The UK government's plan to excuse itself from having to hand over information about the data it holds on immigrants has received short shrift from MPs.
In the first debate on the Data Protection Bill in the House of Commons on Monday evening – the draft text having been passed by the Lords in January – MPs lambasted an exemption that critics say will prevent people gaining access to immigration data held on them.
The Data Protection Bill aims to implement the European Union's General Data Protection Regulation, as well as replacing existing UK laws on data processing by corporate and law enforcement bodies.
Although culture secretary Matt Hancock described it as "a forensic Bill", other members were less kind.
"We would argue that it is a little bit more piecemeal," said Labour MP Liam Byrne. "It is not haphazard; it is seeking to do a job by incorporating a substantive bit of legislation from Brussels into British law. However, we are troubled that the privacy provisions are not quite robust enough."
SNP members were equally disapproving, with Brendan O'Hara saying that "in certain crucial areas, it falls short of what we expect from modern data protection legislation".
Immigration exemption 'deeply worrying'
In common with other MPs, O'Hara said a central cause for concern was the immigration exemption, which he described as "deeply worrying".
The clause, which was unsuccessfully challenged in the House of Lords, would bring in a broad exemption removing a person's rights as a data subject – their ability to access information or ask how it is being used – if satisfying them would prejudice "effective immigration control".
There is, though, no legal definition of immigration control on the face of the Bill and O'Hara said that, "given that effective immigration control is both highly subjective and highly political, I fear it will make individuals' rights extremely susceptible to changes in political tides".
He added: "This broad, wide-ranging exemption is fundamentally unfair, and it runs contrary to basic human rights. It is unprecedented and as unnecessary as it is disproportionate."
UK.gov told: Scrap immigration exemption from Data Protection Bill or we'll see you in courtREAD MORE
A number of MPs relayed examples of situations where immigrants or British citizens would have to rely on subject access requests to gain the information they needed to challenge incorrect assumptions made by the Home Office.
Such requests, allowed under existing data protection laws, are often the only way lawyers can gain access to information about people's immigration histories.
"In a recent answer to a House of Lords question, the other place was told that in the 10 years to 2015, 250,000 appeals were allowed against the Home Office," said SNP member Joanna Cherry.
"Allowing the Home Office an exemption from subject access requests in immigration matters will have the effect of insulating the government from challenges to unlawful decision making, and that is just not right."
Lib Dem MP Ed Davey said that what Whitehall had done to the Bill with this addition, which is not present in the GDPR, was "dirt-smearing", and pressed the government for an explanation of the thinking behind it.
But both Hancock and minister Margot James refused to acknowledge these concerns, with James saying only that the government was "not seeking a blanket exemption".
Hancock also shrugged off Cherry's statement that legal opinions suggested the immigration exemption would not be permissible under the GDPR, saying simply that "there are always legal opinions about everything".
Eerke Boiten, a data privacy and cybersecurity expert at De Montfort University, said this "casual dismissal" of legal advice was "a bit shocking".
But he, along with many other observers, welcomed the number of interventions on the exemption, which has been the centre of campaigns from a number of civil rights groups.
"The exemption of data protection rights, particularly regarding access to data, for immigration purposes means that mistakes will remain unchallenged and uncorrected," Boiten said.
He added that it was "good to see that some MPs have finally picked up on the issue of UK adequacy under GDPR once the UK becomes a third country for the EU – after data protection experts have been warning of this issue from the start of Brexit".
Indeed, many made a direct link between the two, with Davey's being perhaps the most succinct: "I say candidly to those on the Treasury Bench that if they want their Brexit negotiations to proceed as smoothly as internal Tory party politics allows, and to secure the data adequacy agreement that British business desperately needs, they will have to drop that immigration exemption—not water it down, not caveat it, but drop it."
But even if the government were to scratch the exemption, it would have a number of other hurdles to jump if it was to be granted an adequacy agreement.
Labour MP Daniel Zeichner said he was pleased that the prime minister Theresa May has put continued free flow of data as a priority, but said "she still does not seem quite to understand the pitfalls in seeking an adequacy arrangement".
"Some of the national security and immigration exemptions in this Bill are potentially enough to deny us data adequacy in the eyes of some countries in the EU," he said. "We need to ensure that this Bill is not going to cause us harm further down the line."
Another possible issue is the government's approach to fundamental human rights, with some observers noting that Hancock's references to "British citizens" were a cause for concern, especially in relation to Article 8 of the EU Charter of Fundamental Rights.
"The point about fundamental rights is that they don't just apply to citizens, they apply to everyone," explained Paul Bernal, a privacy and IT expert at the University of East Anglia.
"Rights like these are 'human' rights, not citizens' rights. It's about respect and the dignity of the person – not the protection provided by a state to its citizens. Our current government has a lot of difficulty with this."
Since the GDPR is underpinned by the Charter, if the UK wants an adequacy decision, "we would have to respect that charter" – a data protection regime that only applies to citizens runs directly counter to that, and so "would mean, effectively, the EU could not trust the UK with person data".
"We already have problems because our surveillance regime does not respect privacy sufficiently: this 'citizens vs everyone' issue could be the final nail in the coffin of our chances for adequacy. That would be a hammer blow to a vast range of businesses in the UK."
MPs mount the press regulation hobby horse
Other issues touched on during the debate included provisions on automated decision-making, the framework for data processing by government – another area that has come under fire from the ICO – and small businesses.
Opposition MPs also lobbied the government to implement Article 80(2) of the GDPR, which would allow certain not-for-profit bodies to complain to a regulator without an individual instructing them to, saying this would improve consumer rights.
However, much of the four-hours spent on the second reading – which gives a flavour of the issues that will come up during the Public Bill Committee stage – was taken up with interventions and speeches on journalism, as the Bill is being used to push through rules on press regulation.
Many observers found this a disappointment.
"I hope that the politicians' ongoing obsession with press regulation, which should never have been tied in with this Data Protection Bill in the first place, will not stop them from discussing the real data protection issues and getting this bill right," said Boiten.
Others took to Twitter to complain:
And even SNP MP Cherry suggested that the debate risked being derailed by too much focus on this topic – which has been repeatedly debated, at great length, in the Commons.
"Let us not sweep these issues under the carpet – let us have a full and frank debate about them—but we should not let the Leveson issues completely dominate the debate about the Data Protection Bill, because it covers very important issues beyond Leveson," she said.
However, the MPs don't have long to consider these issues, as the government's aim is to have the Bill on the statute book by May 6 – ahead of the May 25 deadline for GDPR.
"Given the time constraints on the Bill…I understand why the Government would like debate on it to be narrowly focused. In many ways that is a shame, as this is a prime opportunity to debate some of the most pressing public policy issues of the day," said Labour's Darren Jones.
"In one way, that is one of the greatest challenges for the Bill, because—this is not a criticism but a statement of fact—this debate is about more than what is in the Bill."
The Public Bill Committee is due to meet for the first time on Tuesday 13 March, and is accepting written evidence until 27 March. ®