What is the EU Law Enforcement Directive?
The EU Data Protection Directive 2016/680, also known as the Law Enforcement Directive (LED), complements the General Data Protection Regulation (GDPR).
It sets out the requirements for:
- the processing of personal data for criminal law enforcement purposes;
- the free movement of such data; and
- replaces the 2008 Council Framework Decision (2008/977/JHA) on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
The Directive applies to EU Member States (including the UK), who are required to transpose it into their national law in May 2018.
Part 3 of the Data Protection Bill 2017 intends to implement the EU Law Enforcement Directive into domestic UK law.
What is the Data Protection Bill, and how does it apply to law enforcement?
The Data Protection Bill will replace the Data Protection Act 1998 (DPA 1998) for domestic processing for criminal law enforcement purposes by competent authorities. Part 3 of the Bill will also govern international transfers for criminal law enforcement purposes.
In practice, this means that specific processing for law enforcement purposes by the police and other law enforcement agencies will be governed by the new provisions in the Bill.
The new law enforcement provisions are intended to cover both cross-border and UK domestic processing of personal data for the law enforcement purposes.
Are the Law Enforcement Provisions in Part 3 of the DP Bill different from the GDPR?
It is important to read the GDPR and the law enforcement provisions of the Bill side by side.
The LE provisions in the Bill only apply to competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (commonly referred to as the Law Enforcement Purposes). The LE provisions are likely to cover criminal courts, prisons and any other person that has statutory functions for any of the law enforcement purposes as well as law enforcement bodies like the police or prosecution bodies.
As with the GDPR, the LE provisions demand more from organisations in terms of accountability, and enhance the existing rights of individuals, subject to appropriate restrictions.
There are some key differences in the requirements of Part 3 of the Bill to:
- categorise individuals (ie witnesses, victims, suspects, convicted perpetrators);
- classify if the data is fact or personal opinion/assessment; and
- log the specific processing actions for automated systems (ie metadata that someone did something at x time) such as collection, alteration, disclosure or erasure.