Privacy International is joining migrant organisations to challenge the UK's "immigration control" data protection exemption - find out why!

News & Analysis
Uk immigration

Increasingly every interaction migrants have within the immigration enforcement framework requires the processing of their personal data. The use of this data and new technologies are today driving a revolution in immigration enforcement which risks undermining people's rights and requires urgent attention.

This is why Privacy International, and several migrant and digital rights organisation, joined a formal complaint filed by the Platform for International Cooperation on Undocumented Migrants (PICUM) against the United Kingdom for failing to respect, the General Data Protection Regulation (GDPR), by including an "immigration control" exemption in the Data Protection Act adopted in 2018.

Data processing for immigration purposes

At the border and beyond, vast amounts of data are being collected and processed to track and identify people for immigration purposes, from utility data to people's social media accounts, and even the entire contents of people's phones.

Within borders, government bodies - those with and those without mandates related to immigration enforcement - are collecting, analysing, sharing and accessing vast amounts of personal data and inferring intelligence, on the basis of which life-changing decisions are made including eligibility for entry and residence and to access public benefits amongst others. All of this is supported by an industry making millions from selling data, analysis, and infrastructure to immigration enforcement authorities. 

These practices impact all foreign residents of a country, including economic migrants, asylum seekers, refugees, seasonal workers, and undocumented migrants. Not only does it interfere with their rights, it potentially allows government authorities to interfere with the rights of UK citizens as long as they can claim they are doing so for immigration control purposes.

In view of existing and expanding data processing policies and practices for immigration purposes, there is an urgent need to regulate and monitor entities who undertake or are involved in the processing of migrants' data to ensure they comply with internationally recognised data protection principles and standards, as well as human rights.

What does the complaint challenge?

Schedule 2, Part 1, paragraph 4 of the UK's Data Protection Act includes a broad exemption for the “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of immigration control.” This was one of the main shortcomings of the Bill as it was being passed through the UK parliament which Privacy International and other Civil Society Organisations (CSOs) challenged during the various stages of the drafting of the law.

This clause provides for a broad and wide-ranging exemption which is open to abuse and should be removed altogether. Instead, there already exist other exemptions within the Act that the immigration authorities can seek to rely on for the processing of personal data in accordance with their statutory duties or in the case of an offence.

Fundamentally, the GDPR was drafted to strengthen the rights of individuals with regard to the protection of their data, impose more stringent obligations on those processing personal data, and provide for stronger regulatory enforcement powers. This broad exemption goes against these core principles and the standards of data protection and human rights. It curtails the rights of individuals and removes the obligations data processors should be subject to in their data processing activities.

What should the UK do?

In order for the United Kingdom to be in compliant with the GDPR and other internationally recognised data protection standards, as well as respect its obligations governed by other national and international frameworks upholding the rights of migrants, it must strike out this broad exemption.

We look forward to working with PICUM, other co-submitters, and UK organisations working on the rights of migrants and on digital rights issues as part of this complaint, and other advocacy and legal initiatives on-going in the UK.

As we wait to hear back from the European Commission about the complaint, PI will continue to research, raise awareness, and help bring change to make sure fairness, human rights, and security are built into the next generation of data-driven immigration enforcement.