PRESS RELEASE – Advocates bring first GDPR complaint to EU against UK data protection law for violating data rights of foreigners

The Platform for International Cooperation on Undocumented Migrants (PICUM) has filed a formal complaint to the European Commission against the UK for flouting the EU’s regulation on data protection (General Data Protection Regulation, GDPR) by including a broad immigration control exemption in its new Data Protection Act. The complaint has been joined by several migrant and digital rights organisations.

The 2018 UK Data Protection Act includes a section that allows the government and others to ignore the EU’s data protection rules when those rules get in the way of “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of immigration control.”

Alyna Smith, Advocacy Officer at PICUM, said:

“The UK Data Protection Act’s “immigration control exemption” runs exactly counter to the EU’s efforts to reinforce individuals’ right to the protection of their personal data. It carves out a space where public and private actors have wide discretion to access, use, share, and gather personal data, without the knowledge of affected individuals and with virtually no accountability. All this for immigration enforcement goals which are worringly vague and broad”.

The exemption does not include safeguards for sensitive data or for vulnerable groups like children. Smith added: “This exemption risks worsening existing violations of fundamental rights and freedoms, under the UK’s “hostile environment” policy”.”

The UK, even as a non-EU country post-Brexit, cannot trade with the EU if its data protection laws are not up the EU’s standards.

Gracie Bradley, Policy & Campaigns Manager at Liberty, said: “The immigration exemption will make it even easier for the Home Office to hoover up people’s data from schools, hospitals and other vital services without their knowledge, further entrenching the hostile environment. It’s oppressive, unnecessary, and strips people of the rights the Government said the Data Protection Act would uphold. The UK cannot call itself a world leader on human rights while its data laws fall far short of the European standard.”

Nazek Ramadan, Director of Migrant Voice, a UK-based and migrant-led charity advocating for the rights of migrants, said: “This exemption disproportionately interferes with fundamental rights of privacy, data protection, equality and non-discrimination of millions of UK foreign residents.”



Notes to the editors:

  • The complaint is brought to the European Commission by the Platform for International Cooperation on Undocumented Migrants and has been co-signed by:
    • EU Rights Clinic
    • Campaign to Close Down Campsfield and End of All Immigration Detention in the UK
    • Joint Council for the Welfare of Immigrants (JCWI)
    • Latin America Women’s Rights Service (LAWRS)
    • Liberty
    • Migrant Rights Network (MRN)
    • Migrant Voice
    • Maternity Action
    • Privacy International
    • Praxis
  • The UK’s Data Protection Act entered into force on 25 May 2018. The immigration exemption clause is included in Schedule 2, Part 1, paragraph 4 of the law.
  • The GDPR is the EU set of rules on data protection, which apply to all EU Member States. It entered into force on 25 May 2018.
  • The European Commission has a process that allows individuals and organisations to submit a complaint about any measure (law, regulation or administrative action) or practice by a country of the European Union that they think is against European Union Law.

Press contact

Gianluca Cesaro, Communications Officer, PICUM,