Does this section apply to us?
This section applies if you are a UK competent authority currently processing personal data for law enforcement purposes under Part 3 of the Data Protection Act 2018.
If you are not a competent authority, or if you are processing personal data for non-law enforcement purposes (eg HR records), this section does not apply.
For further information, see our Guide to law enforcement processing.
How can we prepare?
- The first thing to do is to take stock. Understand your international flows of personal data for law enforcement purposes, especially with your law enforcement partners in the EU.
- Discuss with your partners in the EU whether they need you to put any additional safeguards in place to permit you to receive transfers from the EU into the UK. The sender is likely to be able to consider relying on local law enforcement processing provisions, which should permit transfers under (a) a contract or other legally binding instrument containing appropriate safeguards, or (b) the sending controller’s own assessment that appropriate safeguards are in place (taking into account the safeguards in the DPA 2018).
- Update your processing record, privacy notice and logs with details of transfers to law enforcement partners in EU member states. The UK government has confirmed transitional adequacy provisions will allow transfers to the EU and Gibraltar for law enforcement purposes to continue, but you should review our guidance on international transfers under the law enforcement processing regime. If you are making any transfers of personal data for law enforcement purposes to EU recipients who are not relevant authorities, you need to notify the ICO (section 77(7)).
How has the law enforcement regime changed?
Part 3 of the Data Protection Act 2018 brought the EU Law Enforcement Directive EU2016/680 into UK law. This complements the UK GDPR and sets out requirements for processing personal data for criminal law enforcement purposes. Part 3 of the Data Protection Act 2018 continues to be law now that the transition period has ended, with some specific amendments to the transfer provisions to reflect that the UK is no longer an EU member state.
Most of your obligations will not be affected. The two key areas to consider are:
- transferring personal data out of the UK (sections 73 and 74); and
- receiving personal data from the EU into the UK.
How can we transfer data out of the UK?
EU member states are now third countries under Part 3. This means the rules on international transfers for law enforcement purposes will apply to transfers from the UK to the EU.
The general rule is that you can still transfer personal data to your partner law enforcement authorities in third countries (including EU member states) if the transfer is necessary for law enforcement purposes and the transfer is covered by a UK adequacy decision or an appropriate safeguard, or special circumstances (ie an exemption) applies. You can also transfer personal data to other recipients (who are not relevant authorities) if you meet some additional conditions and notify the ICO. For full details, read the international transfers section of our Guide to Law Enforcement Processing.
The UK government has confirmed transitional provisions to permit transfers to EU member states, EEA countries outside of the EU, Switzerland and Gibraltar for law enforcement purposes on the basis of new UK adequacy regulations.
The position on transfers to countries outside the EU will remain the same, and you can continue to follow our existing guidance.
How can we maintain transfers from the EU into the UK?
Other EU member states have similar laws in place that also implement the Law Enforcement Directive. The UK is now a third country and rules on international transfers apply to transfers to the UK.
The European Commission and EU member states have not yet made decisions regarding transfers of personal data to the UK for law enforcement purposes. As part of the new trade deal, the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as the bridge). On 19 February 2021 the European Commission published its draft decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate.
The draft decisions will now be considered by the European Data Protection Board (EDPB) and a committee of the 27 EU Member Governments. If the committee approves the draft decisions, then the European Commission can formally adopt them as legal adequacy decisions. In the absence of adequacy decisions at the end of the bridge, law enforcement transfers from the European Economic Area (EEA) to the UK will need to comply with Law Enforcement Directive transfer restrictions.
If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April, if you haven’t done so already. If the EU Commission adopts an adequacy decision under the Law Enforcement Directive that the UK regime offers an adequate level of , there will be no need for specific additional safeguards.
Unless the EU adopts an LED adequacy decision, the sender will need to ensure ‘appropriate safeguards’ are in place under the national law in their member state. The likely options are:
- a contract or other legally binding instrument containing appropriate safeguards; or
- the sender’s own assessment that appropriate safeguards exist. The sender can take into account the ongoing protection provided by the DPA 2018 itself when assessing appropriate safeguards.