Does this section apply to us?
This section applies if you are a UK competent authority currently processing personal data for law enforcement purposes under Part 3 of the Data Protection Act 2018.
If you are not a competent authority, or if you are processing personal data for non-law enforcement purposes (eg HR records), this section does not apply.
For further information, see our Guide to law enforcement processing.
How can we prepare?
- The first thing to do is to take stock. Understand your international flows of personal data for law enforcement purposes, especially with your law enforcement partners in the EU.
- Discuss with your partners in the EU whether they need you to put any additional safeguards in place to permit you to receive transfers from the EU into the UK. The sender is likely to be able to consider relying on local law enforcement processing provisions, which should permit transfers under (a) a contract or other legally binding instrument containing appropriate safeguards, or (b) the sending controller’s own assessment that appropriate safeguards are in place (taking into account the safeguards in the DPA 2018).
- Update your processing record, privacy notice and logs with details of transfers to law enforcement partners in EU member states. The UK government has confirmed transitional adequacy provisions will allow transfers to the EU and Gibraltar for law enforcement purposes to continue, but you should review our guidance on international transfers under the law enforcement processing regime. If you are making any transfers of personal data for law enforcement purposes to EU recipients who are not relevant authorities, you will need to start notifying the ICO from exit day (section 77(7)).
How will the law enforcement regime change?
Part 3 of the Data Protection Act 2018 brings the EU Law Enforcement Directive EU2016/680 into UK law. This complements the GDPR and sets out requirements for processing personal data for criminal law enforcement purposes. Part 3 of the Data Protection Act 2018 will continue to be law after exit date, with some specific amendments to the transfer provisions to reflect that the UK is no longer an EU member state.
Most of your obligations will not be affected. The two key areas to consider are:
- transferring personal data out of the UK (sections 73 and 74); and
- receiving personal data from the EU into the UK.
How can we transfer data out of the UK?
On exit date, the EU member states will become third countries under Part 3. This means the rules on international transfers for law enforcement purposes will apply to transfers from the UK to the EU.
The general rule is that you can still transfer personal data to your partner law enforcement authorities in third countries (including EU member states) if the transfer is necessary for law enforcement purposes and the transfer is covered by a UK adequacy decision or an appropriate safeguard, or special circumstances (ie an exemption) apply. You can also transfer personal data to other recipients (who are not relevant authorities) if you meet some additional conditions and notify the ICO. For full details, read the international transfers section of our Guide to Law Enforcement Processing.
The UK government has confirmed that there will be transitional provisions to permit transfers to EU member states and Gibraltar for law enforcement purposes on the basis of new UK adequacy regulations. (For law enforcement purposes, this will not extend to EEA countries outside the EU, where you should continue to consider other safeguards.)
The position on transfers to countries outside the EU will remain the same, and you can continue to follow our existing guidance.
How can we maintain transfers from the EU into the UK?
Other EU member states will have similar laws in place that also implement the Law Enforcement Directive. Once we leave the EU, the UK will become a third country and rules on international transfers will apply to transfers to the UK.
The European Commission and EU member states will need to make decisions regarding transfers of personal data to the UK for law enforcement purposes. If the EU Commission makes a formal ‘adequacy decision’ under the Law Enforcement Directive that the UK regime offers an adequate level of protection, there will be no need for specific additional safeguards. However, if we leave the EU without a deal, there will not yet be such a decision in place.
This means the sender will need to ensure ‘appropriate safeguards’ are in place under the national law in their member state. The likely options are:
- a contract or other legally binding instrument containing appropriate safeguards; or
- the sender’s own assessment that appropriate safeguards exist. The sender can take into account the ongoing protection provided by the DPA 2018 itself when assessing appropriate safeguards.