Data retention for EU citizens travelling between UK and EU during Brexit transition/implementation period
Context: I'm an EU citizen studying in the UK. When I travel to my home country in the EU (for example through a direct flight or by train), and then return to the UK, some of my personal information is processed and stored. This concerns all stages of my travel, in both directions: obtaining visa for those who are not EU, booking my ticket, checking-in and completing APIS, going through security, boarding, flying (data is transmitted to countries over which my plane flies), landing card, border checks at arrival, fingerprints and what they tell to the border officer (where they're staying or who they're visiting...) etc.
Question: How will retention of this data (retention period, retention databases) be regulated for travels happening during the Brexit transition/implementation period?
Steps to follow in order to answer my question:
This below isn't part of my question, but is how I would try to answer it. Please someone more knowledgable fill in the details!
Data retention periods are set both in EU law and domestic law. As far as I understand it EU law will still apply (but there might be some caveats that should be explained in the Withdrawal Agreement Bill 2019, which I haven't read). As a consequence, it seems that nothing can change before the end of the transition period, that would breach EU law (modulo the caveats in the Withdrawal Bill). Therefore my question boils down to:
* Understanding if really the Withdrawal Bill preserves EU law during the transition period,
* Figuring out what the caveats are,
* Understanding what domestic law is in charge of, and how this law can change while not breaching the terms set out in the Widrawal Bill (i.e. looking at the two points above, preserving EU law with caveats).
Now with respect to the first two points, sources are
* https://publications.parliament.uk/pa/bills/cbill/58-01/0001/20001.pdf for the Withdrawal Bill and
* https://publications.parliament.uk/pa/bills/cbill/58-01/0001/en/20001en.pdf for the corresponding notes.
I hope that some of you has read this, unfortunately I haven't yet.
Now with respect to the last point, domestic law which regulates data retention is probably contained in the following sources:
* some FOI requests (I haven't read any of them),
* EEA Regulations 2016 (which according to Wikipedia are possibly being changed on Brexit day, which means when the transition period STARTS!),
* (possibly internal) directives which are specific to some departmens of the UK govt (internal border directives, home office directives etc) (I've read already what is found at https://www.gov.uk/brexit and nothing useful is found).
I hope that some of you is familiar with the above sources and can help me out understanding.
Important Note: It might happen that right before the retention period expires, the legal framework changes and everything is kept forever: in fact my understanding is that the law is not quite "you give me your info and I promise will delete in X years" but rather "you give me your info, and every day I will look at what the current law says and delete accordingly".
An example of an official directive, and how unclear this can be:
From https://www.gov.uk/government/publications/personal-information-use-in-borders-immigration-and-citizenship/borders-immigration-and-citizenship-privacy-information-notice#how-long-we-keep-your-personal-information-for
This seems to suggest they keep data concerning my personal information forever:We will keep your personal information for as long as it is necessary for permitted purposes. In the borders, immigration and citizenship system, we maintain a long-term record of immigration history and immigration offending to support future decision-making and enforce penalties.
andInformation on foreign national offenders may be retained until the death of the data subject.
andHowever, it should be noted that the Jay Inquiry, which commenced in February 2015, has placed a moratorium on the disposal of all records throughout the Home Office, including all operational records and case files. This is currently in force and will remain so until further notice. It does not apply where there is a statutory requirement to delete data.
This seems to suggest they keep it for 15 years only instead! (whatever typically means):Personal data will be typically retained for 25 years after a decision to grant settlement or naturalisation and for 15 years after the last action in other cases.
This says they keep names for 5 and APIS for 10 years:At the border, passenger name records data is retained for 5 years. Advance passenger information may be retained for 10 years.
This is when something goes wrong at the border I guess:Arrest and detention records may be held for 6 years.
Best Answer
As far as I understand, UK’s data retention policies are compatible with both UK and EU law. The Home Office’s policies and regulations regarding data retention have been devised keeping in mind the EU’s strict privacy laws. An example of that is PNR. Whilst PNR may be retained for up to five years it has to be depersonalized after 6 months. Being an EU member, the UK has to abide by this policy for all flights originating in Europe. Legally, the Home Office had the option of retaining PNR data for flights outside the EU for longer, but they decided that having two standards would not be cost effective and would not really help for the purposes it was being collected for.
The current data retention policy has been created after much deliberation. I don’t see why it needs to be changed after Brexit. After all, even if not bound by EU laws, the Home Office will still have to abide by the UK’s own data protection laws. Any attempt to change retention policies will face strong criticism and legal challenge from privacy advocates.
The question that should be asked is “what will happen to data in post Brexit-UK that was collected before Brexit?” Again, this would only be an issue if there is a policy change.
A definitive answer can only be written after an explicit intention by the Home Office to change policy. Everything else is speculation.
Pictures about "Data retention for EU citizens travelling between UK and EU during Brexit transition/implementation period"
Is GDPR still valid in UK after Brexit?
Data protection law after 31 December 2020: does the GDPR apply in the UK after Brexit? No, the EU GDPR does not apply in the UK after the end of the Brexit transition period on 31 December 2020.Can EU data be stored in the UK?
Yes. Now the EU has an approved adequacy decisions for the UK, most EEA processors will be able to send personal data back to UK controllers with no restrictions.How do I keep EU citizenship after Brexit?
How can I get an EU passport after Brexit? In order to get an EU passport after Brexit you can apply to one of Europe's citizenship or residency by investment programs. In exchange for a qualifying investment, you and your family can get EU citizenship after Brexit.Can EU citizens use eGates after Brexit?
ID cards will no longer be accepted as a valid travel document to enter the UK, though some exemptions do apply. UK and EU citizens may use the eGates at passport control.Brexit: The transition period explained - BBC News
Sources: Stack Exchange - This article follows the attribution requirements of Stack Exchange and is licensed under CC BY-SA 3.0.
Images: freestocks.org, Wikimedia Commons, ArtHouse Studio, Ethan Wilkinson