European Union – EU Citizens Win Case About Data Protection/Access in U.K.

The U.K. adopted an “immigration exemption” clause in the 2018 Data Protection Act¹ in which European Union (EU) citizens are denied access to their personal records with the U.K. Home Office².  This left those EU citizens in a weaker position to object to any information, decisions, and rulings made by the U.K. Home Office with respect to decisions and policies decided affecting them and, as concerns the below-discussed case, their EU settlement status.³

On 26 May 2021, the U.K. Court of Appeal ruled⁴ that not allowing EU citizens to access their personal records with the U.K. Home Office is a breach of their fundamental human rights⁵ and the general data protection rules (GDPR)⁶.    

The ruling makes it possible for EU citizens who are denied settled status in the U.K. or future immigration visas to the U.K. to have access to the databases and records containing information used in the decisions by the authorities concerning them, including information about social benefits, civil offence records, etc.

The case itself concerns the U.K. Home Office, but it is reasonable to expect that other bodies must uphold the same level of transparency towards EU citizens as it is set out in this ruling.

The immigration exemption to personal data records is laid down in the 2018 Data Protection Act (DPA) saying that certain rights protected by the GDPR do not apply when data is processed for the following purposes:

• Paragraph 2, Schedule 2 (DPA)⁷

(a)    the maintenance of effective immigration control, or

(b)    the investigation or detection of activities that would undermine the maintenance of effective immigration control.

On the basis of this Act, the Home Office could deny access to files that hold information on immigrants.  A denial of access to personal records undermines EU citizens’ legal right to challenge decisions by the Home Office.

The Court of Appeal found that this immigration exemption is not compliant with GDPR⁸ and the charter of fundamental rights of the EU⁹.

The judgement ruled against the Home Office’s considerations that effective immigration control should weigh more than individual rights to access own data.

The judges noted in the ruling that the Home Office relied on the immigration exemption in 59 percent of the cases since DPA came into force¹⁰.  

The case concerns individual access to information about immigration cases.  However, it is reasonable to expect that the same standard for transparency of personal records is to be upheld not only by the Home Office in the U.K., but all other bodies too.

Companies should familiarise themselves with the requirements for EU citizens going to the U.K. to work and/or live in order to foster compliance and help ensure business continuity.  

1  The U.K. Data Protection Act (2018) is based on the EU General Data Protection Regulation (GDPR), No 2016/679 (4 May 2016).

2  For information about the Home Office, see: https://www.gov.uk/government/organisations/home-office/about .

3  Following Brexit, EU citizens living in the U.K. must apply for a “settled status scheme” if they want to continue living in the United Kingdom.  EU citizens moving to the U.K. after 1 January 2021, must apply for a visa in order to move to the United Kingdom (see: https://www.gov.uk/browse/visas-immigration/eu-eea-swiss ).  EU citizens who have been in the U.K. continuously for five or more years wishing to obtain “settled status” must apply for it (the deadline for applying is 30 June 2021) and, if granted, will be awarded such status in the U.K., entitling them to certain benefits.  For further information, see: https://www.gov.uk/settled-status-eu-citizens-families .

4  England and Wales Court of Appeal (Civil Division) Decisions: The Open Rights Group & Anor, R (On the Application Of) v The Secretary of State for the Home Department & Anor [2021] EWCA Civ 800 (26 May 2021).  See: https://www.bailii.org/ew/cases/EWCA/Civ/2021/800.html.  (Note that this is a 3^rd party (non-governmental, non-KPMG) website. Providing this link does not represent an endorsement of this website by KPMG.)

5  Charter of Fundamental Rights of the European Union (18 December 2000) creates a basis for the U.K. 1998 Human Rights Act.  The Charter stipulates in Article 8 that data must be processed fairly for specified purposes and everyone has the right to access data concerning him/her.  

6  See footnote 1.

7  See footnote 1.

8  See footnote 1.

9  See footnote 4.

10  Premise (16) in the judgement by the Court of Appeal, Appeal No. C1/2019/2726/QBACF (London, 26 May 2021).  (See: https://www.bailii.org/ew/cases/EWCA/Civ/2021/800.html .)  (Note that this is a 3^rd party (non-governmental, non-KPMG) website. Providing this link does not represent an endorsement of this website by KPMG.)

* Please note the KPMG International member firm in the United States does not provide immigration or labour law services. However, KPMG Law LLP in Canada can assist clients with U.S. immigration matters.

The information contained in this newsletter was submitted by the KPMG International member firm in The Netherlands.