For most of us, data protection law is a shield, not a sword. It works away in the background, keeping our data private when we need it to be. But for vulnerable groups, including migrants, data protection often plays a much more active role.
Asylum seekers routinely disclose to the Home Office information which could cost them or their family their lives were it to fall into the wrong hands. This could be details of a same-sex relationship, a minority religious belief, a criminal offence, or a political affiliation.
That is why civil society groups and lawyers are extremely concerned about the government’s proposal to remove key data protections from individuals where they are “likely…to prejudice immigration control”. Almost by definition, these are likely to be some of the most vulnerable and marginalised people in our society. The proposal is hidden away in a Schedule to the Data Protection Bill, which receives its important Second Reading in the House of Commons on 5 March 2018.
A case I recently worked on illustrates how dangerous allowing the government to play fast and loose with data can be. As reported elsewhere, my client successfully sued the Home Office for damages. In a misguided attempt to verify the authenticity of certain documents, the Home Office shared records of his persecution in his country of origin with those same persecuting authorities. The Home Office’s actions potentially put his and his family’s life at risk, and made future return to his country of origin more difficult.
The Home Office eventually agreed to pay my client £15,500 in damages. The central plank of that claim was the Data Protection Act 1998. Unfortunately, the Home Office’s conduct of the case did not instil confidence that this breach was a one-off: it denied liability for a very long period, and still refuses to apologise. When we asked the Home Office under Freedom of Information laws whether there were other similar cases, its response was worrying:
“to identify the required information would require the detailed manual interrogation of every asylum claim lodged over the last five years. This equates to more than 100,000 cases..”
It seems reasonable, then, to be concerned that the data of many more asylum seekers may have been misused by the Home Office.
This is not the first such case. In 2016, the Home Office was ordered to pay damages ranging from £2,500 to £12,500 to persons named in a spreadsheet listing families returned to their country of origin. The Home Office had mistakenly posted this sensitive document online.
These may be eye-catching examples, but data protection law is a day-to-day essential in thousands of immigration-related cases. For example, where an individual is being detained in an immigration removal centre and wishes to challenge their detention, their lawyers will almost always need to obtain the Home Office’s internal paperwork using the “subject access” right in data protection legislation before advising them. The Home Office file will show whether there are barriers to removing the detainee from the UK and whether the Home Office has correctly addressed matters such as the detainee’s mental health and torture history. It is these matters that render detention unlawful and mandate release.
For example, a recent case showed that the Home Office had received independent evidence that a detainee was a torture victim who should not be detained. It had, however, dismissed that evidence, with the consequence that he remained detained, unnecessarily and unlawfully, for another eight months. The Bill simply cancels the right to access this wherever the government deems its immigration interests to be affected. If paperwork is withheld, vulnerable people are likely to be falsely imprisoned as a result.
At any one time there are approximately 3,000 detainees being held in Immigration Removal Centres in the UK, and around 10 times that number pass through those centres in a given year. Many should not be there (indeed, there are growing calls for an end to the system altogether). So preventing detainees’ lawyers from accessing their files will affect hundreds of cases concerning individual liberty in any one year, some of which are for persons who have been detained for periods counted in years, not months.
The same careful process is required in other contexts, such as challenging a decision regarding the status of a potential victim of human trafficking. One of my clients has a highly traumatic trafficking history within the UK, and public authority documents have been important in reconstructing a past clouded by incomplete memories of time, place and person. This too relied upon use of the “subject access” right.
Other data protection rights, such as the right to restrict unfair processing of information, are also an important bulwark against the disproportionate sharing of migrants’ data between public authorities, which is increasingly pervasive.
The government claims that the proposed restriction is “targeted” on only some aspects of data protection law and would be applied selectively in practice. But it restricts principles that lie at the heart of data protection law, such as Article 5(1)(a) and (b) of the EU General Data Protection Regulation, which require data to be processed “fairly” and transparently and for “specified..and legitimate purposes”. But serious doubts remain. History is littered with supposedly “targeted” laws that took on a life of their own once interpretation passed into the hands of those tasked with applying them.
It is difficult to understand why the government thinks it needs to take such a draconian step. Perhaps making legal accountability more difficult is the point. That, and perhaps a hubristic Brexit-inspired impulse to re-draw the boundaries of EU data protection law to better reflect this government’s expressed “hostile environment” for undocumented migrants. In reality, the migrant exemption would create a dangerously discriminatory two-tier data protection regime, further marginalising some of the most vulnerable people in society.
But the “migrant exemption” is not just bad law from the point of view of victims; it is highly likely to be found to be unlawful as going beyond the boundaries of the limited derogation provision in the EU General Data Protection Regulation (which becomes directly effective in the UK on 25 May 2018). And it is bad politics too: it would mean that the UK’s data protection regime fell short of providing equivalent data protections post-Brexit and could therefore prevent the free exchange of data with EU member states. That is a very real possibility: the EU Court of Justice previously struck down data arrangements between the US and the EU and it would not hesitate to do so in relation to the UK.
But the most pressing need is that of people like my client, who rely on the Data Protection Act to vindicate their fundamental human rights. There will be many others like him in the future. The Data Protection Bill should not take those rights away from them.
For further information about the case, see here.
Daniel Carey is a solicitor with Deighton Pierce Glynn Solicitors.