Among all of the hype surrounding the General Data Protection Regulation (GDPR), some other aspects of information law are being overlooked; I have already written about the Privacy and Electronic Communications (EC Directive) Regulations 2003 and how they are forgotten about. The GDPR is not the only new piece of EU law which is due to take effect in May and which will impact data protection and privacy law in the United Kingdom. The processing of personal data by data controllers for the purpose of law enforcement falls outside of the scope of the GDPR; instead this is dealt with by the Law Enforcement Directive (LED). As the LED is a Directive rather than a Regulation, it does not have direct effect and therefore requires to be transposed into Member States’ domestic law. This is being achieved in the UK through Part 3 of the Data Protection Bill.
The LED is perhaps not as visible as the GDPR because of its much more limited scope. However, this blog aims to cover all information law bases and it would be remiss of me not to write something on it at least. The LED, and therefore the provisions of Part 3 of the Data Protection Bill, applies to what have been termed as “competent authorities” for the purposes of “the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”; these purposes are collectively known as the “law enforcement purposes”.
So, who needs to bother about the LED? Obviously, competent authorities have to bother about it because it governs how they process personal data for the law enforcement purposes; however, they are not the only ones. Data subjects should also be concerned about the LED as it governs how their personal data is processed by these competent authorities and sets out what rights they have in relation to personal data processed by them for law enforcement purposes. The competent authorities are mostly set out in Schedule 7 to the Data Protection Bill; however, clause 30(1)(b) of the Data Protection Bill provides that “any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes” is also a competent authority. The most obvious competent authority is the police; however, there are quite a few others listed within Schedule 7, including Revenue Scotland, the Department for Work and Pensions, the Police Investigations and Review Commissioner and HMRC. Of course, both the Information Commissioner and Scottish Information Commissioner process personal data for the law enforcement purposes and therefore Part 3 of the Data Protection Bill would apply to them when they’re processing personal data in that capacity. In terms of clause 30(1)(b) competent authorities, the most obvious example would be local authorities, who are responsible for things such as Trading Standards provision and also the investigation of fraud concerning benefits administered by them.
One thing that should be noted is that the security and intelligence services (The Security Service, Secret Intelligence Service and GCHQ) are not covered by the LED. National Security falls outside of the scope of EU law and therefore the European Union has no competence to regulate these areas. Therefore, although the Security Services process personal data for law enforcement purposes, the LED does not apply to them. The Data Protection Bill does make provision for the processing of personal data by the security and intelligence agencies; this can be found in Part 4 of the Data Protection Bill (and falls outside of the scope of this blog post).
Chapter 1 of Part 3 of the Data Protection Bill provides the key definitions which require to be used when applying Part 3. The definitions are broadly the same as those to be found in the GDPR with relevant modifications being made. Therefore if you are familiar with data protection law then these definitions will not be too alien to you.
Chapter 2 of Part 3 of the Data Protection Bill sets out the six principles to be complied with when processing personal data under Part 3. Meanwhile, Chapter 3 sets out data subjects’ rights; including the right to subject access, the right to rectification and the right to erasure or restriction of processing.
The rights of data subjects under Part 3 of the Data Protection Bill will be the subject of a separate blog post later in the month; however, suffice it to say that they have a more limited scope than under the GDPR because of the nature of the processing being dealt with.
There is one final part of the Data Protection Bill to make mention of in this blog post and that is Schedule 8 to the Data Protection Bill. This Schedule sets out the conditions which must be met before a competent authority can carry out sensitive processing of personal data under Part 3.
The LED is supposed to be transposed into Member States’ domestic law by 6th May 2018; it remains to be seen whether the Data Protection Bill will complete its passage through Parliament and receive Royal Assent in time to allow Part 3 to be commenced by then.
If you require any advice or assistance in connection with the provisions of the Law Enforcement Directive or any other information law concern, please contact Alistair Sloan on 0345 450 0123 or send him an E-mail.