Press releases

Press releases

Controversial 'immigration exemption' used in 60% of cases, court case reveals

A legal challenge to the immigration exemption in the Data Protection Act 2018 has revealed that the Government has used this controversial GDPR opt-out in response to 60% of its immigration-related data requests since the beginning of 2019. This will have resulted in data subjects being denied access to some or all of their data.

The figure was confirmed on the first day of a High Court challenge brought by the Open Rights Group and the3million.

It was further confirmed that individuals were not being informed when the immigration exemption is applied. Ben Jaffey QC, representing the Open Rights Group and the3million, argued that the lack of explicit notification leaves many without the ability to challenge the use of the exemption.

The exemption has never existed in UK law before its introduction last year. It allows data controllers, including public bodies such as the Home Office or a school or hospital and private bodies such as employers or private landlords, to restrict access to personal data if releasing the information would “prejudice effective immigration control.”

Matthew Rice, Scotland Director for Open Rights Group, said:

“The number of times this exemption has been used confirms the fears we had when we brought the case forward. This vague exemption provides a wide open opportunity for the Home Office to restrict access to data and avoid accountability for the mistakes it is regularly found to make.

The fact that no-one is even informed that the exemption applies adds insult to injury. This is a blunt force exemption being used in opaque circumstances to restrict individuals fundamental right to access to personal data."

Maike Bohn, Co-Founder of the3million, said:

“GDPR is about transparency and protection of our data rights. Today we found out that the Government have not told people when their rights have been curtailed - on a surprising scale of 60% of cases.”

Notes to editors:

The case is being heard in the High Court of Justice. The second day of the case on Wednesday 24 July will see the Government responding to the arguments put forward by the claimants.

For further information please contact Federica Dadone at

An earlier press release explaining the hearing is available here -

[Read more]

High Court to hear judicial review of the immigration exemption for data protection rights

A judicial review of the government’s immigration exemption for data protection rights will be heard at the High Court in London on Tuesday 23 and Wednesday 24 July 2019. The hearing on Tuesday 23 July will take place at Court 18, before Mr. Justice Supperstone, at half past ten.

The legal challenge has been brought by the Open Rights Group and the3million who argue that the immigration exemption, which passed into law in May 2018 as part of the Data Protection Act 2018, is unlawful.

The immigration exemption allows the Home Office, and other organisations or companies involved in “immigration control” to refuse access to personal data held about individuals if it might prejudice “effective immigration control”.

The immigration exemption affects the three million EU citizens who will have to submit their applications for a new immigration status after Brexit. It also affects anyone who has dealings with the Home Office, other state bodies and several companies who are involved in “immigration control”, such as those seeking refuge in the UK and those impacted by the Windrush scandal.

By blocking access to data, the groups argue that mistakes by the Home Office will go unchecked, important decisions about an individual’s immigration status could be made based on incorrect or incomplete information and it could even lead to wrongful deportations. This is of particular concern given that the Chief Inspector of Borders and Immigration has acknowledged the Home Office has a ten percent error rate in immigration status checks.
Both organisations argue that the exemption is unlawful because it amounts to an unlawful, unnecessary and disproportionate interference with fundamental data protection rights.

Matthew Rice, Open Rights Group, said:

"The fundamental right to data protection includes a right to access information held about you. The immigration exemption removes that right for millions of people for the vague purpose of effective immigration control. This restriction is available to all data controllers, it could be your school, your Doctor, your local authority or your employer that exercise the exemption and restricts your access to your data while continuing to share it with the Government for immigration enforcement.
“This is against human rights standards and we are seeking that the exemption is removed, or restricted in its scope. At this crucial time we need an immigration system that treats all parties fairly, this exemption tips the scales too much in favour of the powerful and leaves many powerless.”

Co-founder of the3million Maike Bohn said:

“EU citizens will need their personal records to prove that they are entitled to live in the UK. They need to know how the Home Office and other government agencies are using those records so they can call out mistakes that could have disastrous consequences for their lives. That is why we support removing this shocking exemption.”

Rosa Curling, solicitor at Leigh Day, said:

“We look forward to presenting this case to the High Court on behalf of our clients. The discriminatory, two tier data protection regime created by our government is unlawful and we hope the Court will agree it must be reconsidered on an urgent basis. Individuals must have access to their personal data so they know what information is held about them by the Home Office and others, how this information is being processed and shared and to allow them to correct any errors made. Without access to the data, their right to rectify is meaningless.”

For more information contact Federica Dadone, ORG Communications Officer,

Federica Dadone
Communications Officer
Tel: +44 (0)74 4689 6115


[Read more]

DCMS urged to make porn privacy scheme compulsory

Open Rights Group has today sent an open letter to DCMS Secretary of State, Jeremy Wright, calling on him to introduce legislation requiring the British Board of Film Classification (BBFC) to make their privacy certification scheme compulsory.

The letter notes that the BBFC privacy standard contains broadly-worded provisions that allow age verification providers to write their own rules and that there are no penalties for providers who sign up to the scheme and fail to meet its requirements.

Jim Killock, ORG Executive Director, said:

"Highly sensitive sexual data should be protected to the highest standards; instead, the vague and voluntary BBFC scheme leaves consumers unable to know who they can trust. DCMS needs to act now to fix this disaster."

Open Rights Group has also today launched an age verification advice site for individuals and organisations at:

Killock added:

“Millions of UK adults and teenagers are likely to be looking for answers on what the law means and how they can keep their personal data safe. Our site offers practical guidance to Internet users and site owners on how age verification works and what the risks are for their personal privacy.”




For more information, please contact - 07749 785 932

Notes to editors:

Letter available here:

The age verification scheme under Part 3 of the Digital Economy Act 2017 was due to come into force today. It has been delayed for a period of six months as it had not been properly notified to the European Commission.

The BBFC’s Age verification standard was published in April 2019:

ORG's analysis of the standard is here:

Open Rights Group’s age verification advice site for Internet users and site owners is freely available at


[Read more]

“Futurebook” parody site shows a dystopian digital future

Launched today, Open Rights Group’s website starkly shows how the UK online landscape might look if a post-Brexit government decides to roll back on citizens’ digital rights.

Futurebook is a parody social media website designed to warn users about how changes in Government policy could negatively impact rights to freedom of expression and privacy and disrupt user experiences online.

The website features disabled comments, invasive advertising, blocked content and throttled streaming. These are all potential outcomes of UK digital policy developments after leaving the European Union.

Matthew Rice, Open Rights Group Scotland Director, said:

“If we lose rights to free expression and privacy, the online world will begin to look a lot more like Futurebook - creepy, annoying and bland. Futurebook is a nightmare that Open Rights Group is determined to fight against.”


Notes to editors:

Futurebook is freely accessible at

The United Kingdom is due to leave the European Union on 31 October.

Both candidates in the Conservative Party leadership contest have stated they will renegotiate the current Withdrawal Agreement creating uncertainty regarding the status of fundamental rights

Open Rights Group policy briefings on Brexit and fundamental rights are available here:

Report: Privacy and Brexit

Report: Freedom of Expression and Brexit

The E-Commerce Directive 2000 prevents EU Member States from imposing liability on platforms such as Twitter and Facebook for content posted thereon. The EU Open Internet Regulation 2015 enshrines the principle of net neutrality: that internet traffic shall be treated without discrimination, blocking, throttling or priorisation. The EU General Data Protection Regulation and EU Privacy and Electronic Communications Regulation set the rules for the way companies and services can market to individuals and track people online.
ORGCon organised by Open Rights Group, the largest digital rights event in the United Kingdom will be taking place on Saturday 13 July 2019, with keynote speaker Edward Snowden. Tickets are available here

[Read more]

Online Harms White Paper - “Duty of care not the right approach” experts agree

The government needs to convene a comprehensive meeting with all relevant stakeholders to map a way forward on its Internet regulation plans, says a leading group of experts in an open letter to the Secretary of State for Digital, Culture, Media and Sport (DCMS).

This call, made jointly by the Oxford Internet Institute (part of the University of Oxford), Open Rights Group, The Coalition for a Digital Economy (Coadec), Global Partners Digital and Index on Censorship, responds to the government's Online Harms White Paper.

It follows the findings of a multi-stakeholder workshop convened in June 2019 by these organisations, at which participants unanimously agreed that whilst a systematic approach is needed to dealing with problematic content online, a “duty of care” is not the right approach. 

Many participants noted that the concept of duty of care does not translate well from the offline to the online context, and as such it provides little clarity as to what duties can and should be expected of companies within scope of the OHWP.

Amy Shepherd, Open Rights Group’s Legal and Policy Officer, said:

“The government’s proposals are underpinned by the notion of a “duty of care” but they’ve never actually asked stakeholders if this is the right approach. The complete lack of support for the duty of care at our workshop suggests that a fundamental rethink and more extensive consultation are needed if this policy is going to succeed. 

Prof. Victoria Nash, Deputy Director at the Oxford Internet Institute, added:

“The government needs to take a more collaborative approach to policy formation and delivery, by actively engaging all key stakeholders together.”

Organisations represented at the workshop included human rights NGOs, social media platforms, telecoms and media companies, news media, industry associations, parenting and child rights organisations, academia, think tanks, government departments and independent regulators. The aim was to bring together representatives from all the relevant sectors, discuss differences of opinion in relation to the government’s regulatory proposals and find areas of consensus.

Notes to editors:

A full record of the workshop is available online at:

The text of the open letter is available at:,-culture,-media-and-sport

The government’s open consultation on the Online Harms White Paper closes today.


[Read more]

NEWS RELEASE Complainants call on ICO to take action against adtech sector

The ICO has responded to a complaint brought by Jim Killock and Dr Michael Veale in Europe’s €12 billion real-time bidding adtech industry. Killock and Veale are now calling on the ICO to take action against companies that are processing data unlawfully.

The ICO has agreed in substance with the complainants’ points about the insecurity of adtech data sharing. In particular, the ICO states that:

“Processing of non-special category data is taking place unlawfully at the point of collection”

“[The ICO has] little confidence that the risks associated with RTB have been fully assessed and mitigated”

“Individuals have no guarantees about the security of their personal data within the ecosystem”

However the ICO is proceeding very cautiously and slowly, and not insisting on immediate changes, despite the massive scale of the data breach.

Jim Killock said:

“The ICO’s conclusions are strong and very welcome but we are worried about the slow pace of action and investigation. The ICO has confirmed massive illegality on behalf of the adtech industry. They should be insisting on remedies and fast.”

Dr Michael Veale said:

“The ICO has clearly indicated that the sector operates outside the law, and that there is no evidence the industry will correct itself voluntarily. As long as it remains doing so, it undermines the operation and the credibility of the GDPR in all other sectors. Action, not words, will make a difference—and the ICO needs to act now.”

Ravi Naik, solicitor for the complaints and for Dr Johnny Ryan’s simultaneous complaint before the Irish DPC, said:

“Between the ICO’s report and the actions of the DPC, there can no longer be any question; AdTech cannot comply with the GDPR. We welcome the ICO’s findings and look forward to the Commissioner taking concrete steps to prevent further violations of individual rights. It is time for action.”

For more information and interviews, contact, 07749 785 932.

Notes to Editors

The ICO Report is available here:

The ICO concludes:

Overall, in the ICO’s view the adtech industry appears immature in its understanding of data protection requirements. Whilst the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB:

  • Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology (rather than obtaining the consent PECR requires).
  • Any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies). In general, processing such data requires more protection as it brings an increased potential for harm to individuals.
  • Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.
  • There appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law more broadly (and specifically as regards the ICO’s Article 35(4) list). We therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated.
  • Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.
  • The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals’ knowledge.
  • Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.
  • There are similar inconsistencies about the application of data minimisation and retention controls.
  • Individuals have no guarantees about the security of their personal data within the ecosystem.

FixAdTech campaign website includes the complaints and details of other complaints made across the EU.

The complaints are being made by Dr Gemma Galdon Clavell (Eticas Foundation) and Diego Fanjul (Finch), David Korteweg (Bits of Freedom), Dr Jef Ausloos (University of Amsterdam), Pierre Dewitte (University of Leuven), Jose Belo (Exigo Luxembourg), Katarzyna Szymielewicz, President of the Panoptykon Foundation, Jim Killock, Executive Director of the Open Rights Group, Dr Michael Veale of University College London, and Dr Johnny Ryan of Brave, the private web browser. The complainants in Ireland and in the UK have instructed Ravi Naik, Partner at ITN Solicitors.

[Read more]

NEWS RELEASE Age Verification delay is an opportunity to fix privacy in porn block

The Open Rights Group has responded to reports that government plans to force online porn companies to verify the age of users have been delayed again. According to reports by Sky journalists, DCMS had failed to notify the European Commission about the measures in the Digital Economy Act.

Executive Director Jim Killock said:

“While it’s very embarrassing to delay age verification for the third time, this is an opportunity for the Government to address the many problems that this ill-thought through policy poses.

“Age verification providers have warned that they are not ready; the BBFC’s standard to protect data has been shown to be ineffective.

“The Government needs to use this delay to introduce legislation that will ensure the privacy and security of online users is protected.”

Last week, Open Rights Group published a report into the BBFC’s Age-verification Certificate Standard, which outlines measures for AV providers to demonstrate that they will keep users’ data safe. ORG’s report shows that the Scheme provides little assurance to the 20 million adults that are estimated to watch porn in the UK. You can read the key criticisms of the report here:,-misleading-and-potentially-dangerous

Since the report, one Age Verification provider, the 18+ App has declined to the use the scheme so that they can monetise their product through what they call “digital wallets".

For more information, contact Pam Cowburn, 07749 785 932,

[Read more]

ORG report: BBFC age verification standard is pointless, misleading and potentially dangerous

  • From July 15, people in the UK are expected to prove they are 18 if they want to watch porn online.
  • Open Rights Group report warns that voluntary BBFC Age-verification Certificate Standard gives consumers little privacy protection as it is vague, imprecise and largely a ‘tick box’ exercise.
  • ORG believes consumers do not know enough about age verification scheme to make informed and safe choices.
  • ORG's report is available here:

Just one month until age verification for online pornography is launched in the UK, the Open Rights Group has warned that the Government is failing to protect the privacy and security of adults who watch pornography online.

Open Rights Group has analysed the BBFC’s Age-verification Certificate Standard, which outlines measures for AV providers to demonstrate that they will keep users’ data safe. ORG’s report shows that the Scheme provides little assurance to the 20 million adults that are estimated to watch porn in the UK.

Executive Director Jim Killock said:

“On July 15, millions of Internet users in the UK will have to make a decision about which age verification providers they trust with data about their personal pornography habits and preferences.

“Due to the sensitive nature of age verification data, there needs to be a higher standard of protection than the baseline which is offered by data protection legislation.

“The BBFC’s standard is supposed to deliver this. However, it is a voluntary standard, which offers little information about the level of data protection being offered and provides no means of redress if companies fail to live up to it. Its requirements are vague and a ‘tick box’ exercise. This renders it pointless, misleading and potentially dangerous as advice to consumers seeking safe products.”

ORG’s key criticisms of the BBFC standard:

  • The Standard is voluntary, which means that age verification providers are under no obligation to apply it. 
  • There are no penalties for AV providers who sign up to the standard and then fail to meet its requirements. 
  • The Standard is very broadly drafted and there are not enough specific rules for providers to follow. Instead, providers must state they have considered problems and choose their own way to deal with them.
  • Those providers that meet the Standard will have an identifier mark. However, because of the vague criteria and wording within the standard, consumers will have little idea about the level of data protection being applied. 
  • Age verification providers have not been given enough time to apply the Standard, which was only published in April.

Privacy timebomb
Porn companies will have to apply age verification to UK users from July 15, 2019. As far as Open Rights Group is aware, there has been no government advertising to make the millions of UK porn users aware that the law has changed and there appears to be very little public awareness of the scheme.

A YouGov poll from March 2019 showed that 74% of the British public are unaware of that age verification is being introduced.

Killock added:
“Age verification will affect millions of people in the UK, yet the Government has done little to advertise this change, nor offered advice to consumers about what they need to do to keep their sensitive data safe.

“A DCMS impact assessment outlined that this scheme could put UK citizens at risk of fraud and blackmail, which could have a devastating impact on individuals. We urge the Government to delay age verification until there are proper mechanisms in place to protect privacy."

Protecting under 18s
The requirement to verify the age of porn users aims to prevent under 18s from accessing pornographic content. However, it only applies to companies that provide pornographic content on a commercial basis. This means that young people will still be able to access pornography on free sites, through file sharing or on social media platforms, such as Twitter. A DCMS impact assessment of the scheme stated that it created, “a risk that both adults and children may be pushed towards ToR where they could be exposed to illegal activities and more extreme material."

For more information, please contact, 07749 785 932.

Notes to Editors
The BBFC’s Age verification standard was published on April 2019:
ORG's analysis of the standard is here:

[Read more]

Amazon enforcement action forces ink cartridge sellers to close

Patent-trolling techniques deployed by printer manufacturing giant Epson have escalated in severity this week with small ink cartridge resellers being informed that due to excessive numbers of takedown notices, their Amazon marketplace accounts have been indefinitely suspended. Resultant loss of sales is expected to lead to business closures.

Epson has long used online platform content removal procedures as a form of privatised patent enforcement. Strict application of notice-and-takedown policies allows Epson to hide behind Amazon and rely on the pure existence of its patent to silence competition. Affected resellers have no opportunity to challenge the removal of their marketplace listings or assert their right to post content. This damages online free speech and unfairly restricts independent small business activity.

Other manufacturers such as Canon have behaved similarly in this market. Affected small businesses have in some cases been forced to lay off employees or close entirely.

Open Rights Group (ORG) calls on Amazon to reinstate and protect these seller accounts. Amy Shepherd, Legal and Policy Officer, said:

“Clumsy takedowns at Amazon are damaging British businesses. Amazon’s decision to suspend seller accounts is disappointing, as it takes Epson’s word that British cartridge resellers are at fault. Epson is using patents to bully small businesses, but if it really believes the patents stand up it should instead take the import companies to court.”

Adrian Meakin, Director of The Ink Squid Ltd, said:

“After 10 years in business we, along with many other long-established sellers, are being forced out of the compatible ink cartridge market by Epson’s actions. Consumers want the option to use third-party cartridges and this freedom of choice is now being taken away.”



Amy Shepherd
Legal and Policy Officer at Open Rights Group

Adrian Meakin
Director of The Ink Squid Ltd.


Note to editors:

Further information from Open Rights Group on this issue is available at

[Read more]

Regulating Online Political Advertising Needs Data Use Transparency

Electoral Commission Director of Regulation Louise Edwards called for new laws requiring online adverts to show clearly who has paid for them.

Pascal Crowe, Data and Democracy Project Officer at Open Rights Group responded saying:

“Effectively regulating online political advertising needs to go beyond campaign spending and require greater transparency over parties’ use of personal data. The Information Commissioner’s Office must be involved.

“Transparency is critical. Political actors using online advertising need to be forced to report with more specificity on their sources of personal data and how their targeting works."


Open Rights Group media enquiries: 0207 0961079




[Read more]