The UK Court of Appeal has ruled that the government’s “immigration exemption” in the Data Protection Act 2018 (DPA 18) is unlawful, overturning a High Court decision from 2019. The immigration exemption, found in Schedule 2 of the DPA 18, allows the Home Office and other organizations or companies involved in “immigration control” to refuse access to personal data held about individuals if it might “prejudice the maintenance of effective immigration control”. Digital campaigning organization Open Rights Group (ORG) and the3million, which represents EU citizens living in the UK, argued to the High Court in July 2019 that the exemption was too broad and undermined the European Union’s (EU) General Data Protection Regulation (GDPR), as well as its Charter of Fundamental Rights.
The exemption, which is the first derogation of its kind in 20 years of UK data protection law, affects not only EU nationals but anyone who has dealings with any state bodies or companies involved in “immigration control”. This includes people seeking refuge in the UK or those affected by the Windrush scandal. While the High Court rejected the groups’ arguments and deemed the exemption lawful – finding “the purposes for which, and the categories of data to which, it may be applied were…appropriately delineated” – three judges heard a legal appeal on 23 and 24 February 2021. They unanimously overturned the decision on 2 June 2021.
“This is a momentous day. The Court of Appeal has recognized that the Immigration Exemption drives a huge hole through data protection law, allowing the government to restrict access to information that may be being used to deny people their rights,” said Sahdya Darr, immigration policy manager at ORG. “If the government holds information about you, it should only be in the most exceptional circumstances that it is denied to you, such as during a criminal investigation.
“The treatment of immigrants as criminals and suspects is simply wrong. The suffering of the Windrush generation shows that the Home Office’s use of data is poor. The court has today found that proper safeguards should be put in place to help prevent future abuses and to ensure that people are treated fairly and lawfully.”
Lord Justices Underhill, Singh, and Warby ruled it was “clear that the Immigration Exemption is non-compliant” with Article 23 of GDPR, adding it “is an unauthorized derogation from the fundamental rights conferred by the GDPR, and therefore incompatible…For that reason, it is unlawful.” Article 23 states that any derogation from the regulation must be done through legislative measures and that these measures must set out several specific provisions. “The GDPR says member states can restrict these rights, but if they do, then it must be by way of a legislative measure,” Waleed Sheikh, an associate solicitor at Leigh Day representing ORG and the3million, told Computer Weekly.
“That legislative measure has to have addressed certain safeguards – for example, the purpose of the data processing, the scope of the restriction, or precautions to prevent abuse.
“The court has said that these two things are missing from the immigration exemption: one, there isn’t a legislative measure, and two, these points are not addressed.” He added that while the Information Commissioner’s Office (ICO) has previously released guidance on applying the exemption, the point of a legislative measure is that it has the force of law behind it, which the ICO’s guidance does not. According to Darr, the government now has until 9 June to apply to the Court of Appeal for permission to appeal to the Supreme Court.
The case has revealed that the government has used the clause to deny data subjects access to some or all of their data in 60% of immigration-related issues. “It’s expected that any such application will be considered alongside relief at the hearing. Suppose the Court of Appeal refuses permission to appeal. In that case, the government then has the opportunity to apply directly to the Supreme Court, which must be done within 28 days,” she said. “Regardless of whether an appeal is sought or not, the question of relief will be decided at the hearing to take place sometime in the summer. If the government does not appeal, all that’s left is for us to prepare for the relief hearing.”
In January 2021, then Scotland director at ORG Matthew Rice told Computer Weekly that there was no way of knowing when the exemption was applied, as the Home Office does not inform people when responding to their subject access requests (SARs). “We found in pre-litigation…that the Home Office was not informing people of when the exemption was being engaged, so people were just receiving their response from the SARs and having data removed from it, but it wouldn’t say, ‘This data has been removed because of this exemption’,” he said, adding that while there are mechanisms in place for people to appeal against a data controller’s decision to withhold data, they are essentially meaningless if you do not know that data has been withheld in the first place.
The non-disclosure of personal data under the immigration exemption, therefore, interferes with the individual’s access rights and a host of other digital rights granted by the GDPR, including the rights to rectification, erasure, and restriction of the processing.
Sheikh added: “It hasn’t yet been decided what the remedy will be, so until we know exactly what the court says should be done, it is pretty tricky to talk about what the potential, or the practical, implications of this judgment will be.
“In terms of the judgment, as it is, it’s a very positive judgment and recognizes important concerns that we had about the problems with the immigration exemption.”