A legal appeal to remove the UK government’s controversial “immigration exemption” from the Data Protection Act 2018 (DPA 18) will be heard by the Court of Appeal on 23 February 2021.
The immigration exemption, which is found in Schedule 2 of the DPA 18, allows the Home Office and other organisations or companies involved in “immigration control” to refuse access to personal data held about individuals if it might “prejudice the maintenance of effective immigration control”.
Digital campaigning organisation Open Rights Group (ORG) and the3million, which represents EU citizens living in the UK, previously argued to the High Court in July 2019 that the exemption was too broad and undermined the European Union’s (EU) General Data Protection Regulation (GDPR), as well as its Charter of Fundamental Rights.
The exemption not only effects EU nationals, but anyone who has dealings with any of the state bodies or companies involved in “immigration control”, including people seeking refuge in the UK or those affected by the Windrush scandal.
While the court rejected the groups’ arguments and deemed the exemption lawful – finding “the purposes for which, and the categories of data to which, it may be applied were…appropriately delineated” – the challenge revealed the government used the clause to deny data subjects access to some or all of their data in 60% of immigration-related cases.
“The3million and Open Rights Group are looking forward to once again standing up for an accountable immigration system and a fair data protection framework that respects everyone’s right to access their personal data, regardless of nationality or country of origin,” wrote Nicolas Hatton, a founding member of the3million, in a post on fundraising site Crowd Justice.
Speaking to Computer Weekly about the appeal, Scotland director at ORG Matthew Rice said the exemption, which is the first derogation of its kind in 20 years of UK data protection law, has been justified by the UK government on the grounds it needs to “stop people from learning that they’re about to be removed from the country” and consequently absconding.
“There was no evidence to suggest that under previous data protection law…people were making subject access requests [SARs], getting back that they were due to get a visit from the immigration services, and then running away,” he said.
“The other thing to bear in mind is that the exemption is blunt because immigration control isn’t defined in the act or in any part of UK law, and it’s not just about the Home Office or borders. Any data controller can apply this exemption – it’s available to your doctor, your landlord, your school, your local authority, any number of persons that might hold personal data about you.”
As a specific example, Rice said healthcare records are often included in data sharing agreements between the NHS and the Home Office, preventing people from seeking medical help out of fear their information will be handed to immigration services.
A lack of transparency and accountability
Rice said there was also no way of really knowing when the exemption has been applied, as the Home Office does not tell people when responding to their SARs.
“We found in pre-litigation…that the Home Office were not informing people of when the exemption was being engaged, so people were just receiving their response from the SARs and having data removed from it, but it wouldn’t say this data has been removed because of this exemption,” he said, adding that while there are mechanisms in place for people to appeal against a data controller’s decision to withhold data, they are essentially meaningless if you do not know that data has been withheld in the first place.
The non-disclosure of personal data under the immigration exemption therefore not only interferes with the individual’s access rights, but a host of other digital rights granted by the GDPR as well, including the rights to rectification, erasure and restriction of processing.
Rice added that ORG, in collaboration with lawyers experienced in making SARs, found “errors occurring in people’s records that, without access to that personal data, could have led to them being removed from the country”.
Responses to freedom of information (FoI) requests submitted by ORG also indicate that use of the exemption has actually gone up since the challenge was heard by the High Court in July 2019, from being used in 60% of immigration-related cases to being used in 70%.
However, Rice said while ORG and the3million now have a better of understanding around how much the exemption is being applied, “we can’t understand the criteria or categories of personal data it’s being applied to”, or whether it is being applied disproportionately against certain nationalities.
“If we’re seeing the use of it increase, that suggests that it’s becoming easier to apply…so we’re continuing to hope the court sees the errors in the government’s way of constructing this law and begin to change it,” he said.
The immigration exemption and data adequacy
Rice added while it likely will not be touched on in the courtroom, the exemption has “potential political repercussions for the UK as well”.
As the UK’s negotiations with the EU continue to be mired in disagreement, concerns are growing over the ability to exchange data freely between the two, which rests on the UK government’s ability to secure a data adequacy decision from the EU.
Without such a decision, UK companies could face difficulties in exchanging data with their EU subsidiaries, or with customers and suppliers.
However, the immigration exemption presents a stumbling block to the UK gaining this adequacy, as it directly affects EU citizens in the country and stops them from enjoying “essentially equivalent” levels of protection as they would in the bloc.
In the mandate given to the European Commission by the European Parliament for Brexit negotiations, MEPs specifically cited the exemption as an area of major concern.
“If information and access to one’s file is denied, one can also not effectively exercise one’s rights to correct incorrect data; and in any case the rights to object and restrict contested data are removed,” wrote Ian Brown, a visiting CyberBRICS professor at Fundação Getulio Vargas Law School in Rio de Janeiro, and Douwe Korff, an emeritus professor of international law at London Metropolitan University who specialises in human rights and data protection.
“And that, in turn, fundamentally affects one’s rights to fair proceedings in immigration cases, including in cases relating to the rights of EU nationals, In our view, the UK cannot be granted a positive adequacy decision…unless the application of the immigration exemption in the Data Protection Act is significantly tightened, made clear and foreseeable in its application, and is limited to what is objectively necessary and proportionate in a democratic society,” they added.
Rice told Computer Weekly he expects a judgment from the Court of Appeal within four to six months of the case being heard.