In May this year we discussed how the Court of Appeal had ruled that the "immigration exemption" in the Data Protection Act 2018 (DPA) was unlawful. As a result, an amendment has now been made to the DPA which requires the Secretary of State to:
- put in place an "immigration exemption policy document;"
- determine, by reference to that policy document, and on a "case by case basis" whether the exemption can be applied;
- keep a record of any case where the exemption was relied upon.
The exemption purported to disapply many data subject rights (such as access to or erasure of data) where personal data was processed for "the maintenance of effective immigration control" or "the investigation or detection of activities that would undermine the maintenance of effective immigration control". The Court of Appeal held that the lack of "specific provisions" as required under Article 23(2) of the GDPR (which then applied) was an unauthorised derogation from the fundamental rights conferred by the GDPR. It was accepted by the government that, although the GDPR has – since Brexit - been replaced by the UK GDPR, the exemption would also be incompatible with Article 23(2) of the latter.
The amendments to the DPA seek to ensure that the requisite "specific provisions" are now in place. However, any reliance on the exemption before it was amended is potentially vulnerable to challenge.
What was not specifically addressed in the judgment is the extent to which any of the other exemptions in Schedule 2 to the DPA might also be unlawful. As many of them also appear not to have the "specific provisions" required under Article 23(2) of the UK GDPR, there could certainly be arguments made to that effect.