The Government moves to address unlawful immigration exemption under the Data Protection Act 2018

The Government moves to address unlawful immigration exemption under the Data Protection Act 2018

Following up on our piece dated 3 April 2023, which discussed the Government’s attempts to safeguard the immigration exemption under the Data Protection Act 2018, recent developments indicate significant progress in addressing legal challenges surrounding this exemption.

The original exemption

The UK GDPR (which is the EU retained law for data protection) provides an exemption that allows for certain rights to be restricted if they are likely to have a negative impact on immigration matters. The exemption can apply to; the right to be informed including the transparency principle, data subject access requests, the rights to erasure, restrict and object to processing. As such, the application of this exemption could have far-reaching impacts on individuals such as refugees who are seeking to exercise their data protection rights and genuinely seeking asylum because they are at risk of being returned to nations where they may encounter persecution and significant danger.

This exemption applies specifically to data processing related to the maintenance of effective immigration control, or the investigation and detection of activities that could undermine effective immigration control therefore, the Secretary of State (which includes the Home Office and its agencies) is the only entity authorised to apply this exemption. Other controllers, such as employers, universities, and police, who collaborate with the Home Office on immigration matters are not eligible to use this exemption.

The judgment 

The exemption is defined in the Data Protection Act 2018 under Schedule 2 Part 1 Paragraph 4, and was updated in 2022. These updates were made in response to the first judicial review challenge by the3million and Open Rights Group which resulted in the Government making amendments to the legislation. Such amendments included additional measures to safeguard the exemption, such as confining its application to the Secretary of State, mandating the existence of an immigration exemption policy document, and necessitating the maintenance of records and notification of individuals if the exemption is used.

Despite the amendments made to the exemption, the3million and the Open Rights Group argued that the changes were insufficient in safeguarding individuals subject to immigration laws. As a result, they pursued a second judicial review. The judgment deems the exemption to be unlawful; however, the High Court has suspended this declaration for a period of three months, allowing the Government time to modify the Data Protection Act 2018 to rectify its non-compliance.

The Government’s latest attempt to rectify its non-compliance 

The draft Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (“Regulations”), laid before Parliament on 31 January 2024, marks a pivotal response to the Court of Appeal’s ruling in the Open Rights Group case.

The Regulations introduced by the Government aim to rectify the unlawful aspects of the immigration exemption, ensuring that decisions made by the Secretary of State are conducted in accordance with legal standards. Notably, these amendments reinforce the need for transparent and accountable decision-making processes.

The draft Regulations propose several key changes to the immigration exemption framework, including:

  • Case-by-case decision-making: Immigration exemption decisions must now be made on a case-by-case basis, allowing for a nuanced assessment of individual circumstances.
  • Consideration of all relevant circumstances: Decision-makers are required to consider all relevant circumstances of the case, particularly focusing on the potential vulnerabilities of data subjects, such as refugees and asylum seekers.
  • Explicit consideration of data subject rights: The amendments explicitly require decision-makers to consider the rights and freedoms of data subjects under various legal frameworks, including the European Convention on Human Rights and international conventions such as the Refugee Convention and Trafficking Convention.
  • Transparency and accountability: The Regulations mandate the maintenance of records detailing decisions applying the immigration exemption, providing transparent documentation of the rationale behind each determination. Additionally, data subjects must be informed of any decision to apply the exemption, except in cases where doing so may jeopardise immigration control objectives.

In conclusion, the Government’s attempts to rectify the immigration exemption represents a significant step forward in the ongoing evolution of data protection law in the UK. Especially noting that, on 07 February 2024, a running list of all amendments in the House of Lords Grand Committee was published which includes a carry-over extension request to extend the period during which proceedings can take place on the new Data Protection and Digital Information (DPDI) Bill to 12 December 2024. This means the DPDI Bill can carry over into the next Parliamentary session if not passed in the 2023-2024 session.

If you would like to keep up to date on the latest in data protection, please get in touch to subscribe to our newsletter, The Data Download.

Recent posts

Previous
Next
The UK's data protection regulator publishes a new code of conduct for UK private investigators and litigation services
Read more
Unable to row the distance: No copyright in a rowing machine as a work of artistic craftsmanship (WaterRower v Liking)
Read more
The wait is over – Sky v SkyKick decision handed down today
Read more
Autumn Budget 2024: Headlines
Read more
The Final Word
Read more
The UK's new Data (Use and Access) Bill has been introduced into Parliament
Read more
New reforms but a long wait for change: government publishes Employment Rights Bill draft
Read more
The UK's Data Protection Regulator begins its modernisation plans
Read more
A cautionary tale of lessons learnt in cases involving crypto fraud from D'Aloia v Persons Unknown Category A & Ors [2024]
Read more
‘This is a true story’: A lesson learnt from ‘Baby Reindeer’ for shows dramatising the lives of real people
Read more

More from this author

Previous
Next
The UK's data protection regulator publishes a new code of conduct for UK private investigators and litigation services
Read more
The UK's new Data (Use and Access) Bill has been introduced into Parliament
Read more
Facial Recognition Technology: skip the DPIA and face the consequences
Read more
The new UK government announce the Digital Information and Smart Data Bill
Read more
What businesses should consider before implementing monitoring
Read more
'Consent or pay’: the EDPB’s two cents on the right model
Read more
Byte by Byte: The progress of the UK Data Protection and Digital Information Bill
Read more
The UK Government bridges the gap for UK-US personal data transfers
Read more
DATA DEFENCE IN THE METAVERSE: IT'S NOT A GAME
Read more
The Government’s attempts to safeguard the immigration exemption under the Data Protection Act fails in the High Court
Read more
Navigating the grey areas of AI ethics: ICO's updated guidance provides clarity on utilising AI
Read more
EDPB releases lukewarm opinion on the EU-US Data Privacy Framework
Read more

Share this page