The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2022 came into force on 26th January 2022. They amend Schedule 2 of the DPA 2018 to include a revised “immigration exemption”. The exemption disapplies many data subject rights in the GDPR (now UK GDPR), such as subject access and the right to erasure, where personal data is processed for “the maintenance of effective immigration control” or “the investigation or detection of activities that would undermine the maintenance of effective immigration control”.
The amendment follows the May 2021 Court of Appeal judgement, in The Open Rights Group & Anor, R (On the Application Of) v The Secretary of State for the Home Department & Anor (2021) EWCA Civ 800, where it was held that the immigration exemption, as it was originally drafted in the DPA 2018, was unlawful and incompatible with the EU GDPR (and now consequently the UK GDPR).
Article 23 of the EU GDPR allows Member States to create exemptions to restrict data subjects’ rights in certain circumstances (e.g. for the purposes of crime prevention).
Such exemptions must respect the “essence of the fundamental rights and freedoms” and be “necessary and proportionate… in a democratic society”. Article 23(2) also includes a list of “specific provisions” that any legislative measure creating a restriction to data subjects’ rights must contain e.g. the purpose of the processing, the relevant categories of personal data, the scope of the restriction introduced and details of the accompanying safeguards. The Court of Appeal found that the immigration exemption, as originally drafted, did not contain any of these provisions; nor were they covered in any separate legally binding legislation.
The 2022 regulations amend the immigration exemption to make clear that it may only be relied on by the Secretary of State and only if the Secretary of State has in place an immigration exemption policy document. This is a document which explains the Secretary of State’s policies and processes for determining whether, and the extent to which, the exemption applies in any particular case, and for ensuring that any personal data covered by the exemption is not abused or accessed or transferred in a manner contrary to the UK GDPR. Additional safeguards are also added to the exemption to require the Secretary of State:
(a) to decide whether the immigration exemption applies on a case by case basis, and to have regard to the immigration exemption policy document when making such decisions;
(b) to keep a record of any decision that the immigration exemption applies and the reasons for that decision;
(c) to inform a data subject of any such decision, unless doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b) of Schedule 2 to the 2018 Act.
Following the Court of Appeal judgement, questions now arise (though not specifically addressed by the court) about the legality of other GDPR exemptions set out in the DPA 2018. Many of them also appear not to have the “specific provisions” required under Article 23(2).
Act Now’s UK GDPR Handbook has been updated to include the revised wording for the immigration exemption, as well as new guidance from the ICO and European Data Protection Board. This is now available to purchase, although delegates on our forthcoming GDPR Practitioner Certificate course and Advanced Certificate in GDPR Practice course will receive a complimentary copy.