Following up on our piece dated 3 April 2023, which discussed the Government's attempts to safeguard the immigration exemption under the Data Protection Act 2018, recent developments indicate significant progress in addressing legal challenges surrounding this exemption.

The original exemption

The UK GDPR (which is the EU retained law for data protection) provides an exemption that allows for certain rights to be restricted if they are likely to have a negative impact on immigration matters. The exemption can apply to; the right to be informed including the transparency principle, data subject access requests, the rights to erasure, restrict and object to processing. As such, the application of this exemption could have far-reaching impacts on individuals such as refugees who are seeking to exercise their data protection rights and genuinely seeking asylum because they are at risk of being returned to nations where they may encounter persecution and significant danger. 

This exemption applies specifically to data processing related to the maintenance of effective immigration control, or the investigation and detection of activities that could undermine effective immigration control therefore, the Secretary of State (which includes the Home Office and its agencies) is the only entity authorised to apply this exemption. Other controllers, such as employers, universities, and police, who collaborate with the Home Office on immigration matters are not eligible to use this exemption. 

The judgment 

The exemption is defined in the Data Protection Act 2018 under Schedule 2 Part 1 Paragraph 4, and was updated in 2022. These updates were made in response to the first judicial review challenge by the3million and Open Rights Group which resulted in the Government making amendments to the legislation. Such amendments included additional measures to safeguard the exemption, such as confining its application to the Secretary of State, mandating the existence of an immigration exemption policy document, and necessitating the maintenance of records and notification of individuals if the exemption is used.

Despite the amendments made to the exemption, the3million and the Open Rights Group argued that the changes were insufficient in safeguarding individuals subject to immigration laws. As a result, they pursued a second judicial review. The judgment deems the exemption to be unlawful; however, the High Court has suspended this declaration for a period of three months, allowing the Government time to modify the Data Protection Act 2018 to rectify its non-compliance.

The Government’s latest attempt to rectify its non-compliance 

The draft Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (“Regulations”), laid before Parliament on 31 January 2024, marks a pivotal response to the Court of Appeal's ruling in the Open Rights Group case. 

The Regulations introduced by the Government aim to rectify the unlawful aspects of the immigration exemption, ensuring that decisions made by the Secretary of State are conducted in accordance with legal standards. Notably, these amendments reinforce the need for transparent and accountable decision-making processes.

The draft Regulations propose several key changes to the immigration exemption framework, including:

• Case-by-case decision-making: Immigration exemption decisions must now be made on a case-by-case basis, allowing for a nuanced assessment of individual circumstances.
• Consideration of all relevant circumstances: Decision-makers are required to consider all relevant circumstances of the case, particularly focusing on the potential vulnerabilities of data subjects, such as refugees and asylum seekers.
• Explicit consideration of data subject rights: The amendments explicitly require decision-makers to consider the rights and freedoms of data subjects under various legal frameworks, including the European Convention on Human Rights and international conventions such as the Refugee Convention and Trafficking Convention.
• Transparency and accountability: The Regulations mandate the maintenance of records detailing decisions applying the immigration exemption, providing transparent documentation of the rationale behind each determination. Additionally, data subjects must be informed of any decision to apply the exemption, except in cases where doing so may jeopardise immigration control objectives.

In conclusion, the Government's attempts to rectify the immigration exemption represents a significant step forward in the ongoing evolution of data protection law in the UK. Especially noting that, on 07 February 2024, a running list of all amendments in the House of Lords Grand Committee was published which includes a carry-over extension request to extend the period during which proceedings can take place on the new Data Protection and Digital Information (DPDI) Bill to 12 December 2024. This means the DPDI Bill can carry over into the next Parliamentary session if not passed in the 2023-2024 session.

If you would like to keep up to date on the latest in data protection, please get in touch to subscribe to our newsletter, The Data Download.