A look at the UK-US Agreement on visa, immigration and nationality information sharing

Just when our data-related attention has been fixed on the Snowden revelations, it seems the UK and US authorities have decided to ‘regularise’ data exchange on people for visa, immigration and nationality purposes. This decision was set out in a bilateral agreement signed on 18 April 2013 in New Zealand, resulting in a whole new level of exchange of personal data between states. It came into effect in November 2013, but was presented to Parliament in January this year.

Our government maintains that this level of data exchange is lawful – yet we consider it violates every principle of EU data protection law.

The new agreement is important as it permits the exchange of substantial amounts of personal data collected in the context of visa and immigration procedures between the two countries. As everyone who works in the immigration field is well aware, people must divulge enormous amounts of sensitive personal data in immigration procedures. It has always been a matter of speculation to what extent that personal data is secure, particularly since the UK forms started including a mandatory ‘consent’ box for the UK authorities to share personal data with other parts of government and indeed with other countries (without notifying the data subject either before or afterwards). Some jurists have questioned whether such consent, which is both mandatory and so wide that the individual can have no idea what may be done with his or her data, is actually valid consent for the purposes of data protection law and the right to privacy. In a new report, Jan-Philipp Albrecht, a rapporteur for the European Parliament's Civil Liberties, Justice and Home Affairs Committee on the proposed EU data protection reforms, said that consumers should not have to opt out from automatic settings in order to avoid businesses deeming that they have given consent to their personal data being processed. For further information, see ‘A pre-ticked box in web forms should NOT mean consent - EU report’.

There are four aspects of the Agreement which bear attention: (1) the definition of Information; (2) the scope and purpose of the agreement; (3) disclosure and use of data; (4) protections for the data subject.

Information

The definition of Information is a key part of the agreement as everything else depends on it. Information means data which a person provides to either of the authorities (US or UK) for the purposes of:

  • Authorisation for transit;
  • Travel (e.g. visas, ESTAs etc);
  • Work (all categories);
  • Residence (all categories);
  • Citizenship applications (all types).

This includes personal data on admissibility, immigration or nationality compliance actions and/or decisions. All this personal data is Information which may be shared between the parties. This covers just about everything which a person provides to the immigration authorities on either side of the Atlantic.

Scope and Purpose

Personal data categorised as Information can be shared between the UK and US authorities for the following purposes:

  • To enforce or administer immigration and nationality laws of either party;
  • To facilitate decision-making on applications for transit, visas, admission, extension of stay, other immigration benefit, nationality or removal;
  • To prevent, investigate or punish acts that would constitute a crime which would make the individual inadmissible or removable under the laws of either party (this last one is particularly wide).

This personal data can be provided either on a systemic search or a case-by-case one. So the US authorities could ask for all personal data on, for instance, anyone who has received Tier 2 general leave (and their family members) in a systemic search (or all asylum seekers), or could ask for all personal data on a named individual.

The scope of the agreement is limited to personal data on people who are neither British nor US citizens (though the temporal element in respect of information on citizenship applications is entirely unclear). The UK authorities have also signalled that “The UK will hold limited, if any, Information about European Economic Area nationals and their family members due to their free movement rights under European Union (EU) law.” This is rather disingenuous as there is no commitment not to share Information on EU citizens and their family members. It is only a warning to the US authorities that they may not have very much on these people. Also, there is no limitation on the UK authorities seeking information on EU citizens and their family members from the US authorities.

Disclosure and Use of Data

The UK and US authorities agree to provide one another with Information so long as it is for one of the purposes set out above. They may disclose all the personal data they wish to any of their domestic authorities which can make out an argument that they have a role in carrying out one of the purposes. This could include criminal justice authorities, intelligence and police. The parties agree not to disclose this personal data to any private party, the public, a foreign government, international organization or court without express consent of the other party. However, if the other party consents then they can share the data further with courts and other governments. The only limitation is that when the authorities are sharing personal data they make their best efforts to ensure that the data is not disclosed to home authorities of refugees or persons with protection under the Convention against Torture (that is to say, disclosed to the persecutors). If the person has not yet been granted refugee status or CAT protection then the parties should not share his or her personal data with the home state if it is ‘reasonably foreseeable’ that the person will be granted international protection. The same goes for the asylum seeker’s family members.

If one of the parties loses the personal data, or it is accessed by unauthorised persons, that party has to notify the other.

Protections for the data subject

There is not much here. The UK and US authorities confirm to one another in the agreement that they have systems whereby people can request access to their personal data and its correction or notation. They further assure one another that where their authorities refuse to give access to data or to correct it, the data subject can seek redress. The UK and US authorities permit themselves to retain all the personal data they have exchanged for as long as they think it necessary. They are only obliged to destroy personal data if it is not relevant to a purpose or erroneously provided.

Conclusions

The audacity of the agreement is astonishing. Virtually every principle of European data protection law is violated:

  • Consent of the data subject – this can only be dispensed with where the authorities can make out an individual and justified case on a permitted ground;
  • Purpose limitation – personal data, even with consent, can only be used for the purpose for which it has been collected;
  • No sharing without consent of the data subject;
  • The data subject always has a right to correction;
  • The personal data must be deleted once it has been used for its exclusive (and usually singular) permitted purpose. For a good outline of these rules see the helpful fact sheets of the European Court of Human Rights’ judgements on data.

The agreement may run into trouble on two main legal counts: EU data protection law and the rights of EU citizens to have their data protected, and the right to privacy under Article 8 of the European Convention on Human Rights.