Law enforcers beware: significant changes to data laws are on the way

What is happening?

As many readers will be aware, the European Commission is in the process of finalising the General Data Protection Regulation (the GDPR). This will set out a new legal framework governing the collection, use and disclosure of personal data by organisations across Europe. When finalised, the GDPR will replace the Data Protection Act 1998 (the Act) in the UK.

Whilst these negotiations are reaching their final stages, one would expect that, post-adoption, the Act would be redundant. However, there is a strong possibility that the Act may be around for longer than expected.

It is important to note that, whilst the GDPR has attracted all the attention, there are other, less highly publicised, but still important, pieces of sector specific European data protection legislation scheduled to be implemented within the same timeframe as the GDPR.

The Police and Criminal Justice Data Protection Directive

The Police and Criminal Justice Data Protection Directive (2012/0010) (the Directive) seeks to regulate the use of personal data for law enforcement purposes, specifically "for the purposes of prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties or the safeguarding against and the prevention of threats to public security." 

The Directive will cover the use of personal data for law enforcement purposes by not just police forces, but also public organisations tasked with tackling crime. This includes Local Authorities undertaking statutory functions that could result in criminal prosecutions, such as illegal dumping of waste and trading standards offences.

Unlike the GDPR, the Directive will need to be implemented into each country's statute book. This allows member states some degree of flexibility in respect of the application of the Directive's provisions. 

This means that organisations that fulfil law enforcement functions will need to comply with two data protection regimes. For most of Europe the requirements of the Directive, as implemented by national law, will apply in relation to data used for law enforcement purposes. The GDPR will apply in relation to all other uses of personal data. 

What is different in the UK?

This dual regime for law enforcers may sound complicated enough but in the UK the situation is even less certain. Unlike most of the rest of Europe, the UK government has an opt-out in respect of the application of European data protection legislation in relation to domestic law enforcement. The UK has partly exercised this opt-out, so whilst the UK has agreed to be bound by the Directive, when adopted, to permit the sharing and receipt of personal data for law enforcement purposes with other member states in Europe, it has opted out of the Directive's provisions in relation to the processing of personal data for law enforcement purposes within the UK.

This leaves a gap in the UK regulation, as the GDPR does not regulate use of personal data for law enforcement purposes.

This has left the UK government with a number of options:

  • Revoke the exercise of the opt-out so that the Directive will apply in the UK. This seems highly unlikely given the current government's stance on national sovereignty over criminal justice matters.
  • Pass UK legislation to extend the scope of the GDPR in the UK to also cover domestic law enforcement purposes. This is a possible solution but would require careful consideration of any consequential effects that would not be desirable in the law enforcement arena. 
  • Retain the Act, or an amended version of the Act to continue to regulate use of personal data for law enforcement purposes. This is perhaps the easiest solution to implement and would require least change for law enforcement bodies. However, with the GDPR imposing stricter obligations in a number of areas, this could result in highly sensitive information used for law enforcement purposes being subject to a less stringent regime than comparatively benign data that will be regulated by the GDPR.
  • Enact completely new UK specific legislation for domestic law enforcement data processing.

What does this mean for organisations undertaking law enforcement activities in the UK?

Public bodies using personal data for law enforcement purposes need to be prepared to implement three separate but related governance regimes for personal data:

  • one regime to deal with law enforcement data processed within the UK (the requirements for which are entirely unknown in the UK at the moment);
  • the Directive in relation to law enforcement data sent to or received from other member states; and
  • the GDPR to regulate the processing of all other personal data. 

The European deadline for finalising the new legislation is the end of 2015, although this seems likely to slip into 2016. There will then be an implementation period of 18 months to two years before the new laws come into force. However, even when the final texts of the GDPR and the Directive are agreed it is still not clear what steps the UK government will take to regulate use of personal data for law enforcement purposes.

What can you do now to prepare?

It would be precipitous to undertake any substantive work in preparation for the new regime at this point but officers should be mindful of the potential new data protection framework. Officers should identify where information is held solely for law enforcement purposes, and whether or not such data is held in systems that solely hold personal data for law enforcement purposes. 

More substantive work can be undertaken to prepare for implementation of the GDPR in relation to use of personal data for non-law enforcement related purposes. Although the GDPR is still in draft form, we know that the following changes are highly likely to be implemented:

  • additional transparency requirements, which will require a review and update of all existing privacy notices;
  • new rights for individuals in relation to data deletion and data portability, which will require new processes and procedures to be put in place and additional staff training;
  • mandatory breach reporting obligations, which will require an effective breach management procedure to be in place;
  • a new requirement to carry out privacy impact assessments for projects involving particularly intrusive data processing; and
  • obligations to implement 'privacy by design' tools to ensure that privacy is built into systems, processes and procedures from the outset and as a default.

A number of these obligations are already best practice and organisations would be well advised to start implementing privacy by design principles and privacy impact assessments if they have not done so already. We also recommend that organisations undertake a 'data mapping' exercise to ensure they have a good understanding of how, why and where personal data is being collected and shared/disclosed across the organisation. Having a good grip of data flows and the reasons why personal data needs to be used across the organisation will be an effective starting point for implementing the new legislation when it is finalised.

Contributor: Varun Shingari

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions on www.TLTsolicitors.com