The government has denied data subjects access to some or all of their data in 60% of immigration-related cases by using a controversial clause in the Data Protection Act (DPA) 2018, a legal challenge in the High Court has revealed.
They argue that the immigration exemption, which passed into law in May 2018, is unlawful, is in conflict with the EU’s Charter of Fundamental Rights and undermines the General Data Protection Regulation (GDPR), which states that everyone, regardless of their nationality or residence, should have their fundamental rights and freedoms protected – in particular, their right to the protection of personal data.
The immigration exemption affects the three million EU citizens who will have to submit their applications for a new immigration status after Brexit. It also affects anyone who has dealings with the Home Office, other state bodies and several companies who are involved in “immigration control”, such as those seeking refuge in the UK and those affected by the Windrush scandal.
The immigration exemption under Schedule 2, Part 1, paragraph 4 in the DPA allows the Home Office, and other organisations or companies involved in “immigration control”, to refuse access to personal data held about individuals if it might “prejudice the maintenance of effective immigration control”.
The first day of the two-day hearing also revealed that individuals were not being informed when the immigration exemption is applied.
Ben Jaffey QC, representing the Open Rights Group and the3million, argued that the lack of explicit notification leaves many without the ability to challenge the use of the exemption.
Matthew Rice, Scotland director for Open Rights Group, said: “The number of times this exemption has been used confirms the fears we had when we brought the case forward.
“This vague exemption provides a wide open opportunity for the Home Office to restrict access to data and avoid accountability for the mistakes it is regularly found to make.
“The fact that no-one is even informed that the exemption applies adds insult to injury. This is a blunt force exemption being used in opaque circumstances to restrict individuals fundamental right to access to personal data,” he said.
Read more about UK data protection legislation
- DPA 2018 makes the UK one of the first countries to implement the GDPR in local law, but some have criticised it as a “lost opportunity”.
- Security industry welcomes planned UK Data Protection Bill.
- UK Data Protection Bill vs EU General Data Protection Regulation.
- The Data Protection Bill is about securing UK data leadership.
Read more on Privacy and data protection
Security Think Tank: ‘Legitimate interest’ crucial for vaccine passports
UK border surveillance regime highly privatised, says Privacy International
Immigration exemption in data protection law faces further legal challenge
What does Brexit mean for the future of UK digital policy? A view from Europe