Open Rights Group are a digital rights campaigning organisation. Campaigning for a world where we each control the data our digital lives create, deciding who can use it and how, and where the public’s rights are acknowledged and upheld.
the3million is the largest grassroots organisation of EU citizens in the UK, and campaigns for all EU citizens living here to be able to continue life as usual after Brexit.
The government has introduced legislation on a new exemption to data protection which would remove the fundamental right for individuals to access their personal data when it would prejudice “effective immigration controls” or “the investigation or detention of activities that would undermine the maintenance of effective immigration control.”
This would remove:
The right for EU citizens in the UK to be informed about what data is being used about them in relation to immigration, and their right to access the data.
The ability of citizens, lawyers and caseworkers to understand decisions and
errors made by immigration authorities.
The obligation on public authorities and companies to process the data
lawfully, fairly and in a transparent manner with regards to immigration. The exemption would also allow the Home Office and collaborating organisations:
To remove key data protection obligations from any new database of EU citizens.
To share immigration related data without restraint or safeguards outside of the EU.
To use automated decision-making and population-scale monitoring without safeguards.
This creates particular concern for EU citizens in the UK because:
The UK government has proposed creating a new registration system for EU citizens living in the UK on Brexit day, so they are able to claim the rights established by a Withdrawal Agreement.1 This will potentially create a database administered by the Home Office with personal details from over three million people.
After Brexit, EU citizens may need access to their data as part of contesting Home Office decisions on residence and making other claims.
The Home Office has a tendency of using any available data for immigration surveillance, such as the National Pupil Database, this exemption would remove the right of those affected by this data sharing to hold to account the Home Office or schools involved. (almost 2,500 requests to the National Pupil Database for information between July 2015 and September 2016).
Mistakes and administrative errors are commonplace in immigration cases, with reports of mistakes in 1 out of 10 cases from the Chief Inspector of Borders and Immigration.
The exemption is modelled on existing exemptions for criminal cases. The government may attempt to justify the exemption under the same kind of principle of ensuring that ‘investigations’ are not ‘endangered’ through releasing data to wrongdoers.
However, people making immigration claims are not criminals, nor are they attempting anything unlawful - they are merely trying to claim their right to remain in the UK. Three million EU citizens may need to assert these rights, and should not be treated as if they are criminals.
This blanket exemption has nothing to do with crime. If an offence has been committed - such as working illegally, providing false information or trafficking - there are appropriate exemptions for law enforcement elsewhere in the Bill. This exemption will have the effect of removing the legitimate power to challenge administrative decisions and practices that may be the result of errors.
1 This proposal is currently (December 2017) under negotiation with the EU
Requests for information under data protection (subject access requests) are an integral part of most immigration cases, and will be critical for the future of three million EU citizens resident in the UK if current government proposals are implemented.
The exemption is driven by the Home Office, but will cover any organisation processing information that is used in relation to immigration controls. The current immigration regime extends the responsibility to control immigration to schools, GPs, hospitals, landlords or employers, and even the DVLA.
The exemption may be unlawful and create problems for the UK’s continuing collaboration with the EU, as:
EU citizens enjoy a right to data protection under the Charter of Fundamental Rights. By implementing a blanket exemption, their rights will be curtailed in a disproportionate manner as it potentially affects every EU citizen living in the UK. The measure is also discriminatory towards non-UK EU nationals by creating a two-tier data protection regime. While the UK remains an EU member, such a blanket exemption appears likely to contravene Union law.
After the UK exits the EU, the EU will want to understand that privacy and data protection rights are available in order to conclude agreements, including on law enforcement and immigration co-operation. This clause will endanger any such agreements.
The EU will also have an interest in ensuring that EU citizens in the UK are able to effectively claim their rights after Brexit, such as the right to appeal. Denying them access to personal data related to their individual cases would severely impact on being able to exercise those rights in practice.
During the first data protection debates in the UK, in 1984, the Home Office pushed for a similar exemption, but proposals were eventually dropped.
A generalised exemption for immigration-related data is too wide and disproportionately interferes with fundamental rights of privacy, access to information, and data protection. The clause is not needed. Criminal investigations can already be exempted from data protection requests. International data sharing arrangements for terrorism and other criminal purposes exist in other legislation.