The UK Court of Appeal has ruled that the government’s “immigration exemption” in the Data Protection Act 2018 (DPA 18) is unlawful, overturning a High Court decision from 2019.
The immigration exemption, found in Schedule 2 of the DPA 18, allows the Home Office and other organizations or companies involved in “immigration control” to refuse access to personal data held about individuals if it might “prejudice the maintenance of effective immigration control”.
Digital campaigning organization Open Rights Group (ORG) and the3million, which represents EU citizens living in the UK, argued to the High Court in July 2019 that the exemption was too broad and undermined the European Union’s (EU) General Data Protection Regulation (GDPR), as well as its Charter of Fundamental Rights.
The exemption, which is the first derogation of its kind in 20 years of UK data protection law, affects affects not only EU nationals but anyone who has dealings with any state bodies or companies involved in “immigration control”. This includes people seeking refuge in the UK or those affected by the Windrush scandal.
While the court rejected the groups’ arguments and deemed the exemption lawful – finding “the purposes for which, and the categories of data to which, it may be applied were…appropriately delineated” – three judges heard a legal appeal on 23 and 24 February 2021. They unanimously overturned the decision on 2 June 2021.
“This is a momentous day. The Court of Appeal has recognized that the Immigration Exemption drives a huge hole through data protection law, allowing the government to restrict access to information that may be being used to deny people their rights,” said Sahdya Darr, immigration policy manager at ORG.
“If the government holds information about you, it should only be in the most exceptional circumstances that it is denied to you, such as during a criminal investigation.
“The treatment of immigrants as criminals and suspects is wrong. The suffering of the Windrush generation shows that the Home Office’s use of data is poor. The court has today found that proper safeguards should be put in place to help prevent future abuses and to ensure that people are treated fairly and lawfully.”
Lord Justices Underhill, Singh, and Warby ruled it was “clear that the Immigration Exception is non-compliant” with Article 23 of GDPR, adding it “is an unauthorized derogation from the fundamental rights conferred by the GDPR, and therefore incompatible…For that reason, it is unlawful.”
Article 23 states that any derogation from the regulation must be done through legislative measures and that these measures must set out several specific provisions.
“The GDPR says member states can restrict these rights, but if they do, then it must be by way of a legislative measure,” Waleed Sheikh, an associate solicitor at Leigh Day representing ORG and the3million, told Computer Weekly.
“That legislative measure has to have addressed certain safeguards – for example, the purpose of the data processing, the scope of the restriction, or precautions to prevent abuse.
“What the court has said is that these two things are missing from the immigration exemption: one, there isn’t a legislative measure, and two, these points are not addressed.