Does this section apply to us?
You should read this section if you are a UK competent authority currently processing personal data for law enforcement purposes, and therefore Part 3 of the Data Protection Act 2018 already applies to you.
If you are not a competent authority, or you are processing personal data for non-law enforcement purposes (eg HR records), this section does not apply to you.
For further information, see our Guide to law enforcement processing.
What are the key points?
Part 3 of the Data Protection Act 2018 brings the EU Law Enforcement Directive EU2016/680 into UK law. This complements the GDPR and sets out requirements for processing personal data for criminal law enforcement purposes. Part 3 of the Data Protection Act 2018 will continue to be law after exit date, with some specific amendments to the transfers provisions to reflect that the UK is no longer an EU member state.
Most of your obligations will not be affected. The two key areas to consider are:
- transferring personal data out of the UK (sections 73 and 74); and
- receiving personal data from the EU into the UK.
Transferring personal data out of the UK
On exit date, the EU member states will become third countries under Part 3. This means the rules on international transfers for law enforcement purposes will apply to transfers from the UK to the EU.
The general rule is that you can still transfer personal data to your partner law enforcement authorities in third countries (including EU member states) if the transfer is necessary for law enforcement purposes, and the transfer is covered by a UK adequacy decision, an appropriate safeguard, or special circumstances (ie an exemption) applies. You can also transfer personal data to other recipients (who are not relevant authorities) if you meet some additional conditions and notify the ICO. For full details, read the international transfers section of our Guide to Law Enforcement Processing.
The UK government has confirmed that there will be transitional provisions to permit transfers to EU member states and Gibraltar for law enforcement purposes on the basis of new UK adequacy regulations. (For law enforcement purposes, this will not extend to EEA countries outside the EU, where you should continue to consider other safeguards).
The position on transfers to countries outside the EU will remain the same, and you can continue to follow our existing guidance.
Receiving personal data from the EU into the UK
Other EU member states will have similar laws in place that also implement the Law Enforcement Directive. Once we leave the EU, the UK will become a third country and rules on international transfers will apply to transfers to the UK.
The European Commission and EU member states will need to make decisions regarding transfers of personal data to the UK for law enforcement purposes. If the EU Commission makes a formal ‘adequacy decision’ under the Law Enforcement Directive that the UK regime offers an adequate level of protection, there will be no need for specific additional safeguards. However, if we leave the EU on 29 March 2019 without a deal, there will not yet be such a decision in place.
This means the sender will need to ensure ‘appropriate safeguards’ are in place under the national law in their member state. The sender can take into account the ongoing protection provided by the DPA 2018 itself when assessing appropriate safeguards.
How can we prepare?
- The first thing to do is to take stock. Understand your international flows of personal data for law enforcement purposes, especially with your partners in the EU, so you know if any of those transfers will be affected.
- Consider how you may continue to make any transfers to your law enforcement partners in the EU lawfully after exit date. The UK government has confirmed transitional adequacy provisions will be put in place to allow transfers to the EU and Gibraltar for law enforcement purposes, but you should review our guidance on international transfers under the law enforcement processing regime.
- Discuss with your law enforcement partners in the EU whether they need you to put any additional safeguards in place to permit you to receive transfers from the EU into the UK. The European Commission and each member state are still considering the longer-term position on these transfers, but in the meantime the sender is likely to be able to consider relying on local legal provisions implementing the Law Enforcement Directive which permit transfers under (a) a contract or other legally binding instrument containing appropriate safeguards, or (b) the sending controller’s own assessment that appropriate safeguards are in place (taking into account the safeguards in the DPA 2018).
- Update your processing record, privacy notice and logs, with details of transfers to EU member states. If you are making any transfers of personal data for law enforcement purposes to EU recipients who are not relevant authorities, you will need to start notifying the ICO from exit day (Section 77(7)).