exemption.

Regulation 16F(6) required that “the responsible person” (the venue owner) process personal data of those who wish to enter, either by use of the COVIDCert NI app, a paper QR Code, or a vaccination card along with a photo.

The applicant’s case

The applicant argued that the use of the Cert NI App by responsible persons was unlawful, on three separate grounds.

Firstly, he argued that this approach failed to comply with GDPR and the Data Protection Act 2018 (DPA) in allowing the unlawful processing of sensitive special category personal data where it was not necessary to process personal data at all to achieve the regulations’ legitimate aims.

It was the applicant’s case that the processing of data via the COVIDCert NI app was not “necessary” as understood by European jurisprudence. Necessary here, it was argued, should be construed as reasonably necessary, rather than absolutely or strictly necessary.

Secondly, the proposed respondents failed to comply with GDPR and the DPA as they did not carry out an adequate data protection impact assessment prior to the regulations being brought into operation.

Article 9 GDPR sets out special categories of personal data which attract a higher level of protection and impose a complete prohibition on processing data in those categories, subject to specified exceptions. The prohibition applies to data concerning health.

Thirdly, the proposed respondents failed to consult pursuant to the implied statutory duty under section 64 DPA and/or at common law.

It was argued that people could establish their vaccination status by the use of visual inspection by using a vaccination card. This approach would have satisfied the legitimate aims of the Covid-Status Certification Scheme, but would not have required the processing of data in any circumstances.

Consideration of the issues

The court noted that the “obvious issue” related to the applicant’s standing. He was not vaccinated, meaning that the processing about which he complained would never apply to him. In those circumstances, he sought to argue standing on the grounds of the “public interest.”

The court considered Order 53 Rule 3(5):

“The court shall not, having regard to section 18(4) of the Act, grant leave unless it considers that the applicant has a sufficient interest in the matter to which the application relates.”

The applicant was not a data subject in respect of the provisions about which he complained. He had not been prohibited from entering the various venues referred to in the regulations, as there was an alternative means for him to certify his status.

It was further noted that the applicant only filed his affidavit on 21 January 2022, after the majority of the restrictions had been removed. The regulations had been introduced as emergency measures in the midst of a public health emergency.

The court went on to specify that it had not received any legal challenge to these regulations from any vaccinated people about the personal data processing complained of here.


The key question for the court in exercising its discretion to grant leave for judicial review in this case related to the utility of the court hearing and determining the matter, given that the situation had largely resolved itself.

However, the court was also conscious that it would be slow to interfere in a decision as to what is reasonably necessary in the context of a public health emergency when decisions are taken by elected representatives, who are best placed to assess the public interest.

Notwithstanding the legal issues raised, the court was not persuaded that this was an appropriate case in which to grant leave for judicial review.