The UK’s Immigration Exemption in the Data Protection Act 2018 and data adequacy

A submission to the European Commission and the European Data Protection Board on the operation of the UK’s Immigration Exemption in the Data Protection Act 2018 and its effect on standards of data protection in the United Kingdom

This submission to the European Commission and European Data Protection Board seeks to assist your respective duties in relation to the assessment of the United Kingdom to determine whether it provides adequate protection under Article 45 of the General Data Protection Regulation.


The focus of this submission will be on the United Kingdom’s operation of exemptions in the Data Protection Act 2018, specifically Schedule 2 Part 1 Para 4, which disapplies certain GDPR provisions for the purposes of “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of effective immigration control” (the Immigration Exemption).

This submission is made by the Open Rights Group, a not for profit organisation operating in the United Kingdom that works to ensure the right to privacy in the United Kingdom is respected, protected, and fulfilled. We have been closely involved in the debate over the Immigration Exemption since its inclusion in the Data Protection Bill, including a currently ongoing judicial review against the exemption in the Data Protection Act 2018 with the3million, the largest campaign organisation for EU citizens in the UK.

We write to provide you with a summary of the operation of the exemption in the United Kingdom, including a recent freedom of information request from the Home Office that reveals that in 2020, the exemption had been exercised by the Home Office in 70% of requests for personal data received.

The UK’s immigration system needs proper accountability. It has been shown to regularly produce errors from poor data quality leading to actions taken against people legitimately living in the UK, through to data sharing between institutions that are found to break the law. This system now applies to EU citizens, and EU nationals that have settled in the UK even those who have lived here for many years. This is a system that undertakes large scale data processing of a highly sensitive nature, deciding people’s right to remain in a country. The Immigration Exemption could have a direct effect on the decisions made, their quality, and their legitimacy. Its scope is so broad, and safeguards so piecemeal, that it reduces the level of data protection in the United Kingdom below what is required for essential equivalence. It must be amended before adequacy can be granted to the United Kingdom.

This submission’s focus is on the operation of the immigration exemption. It should not be interpreted as an endorsement of areas not mentioned, such as national security laws, international commitments arising from legally binding conventions, or the existence and effective function of independent supervisory authorities in the United Kingdom.

Executive Summary

The paper begins with a chronology of the Immigration Exemption and how it came to enter UK law, summarising the debates when it was part of the Data Protection Bill. It then moves on to discuss the construction of the Exemption and the data subject rights it sets aside.

We then turn to the information available on the practical application of the Immigration Exemption that has been revealed by Open Rights Group through litigation and research. The most pertinent information we have is that the Immigration Exemption has been applied in over 70% of subject access requests to the Home Office between January 2020 and December 2020. However, there is no recorded information on the number of appeals made against the application of the Exemption, and the number of appeals made to the Information Commissioner’s Office against the use of the exemption by the Home Office between 2018 and 2020 was minuscule (3) in comparison to the number of requests made (close to 20,000 in 2020). There is clearly something amiss in the monitoring and compliance of this Exemption, whether that be notification of its operation, or the safeguards of the Bill. We ask the Commission and the Board to carefully consider what these numbers relating to its application mean for standards of data protection, and the practice of compliance in the United Kingdom.

This briefing then sets out the principles making up an adequacy assessment, with a particular focus on principles relevant to the Exemption. We then assess the Exemption, and the information on its application, against the principles of note in an adequacy assessment. We conclude that there are particular concerns about the Exemption’s effect on rights, standards of compliance, accountability, and appropriate redress mechanisms. We ask for the Commission and the Board to seek removal of the Exemption or to ensure reforms so that the Exemption and its use do not breach the standards expected of a third country. Failing that, the Commission must withhold approval of the United Kingdom’s status.

We briefly touch on the concerns raised by European institutions regarding the Exemption throughout the existence of the Exemption, from 2017 through to recent comments in 2021.

We then turn to assess the United Kingdom’s Explanatory Framework for Adequacy Discussions, specifically Section E3 that provides an explanation for the Immigration Exemption’s operation and its safeguards. We conclude that some of the statements made by the United Kingdom in seeking to explain how the Exemption is applied are misleading given the facts available. We in turn make comment on the Commission’s Draft Adequacy Framework decision.

We finally conclude the paper seeking to ensure that the Commission and the Board call on the UK Government to remove the Immigration Exemption from data protection law, or reform the Immigration Exemption to bring it into line with necessary standards for adequacy. Action must be taken before a final decision is taken on the adequacy of the United Kingdom with regards to the protection of personal data. If the United Kingdom fails to implement the recommendations, the Board and Commission must reserve the right to not grant adequacy at this stage.

Chronology

The Data Protection Bill was introduced into the House of Lords by the UK Government in September 2017. The Bill as introduced contained exemptions from the GDPR at Schedule 2 under Part 1 Adaptations and Restrictions Based on Articles 6(3) and 23(1). At paragraph 4 of this schedule was an exemption that would restrict applications of ‘listed GDPR provisions’ to personal data processed for the purposes of “the maintenance of effective immigration control, or the investigation or detection of activities that would undermine the maintenance of effective immigration control”. An exemption of this type had never previously been in UK law and as a result it was met with scepticism by Parliamentarians and commentators, and with concern by civil liberties groups working on digital rights and organisations representing migrants’ rights.

The Government justified the inclusion of the exemption by reference to examples, including that of a suspected overstayer receiving disclosure via a subject access request that the Government are preparing an administrative removal and would be able to evade enforcement action. This example was consistently returned to despite it being pointed out that the example clearly relates to a criminal offence, under which pre-existing and standard exemptions would have been available.

Throughout these debates the Government failed to articulate actual evidence of the problem that the proposed exemption sought to address. There were no facts about an individual absconding from immigration enforcement after a subject access request revealed a forthcoming administrative removal. In fact the most pertinent examples in the debate were the corrections that a subject access request had made for an individual’s right to remain in the United Kingdom while they were facing deportation. Other important facts given were the number of appeals allowed against Home Office immigration decisions, which over the ten years to 2015 was at a high of 250,000, and the number of errors made by the Home Office on immigration status checks, which was revealed to be 10% in a sample of 169 cases.

The Government maintained that the systems of accountability would remain available to individuals such as appeals against the exemption, including to the UK’s Data Protection Authority, to ensure that the exemption is applied fairly. This commitment from the UK Government will be an important one to recall.


The exemption was eventually amended, but only in a small way. The ‘listed provisions’ were amended and narrowed:

The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

(a) Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b) Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c) Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d) Article 17(1) and (2) (right to erasure);

(e) Article 18(1) (restriction of processing);

(f) Article 21(1) (objections to processing);

(g) Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).

(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)

The amendments meant that the immigration exemption could not be applied to the Article 16 right to rectification and the connected Article 19 notification of rectification obligation, the Article 20 right to data portability, or the Article 22 right not to be subject to a decision based solely on automated processing. An assessment later in this submission will discuss how the right to rectification could still be practically restricted and that ultimately setting aside these amendments does not make a difference on the overall status of the exemption as a source of concern for the UK’s respect for data protection principles. This construction of the exemption was eventually passed and became law on 23 May 2018.

Construction of the exemption

The Immigration Exemption is included in paragraph 4 of Part 1 of Schedule 2 of the 2018 Act. In full it provides:

“(1) The GDPR provisions listed in sub-paragraph (2) do not apply to personal data processed for any of the following purposes—
(a) the maintenance of effective immigration control, or
(b) the investigation or detection of activities that would undermine the maintenance of effective immigration control,
to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).
(2) The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—
(a) Article 13(1) to (3) (personal data collected from data subject: information to be provided);
(b) Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);
(c) Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
(d) Article 17(1) and (2) (right to erasure);
(e) Article 18(1) (restriction of processing);
(f) Article 21(1) (objections to processing);
(g) Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).
(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)
(3) Sub-paragraph (4) applies where
(a) personal data is processed by a person (’Controller 1’), and
(b) another person (‘Controller 2’) obtains the data from Controller 1 for any of the purposes mentioned in sub-paragraph (1)(a) and (b) and processes it for any of those purposes.
(4) Controller 1 is exempt from the obligations in the following provisions of the GDPR—
(a) Article 13(1) to (3) (personal data collected from data subject: information to be provided),
(b) Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),
(c) Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and
(d) Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c), to the same extent that Controller 2 is exempt from those obligations by virtue of sub-paragraph (1).”

There is no definition of ‘effective immigration control’ in the Data Protection Act 2018. This issue was raised during the Bill debates and the Government contended that the phrase ‘effective immigration control’ was adopted as a “wraparound term” to avoid the need for amendment and updating. Thus, the Immigration Exemption was deliberately open-ended. Rather than seek to justify and evidence the need for a wide Exemption as enacted, the Government only attempted to identify the “sorts of situations” in which the Immigration Exemption may apply.

The “prejudice test” does not consider whether it is strictly necessary and proportionate for that prejudice to be treated as overriding the rights and interests of the individual on the facts of the particular case. No further public guidance is provided by the Government for how this test should be applied. This is important to note given that the Immigration Exemption is available to all data controllers.

The restrictions are in practice far reaching, including capturing the rights the Government had said are not covered by the Exemption. We find it hard to understand how an individual would be able to exercise their right to rectification if their core right of access to their personal data is restricted: you must first be able to see that there is an error in your personal data before you can correct that error. Also, the right to data portability is not of significance in an immigration context.

Immigration enforcement in the United Kingdom

As a consequence of UK Government policies, including the hostile environment policy, the immigration system involves an array of actors. The Government has enacted measures which, for example, limit access to work, housing, healthcare, and bank accounts and revoke driving licenses in an effort to make. To achieve this policy, immigration enforcement reaches into various aspects of everyday life and includes data controllers from public bodies through to the private sector. These powers and operations are regularly found to be of poor standard, with high levels of mistakes occurring. The system needs accountability and strong safeguards to ensure a fair and accountable process. The Immigration Exemption removes key modes of accountability at a time when it is needed the most.

An inspection by the Independent Chief Inspector of Borders and Immigration of data provided by the Home Office to banks found that 10% of the 169 cases inspected had incorrectly been included on the list of ‘disqualified persons’. The Chief Inspector raised concerns that “the Home Office did not appear to appreciate the seriousness of such errors for the individuals affected, and its proposed avenue of redress for individuals who had left the UK with valid leave outstanding, and had subsequently had their licence revoked, was inadequate.”

In January 2018, the House of Commons Home Affairs Committee report explained that, “In addition to Government-led activity, employers, landlords and others providing a service to migrants are increasingly expected to help enforce immigration rules.” That same report identified the scale of errors and delays in the immigration system. It recorded that the Home Office has the highest uphold rate in relation to complaints made to the Parliamentary and Health Service Ombudsman. In the second quarter of 2017, 47% of the 14,170 determined appeals against Home Office immigration decisions were successful. The Committee made clear that:

“…mistakes particularly those based on inaccurate data, are highly unlikely ever to be eradicated completely. However, the impact of errors can be deeply damaging and traumatic for individuals… The Home Office needs to do much more to reduce errors and to speed up accurate decision-making.”

The report also touched upon the mistaken practice of the UK Government in 2017 of sending deportation letters to EU nationals. In 2017 up to 100 EU nationals, some of whom had been resident in the UK for a decade, received letters informing them that if they did not leave the country, the Home Office would give “directions for [her] removal”, adding that they were “liable to be detained under the Immigration Act”. The Government apologised for this “unfortunate error” but the fact remains that serious failings in the Home Office occur.

The UK Government often involves other actors in the delivery of its immigration policy. This includes private contractors that operate detention sites, public bodies, such as through the data sharing between the Home Office and the National Health Service and between the Home Office and schools, or even private individuals such as landlords, through a legal obligation that their proposed tenants have a right to live in the country. adopts data sharing provisions.

Immigration enforcement is a sprawling system of hostile policies, data sharing and enforcement actions that reaches into the everyday life of people living in the United Kingdom. It is this system that millions of EU citizens have recently become subject to. It is a system that is fallible, and often found failing on the quality of data that it collects, and the subsequent use of that data. It is from this system that the Immigration Exemption removes transparency, accountability and key rights-based safeguards.

Application of the exemption in practice

Open Rights Group and the3million challenged the Government’s inclusion of the Immigration Exemption through a judicial review initiated in March 2018. During the case the Government disclosed two important facts:

  • The exemption had been applied in 60% of all subject access requests made to the Home Office.
  • Up until the court case the Government were not informing individuals that the exemption was being applied.

These two facts speak directly to the Government’s rebuttals to concerns: that the exemption would only be applied in exceptional circumstances, and that the forms of accountability will be available to data subjects. We fail to understand how an application rate this high corresponds to a narrow exemption, applied in exceptional circumstances, when it is applied more often than not. Further, the fact that the Government had failed to notify individuals that the exemption was engaged removed the ability to exercise any of the accountability mechanisms that are a necessary part of an adequate data protection framework.

On 6 May 2020 the Information Commissioner’s Office responded to a freedom of information request from Open Rights Group regarding the number of complaints the Information Commissioner’s Office had received challenging a data controller’s use of the Immigration Exemption, and the category of that controller. The Information Commissioner’s Office was only in a position to provide statistics relating to complaints made against the Home Office. It was revealed that since 25 May 2018 only 3 complaints were received about the Home Office’s use of the Immigration Exemption.

At the end of 2020 a further request for information was made to the Home Office to understand the application of the Immigration Exemption between 1 January 2020 and December 2020, and also whether the accountability mechanisms are operating in a fair and transparent manner. Two key developments were given in that response:

  • The Immigration Exemption had been used in 72.6% of Subject Access Requests between 1 January 2020 and December 2020.
  • The Home Office holds no information on the number of appeals against the exemption’s operation.

These developments continue to concern us. The rate of application is the highest that has ever been seen since the introduction of the Data Protection Act 2018 and it remains unclear whether the accountability mechanisms that the Government relied on as justification for the Exemption are being adequately administered or monitored. There was no clear answer given to the question regarding notification given to individuals that the exemption was being exercised.

A series of freedom of information requests to public bodies in the United Kingdom revealed that the exemption had been used by another data controller, the Glasgow social work department. Although the specific information was not recorded in a way that could be accurately responded to, it was confirmed anecdotally that the exemption had been used “less than 5 times”. Although the specific facts were unavailable to us, it does point to the scenario in which a data controller, beyond one involved immediately with immigration enforcement, could rely on this exemption.

Principles for an adequacy assessment

Article 45(2) of the General Data Protection Regulation sets out the main matters that the Commission must take into account in its assessment of the adequacy of the law in a third country:

When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

The Working Party 29 expanded on the requirements for an adequacy decision in its “Adequacy Referential”, the final version of which was adopted in November 2017 and endorsed by the European Data Protection Board. On the concept of adequacy, it states:

“data protection rules are only effective if they are enforceable and followed in practice. It is therefore necessary to consider not only the content of the rules applicable to personal data transferred to a third country…but also the system in place to ensure the effectiveness of such rules.”

This document makes clear that it is not just the rules as they are written that matter, but also the practice of compliance with those rules, the consistency of their application by data controllers, and the procedures for accountability.

The Referential sets out that a third country’s systems must contain basic content and procedural/enforcement data protection principles and mechanisms, including (emphasis added):

The right of access, rectification, erasure and objection

The data subject should have the right to obtain confirmation about whether or not data processing concerning him / her is taking place as well as access his/her data, including obtaining a copy of all data relating to him/her that are processed

The data subject should have the right to obtain rectification of his/her data as appropriate, for specified reasons, for example, where they are shown to be inaccurate or incomplete and erasure of his/her personal data when for example their processing is no longer necessary or unlawful.

The data subject should also have the right to object on compelling legitimate grounds relating to his/her particular situation, at any time, to the processing of his/her data under specific conditions established in the third country legal framework. In the GDPR, for example, such conditions include when the processing is necessary for the performance of a task carried out in the public interest or when it is necessary for the exercise of official authority vested in the controller or when the processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party.

The exercise of those rights should not be excessively cumbersome for the data subject. Possible restrictions to these rights could exist for example to safeguard criminal investigations, national security, judicial independence and judicial proceedings or other important objectives of general public interest as is the case with Article 23 of the GDPR.

The data protection system must ensure a good level of compliance

A third country system should ensure a high degree of accountability and of awareness among data controllers and those processing personal data on their behalf of their obligations, tasks and responsibilities, and among data subjects of their rights and the means of exercising them. The existence of effective and dissuasive sanctions can play an important role in ensuring respect for rules, as of course can systems of direct verification by authorities, auditors, or independent data protection officials.

Accountability

A third country data protection framework should oblige data controllers and/or those processing personal data on their behalf to comply with it and to be able to demonstrate such compliance in particular to the competent supervisory authority. Such measures may include for example data protection impact assessments, the keeping of records or log files of data processing activities for an appropriate period of time, the designation of a data protection officer or data protection by design and by default.

The data protection system must provide support and help to individual subjects in the exercise of their rights and appropriate redress mechanisms.

The individual should be able to pursue legal remedies to enforce his/her rights rapidly and effectively, and without prohibitive cost, as well as to ensure compliance. To do so there must be in place supervision mechanisms allowing for independent investigation of complaints and enabling any infringements of the right to data protection and respect for private life to be identified and punished in practice. Where rules are not complied with, the data subject should be provided as well with effective administrative and judicial redress, including for compensation for damages as a result of the unlawful processing of his/her personal data. This is a key element which must involve a system of independent adjudication or arbitration which allows compensation to be paid and sanctions imposed where appropriate.

It is important to also include in this assessment the requirement of Article 23 of the General Data Protection Regulation, which allows for the restriction by legislative measure of the scope of obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5. In particular it is vital to highlight that these restrictions are permissible when they “respect the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society”. Article 23(2) sets out the specific provisions that such a restriction will contain, where relevant, as to (emphasis added):

(a) the purposes of the processing or categories of processing;
(b) the categories of personal data;
(c) the scope of the restrictions introduced;
(d) the safeguards to prevent abuse or unlawful access or transfer;
(e) the specification of the controller or categories of controllers;
(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
(g) the risks to the rights and freedoms of data subjects; and
(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

The accompanying recitals should also be considered relevant, including recital 41 which sets out that references to a legal basis or legislative measure do not “necessarily require a legislative act adopted by Parliament” but it is clear that “such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union and the European Court of Human Rights”. Recital 73 also sets out that restrictions under Article 23 “should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.”

In referring back to the need to “respect the essence of fundamental rights and freedoms” we consider it also necessary to include rights contained in the Charter of Fundamental Rights, in particular Article 8, the right to the protection of personal data which grants everyone the right to protection of personal data concerning him or her, and requires that:

“Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”

We will now turn to analyse the Immigration Exemption against these various principles, considering both the Exemption as it is written and the information relating to its practice that we have identified.

Guidelines 10/2020 on restrictions under Article 23 GDPR

On 15 December 2020, the EDPB adopted Guidelines on restrictions under Article 23 GDPR. These Guidelines seek to provide the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights once the restriction is lifted and the consequences for infringements of Article 23 GDPR.

Given these Guidelines were drafted by the European Data Protection Board to which this submission is addressed, we will not spend a significant amount of time setting out these areas. However, we do seek to highlight prior to the analysis section a few key areas, including section 3.5 setting out the requirements of the “Necessity and proportionality test”, in particular that the relevant standard for derogations and limitations is “strict necessity”, and that the measure should be “supported by evidence describing the problem to be addressed by that measure, how it will be addressed by it, and why existing or less intrusive measures cannot sufficiently address it”.

Separately we also draw attention to the Guidelines explanation that Article 23(2)(a) and reflecting Recital 8 GDPR that the reason for the restriction should be comprehensible to persons to whom it applies, involving a “clear understanding of how and when the restriction may apply”. Finally, the Guidelines explanation of the accountability principle and the requirement that the controller “document the application of restrictions on concrete cases by keeping a record of their application.”

Analysis against the principles

Respect for rights of access, rectification, etc.

The exemption restricts rights under Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers) including setting aside Article 5 (general principles) so far as its provisions correspond to those rights if their exercise would prejudice effective immigration control. The right of access and rectification is a core right mentioned explicitly in Article 8 of the Charter of Fundamental Rights. The right of access is of great importance as the gateway to being able to exercise other rights provided to data subjects. For example, see the case of YS v Minister voor Immigratie (EU:C:2014:2018) [2015] WLR 409 at para. 44, referring to the previous Directive:

“As regards those rights of the data subject, referred to in Directive 95/46, it must be noted that the protection of the fundamental right to respect for private life means, inter alia, that that person may be certain that the personal data concerning him are correct and that they are processed in a lawful manner. As is apparent from recital 41 in the preamble to that directive, it is in order to carry out the necessary checks that the data subject has, under Article 12(a) of the directive, a right of access to the data relating to him which are being processed. That right of access is necessary, inter alia, to enable the data subject to obtain, depending on the circumstances, the rectification, erasure or blocking of his data by the controller and consequently to exercise the right set out in Article 12(b) of that directive.”

By restricting the right of access, the exemption is restricting the right to rectification, one that it explicitly seeks to allow. There is no clear way that an individual, making a request for their personal data that has the Exemption applied, would be able to exercise their right to rectification for inaccurate data that they cannot see. For this reason we remain concerned that the Exemption sets aside more rights than it intends to and breaches the essence of fundamental rights and key principles found in the Adequacy Referential of the right of access, rectification, erasure and objection.

Further, where those restrictions do apply, they may also restrict general principles of data protection such as lawfulness, fairness and transparency. Considering the Exemption has been applied to over 70% of subject access requests made to the Home Office in 2020 we believe that core content principles are at a high risk of failing to be respected and encourage the Commission and European Data Protection Board to seek to understand how these rights and principles are being respected in practice.

Scope of Article 23

Article 23 of the General Data Protection Regulation allows Member States to restrict the scope of obligations and rights through a legislative measure “when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society”. We struggle to see how the Immigration Exemption respects the essence of the fundamental rights: the restriction on access cascades down to other rights like rectification, rendering it a blunt instrument in its operation.

Necessity and proportionality

The Immigration Exemption is a derogation from the rights provided in Chapter III of the GDPR. The consistent jurisprudence of the Court of Justice of the European Union requires a derogation to be justified by reference to the standard of “strict necessity”. As the CJEU explained in Digital Rights Ireland, “in view of the important role played by the protection of personal data in the light of the fundamental right to respect for private life and the extent and seriousness of the interference with that right caused by Directive 2006/24, the EU legislature’s discretion is reduced, with the result that review of that discretion should be strict.”

This standard was reinforced by the CJEU in Opinion 1/15 that “as regards the observance of the principle of proportionality, the protection of the fundamental right to respect for private life at EU level requires… that derogations from and limitations on the protection of personal data should apply only in so far as is strictly necessary”.

The standard of strict necessity, as the European Data Protection Board’s Guidelines set out, requires that the restriction be “supported by evidence” of its necessity. Throughout the debate on the Immigration Exemption the UK Government was pressed to provide evidence for the concerns it laid out, including tipping off over-stayers of impending enforcement action, detection of sham marriages, or avoiding the wholesale deletion of immigration history. The Government failed to come forward with any evidence that the scenarios it described were occurring in the United Kingdom at all, let alone often enough to require a broad, widely drawn exemption of the type the Immigration Exemption provides.

Article 23(2) lays out a series of requirements for legislative measures restricting rights that the construction of the Immigration Exemption fails to meet:

(a) the purposes of the processing … and … (d) specification of controllers

“Immigration control” is not defined in the Data Protection Act 2018, nor does it have any clear definition in UK law. This was a deliberate choice by the Government to create a “wraparound” term to avoid the need for amendment and updating. As a result, only vague descriptions are given of the “sorts of situations” in which the Exemption can be relied upon. Considering that the Exemption is open to any and all controllers and rests on a wraparound term without any specific definition, we are concerned that the Exemption is so wide-ranging in practice that it does not give sufficient clarity as to the purposes of the processing.

In other Restrictions in Schedule 2 the UK Government introduced categories and functions that create clearer prescriptions on the types of processing to which the Restrictions apply. For example, Schedule 2 Paragraph 7 on Functions designed to protect the public has a limited range of functions listed in a table under paragraph 7. Paragraph 8 on Audit functions limits it to certain controllers such as the Auditor offices. The Exemption fails to specify either processes or categories, creating a very wide derogation indeed.

The Guidelines on restrictions under Article 23, reflecting Recital 8 GDPR, require restrictions to be comprehensible to the individuals to whom they apply. Considering there is no definition of “immigration control” in the Data Protection Act 2018, and the Government’s clear intention not to provide any clear definition, instead relying on the “sorts of situations” in which it might apply, we consider the Immigration Exemption distinctly lacking in this area and failing to meet the standards required for an adequacy decision.

(g) the risks to the rights and freedoms of data subjects … and … (h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction

The Government deemed it necessary to provide guidance on how to use this restriction, which is a mitigation of the risks to the rights and freedoms of data subjects. However, the guidance referred to is only for the Home Office, not the wider set of all data controllers. This is a poor response to the risks to the rights and freedoms of data subjects.


Further, there is an ongoing concern about the failure to notify individuals about the restrictions in place. This connects back to the risks to the rights and freedoms of data subjects. If an individual is not informed of the restriction then they cannot challenge it to uphold their rights and freedoms.


These areas should be followed up by the Board and Commission to ensure that proper processes and compliance practices are in place. At this stage we cannot see how the exemption can operate in a way compatible with the requirements of Article 23 as the Referential requires.

Procedural and Enforcement Mechanisms

Our litigation and research have shown that the procedural and enforcement mechanisms accompanying the operation of the Immigration Exemption are of concern. Firstly, the Home Office admitted that individuals were not being informed of the exercise of this exemption when their subject access requests were being returned to them. Without notification there is no accountability and no opportunity to challenge the decision. While the Home Office had committed to inform individuals that the exemption was being exercised, they hold no publicly available records of the number of appeals against the exemption. It may be there are no records of appeals kept at all. This leaves us concerned that the commitment from the Home Office to inform has not been followed through.

Given the rate of application, where a subject access request to the Home Office is more likely than not to have the exemption applied to some part of it, we feel it would be reasonable to expect that a legal representative would have challenged the operation of the exemption. But the number of appeals against the exemption that the Information Commissioner’s Office had heard between May 2018 and May 2020 was 3 in total. This adds to the concern that individuals are not being notified in a transparent and meaningful way and that this is restricting individuals from pursuing remedies and enforcing their rights. Mechanisms are not in place to allow for infringements of the right to data protection to be identified and punished in practice, as required by the Adequacy Referential under Procedural Guarantees.

The failure of data controllers to keep logs of data processing activities also adds to this concern about procedural mechanisms. The Home Office is not recording appeals and is potentially not informing individuals of the exemption. Other data controllers are applying the exemption (albeit a very small number from what our research has shown) but are not recording it to assess compliance in any meaningful way. There is no clear means of understanding whether a good level of compliance is being followed when the Exemption is being engaged. This should be a concern for the standards of protection of personal data of European citizens who are now subject to the immigration controls of the United Kingdom.

Reflecting on the requirements of the accountability principle: while the Home Office made available the number of times the Exemption was applied, recording the high occurrence rate of 72%, it did not have available the number of times the Exemption was appealed. This is only a very light record of application; full adherence to the accountability principle should include an understanding of the consistency and quality of the application, evidenced by the number of appeals and whether they were upheld. Additionally, the lack of a number for appeals obscures any understanding of the transparency of the application of the Exemption. We do not know whether representatives are told about the Exemption’s application.

We call on the Commission and the Board to demand removal of the Immigration Exemption in the Data Protection Act 2018. Failing that, they must require reforms of the Exemption to bring it in line with the standards required for an adequate third country.

Concerns Expressed by European Institutions

Since its introduction into the Bill, the Exemption has attracted concern from European institutions.

In July 2018 the European Parliament Brexit Coordinator Guy Verhofstadt wrote to Sajid Javid, at the time the Home Secretary for the Home Department, raising concerns about the UK implementation of the General Data Protection Regulation, in particular the immigration exemption which “provides for the non-application of essential data protection principles and rights of data subjects to the processing of personal data carried out for immigration purposes.”

Mr. Verhofstadt went on to say:

“The wording of this exception is made in a broad and general manner that it implies de facto that the processing of personal data of non-UK citizens will not be subject to the provisions of UK Data Protection law for this matter. The European Parliament has already expressed its doubts about the compatibility of this broad and general exception with EU data protection and of the Charter. Any derogation must be applied in exceptional individual cases where it is necessary and proportionate to safeguard a genuinely[sic] objective of general interest in a democratic society. Non legally-binding reassurances of the UK authorities would not address the concerns of the European Parliament as long as this exemption remains in the Data Protection Act.”

European Parliamentarians at the time continued to speak out against the exemption, including the European Parliament’s Civil Liberties, Justice and Home Affairs Committee chair at the time, Claude Moraes.

On 7 February 2020 the European Parliament passed a resolution on the proposed mandate for a new partnership with the United Kingdom of Great Britain and Northern Ireland. In that resolution the European Parliament expressed concern regarding the “general and broad exemption from the data protection principles and data subjects rights for the processing of personal data for immigration purposes”. It went on to elaborate on those concerns: “when non-UK citizens’ data are processed under this exemption, they are not protected in the same manner as UK citizens”. The resolution expressed the view that the exemption would be in conflict with Regulation (EU) 2016/679. On 18 June 2020 the European Parliament reiterated those concerns with a further resolution providing recommendations on the negotiations for a new partnership with the United Kingdom of Great Britain and Northern Ireland.

On 5 February 2021 the Committee on Civil Liberties, Justice and Home Affairs adopted an opinion on the United Kingdom’s protection of personal data. That opinion stated that “the general and broad exemption for the processing of personal data for immigration purposes of the UK Data Protection Act….need to be amended before a valid adequacy decision can be granted.”

Civil society groups have raised concerns about the exemption with the Commission. In July 2019 a group led by the Platform on International Cooperation for Undocumented Migrants (PICUM) raised a direct complaint with the Commission that the Exemption was a measure by a country of the European Union that was against European Union law. It is unclear what progress has been made in relation to this complaint. It is important to note that there was a great deal of awareness generated by European institutions regarding the Exemption.

Response to UK’s adequacy framework explanation on the immigration exemption

The United Kingdom produced an Explanatory Framework for Adequacy Discussions in March 2020. The documents provided an overview of the UK’s legal framework underpinning data protection standards. The aim was to provide an explanation for the key legislative elements in UK data protection law, to show how the UK meets the standard of “essential equivalence”. Section E3: Schedule 2 Restrictions provided an explanation for, among other things, the Immigration Exemption.

In the introductory note explaining the exemption the Government explained the need for the exemption: “The Government must be able to restrict obligations on a case by case basis in the relatively limited number of circumstances where complying with those obligations would result in a prejudice to the maintenance of effective immigration control”.

The limitations and safeguards put forward to explain how the restriction operates so as to ensure it is necessary and proportionate include:

“There are enforcement mechanisms available under the DPA2018 and the wider UK legislative framework to deal with any ‘abuse’ of this restriction. Individuals can lodge a complaint with the Information Commissioner’s Office, or pursue action through the courts, as well as making a direct request to the data controller to review a decision
In addition, the Home Office has developed guidance for its staff on how to use this restriction. This includes guidance on the prejudice test and that the restriction should not be applied in a blanket manner, as well as the need to apply a proportionality and necessity test.”

Each of these justifications has been shown to be false or misleading. The use said to arise in “relatively limited circumstances” is in fact a lot more frequent. In 2020, 70% of subject access requests to the UK Visas and Immigration section of the Home Office had the immigration exemption applied. 19,305 subject access requests were dispatched between January 2020 and 1 December 2020, and of those 14,027 had the exemption applied. These are not “relatively limited circumstances”.

The enforcement mechanisms mentioned only operate when individuals are informed of the exemption and are capable of challenging it. The Home Office has admitted that previously they were not informing individuals of the Exemption when it was applied, and despite the commitment to do so, there is no clear evidence that they have, because they do not retain logs of such appeals. On the other hand, there is evidence that the number of appeals against this exemption is relatively low: by May 2020 the Information Commissioner’s Office had only received 3 complaints since May 2018 regarding the use of the Exemption by the Home Office.

Finally, the assurance that the “Home Office has developed guidance for its staff” only speaks to one institution when the Exemption is available to all Data Controllers, something the Government was adamant needed to be the case. We know the exemption has been used by other Data Controllers, albeit a small number. Internal Home Office guidance does not speak to the scope of the exemption or the various controllers that need to demonstrate compliance against this Exemption.

These explanations and statements from the Government in the Explanatory Framework do not paint a full picture of the Exemption’s use. In practice it is relied on by institutions operating in immigration policy more often than not; there is a potential failure in compliance standards and transparency to the data subject; and the scope of who requires guidance on the exemption is misleadingly narrow.

The European Commission and European Data Protection Board should seek clarification from the UK Government about this explanation of the Immigration Exemption against the facts now available. From this they should require removal of the exemption or spell out the reforms necessary to bring it into line with the standards required of a third country.

Comments on the Draft Adequacy Decision from the European Commission

On 19 February 2021, the European Commission produced a draft adequacy decision on the transfer of personal data to the United Kingdom. The draft adequacy decision refers to the decision in the High Court of Justice, in our judicial challenge to the Immigration Exemption from 2019. In that case, the judge, we argue, erred by concluding that the legal requirements for a lawful derogation differ depending on whether the legislation itself creates or requires interference with the data rights of individuals, or instead permits or authorises the use of an exemption. That conclusion was contrary to the CJEU’s judgment in Tele2 Sverige AB v. Post-och telestyrelsen [2017] 2 CMLR 30. Further, the judge agreed that there is “no requirement for the state to justify the enactment of the provision by evidence as being “strictly necessary””. The judge goes on to assert that the CJEU authorities relied upon by our representatives to argue that the state must justify the enactment of the provision as being “strictly necessary” are “cases where the legislation itself constituted or required an interference with individual rights… The Immigration Exemption itself involves no interference with any individual rights”. With respect to the judge, this conclusion did not accurately reflect the reasoning of the Grand Chamber in Tele2 Sverige. The Grand Chamber made clear that it was applying the same legal test to the two pieces of domestic legislation at issue. The UK legislation created a regime under which the Secretary of State could grant authorisations for communications data retention. The Court found that the legislation had to meet the test of strict necessity and include relevant safeguards because it involved a derogation from the confidentiality of communications even though a further authorisation would be required.

As a result of applying this distinction, the judge failed to apply the relevant principles laid down by Article 23 GDPR and the consistent case-law of the Grand Chamber of the CJEU. The exemption is analysed against those standards above, and the European Data Protection Board’s Guidelines are clear in their explicit requirement for a derogation to satisfy a test of “strict necessity”. We invite the Commission to reconsider its reliance on the earlier case in its draft decision and we ask the Board to apply the correct standards to the Immigration Exemption.

We find other aspects of the Commission’s draft decision wanting. In particular, it does not seek to find any evidence for the necessity of the Immigration Exemption in the first place. It accepts that the Exemption is formulated rather broadly but does not follow the Guidelines’ requirement that the derogation be supported by evidence. Nor does it ask or answer whether the reason for the restriction is comprehensible to those to whom it applies or provides a clear understanding of how and when the Immigration Exemption may apply. Given the vague pronouncements by the UK Government in the Bill debate and its stated aim of a “wraparound” term, we ask that the Commission reconsider its assessments and apply the EDPB Guideline standards instead. We trust the Board to follow its clear standards for restrictions under Article 23 GDPR.

Conclusion

The standards required for an adequacy decision by the European Commission are clear. There must be respect for basic content principles such as the right of access and rectification, supported by principles like transparency. There need to be procedural and enforcement mechanisms in place, such as a good level of compliance for the data protection system, accountability, support for data subjects in the exercise of their rights, and appropriate redress mechanisms.

In each of these areas we feel there is sufficient evidence to demonstrate that the Immigration Exemption, as it is drafted and as it operates, fails to meet these standards. The fundamental right of data protection is a cornerstone of the European Union. It cannot be set aside except in strictly necessary circumstances. As we have shown, the exemption presents an interference with that right, and the structures of accountability around it do not seem to be responding sufficiently to ensure it is done in the manner required by the standards set out in GDPR and the jurisprudence of the Court of Justice of the European Union. It needs to be removed or at the very least significantly amended to bring it into line with the necessary standards for a third country. The Commission and the European Data Protection Board should spell out explicitly what those amendments would be, with reference to the body of case law and guidance available to them.

We hope this submission proves useful in the deliberations by the Commission and the European Data Protection Board and would be happy to provide further information if necessary.