The UK’s data protection immigration exemption erodes fundamental rights

This blog was written by Matthew Rice, Scotland Director of the Open Rights Group, a charity that protects the digital rights of people in the UK including privacy and free speech online. Open Rights Group is challenging the “immigration exemption” in the UK 2018 Data Protection Act before the national courts, which prevents people from accessing and checking their personal data when collected for vague immigration purposes.

Context: the “hostile environment”

The United Kingdom’s hostile environment policy towards migrants is a set of administrative and legislative measures designed to make staying in the country as difficult as possible for people without leave to remain. It has been a pernicious issue, seeping into areas of housing, education, and healthcare. Immigration enforcement has been gathering data from all these areas, in sometimes undeclared data sharing agreements.

In this climate, the right of access to data is a crucial, essential right. Any mistake could have drastic effects on an individual’s right to remain in the country. In a context where data from multiple sources are used to make important decisions, the immigration exemption in the UK’s 2018 Data Protection Act is yet another blow to the fundamental rights of migrants.

Hollowing out fundamental rights

The immigration exemption allows an entity with the power to process data (known as a “data controller”) to circumvent the right of an individual to access data held about them if it would “prejudice effective immigration control”.

The inclusion in the 2018 Data Protection Act of an immigration exemption is unprecedented in the UK’s history of legislating in this field. No such provision existed in the previous Data Protection Acts (1984 and 1998 ones). It was debated during the 1983 Bill negotiations but never made it further, and was described by the then-chair of the Data Protection Committee as “a palpable fraud upon the public if … allowed to become law.”

The exemption restricts other data rights, such as the right to:

– object to the processing of one’s data

– restrict the processing of one’s data

– have one’s personal data deleted.

In addition, the exemption frees data controllers from their responsibility to provide information to the person concerned when their data is collected, or to inform them when information is collected from other sources, like a school, employer, or local authority.


Open Rights Group, a human rights campaigning organisation focused on the protection of privacy in the digital age, and the3million, a grassroots campaign representing the interests of EU citizens living in the United Kingdom, have very real concerns that the breadth and opacity of the immigration exemption represent a threat to the rights of foreigners living in the country. In an immigration environment that is both hostile and error-prone, the fundamental right to data protection, contained in the EU Charter of Fundamental Rights, needs to be safeguarded. This exemption strikes directly at the essence of this fundamental right. That is why our organisations are challenging the Data Protection Act before the High Court of Justice in England and Wales, under a judicial review procedure.

This exemption is not the type of exemption contemplated by the EU General Data Protection Regulation (GDPR). It is a derogation that the UK Government has chosen to exercise and formulate themselves. While derogations are possible under the General Data Protection Regulation, they must satisfy a series of strict tests.

Under Article 23(1) of the GDPR, national law may restrict the scope of obligations and rights when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society.

Further, under Article 23(2), the measures must contain specific provisions, where relevant as to:

  • The purposes of the processing or categories of processing
  • The categories of personal data
  • The scope of the restrictions introduced
  • The safeguards to prevent abuse or unlawful access or transfer
  • The specification of the controller or categories of controller
  • The storage periods
  • The risks to the rights and freedoms of data subjects; and
  • The right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

The Essence of the Right to Data Protection

There is growing consensus among scholars about the “essence” of a fundamental right. Tuomas Ojanen, Professor of Constitutional law at the University of Helsinki, refers to three crucial components. First, the essence of a fundamental right cannot be determined based on the text of the Charter alone. Instead, the identification of the essence is a matter of contextual interpretation. Second, the same fundamental right can give rise to more than one legal norm: for instance, the right to privacy includes at the same time the responsibility to refrain from interfering with an individual’s privacy, and the right to access one’s data. Third, all fundamental rights, including those that allow for derogations, such as the right to privacy, possess an inviolable essence that cannot be restricted.

Taking the immigration exemption and its effect on the right to data protection under Article 8 of the Charter of Fundamental Rights, we can peel away to try and understand what is the essence of the right to data protection.

Article 8(2) explains that the right to data protection includes the right of access to data that has been collected, and the right to have it corrected. When considering immigration enforcement, it is worth remembering that mistakes happen, and happen often. The Home Office has incorrectly sent letters to EU nationals informing them that they were to be deported from the UK. In addition, back in 2017 the Independent Chief Inspector of Borders and Immigration found error rates of 10%, where the Home Office were denying individuals bank loans after immigration checks.

No system is foolproof; that is why access to information, and the ability to rectify inaccuracies are all the more important. By removing the right of access to data, the immigration exemption risks undermining the very goal it is trying to achieve: effective immigration control. Effective control should allow individuals to correct inaccurate information and thus prove their right to remain.

Another legal norm that may flow from that fundamental right is the right to good administration. While the right to data protection has permissible limitations, a right of access to data is at the essence of this fundamental right. The importance of access to data held about you – and, in the immigration context in particular, access to data that is used to make decisions about you – is one of the overarching arguments in the challenge against the exemption.

The exemption also fails to satisfy the Article 23(2) tests under the GDPR. The test of “prejudice” requires assessing whether a measure has clear boundaries. The UK Government, however, have been reluctant throughout to explain what it aims to achieve, concretely, with the exemption. Add to this the fact that there is no limitation on the type of data that entities, public or private, that can rely on the immigration exemption and the scope of the exemption is suddenly as wide as the broader hostile environment – touching on areas like health, social care, education, or private actors involved in immigration services.

Open Rights Group and the3million are seeking to have the exemption removed from the Data Protection Act by demonstrating that it is unlawful and plainly incompatible with fundamental rights.

This exemption is a blunt instrument serving a policy that has tainted Britain’s reputation as a tolerant and welcoming country. It is an intolerable departure from the essence of fundamental rights, and has none of the clear limitations that are required by the General Data Protection Regulation.

Challenging this exemption is a matter of resisting the erosion of protections that are fundamental to our democracy and to our privacy in an increasingly digital world.