PICUM (the Platform for International Cooperation on Undocumented Migrants) have issued a press release saying they have “filed a formal complaint to the European Commission against the UK for flouting the EU’s regulation on data protection (General Data Protection Regulation, GDPR) by including a broad immigration control exemption in its new Data Protection Act.”
The derogations under question relate to Schedule 2, Part 1, para 4 of the Data Protection Act 2018 which states that a number of GDPR individuals’ rights (including the right to be informed, right of access (subject access requests), right to erasure, right to restrict processing and the right to object to processing) don’t apply to immigration data, when the data is processed for “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of effective immigration control“.
Alyna Smith, Advocacy Officer at PICUM, said:
The UK Data Protection Act’s “immigration control exemption” runs exactly counter to the EU’s efforts to reinforce individuals’ right to the protection of their personal data. It carves out a space where public and private actors have wide discretion to access, use, share, and gather personal data, without the knowledge of affected individuals and with virtually no accountability. All this for immigration enforcement goals which are worringly vague and broad
The filing is supported by 10 other organisations (including Privacy and Liberty) who have co-signed it.
Article 23 of the GDPR allows EU member states to apply exemptions to GDPR for some types of processing where the data controller or processor maybe restricted by national law, but the filing says these derogations undermine the GDPR’s approach to ensure the rights and freedoms of data subjects are upheld.