GPS tagging of migrants UNLAWFUL, UK authority finds after PI complaint

In a significant and forceful decision, on 1 March 2024 the UK's Data Protection Authority found that the UK Government's GPS tagging of migrants arriving to the UK by small boats and other "irregular" routes was unlawful.

The decision comes as a result of Privacy International's complaint filed in August 2022 against the GPS tagging policy, which alleged widespread and significant breaches of privacy and data protection law. Our complaint relied extensively on anonymous testimonies of individuals who recounted the debilitating impact that tagging was having on their private and family life, as well as physical and mental health. These were clients of Bail for Immigration Detainees, Public Law Project, Duncan Lewis Solicitors and Wilsons Solicitors. This is a significant win for all of them, as a first legal recognition of the lack of necessity and proportionality of such significant intrusions.

The Information Commissioner's Office (ICO) issued an Enforcement Notice and a formal warning against the UK's borders and immigration ministerial department (Home Office). An Enforcement Notice declares previous or existing data processing unlawful, and can require data controllers to stop processing data, delete it, change the way they process it, etc, in order to comply with the law. It is a binding decision, and the strongest form of enforcement available to the authority under data protection law. A formal warning is forward-looking, recognising previous failures and requiring the controller not to replicate them in the future - such that "any future processing on the same basis will be in breach of data protection law and will attract enforcement action".

Background to our complaint: GPS tagging of migrants since 2021

Since January 2021, the Home Office has been placing migrants released on immigration bail under GPS ankle tagging, subjecting them to 24/7 surveillance. This results in vast amounts of highly sensitive, sometimes intimate, data being collected by immigration authorities.

GPS tagging can be imposed as one of the conditions of granting immigration bail, amongst others such as restrictions on individuals' occupation, curfews or movement restrictions. Anyone subject to immigration control, including asylum seekers in the course of their asylum claim or other proceedings, can be subject to GPS tagging. In addition, since August 2021 the Home Office has a "mandatory duty" to tag anyone potentially facing deportation or subject to a deportation order (under Schedule 10 of the Immigration Act 2016).

In June 2022, the Home Office expanded GPS tagging through a 12-month "Expansion Pilot" whereby "all asylum claimants who arrive in the UK via unnecessary and dangerous routes" could be tagged. The Pilot was renewed for a further 6 months to 15 December 2023, as the data collected during the first 12 months "did not provide sufficient evidence".

The number of people GPS tagged under immigration enforcement powers increased exponentially since the January 2021 roll-out - from 0 in January 2021, to roughly 300 in August 2021, to 4,360 in December 2023. Between June 2022 and June 2023, the number of tagged individuals increased by 86%.

What the ICO found

The ICO found the Expansion Pilot was unlawful, for it failed to comply with data protection law in a number of ways:

• The Home Office failed to adequately assess:

  • the privacy intrusion of GPS tracking, which is a highly intrusive type of processing and requires a strong justification;
  • the impact on people in vulnerable positions, and therefore did not mitigate the risks to them;
  • the necessity and proportionality of 24/7 location tracking, "taking into consideration people's vulnerabilities and how such processing could put them at risk of further harm"; and 
  • the impact of GPS tagging on individuals and on their fundamental rights and freedoms, and in particular did not take into account that relevant data subjects might be in vulnerable positions.

• The data processing involved in GPS tagging was of such a particularly intrusive nature that it should have been accompanied by robust guidance and procedures - existing ones were insufficient.

• Data subjects were not sufficiently informed of the extent of processing of their personal data, in light again of its particularly intrusive nature.

These findings are significant as they go to the systemic features of the GPS tagging policy. Necessity and proportionality are key principles that run throughout data protection law, and when invoked are telling of the problematic nature of the scheme as a whole, instead of discrete and specific data issues or breaches. The failure to assess the impact on people and risks to their fundamental rights is similarly systemic.

The ICO also issued a warning to the Home Office about all future data protection compliance of the GPS tagging policy, in light of past failure to properly turn their mind to their privacy and data protection obligations.

Implications of the decision

This is a significant, systemic and unprecedented blow to the Home Office's GPS tagging of migrants, which has been a key part of the UK's "hostile environment" policy. By putting up obstacles for migrants to access basic rights and goods such as work, public services and even bank accounts, the UK aimed to create a hostile environment for migrants, thereby deterring entry and encouraging "voluntary" departures.

Throughout this policy, a running thread seemed to emerge: migrants would be undeserving of the same human rights and protections as British citizens. This became evident in the increasingly relentless deployment of invasive surveillance and control measures, such as GPS tagging, signaling a further step in the criminalisation of migration. The extension of GPS tracking to people who arrive by small boats, many of whom have fled persecution, is the latest chapter in this escalation.

The ICO's decision is a powerful reminder that migrants have the same data protection rights as everyone else, and that immigration authorities are not above the law. Data protection legal safeguards are not provided to people based on their citizenship status, but based on whose jurisdiction they are under. Immigration authorities in the UK and elsewhere have for far too long, and exponentially in recent years, been abusing migrants' privacy in a bid to exercise performative power and control over a vulnerable population. This clearly shows how privacy and data protection law can be a powerful tool in the protection and defence of migrants' rights.

The ICO did not order deletion of the data that was unlawfully collected, for various practical reasons. It warned that while the pilot scheme ended in December 2023, data unlawfully collected would still be available to the Home Office and could still be shared with other third-party organisations. But it made clear that such a blanket policy to tag asylum seekers arriving in the UK must be abandoned. This is a significant win for all those who were subject to this vindictive, costly and cruel policy. It will also require the Home Office to think harder about the necessity and proportionality of tagging individuals, and the wider model of blanket and discriminate surveillance.

This is not the end - the Home Office will continue to tag migrants (albeit a smaller cohort), as data protection law is not all-powerful against absurd, racialised, costly and harmful anti-migrant policies. But the GPS tagging policy as a whole is facing multiple challenges in the courts where judgements are awaited in two court challenges. In one of these cases, the tag of the Claimant, Mark Nelson, hadn't been functioning for months, and yet the Home Office argued that it was lawful for him to wear a broken device.

You can listen to Mark's story in this podcast with him and his lawyer Katie Schwarzmann. Judges in these cases will have to consider the lawfulness and human rights impact of GPS tracking as a whole and will hopefully restrict this degrading practice further.