The UK’s data protection bill is facing fresh controversy and the threat of legal action if the government does not ditch an amendment which removes data protection rights in instances where the Home Office deems it could prejudice “effective immigration control”, or the “investigation or detection of activities that would undermine the maintenance of effective immigration control”.
Digital civil rights group the Open Rights Group (ORG) and the3million, a post-Brexit referendum organization advocating for the rights of European Union citizens living in the UK, have said today they are launching formal legal action over the inclusion of the clause.
They argue the exemption means at least three million people across the UK would be unable to find out what personal data the Home Office or other related organizations hold on them, with the government able to shield the data behind a claim of “effective immigration control” — risking cementing errors in the processing of applications that could lead to immigrants being unfairly denied entry or deported from the UK.
They also argue the clause is incompatible with the incoming EU General Data Protection Regulation (GDPR) — which the data protection bill is intended to transpose into UK law ahead of the May 25 deadline for applying the regulation. (Although the government is making these specific provisions in a section listing exemptions from GDPR.)
The Home Office has a reputation for data processing errors and for taking a very heavy-handed approach where immigration is concerned. ORG’s executive director, Jim Killock, argues it is trying to use a sweeping exemption to data protection law to cover up its own mistakes.
“This is an attempt to disguise the Home Office’s mistakes by making sure that their errors are never found. When people are wrongly told to leave, they would find it very hard to challenge,” he said in a statement.
“Data protection is a basic safeguard to make sure you can find out what organisations know about you, and why they make decisions. Sometimes, during criminal investigations, that isn’t appropriate: but immigrants aren’t criminals, nor should they be treated as such.”
The government has also proposed setting up a new registration system for EU citizens once the UK leaves the EU, as is currently slated to happen in March 2019 — meaning there would be a new Home Office database containing the personal details of more than three million people. And where there’s data, there’s the inevitable risk of errors and inaccuracies.
Which is exactly why GDPR has provisions for data subjects to be able to view data held about them and have any errors corrected. An exemption for immigration seems intended to impede such visibility, however.
“We need safeguards in place to ensure that these citizens have access to the information held about them, so they are able to appeal Home Office decisions or correct mistakes,” said Nicolas Hatton, chairman of the3million, in another supporting statement. “Everyone should be entitled to know how the Home Office and other government agencies are using their records, and that is why we want this exemption removed.”
Lawyers from Leigh Day, the firm acting on behalf of ORG and the3million, have written to UK home secretary Amber Rudd outlining their concerns and asking for the clause to be removed from the bill, which gets its second reading debate later today in parliament.
Rosa Curling, a human rights solicitor from Leigh Day, said the exemption risks creating a “discriminatory two-tier system” for data protection rights.
“The clause is incompatible with GDPR, as well as EU law generally and the European Convention on Human Rights,” she said in a statement. “If the exemption is made law, our clients will apply for judicial review. They have written to the government today to urge it to reconsider and to remove the immigration exemption from the bill without further delay.”
We’ve contacted the Home Office for comment and will update this story with any response.
It’s not the first controversy for the 2017 data protection bill. In January concerns were raised, including by the UK’s information commissioner, over the implications of a new ethics regime for processing public sector data.
Consumer groups have also voiced unhappiness that the government has not taken up another GDPR provision that allows for collective redress for victims of data breaches.
On the data retention side, the government is also facing several ongoing legal challenges to its surveillance regime under European law — and has lost multiple times including in December 2016 when Europe’s top court dealt a major blow to “general and indiscriminate” data retention directives.