The House of Commons has given its final approval to the Data Protection Bill, which, amongst other things, translates into national law elements the EU’s General Data Protection Regulation (GDPR). The GDPR was approved at the EU level in 2016 and will be enforced across the EU from 25 May 2018. The aim of the regulation is to standardise data protection rules across EU countries and give individuals more powers on how their data is accessed and used.

But the UK bill contains some changes, including an exemption that will allow state bodies and other organisations to use people’s data without them being aware nor having access to it if it is a matter of “effective immigration control”. An amendment that would have removed the exemption from the bill was rejected by the House.

Campaigners at Open Rights Group, an organisation working to protect the rights to privacy and free speech online, and the3million, a group defending rights of EU nationals in the UK, are taking legal action against such measure. Their objective is to force the British government to remove this exemption, and they are crowfunding to support their claim.

“This exemption will affect everyone involved in an immigration case who wishes to access their data, for example: those seeking refuge in the UK, those affected by the Windrush scandal, the three million EU citizens who will have to submit their applications for a new immigration status after Brexit,” they said in a statement.

Luke Piper, immigration law solicitor at South West Law in Bristol, explains.

What is the data protection bill and what is the exemption about?

The Data Protection Bill amongst other things transposes into UK law elements of the GDRP, which was conceived to strengthen individual data protection rights. The exemption included in the bill, however, allows the government to ignore data protection rights and deny the right to access information, if it believes by doing so will undermine immigration control. So the GDPR and the related bill are supposed to help people, but the exemption denies people access to their data when they need it the most.

Isn’t the exemption contrary to the spirit of the GDPR?

It is counter-intuitive to the purpose of the bill, as it is the opposite of strengthening individual rights. It removes power from the individual and puts it in the hands of the government.

What are the impacts of it?

The mechanism is that the Home Office, for example, can make decisions about your future immigration application without you being able to know what information they hold for that purpose. The logic is that the Home Office wants to protect information from people who intend to abuse the immigration system. For example, people who want to know what sort of investigations they are carrying out to then be able to evade immigration controls. But there are already measures in place that allow the Home Office and the government in general not to disclose data for that purpose. The government wants to expand the scope of such measures by denying people access to information held about them when it would ‘undermine immigration control’. This may seem innocent, but when you put these legal tools into the hands of an agency like the Home Office, you start seeing where problems might arise. The pattern and scale of erroneous decision made by the Home Office is well documented and has been particularly felt by the Windrush generation and other minority groups. For example, highly skilled migrants applying for settlement who have been refused for innocent tax discrepancies. The Home Office cannot be held to account if people are denied access to the very information they have relied on to reach these erroneous decisions. In this context, being denied information is just another weapon in the arsenal of the ‘hostile environment’.

Does the exemption apply only to the Home Office or to all government departments and agencies?

Potentially it can be used by any agency. But because it refers to immigration, those impacted the most are those engaging with the Home Office or the agencies they employ.

What is the position of the different parties in this regard?

There have been a lot of lobbying efforts by civil rights and legal groups. They have all been saying that this can’t work, but despite efforts nothing substantive has changed on the political front.

So what happens next?

When the Data Protection Bill becomes law it’s law, and royal assent is expected before 25 May. One way to try and change the law is a legal challenge. This is why the3million and the Open Rights Group intend to pursue a judicial review when the law is passed. They will argue that the act is not compatible with GDPR principles, as well as with EU law generally and the European Convention on Human Rights. There is always an opportunity to not go to court, if a resolution is found beforehand and the government looks at the law again. Otherwise litigation in the High Court could take months and would be costly.

Will people be impacted before that?

If there is a litigation pending, the usual practice is to put the relevant cases on hold until the outcome of the challenge is known. However, it cannot be known what course of action the government will take. Those impacted by the changes should seek legal advice.

Claudia Delpero © all rights reserved.
Photo via Pixabay.