The UK data protection law will have to be ‘fixed’ so that people can access their personal records held by the Home Office and other entities involved in “immigration control”, the Court of Appeal decided on Tuesday. The ruling concludes a legal challenge brought by two citizens’ rights groups represented by Leigh Day solicitors.
Introduced in 2017, the UK law allows public and private organisations to bypass data protection obligations for “the effective maintenance of immigration control.” In essence, it permits the government and other public and private entities to use personal data of migrants without letting the concerned individuals know. On the same basis, migrants can be denied access to their personal data.
The exemption raised concerns among citizens’ rights groups, as access to personal information is crucial when challenging Home Office decisions regarding, for instance, residence rights or deportations.
Members of the European Parliament have also criticised the British government for the way it intends to handle personal data of EU citizens.
A three-year legal battle
In 2018 the Open Rights Group, an organisation promoting privacy and data protection rights, and the3million, which defends the rights of EU citizens in the UK, launched a legal challenge against such restrictions.
The UK has a ‘hostile environment policy’ which requires citizens and public servants to check the immigration status of individuals when offering jobs, renting accommodation, providing medical care, opening bank accounts or offering similar services.
Under the data protection law, employers, landlords, GPs, banks are all “data controllers” that can withhold the information they have about a person, campaigners said.
Campaigners argued that limits to data protection are permitted under the GDPR, but these have to be “narrow” and include safeguards to protect individuals.
In October 2019, however, the High Court ruled that the immigration control provision in the UK data protection act was not unlawful. The groups therefore decided to appeal the decision.
The Court of Appeal has now ruled that the immigration exemption is disproportionate and incompatible with the General Data Protection Regulation, the EU law on digital rights that forms the basis of the UK act. The Court said that law will have to change and will determine what remedies are needed to fix the problem at a hearing planned in summer.
“We welcome today’s judgment, especially as we represent millions of EU citizens who for the first time have to hand their personal data to the Home Office and its contractors to be able to stay in the UK,” said the3million co-founder Maike Bohn.
Millions of people are affected by the decision, including EU citizens who have to apply for settled status by June 30th to secure their post-Brexit rights in the UK. “Winning the appeal means we can hopefully reintroduce much-needed scrutiny so errors and data misuse cannot go undetected,” Bohn continued.
At an online event on Tuesday, Catherine Barnard, Professor of EU law at the University of Cambridge, noted many EU citizens, especially from Eastern Europe, do not trust state institutions and concerns about the possible misuse of their personal data has been cited in reseach as a reason why people are avoiding to apply for settled status.
“If the Government holds information about you, it should only be in the most exceptional circumstances that it is denied to you, such as during a criminal investigation. Treating all immigrants like criminals and suspects is simply wrong,” added Sahdya Darr, Open Rights Group’s immigration policy manager.
UK law ‘adequate’ for EU data transfer
From the name and address to bank and health records, the protection of personal data in the European Union is recognised under the Charter of Fundamental Rights and regulated by the GDPR.
Personal data can be transferred from EU to non-EU countries such as the UK if their legislation is deemed “adequate”, meaning it guarantees a similar level of protection. Otherwise extra safeguards, such as encryption, contractual clauses and codes of conduct, are required.
As the UK has withdrawn from the Union, the EU is preparing to declare that British law guarantees “adequate” protection of personal information.
Because of concerns about the way data will be used, however, the European Commission has proposed for the first time to review the adequacy decision every four years.
Claudia Delpero © all rights reserved
Europe Street News is an online magazine covering citizens’ rights in the EU and the UK. We are fully independent and we are committed to providing factual, accurate and reliable information. As citizens’ rights are at the core of democracy, our website and newsletter are available for free. If you found this article useful, please consider making a contribution so we can continue and expand our coverage. Thank you!