This is a busy period for data protection law. The General Data Protection Regulation (GDPR) becomes effective on 25 May, and on 5 March, the Data Protection Bill receives its second reading in the House of Commons.
These should be complimentary legislative processes. After all, the Data Protection Bill is intended to supplement and further implement the GDPR. But they are not. In what appears to be a case of Brexit-inspired tinkering with EU data protection law, the government has taken advantage of the derogation provision in Article 23(1) of the GDPR to alter and in some cases, remove, key data protections in several contexts, including immigration. Schedule 2, Part 1, para 4 of the bill removes data protection rights from persons where ’it would be likely’ to prejudice immigration control.
Data protection rights are extremely important in an asylum context. Asylum seekers routinely disclose information which could cost them or their family their lives were it to fall into the wrong hands. Whether it be details of a same-sex relationship, a minority religious belief, criminal offending or political affiliation, it is paramount that personal data provided in the course of an asylum application is managed carefully and regulated by stringent data protection standards.
Many other aspects of data protection law would be seriously affected by the government’s proposed change. For example, the right of ‘subject access’ to an individual’s data under s7 Data Protection Act 1998/Article 15 GDPR is essential in challenging the unlawful detention of immigration detainees, where careful scrutiny of Home Office files is invariably required. It is similarly used by trafficking victims to corroborate their cases. Immigration advisers will often need to see a client’s Home Office file before making applications for their clients. Other rights, such as the right to prevent unfair processing of information, are also an important bulwark against the disproportionate sharing of migrants’ data between public authorities.
The bill provision also carries serious risks for access to justice and accountability, as illustrated by a recent case, in which my client obtained substantial compensation from the Home Office for the unlawful sharing of his data. My client sued the Home Office for damages after it shared records of his persecution in his country of origin with those same authorities, in a misguided attempt to verify the documents’ authenticity, potentially putting his and his family’s life at risk.
The Home Office eventually agreed to pay him £15,500 in damages. But this came after a long period of denying liability. The Home Office also refused to apologise even though it admitted breaching domestic and international instruments requiring confidentiality of asylum processes.
The Home Office also refused to answer freedom of information requests seeking the numbers of similar incidents, on the basis that: 'to identify the required information would require the detailed manual interrogation of every asylum claim lodged over the last five years. This equates to more than 100,000 cases'.
Concerns therefore remain that this was not an isolated case. Clearly, there is no central monitoring of this issue. Victims may not even be aware that they have been put at risk in this way.
There are parallels to the case of TLT & Ors v (1) Secretary of State for the Home Department (2) The Home Office  EWHC 2217 (QB), in which the High Court awarded damages ranging from £2,500 to £12,500 to people named in a Home Office spreadsheet listing families returned to their country of origin that was mistakenly posted online for two weeks.
The government’s planned ‘migrant exemption’ would make bringing such cases in the future much more difficult. The incentive that they create: to manage asylum information carefully and confidentially, would be lost.
Of course, victims would still – currently – have the Human Rights Act 1998 and the common law (equitable breach of confidence; tortious misuse of private information). But these less-specific bodies of law compliment and are informed by data protection rights, they do not replace them.
If the ‘migrant exemption’ becomes law, it could create a discriminatory two-tier data protection regime, further marginalising some of the most vulnerable people. It is important therefore, that the representations of organisations such as Liberty, Open Rights Group, the Immigration Law Practitioners Association and Big Brother Watch in opposition to the bill are heeded.
Not only does the ‘migrant exemption’ represent bad law from the point of view of victims; it would be highly likely to be found to be unlawful: it strains the GDPR’s derogation provision to breaking point and would therefore violate EU law and, most likely, the Human Rights Act. Nor does it appear to be good politics: it would mean that the UK’s data protection regime fell short of providing equivalent data protections post-Brexit and may thus prevent the free exchange of data between the UK and EU member states.
My client needed the Data Protection Act to vindicate his fundamental human rights. There are many others like him. The Data Protection Bill must not take those rights away from them.
Daniel Carey is a solicitor at human rights firm Deighton Pierce Glynn.