The UK Court of Appeal has ruled that the government’s “immigration exemption” in the Data Protection Act 2018 (DPA 18) is unlawful, overturning a High Court decision from 2019.
The immigration exemption, which is found in Schedule 2 of the DPA 18, allows the Home Office and other organisations or companies involved in “immigration control” to refuse access to personal data held about individuals if it might “prejudice the maintenance of effective immigration control”.
Digital campaigning organisation Open Rights Group (ORG) and the3million, which represents EU citizens living in the UK, argued to the High Court in July 2019 that the exemption was too broad and undermined the European Union’s (EU) General Data Protection Regulation (GDPR), as well as its Charter of Fundamental Rights.
The exemption, which is the first derogation of its kind in 20 years of UK data protection law, not only affects EU nationals, but anyone who has dealings with any of the state bodies or companies involved in “immigration control”. This includes people seeking refuge in the UK or those affected by the Windrush scandal.
While the court rejected the groups’ arguments and deemed the exemption lawful – finding “the purposes for which, and the categories of data to which, it may be applied were…appropriately delineated” – a legal appeal was heard by three judges on 23 and 24 February 2021, who unanimously overturned the decision on 2 June 2021.
“This is a momentous day. The Court of Appeal has recognised that the Immigration Exemption drives a huge hole through data protection law, allowing the government to restrict access to information that may be being used to deny people their rights,” said Sahdya Darr, immigration policy manager at ORG.
“If the government holds information about you, it should only be in the most exceptional circumstances that it is denied to you, such as during a criminal investigation.
“The treatment of immigrants as criminals and suspects is simply wrong. The suffering of the Windrush generation shows that Home Office use of data is poor. The court has today found that proper safeguards should be put in place to help prevent future abuses and to ensure that people are treated fairly and lawfully.”
Lord Justices Underhill, Singh and Warby ruled it was “clear that the Immigration Exception is non-compliant” with Article 23 of GDPR, adding it “is an unauthorised derogation from the fundamental rights conferred by the GDPR, and therefore incompatible…For that reason, it is unlawful.”
Article 23 states that any derogation from the regulation must be done through legislative measures, and that these measures must set out a number of specific provisions.
“The GDPR says member states can restrict these rights, but if they do then it must be by way of a legislative measure,” Waleed Sheikh, an associate solicitor at Leigh Day representing ORG and the3million, told Computer Weekly.
“That legislative measure has to have addressed certain safeguards – for example, the purpose of the processing of the data, the scope of the restriction, or safeguards to prevent abuse.
“What the court has said is that these two things are missing from the immigration exemption: one, there isn’t a legislative measure, and two, these points are not addressed.”
He added while the Information Commissioner’s Office (ICO) has previously released guidance on how to apply the exemption, the point of a legislative measure is that it has the force of law behind it, which the ICO’s guidance does not.
According to Darr, the government now has until 9 June to apply for the Court of Appeal to appeal the Supreme Court.
“It’s expected that any such application will be considered alongside relief at the hearing. If the Court of Appeal refuses permission to appeal, the government then has the opportunity to make an application to the Supreme Court directly, which must be done within 28 days,” she said.
“Regardless of whether an appeal is sought or not, the question of relief will be decided at the hearing to take place sometime in the summer. If the government does not appeal, then all that’s left is for us to prepare for the relief hearing.”
The case has revealed that the government has used the clause to deny data subjects access to some or all of their data in 60% of immigration-related cases.
In January 2021, then Scotland director at ORG Matthew Rice told Computer Weekly that there was no way of really knowing when the exemption has been applied, as the Home Office does not tell people when responding to their subject access requests (SARs).
“We found in pre-litigation…that the Home Office were not informing people of when the exemption was being engaged, so people were just receiving their response from the SARs and having data removed from it, but it wouldn’t say, ‘This data has been removed because of this exemption’,” he said, adding that while there are mechanisms in place for people to appeal against a data controller’s decision to withhold data, they are essentially meaningless if you do not know that data has been withheld in the first place.
The non-disclosure of personal data under the immigration exemption therefore not only interferes with the individual’s access rights, but a host of other digital rights granted by the GDPR as well, including the rights to rectification, erasure and restriction of processing.
Sheikh added: “It hasn’t yet been decided what the remedy will be, so until we know exactly what the court says should be done, it is quite difficult to talk about what the potential, or the practical, implications of this judgment will be.
“In terms of the judgment as it is, it’s a very positive judgment and recognises important concerns that we had in relation to the problems with the immigration exemption.”