2

Context: I'm an EU citizen studying in the UK. When I travel to my home country in the EU (for example through a direct flight or by train), and then return to the UK, some of my personal information is processed and stored. This concerns all stages of my travel, in both directions: obtaining visa for those who are not EU, booking my ticket, checking-in and completing APIS, going through security, boarding, flying (data is transmitted to countries over which my plane flies), landing card, border checks at arrival, fingerprints and what they tell to the border officer (where they're staying or who they're visiting...) etc.

Question: How will retention of this data (retention period, retention databases) be regulated for travels happening during the Brexit transition/implementation period?

Partial Answer: Data retention periods are set both in EU law and domestic law. As far as I understand it EU law will still apply (but there might be some caveats that should be explained in the Withdrawal Agreement Bill 2019, which I haven't read). As a consequence, it seems that nothing can change before the end of the transition period, that would breach EU law (modulo the caveats in the Withdrawal Bill). Therefore my question boils down to:

  • Understanding if really the Withdrawal Bill preserves EU law during the transition period,
  • Figuring out what the caveats are,
  • Understanding what domestic law is in charge of, and how this law can change while not breaching the terms set out in the Widrawal Bill (i.e. looking at the two points above, preserving EU law with caveats).

Now with respect to the first two points, sources are

Now with respect to the last point, domestic law which regulates data retention is probably contained in the following sources:

  • some FOI requests (I haven't read any of them),
  • EEA Regulations 2016 (which according to Wikipedia are possibly being changed on Brexit day, which means when the transition period STARTS!),
  • (possibly internal) directives which are specific to some departmens of the UK govt (internal border directives, home office directives etc) (I've read already what is found at https://www.gov.uk/brexit and nothing useful is found).

I hope that some of you is familiar with the above sources and can help me out understanding.

Important Note: It might happen that right before the retention period expires, the legal framework changes and everything is kept forever: in fact my understanding is that the law is not quite "you give me your info and I promise will delete in X years" but rather "you give me your info, and every day I will look at what the current law says and delete accordingly".

An example of an official directive, and how unclear this can be: From https://www.gov.uk/government/publications/personal-information-use-in-borders-immigration-and-citizenship/borders-immigration-and-citizenship-privacy-information-notice#how-long-we-keep-your-personal-information-for

This seems to suggest they keep data concerning my personal information forever:

We will keep your personal information for as long as it is necessary for permitted purposes. In the borders, immigration and citizenship system, we maintain a long-term record of immigration history and immigration offending to support future decision-making and enforce penalties.

and

Information on foreign national offenders may be retained until the death of the data subject.

and

However, it should be noted that the Jay Inquiry, which commenced in February 2015, has placed a moratorium on the disposal of all records throughout the Home Office, including all operational records and case files. This is currently in force and will remain so until further notice. It does not apply where there is a statutory requirement to delete data.

This seems to suggest they keep it for 15 years only instead! (whatever typically means):

Personal data will be typically retained for 25 years after a decision to grant settlement or naturalisation and for 15 years after the last action in other cases.

This says they keep names for 5 and APIS for 10 years:

At the border, passenger name records data is retained for 5 years. Advance passenger information may be retained for 10 years.

This is when something goes wrong at the border I guess:

Arrest and detention records may be held for 6 years.

Improve this question
1
  • 1
    The answer you posted, which was deleted, was posted under another account (link). If you merge your accounts, you will have access to the deleted answer. By logging in with the account that owns this question (link), you will have the ability to comment on this question and on the answers to this question.
    – phoog
    Commented Feb 25, 2020 at 23:31

1 Answer 1

Reset to default
0

I think the definitive answer to the headline question will be in data protection legislation rather than the Withdrawal Agreement.

The provisions of 2016/679 (with some listed exemptions and revisions) have been incorporated in the Data Protection Act 2018. I've seen no indication that changes to this Act are being considered during (or after) the transition period.

The UK government page on the DPA suggests that the Act has been written to take into account an end to EU membership.

Improve this answer
2
  • Did you read any of 2016/679 or DPA, in particular do you know which sections might be useful for understanding matters concerning data retention for EU citizens travelling between UK and EU during Brexit transition/implementation period?
    – rapuwepu
    Commented Jan 26, 2020 at 14:53
  • If the law is in the data protection regulation, then what about prior to 2016, ie prior to the current EU regulation? What is actually written in the EU/UK Data protection regulation with respect to this matter? I don't understand your second and third paragraph: won't the EU regulation hold until the end of the transition period anyway?
    – rapuwepu
    Commented Jan 26, 2020 at 21:59

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .