The UK GDPR provides an exemption that allows for certain individual rights to be restricted if they are likely to have a negative impact on immigration matters. The exemption can apply to; the right to be informed including the transparency principle, data subject access requests, the rights to erasure, restriction and objection to processing. As such, the application of this exemption could have far-reaching impacts on individuals such as refugees who are genuinely seeking asylum and are at risk of being returned to nations where they may encounter persecution and significant danger. This exemption applies specifically to data processing related to the maintenance of effective immigration control, or the investigation and detection of activities that could undermine effective immigration control therefore, the Secretary of State (which includes the Home Office and its agencies) is the only entity authorised to apply this exemption. Other controllers, such as employers, universities, and police, who collaborate with the Home Office on immigration matters are not eligible to use this exemption.
The exemption is defined in the Data Protection Act 2018 and was updated in 2022. These updates were made in response to the first judicial review challenge by The3million and Open Rights Group which resulted in the Government making amendments to the legislation. Such amendments included additional measures to safeguard the exemption, such as confining its application to the Secretary of State, mandating the existence of an immigration exemption policy document, and necessitating the maintenance of records and notification of individuals if the exemption is used.
Despite the amendments made to the exemption, The3million and the Open Rights Group argued that the changes were insufficient in safeguarding individuals subject to immigration laws. As a result, they pursued a second judicial review. In the claim, the UK’s data protection regulator, the Information Commissioner, participated as an Interested Party and has stated that it will “continue to provide advice to the Government as they make the adjustments set out by the court, and will update the guidance”.
The judgment deems the exemption to be unlawful; however, the High Court has suspended this declaration for a period of three months, allowing the Government time to modify the Data Protection Act 2018 to rectify its non-compliance. We wait eagerly to see the further amendments the Government make to the exemption especially given this comes at a time where “the use of the Immigration Exemption by the Home Office has been extensive” as the Judge pointed out.
The full judgment can be found here
