There are big changes afoot in data protection law. The EU General Data Protection Regulations (GDPR) is scheduled to come into force in May 2018. At the time of writing the Data Protection Bill has just been through the committee stage in the House of Commons.
The Data Protection Bill is intended to keep the UK in line with the GDPR but buried in a schedule to the Bill is a provision to exclude migrants from the protection of data protection and privacy measures.
The GDPR allows Member States a margin of appreciation within which to adapt it to national circumstances and the Government has taken full advantage of this margin of appreciation. Through the derogation provision in article 23(1) of the GDPR, the Government has introduced a new exemption to data protection which would remove the fundamental right for individuals to access their personal data when it would prejudice “effective immigration controls” or “the investigation or detention of activities that would undermine the maintenance of effective immigration control.”
This exemption will significantly impact the data protection rights of migrants in the UK.
Under the proposed immigration exemption any agency, including private companies like Serco, handling data for immigration purposes will no longer be required to protect an individual’s personal information. There are concerns that the exemption will make it easier for Government departments to share migrants’ data with other departments or private companies without consent. Migrants will lose their right to know what information these bodies have on them and will be prevented from erasing or objecting to that information, even though as we will see, the State in the past has made substantial errors with people’s data.
A major concern with the exemption is the impact on the right of ‘subject access’ to an individual’s data under s7 Data Protection Act 1998. Our public law team frequently undertakes challenges against local authorities over support to migrant families and we often need to apply careful scrutiny to the data the Council holds regarding our clients. Similarly, our firm undertakes civil claims against the State and in a situation, for example challenging an unlawful detention in an immigration setting, detailed review of the Home Office files is often needed.
The bill provision also carries serious risks for access to justice and accountability.
It is not unheard of for the Government to play fast and loose with the data rights of migrants in the UK. In 2016, in the case of TLT & Ors v (1) Secretary of State for the Home Department (2) The Home Office  EWHC 2217 (QB), the Home Office was ordered to pay damages ranging from £2,500 to £12,500 to individuals named in a spreadsheet listing families returned to their country of origin. The Home Office erroneously posted an unredacted version of this sensitive document online.
It is highly likely that the exemption is unlawful. The immigration exemption creates a discriminatory two‐tier system for data protection rights. The exemption is not only incompatible with the GDPR but also with EU law and the European Convention on Human Rights.
Politically the exemption is unworkable. If the Data Protection Bill is implemented as it stands, it is highly likely that it will fall short of meeting EU data protection requirements and could therefore prevent free exchange of data between the UK and EU states. The EU has already struck down the Safe Harbour data arrangements between the UK and the US and it would be highly probable that they would do the same in relation to them and the UK.
Many migrants in the UK rely on data protection legislation to enforce and vindicate their fundamental rights. It is essential that the Data Protection Bill does not erode those rights.