Campaign groups have increased pressure on the UK government to remove a section of the Data Protection Bill that could effectively prevent people gaining access to immigration data held on them.
The bill passed through the House of Lords at the start of the year, and has its second reading in the House of Commons today, which is the first opportunity for MPs to scrutinise and debate the text.
Among the various concerns about the bill, much has been made of the insertion of a new exemption for immigration (schedule 2, part 1, paragraph 4).
The clause, which was unsuccessfully challenged by peers, would bring in a broad exemption removing a person's rights as a data subject – their ability to access information or ask how it is being used – if satisfying them would prejudice "effective immigration control".
Opponents have voiced concern about the lack of specificity in the text, especially as there are already exemptions for cases of crime, national security, public safety and protection of sources in both the European Union's General Data Protection Regulation and elsewhere in national law.
But more significantly, if passed, the law could prevent asylum seekers gaining the information they need to appeal a Home Office decision on whether they have the right to remain, or challenge potential mistakes.
"Victims of administrative errors will have no way to stop a typo from turning their lives upside down," said the Open Rights Group in a statement.
"Rights are universal, that's what makes them rights. This exemption creates a two-tier system where immigrants will have less access to their personal data than UK citizens, which inherently undermines the whole system."
The ORG is lobbying against the clause with EU citizens' rights group the3million, which said that "everyone should be entitled to know how the Home Office and other government agencies are using their records".
The groups have today launched a legal challenge against the exemption and are being represented by law firm Leigh Day, which has written to the home secretary Amber Rudd to outline their concerns.
"The immigration exemption creates a discriminatory two-tier system for data protection rights," said Leigh Day solicitor Rosa Curling.
"The clause is incompatible with GDPR, as well as EU law generally and the European Convention on Human Rights. If the exemption is made law, our clients will apply for judicial review."
The pressure comes after prime minister Theresa May made much of the UK's data protection standards in her second Mansion House speech last Friday.
"The UK has exceptionally high standards of data protection," she said, once again setting out the need for an arrangement post-Brexit that will provide "stability and confidence" for businesses and individuals.
"That is why we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK's Information Commissioner's Office," she said.
The government has repeatedly called for the ICO to be given a place at the table of the European Data Protection Board (EDPB) – the new group for member states' data protection agencies that is set to wield more power than the existing Article 29 Working Party.
However, the likelihood of this happening is far from certain, especially as the EDPB – unlike WP29 – is an EU body.
This is emphasised by the draft text of the European Commission's withdrawal agreement, which states that references to member states do not apply to the UK when it comes to "nomination, appointment or election" of members of bodies or in "decision-making and governance" of EU bodies.
There is also concern that the UK won't be granted the adequacy-plus agreement it desires because of national legislation, particularly the controversial Snoopers' Charter, which it has already had to admit breaches data protection law.
Or as lawyer and writer David Allen Green put it:
Just choked as the former home secretary who forced through the investigatory powers legislation boasted of the UK's standards of data protection.— David Allen Green (@davidallengreen) March 2, 2018
The UK's tech industry has previously said it wants full compliance with the GDPR and warned Brexiteers against the perception that the GDPR is incompatible with securing new trade agreements. ®