(1)

Directive (EU) 2016/680 sets out the rules for the transfer of personal data from competent authorities in the Union to third countries and international organisations to the extent that such transfers fall within its scope of application. The rules on international data transfers by competent authorities are laid down in Chapter V of the Directive (EU) 2016/680, more specifically in Articles 35 to 40. While the flow of personal data to and from countries outside the European Union is essential for efficient law enforcement cooperation, it must be guaranteed that the level of protection afforded to personal data in the European Union is not undermined by such transfers (2).

(2)

Pursuant to Article 36(3) of Directive (EU) 2016/680, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country or an international organisation ensure(s) an adequate level of protection. Under this condition, transfers of personal data to a third country may take place without the need to obtain any further authorisation (except where another Member State from which the data were obtained has to give its authorisation to the transfer), as provided for in Article 35(1) and recital 66 of the Directive (EU) 2016/680.

(3)

As specified in Article 36(2) of Directive (EU) 2016/680, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country’s legal order. In its assessment, the Commission has to determine whether the third country in question guarantees a level of protection ‘essentially equivalent’ to that ensured within the European Union (recital 67 of Directive (EU) 2016/680). The standard against which the ‘essential equivalence’ is assessed is that set by EU legislation, notably Directive (EU) 2016/680, as well as the case-law of the Court of Justice of the European Union (3). The European Data Protection Board’s adequacy referential is also of significance in this regard (4).

(4)

As clarified by the Court of Justice of the European Union, this does not require finding an identical level of protection (5). In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the European Union, as long as they prove, in practice, effective for ensuring an adequate level of protection (6). The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test lies in whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection (7).

(5)

The Commission has carefully analysed the relevant law and practice of the United Kingdom (UK). Based on its findings, set out below, the Commission concludes that the United Kingdom ensures an adequate level of protection for personal data transferred from competent authorities in the Union, falling within the scope of Directive (EU) 2016/680, to competent authorities in the United Kingdom falling within the scope of Part 3 of the Data Protection Act 2018 (DPA 2018) (8).

(6)

This Decision has the effect that such transfers may take place without the need to obtain any further authorisation for a period of four years, subject to possible renewal, and without prejudice to the conditions laid down in Article 35 of the Directive (EU) 2016/680.

(7)

The United Kingdom is a parliamentary democracy. It has a sovereign parliament, which is supreme to all other government institutions, an executive drawn from and accountable to parliament and an independent judiciary. The Executive draws its authority from its ability to command the confidence of the elected House of Commons and is accountable to both Houses of Parliament (House of Commons and House of Lords) which are responsible for scrutinising the Government and debating and passing laws. The United Kingdom Parliament has devolved responsibility to the Scottish Parliament, the Welsh Parliament (Senedd Cymru), and the Northern Ireland Assembly for legislating on certain domestic matters in Scotland, Wales and Northern Ireland. While data protection is a matter reserved for the United Kingdom Parliament, i.e. the same legislation applies across the country, other areas of policy relevant to this Decision are devolved. For instance, the criminal justice systems, including policing (the activities carried out by police forces) of Scotland and Northern Ireland are devolved to the Scottish Parliament and Northern Ireland Assembly respectively (9).

(8)

While the United Kingdom does not have a codified constitution in the sense of an entrenched constitutive document, its constitutional principles have emerged over time, drawn from case-law and convention in particular. The constitutional value of certain statutes, such as Magna Carta, the Bill of Rights 1689 and the Human Rights Act 1998 has been recognised. The fundamental rights of individuals have been developed, as part of the constitution, through common law, the statutes, and international treaties, in particular the European Convention of Human Rights (ECHR), which the United Kingdom ratified in 1951. The United Kingdom also ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) in 1987 (10).

(9)

The Human Rights Act 1998 incorporates the rights contained in the ECHR into the law of the United Kingdom. The Act grants any individual the fundamental rights and freedoms provided in Articles 2 to 12 and 14 of the ECHR and Articles 1 to 3 of its First Protocol and Article 1 of its Thirteenth Protocol, as read with Articles 16 to 18 of the ECHR. This includes the right to respect for private and family life, which in turn includes the right to data protection, and the right to a fair trial (11). In particular, in accordance with Article 8 of the ECHR, a public authority may only interfere with the right to privacy in accordance with the law, where necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

(10)

In accordance with the Human Rights Act 1998, any action of public authorities must be compatible with a right guaranteed under the ECHR (12). In addition, primary and subordinate legislation must be read and given effect in a way, which is compatible with those rights (13). As far as an individual considers that his or her rights, including rights to privacy and data protection, have been violated by public authorities, he or she can obtain redress before the United Kingdom courts under the Human Rights Act 1998 and eventually, after exhausting national remedies, he or she can obtain redress before the European Court of Human Rights for violations of the rights guaranteed under the ECHR.

(11)

The United Kingdom withdrew from the Union on 31 January 2020. On the basis of the Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community (14), Union law continued to apply in the United Kingdom during the transition period until 31 December 2020. Prior to the withdrawal and during the transition period, the legislative framework on the protection of personal data in the United Kingdom governing the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, consisted of relevant parts of the Data Protection Act 2018, which transposed Directive (EU) 2016/680.

(12)

To prepare for the exit from the EU, the Government of the United Kingdom enacted the European Union (Withdrawal) Act 2018 (EUWA) (15), which incorporated directly applicable Union legislation into the law of the United Kingdom and provided that so-called ‘EU-derived domestic legislation’ continues to have effect after the end of the transition period. Part 3 of the DPA 2018 (16) transposing Directive (EU) 2016/680 constitutes ‘EU-derived domestic legislation’ under the EUWA. In accordance with the EUWA, the unmodified ‘EU-derived domestic legislation’ must be interpreted by the courts of the United Kingdom in accordance with the relevant case-law of the Court of Justice of the European Union (Court of Justice) and general principles of Union law as they had effect immediately before the end of the transition period (referred to as ‘retained EU case-law’ and ‘retained general principles of EU law’ respectively) (17).

(13)

Under the EUWA, the ministers of the United Kingdom have the power to introduce secondary legislation, via statutory instruments, to introduce necessary modifications to retained EU law that result from the United Kingdom’s withdrawal from the Union. The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (DPPEC Regulations) (18) exercised this power. They amend the United Kingdom data protection legislation, including the DPA 2018, to fit the domestic context (19).

(14)

Consequently, the legal standards on the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security in the United Kingdom after the transition period under the Withdrawal Agreement will continue to be set out in relevant parts of the DPA 2018, but as amended by the DPPEC Regulations, in particular in Part 3 of that Act. The United Kingdom General Data Protection Regulation (UK GDPR) does not apply to this type of processing.

(15)

Part 3 of the DPA 2018 provides the rules for processing of personal data for criminal law enforcement purposes, including data protection principles, legal grounds of processing (lawfulness), rights of the data subjects, obligations of the competent authorities as controllers and restrictions on onward transfers. At the same time, applicable rules on the oversight, enforcement and redress applicable to the law enforcement sector are provided in Parts 5 and 6 of the DPA 2018.

(16)

Moreover, in the light of the relevant role played by the police forces in the law enforcement sector, considerations should be given to the rules governing policing. Policing being a devolved matter, different pieces of legislation that are, however, often similar as to their content are applicable to policing in (a) England and Wales; (b) Scotland; and (c) Northern Ireland (20). In addition, various types of guidance documents provides additional clarifications on how the powers of the police should be used. There are three main forms of police guidance: (1) statutory guidance issued under legislation, such as the Code of Ethics (21) and the Code of Practice on the Management of Police Information (MoPI Code of Practice) (22) issued under the Police Act 1996 (23) or PACE codes (24) issued under the Police and Criminal Evidence Act (25); (2) Authorised Professional Practice on the Management of Police Information (APP Guidance on the Management of Police Information) (26), issued by the College of Policing; and (3) operational guidance (published by the police themselves). The National Police Chiefs Council (a coordinating body for all United Kingdom police forces) publishes operational guidance which all police forces have endorsed and which therefore applies nationally (27). The aim of this guidance is to ensure consistency between forces in the way information is managed (28).

(17)

The MoPI Code of Practice was issued by the Secretary of State in 2005, using the powers provided for in Section 39A of the Police Act 1996 (29). Any code of practice issued under the Police Act must have the approval of the Secretary of State and is subject to consultation with the National Crime Agency prior to being laid before Parliament. Section 39A (7) of the Police Act requires the police to have due regard to codes issued under the Act hence the police is expected to comply with it (30). Moreover, non-statutory guidance (such as the APP Guidance on the Management of Police Information) must always be consistent with the MoPI Code of Practice which sits above it (31)..In any case, while there might be certain operational situations when police officers need to deviate from this guidance, they are still required to comply with the requirements of Part 3 of the DPA 2018 (32).

(18)

Further guidance on the data protection legislation of the United Kingdom for processing in the law enforcement sector is provided by the Information Commissioner (‘Information Commissioner’ or ‘ICO’) (33) (for further details on the ICO see recitals 93 to 109). Although not legally binding, in a court case, the courts would be bound to take into consideration any breach of the guidance, as it carries interpretative weight and demonstrates how the data protection legislation is interpreted and enforced by the Commissioner in practice (34).

(19)

Finally, as mentioned in recitals 8 to 10, the United Kingdom law enforcement agencies must ensure compliance with the (ECHR) and Convention 108.

(20)

In its structure and main components, the legal framework governing the processing of data by United Kingdom criminal law enforcement authorities is thus very similar to the one applying in the EU. This includes the fact that such framework does not only rely on obligations laid down in domestic law, that have been shaped by EU law, but also on obligations enshrined in international law, in particular through the United Kingdom adherence to the ECHR and Convention 108, as well as its submission to the jurisdiction of the European Court of Human Rights. These obligations arising from legally binding international instruments, concerning notably the protection of personal data, are therefore a particular important element of the legal framework assessed in this Decision.

(21)

The material scope of Part 3 of the DPA 2018 coincides with the scope of Directive (EU) 2016/680 as specified in Article 2(2) thereof. Part 3 applies to the processing by a competent authority of personal data wholly or partly by automated means and the processing by a competent authority otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.

(22)

Moreover, in order to fall under the scope of that Part 3, the controller must be a ‘competent authority’ and the processing must be carried out for a ‘law enforcement purpose’. Therefore, the data protection regime that is assessed in this Decision applies to all the law enforcement activities of these competent authorities.

(23)

The concept of ‘competent authority’ is defined in Section 30 of the DPA as a person listed in Schedule 7 to the DPA 2018 as well as any other person to the extent that the person has statutory functions for any of the law enforcement purposes. Competent authorities listed in Schedule 7 include not only police forces, but also all United Kingdom ministerial government departments as well as other authorities with investigatory functions (e.g. the Commissioner for Her Majesty’s Revenue and Customs, the Welsh Revenue Authority, the Competition and Markets Authority, Her Majesty’s Land Register or the National Crime Agency), prosecutorial agencies, other criminal justice agencies and other holders or organisations who carry out law enforcement activities (35). Part 3 of the DPA 2018 also applies to courts and tribunals when they exercise their judicial functions, except for the part related to data subject’s rights and ICO oversight (36). The list of competent authorities provided by Schedule 7 is not definitive and may be updated by the Secretary of State by Regulations taking into account the changes in the organisation of the public offices (37).

(24)

The processing in question must also be for a ‘law enforcement purpose’, defined as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (38). Processing by a competent authority is not governed by Part 3 of the DPA 2018 where it does not occur for law enforcement purposes. This will be the case, for example, when the Competition and Markets Authority investigates cases that are not criminalised (e.g. mergers between companies). In that case, the UK GDPR, together with Part 2 of the DPA 2018, will apply as the processing of personal data by competent authorities is carried out for purposes other than law enforcement purposes. To determine which data protection regime applies (Part 3 or Part 2 of the DPA 2018) to the processing of personal data in question, the competent authority, i.e. the controller, must consider whether the ‘primary purpose’ of such processing is one of the law enforcement purposes under the DPA 2018.

(25)

As for the territorial scope of Part 3 of the DPA 2018, Section 207(2) provides that the DPA applies to the processing of personal data in the context of the activities of a person who has an establishment in the entire United Kingdom territory. This includes public authorities of territories of England, Wales, Scotland and Northern Ireland which fall under the material scope of Part 3 of the DPA 2018 (39).

(26)

The key concepts of personal data and processing are defined in Section 3 of the DPA 2018 and apply throughout the DPA. The definitions closely follow the corresponding definitions set out in Article 3 of Directive (EU) 2016/680. Under the DPA 2018, personal data means any information relating to an identified or identifiable living individual (40). Under Section 3(3) of the DPA 2018 an individual is identifiable if he or she can be directly or indirectly identified from the information, including by reference to a name or an identifier or by reference to one or more factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity. The notion of ‘processing’ is defined as an operation or set of operations which is performed on information, or on sets of information, such as (a) collection, recording, organisation, structuring or storage; (b) adaptation or alteration; (c) retrieval, consultation or use; (d) disclosure by transmission, dissemination or otherwise making available; (e) alignment or combination; or (f) restriction, erasure or destruction. Moreover, the Act defines ‘sensitive processing’ as ‘(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; (b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual; (c) the processing of data concerning health; (d) the processing of data concerning an individual’s sex life or sexual orientation’ (41). In this respect, Section 205 of the DPA 2018 provides the definition of ‘biometric data’ (42), ‘data concerning health’ (43) and ‘genetic data’ (44).

(27)

Section 32 of the DPA 2018 clarifies the definitions of ‘controller’ and ‘processor’ in the context of processing of personal data for law enforcement purposes closely following the equivalent definitions in Directive (EU) 2016/680. The controller means the competent authority, which determines the purposes and means of the processing of personal data. Where the processing is required by law, the controller is the competent authority on which such an obligation is imposed by that law. A processor is defined as any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller).

(28)

Pursuant to Section 35 of the DPA 2018, the processing of personal data must be lawful and fair, in a manner similar to Article 4(1)(a) of Directive (EU) 2016/680. In accordance with Section 35(2) of the DPA 2018, the processing of personal data for any of the law enforcement purposes is lawful only if it is based on law and either the data subject has given consent to the processing for that purpose, or the processing is necessary for the performance of a task carried out for that purpose by a competent authority.

(29)

Similarly to Article 8 of Directive (EU) 2016/680, in order to ensure the lawfulness of a processing falling under Part 3 of the DPA 2018, such processing must be ‘based on law’. ‘Lawful’ processing means authorised by either statute, common law or royal prerogatives (45).

(30)

The powers of competent authorities are in general governed by statutes, meaning that their functions and powers are set out clearly in legislations adopted by the Parliament (46). In certain cases, the police as well as other competent authorities listed under Schedule 7 of the DPA 2018 can rely on common law to process data (47). Common law has built up through precedents set by decisions of the courts. The common law is relevant in the context of powers available to the police that derives from this source of law its core duty to protect the public by detecting and preventing crime (48). The police forces have, however, both common law and legislative powers (49) to execute such a duty. Where the police have a statutory power, this supersedes any common law power (50).

(31)

The breadth of the police officer’s common law powers and obligations has been recognised by the courts to include ‘all steps which appear to him necessary for keeping the peace, for preventing crime or for protecting property from criminal injury’ (51). Common law powers are not unqualified powers. They are subject to a range of limitations, including limits established by the courts (52) and by legislation, in particular, the Human Rights Act 1998 and the Equality Act 2010 (53). Moreover, for competent authorities processing data under Part 3 of the DPA 2018, this includes exercising common law powers consistently with the requirements set out in the DPA 2018 (54). Furthermore, a decision to perform any sort of data processing must consider the requirements of applicable guidance, such as the MoPI Code of Practice as well as guidance specific to one of the United Kingdom countries (55). A number of guidance documents are issued by the government and operational policing to ensure police officers exercise processing their powers within the limits set by common law or the relevant statute (56).

(32)

Royal prerogatives represent another component of the ‘law’ and refer to certain powers vested in the Crown and exercisable by the executive that are not based on statute, but derive from the sovereignty of the monarch (57). There are very few examples of prerogative powers being relevant in the law enforcement context. They include, for example, the mutual legal assistance framework enabling the sharing of data by a Secretary of State with third countries for law enforcement purposes and the power to share data in this way is not always set out in statute (58). Royal prerogatives are bound by common law principles (59) and are subordinate to statute, therefore subject to the limits provided by the Human Rights Act 1998 and the DPA 2018 (60).

(33)

Similarly to Article 8 of Directive (EU) 2016/680, the United Kingdom regime requires that in order to comply with the principle of lawfulness, competent authorities should ensure that, when the processing is based on the law, it must also be ‘necessary’ to perform the task carried out for the law enforcement purpose. The ICO gives guidance in this respect clarifying that ‘it must be a targeted and proportionate way of achieving the purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means. It is not enough to argue that processing is necessary because you have chosen to operate your business in a particular way. The question is whether the processing is necessary for the stated purpose’ (61).

(34)

As mentioned in recital 28, Section 35(2) of the DPA 2018 provides for the possibility to process personal data on the basis of the ‘consent’ of the individual.

(35)

However, consent does not appear to be a legal basis relevant for the processing operations falling within the scope of the present decision. In fact, the processing operations covered by the present decision will always concern data that has been transferred under Directive (EU) 2016/680 by a competent authority of a Member State to a United Kingdom competent authority. Therefore, they will typically not involve the type of direct interaction (collection) between a public authority and data subjects that can be based on consent under Section 35(2)(a) of the DPA 2018.

(36)

While reliance on consent is thus not considered relevant for the assessment carried out under this Decision, it is worth noting, for sake of completeness, that in a law enforcement context processing is never based solely on consent as a competent authority must always have an underlying power that enables it to process the data (62). More specifically, and similarly to what is allowed under Directive (EU) 2016/680 (63), this means that consent serves as an additional condition to enable certain limited and specific processing operations that could otherwise not be carried out, for example the collection and processing of a DNA sample of an individual who is not a suspect. In this case, the processing would not be carried out if the consent is not given or is withdrawn (64).

(37)

In cases requiring the consent of the individual, such consent must be unambiguous and involve a clear affirmative action (65). Police forces are required to have a privacy notice including, among others, the necessary information related to the valid use of consent. In addition, some of them publish additional material on how they comply with data protection legislation, including how and when they would use consent as a legal basis (66).

(38)

Specific safeguards should exist where ‘special categories’ of data are being processed. In this respect, similarly to what is provided by Article 10 of Directive (EU) 2016/680, Part 3 of the DPA 2018 provides stronger safeguards for so-called ‘sensitive processing’ (67).

(39)

According to Section 35(3) of the DPA 1998, sensitive data can be processed by competent authorities for law enforcement purposes only in two cases: (1) the data subject has given consent to the processing for the law enforcement purpose and at the time when the processing is carried out, the controller has an appropriate policy document in place (68); or (2) the processing is strictly necessary for the law enforcement purpose, the processing meets at least one of the conditions in Schedule 8 to the DPA 2018, and at the time when the processing is carried out, the controller has an appropriate policy document in place (69).

(40)

As regards the first case and as explained in recital 38, reliance on consent is not considered relevant in the type of transfer situation subject to the present this Decision (70).

(41)

When the processing of sensitive data does not rely on consent, it can be carried out using one of the conditions listed in Schedule 8 to the DPA 2018. These conditions relate to processing necessary for statutory purposes; the administration of justice; the protection of the vital interests of the data subject or of another individual; the safeguarding of children and of individuals at risk; legal claims; judicial acts; preventing fraud; archiving; where personal data is manifestly made public by the data subject. Apart from the case when the data is manifestly made public, all of the conditions provided by Schedule 8 are subject to a ‘strict necessity’ test. As clarified by the ICO, ‘strictly necessary in this context means that the processing has to relate to a pressing social need, and you cannot reasonably achieve it through less intrusive means’ (71). Moreover, some of the conditions are subject to additional restrictions. For example, to rely on the ‘statutory purposes’ condition and the ‘safeguarding condition’ (Schedule 8, paragraph 1 and paragraph 4) there is an additional substantial public interest test to be fulfilled. Moreover, in relation to the conditions regarding the safeguard of the child (Schedule 8, paragraph 4) the data subject must also be of a specific age and considered at risk. Moreover, the controller can only apply the condition provided in paragraph 4 of Schedule 8 in case of specific circumstances (72). Similarly, there are restrictions for the ‘judicial acts’ and ‘preventing fraud’ conditions (Schedule 8, paragraphs 7 and 8 respectively). Both are only applicable to specific controllers. In the case of judicial acts, only a court or another judicial authority may use such a condition and, in the case of fraud prevention, only controllers who are anti-fraud organisations are able to rely on this condition.

(42)

Finally, when the processing relies on one of the conditions listed in Schedule 8 and pursuant respectively to Section 42 DPA 2018, an ‘appropriate policy document’ must be in place – explaining the controller’s procedures for securing compliance with the data protection principles and the controller’s policies as regards the retention and erasure of personal data – and augmented record obligations apply.

(43)

Personal data should be processed for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of processing. This data protection principle is guaranteed by Section 36 of the DPA 2018. This provision, similarly to Article 4(1)(b) of Directive (EU) 2016/680, requires that (a) the law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate; and (b) personal data so collected must not be processed in a manner that is incompatible with the purpose for which it was collected.

(44)

Where competent authorities process data for a law enforcement purpose, this may include archiving, scientific or historical research and statistical purposes (73). In these cases, the DPA 2018 also clarifies that archiving (or processing for scientific or historical research and statistical purposes) is not permitted where it is carried out with respect to decisions made in relation to a particular data subject or if it is likely to cause him or her substantial damage or distress (74).

(45)

Data must be accurate and, where necessary, kept up to date. It must also be adequate, relevant and not excessive in relation to the purposes for which it is processed. Similarly to Article 4(1)(c), (d) and (e)) of Directive (EU) 2016/680, these principles are ensured in Sections 37 and 38 of the DPA 2018. Every reasonable step must be taken to ensure that personal data that is inaccurate (75) is erased or rectified without delay (76), having regard to the law enforcement purpose for which it is processed (77), and to ensure that personal data which is inaccurate, incomplete or no longer up to date is not transmitted or made available for any of the law enforcement purposes (78).

(46)

Furthermore, similarly to Article 7 of Directive (EU) 2016/680, the United Kingdom data protection regime specifies that personal data based on facts must, so far as possible, be distinguished from personal data based on personal assessments (79). Where relevant and as far as possible, a clear distinction must be made between personal data relating to different categories of data subjects, such as suspects, persons convicted of a criminal offence, victims of a criminal offence and witnesses (80).

(47)

Pursuant to Article 5 of Directive (EU) 2016/680, data should, in principle, be kept for no longer than is necessary for the purposes for which the personal data is processed. According to Section 39 of the DPA 2018 and similarly to Article 5 of that Directive, it is prohibited to keep personal data processed for any of the law enforcement purposes for longer than is necessary in relation to the purpose for which it is processed. The United Kingdom legal regime requires that appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes. Further rules on practices related to retention of personal data and the applicable time limits have been set out in the relevant legislation and guidance governing the powers and functioning of the police. For example, in England and Wales the College of Policing’s MoPI Code of Practice, together with the APP Guidance on the Management of Police Information, provides a framework to ensure a consistent risk based retention, review and disposal process for the management of operational policing information (81). This framework sets clear expectations across the service as to how information should be created, shared, used and managed within and between individual police forces and other agencies (82). The police are expected to comply with the Code of Practice and compliance is verified by Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (83).

(48)

The Police Service of Northern Ireland (PSNI) is not required by law to follow the MoPI Code of Practice. However, the MoPI framework adopted in 2011 is supplemented by a PSNI Handbook (84), which sets out policies and procedures on the way in which the MoPI Code of Practice is applied in Northern Ireland.

(49)

In Scotland, the Police forces rely on the Record Retention Standard Operating Procedure (SOP) (85) which supports the Police Service of Scotland Records Management Policy (86). The SOP sets specific retention rules for the records held by Police Scotland.

(50)

In addition to the overarching requirement to review records which applies across the whole of the United Kingdom, further detail is provided in localised rules. To give a few examples, with respect to England and Wales, the Police and Criminal Evidence Act, as amended by the Protection of Freedom Act 2012 (PoFA), makes provision for the retention of fingerprints and DNA profiles as well as a specific regime for individuals not convicted (87). The PoFA also created the position of Commissioner for the Retention and Use of Biometric Material (‘the Biometrics Commissioner’) (88). Specific rules on custody images are set out in the 2017 Custody Image Review (89). Concerning Scotland, the Criminal Procedure (Scotland) Act 1995 provides the rules for the obtaining and retention of fingerprint and biological samples (90). As in the case of England and Wales, the legislation regulates the retention of biometric data in different cases (91).

(51)

Personal data must be processed in a manner that ensures their security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. To that end, public authorities are to take appropriate technical or organisational measures to protect personal data from possible threats. These measures must be assessed taking into consideration the state of the art and related costs.

(52)

These principles are reflected in Section 40 of the DPA 2018 according to which, similarly to Article 4(1)(f) of Directive (EU) 2016/680, personal data processed for any of the law enforcement purposes must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures. This includes protecting the data against unauthorised or unlawful processing and against accidental loss, destruction or damage (92). Section 66 of the DPA 2018 further specifies that each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data. According to the explanatory notes, the controller must evaluate the risks and implement appropriate security measures based on this evaluation, for example, encryption or specific levels of security clearance for staff processing the data (93). The evaluation must also take into account, for example, the nature of the data processed and any other relevant factors or circumstances that might affect the security of the processing.

(53)

The regime governing compliance with the data security principles is very similar to one established by Articles 29 to 31 of Directive (EU) 2016/680. In particular, in case of a personal data breach in relation to personal data for which the controller is responsible, according to Section 67(1) of the DPA 2018, the controller must, without undue delay, and where feasible, within 72 hours after becoming aware of the breach, notify the personal data breach to the Information Commissioner (94). The obligation to notify does not apply when the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals (95). The controller must document the facts relating to any personal data breach, its effects and remedial action taken in a way that enables the Information Commissioner to verify compliance with the DPA (96). If a processor becomes aware of a security breach, it must notify the controller without undue delay (97).

(54)

Under Section 68(1) of the DPA 2018, if a personal data breach is likely to pose a high risk to the rights and freedoms of individuals, the controller must inform the data subject of the breach without undue delay (98). The notice must include the same information as the notification to the Information Commissioner described in recital 53. This obligation does not apply if the controller has implemented appropriate technical and organisational protection measures, which were applied to the personal data affected by the breach. It also does not apply if the controller has taken subsequent measures, which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise. Finally, the controller is not required to notify the data subject if doing so would involve a disproportionate effort (99). In that case, the information must be made available to the data subject in another equally effective way, for example, by means of a public communication (100). If the controller has not informed the data subject of the breach, the Information Commissioner, having been notified pursuant to Section 67 of the DPA and after considering the likelihood of the breach resulting in a high risk, can require the controller to notify the data subject of the breach (101).

(55)

Data subjects must be informed of the main features of the processing of their personal data. This data protection principle is reflected in Section 44 of the DPA 2018 which, similarly to Article 13 of Directive (EU) 2016/680, provides that the controller has a general duty to make available to data subjects information on the processing of their personal data (whether by making the information generally available to the public or in any other way) (102). The information required to be made available includes (a) the identity and the contact details of the controller; (b) where applicable, the contact details of the data protection officer; (c) the purposes for which the controller processes personal data; (d) the existence of the rights of data subjects to request from the controller access to personal data, rectification of personal data, and erasure of personal data or the restriction of its processing; and (e) the existence of the right to lodge a complaint with the Information Commissioner and the contact details of the Commissioner (103).

(56)

The controller must also, in specific cases for the purpose of enabling the exercise of a data subject’s rights under the DPA 2018 (for example when the personal data being processed was collected without the knowledge of the data subject), give the data subject information about (a) the legal basis for the processing; (b) information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period; (c) where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations); (d) such further information as is necessary to enable the exercise of the data subject’s rights under Part 3 of the DPA 2018 (104).

(57)

Data subjects must be granted a number of enforceable rights. Chapter 3 of Part 3 of the DPA 2018 provides individuals with rights of access, rectification and erasure and restriction (105), which are comparable to those provided under Chapter 3 of Directive (EU) 2016/680.

(58)

The right of access is set out in Section 45 of the DPA 2018. First, an individual is entitled to obtain a confirmation from the controller whether his/her personal data is being processed or not (106). Second, where the personal data is processed, the data subject has a right to access that data and receive the following information about the processing: (a) the purposes and legal bases of the processing; (b) the categories of data concerned; (c) the recipient to whom the data has been disclosed; (d) the period for which the personal data is to be stored; (e) the existence of the data subject’s right to rectification and erasure of personal data; (f) the right to lodge a complaint; and (g) any information about the origin of the personal data concerned (107).

(59)

Pursuant to Section 46 of the DPA 2018, the data subject has a right to require the controller to rectify inaccurate personal data relating to him or her. The controller must rectify (or where the data is inaccurate because it is incomplete, complete) the data without undue delay. If the personal data must be maintained for the purposes of evidence, the controller must (instead of rectifying the personal data) restrict its processing (108).

(60)

Section 47 of the DPA 2018 provides individuals with a right to erasure and restriction of processing. The controller must (109) erase personal data without undue delay where the processing of the personal data would infringe any of the data protection principles, the legal grounds of the processing, or the safeguards related to archiving and sensitive processing. The controller must also erase the data if they have a legal obligation to do so. If the personal data must be maintained for the purposes of evidence, the controller must (instead of erasing the personal data) restrict its processing (110). The controller must restrict the processing of personal data if a data subject contests the accuracy of personal data, but it is not possible to ascertain whether it is accurate or not (111).

(61)

Where a data subject requests the rectification or erasure of personal data or the restriction of its processing, the controller must inform the data subject in writing whether the request has been granted, and if it has been refused, inform the data subject of the reasons for the refusal and the available redress avenues (data subject’s right to make a request to the Information Commissioner to investigate whether the restriction has been applied lawfully, right to lodge a complaint with the Information Commissioner, and right to apply for a compliance order to a court) (112).

(62)

Where the controller rectifies personal data received from another competent authority, it must notify the other authority (113). Where the controller rectifies, erases or restricts the processing of personal data which has been disclosed by the controller, the controller must notify the recipients, and the recipients must similarly rectify, erase or restrict the processing of the personal data (insofar as they retain responsibility for it) (114).

(63)

Moreover, the data subject has the right to be informed without undue delay by the controller about a personal data breach when this is likely to result in a high risk to the rights and freedoms of individuals (115).

(64)

In relation to all those rights of the data subject and similarly to what is provided under Article 12 of Directive (EU) 2016/680, the controller has an obligation to ensure that any information to the data subject is provided in a concise, intelligible and easily accessible form (116) and, where possible, it should be provided in the same form as the request (117). The controller must comply with a request of the data subject without undue delay or in any case before, in principle, the end of a period of one month from the request (118). Where the controller has reasonable doubts about the identity of an individual, they may request additional information and delay dealing with the request until the identity is ascertained. The controller can require a reasonable fee or refuse to act when it deems the request to be manifestly unfounded. (119). The ICO has provided guidance on when a request is considered to be manifestly unfounded or excessive and when a fee can be requested (120).

(65)

Moreover, under Section 53(4) of the DPA 2018, the Secretary of State can by regulations specify the maximum amount of a fee.

(66)

A competent authority can, under certain circumstances, restrict certain rights of the data subject: the right to access (121), to be informed (122), to know about a personal data breach (123), and to be informed about the reason of the refusal of a request of rectification or erasure (124). Similarly to the regime contained in Chapter III of Directive (EU) 2016/680, the competent authority can only apply the restriction where it is, having regard to the fundamental rights and legitimate interests of the data subject, necessary and proportionate to: (a) avoid obstructing an official or legal inquiry, investigation or procedure; (b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) protect public security; (d) protect national security; (e) protect the rights and freedoms of others.

(67)

The ICO has provided guidance on the application of those restrictions. According to this guidance, controllers must carry out a case-by-case analysis to balance the rights of the individual against the harm disclosure would cause. In particular, they need to justify any restriction applied as necessary and proportionate and may only limit what is provided if it would prejudice the aforementioned purposes (125).

(68)

There are also a number of other pieces of guidance issued by competent authorities that provide detailed information on all aspects of the data protection legislation, including on the application of the restrictions of data subjects’ rights (126). For example, in relation to Section 45(4), the Data Protection Manual of the National Police Chief’s Counsel states: ‘It is important to note that the restrictions can only be applied as far as is necessary and can only be applied as long as is necessary. Consequently a blanket application of the restriction to all of an applicant’s personal data or permanent application of the restriction are not permitted. On the latter point, it is often the case that personal data collected without the knowledge of the data subject who is a suspect in an investigation needs to be initially protected from disclosure to them, to avoid prejudicing the investigation while the investigation is proceeding, but at a later date there would be no harm in disclosure if the personal data had been disclosed to the individual during interview. Police forces must adopt processes that ensure the application of these restrictions is only to the extent required and is only for the necessary duration’ (127). This guidance also provide examples of when each of the restrictions is likely to be engaged (128).

(69)

Moreover, in relation to the possibility to restrict any of the above-mentioned rights for the protection of ‘national security’, a controller may apply for a certificate signed by a cabinet Minister or the Attorney General (or the Advocate General for Scotland) certifying that a restriction of such rights is a necessary and proportionate measure for the protection of national security (129). The United Kingdom government has issued guidance on national security certificates under the DPA 2018 that notably highlight that any limitation to data subjects’ rights for safeguarding national security must be proportionate and necessary (130) (for more details on the national security certificates see recitals 131 to 134).

(70)

Moreover, where a restriction to a data subject’s right applies, the competent authority must inform the data subject without undue delay that their rights have been restricted, of the reasons for the restriction, and of the available redress avenues, unless providing that information would undermine the reason for applying the restriction (131). As a further safeguard against the misuse of restrictions, the controller must record the reasons for restricting information and make the record available to the Information Commissioner if requested (132).

(71)

If the controller refuses to provide additional transparency information, or access, or refuses a request for rectification, erasure or restriction of processing, the individual can request the Information Commissioner to investigate whether the controller has used the restriction lawfully (133). The concerned individual can also make a complaint to the Information Commissioner or apply to a court to order the controller to comply with the request (134).

(72)

Sections 49 and 50 of the DPA 2018 cover respectively the rights related to automated decision-making and the safeguards to be applied (135). Similarly to Article 11 of Directive (EU) 2016/680, the controller can only take a significant decision based solely on automated processing of personal data if it is required or authorised by law (136). A decision is significant, if it would produce an adverse legal effect concerning the data subject or significantly affect the data subject (137).

(73)

Where the controller is required or authorised by law to make a significant decision, Section 50 of the DPA 2018 sets out the safeguards that will apply to such a decision (which is defined as a ‘qualifying significant decision’). The controller must, as soon as reasonably practicable, notify the data subject that such a decision has been made. The data subject can then, within a month, request the controller to reconsider the decision or take a new decision that is not based solely on automated processing. The controller must consider the request and inform the data subject of the outcome of that consideration. The DPA 2018 gives the Secretary of State the power to adopt regulations for additional safeguards (138). No such regulations have been adopted yet.

(74)

The level of protection afforded to personal data transferred from a law enforcement authority of a Member State to a United Kingdom law enforcement authority must not be undermined by the further transfer of such data to recipients in a third country. Such ‘onward transfers’, which from the perspective of a United Kingdom law enforcement authority constitute international transfers from the United Kingdom, should be permitted only where the further recipient outside the United Kingdom is itself subject to rules ensuring a similar level of protection to that guaranteed within the United Kingdom legal order.

(75)

The United Kingdom regime on international transfers is regulated by Chapter 5 of Part 3 of the DPA 2018 (139) and reflects the approach taken in Chapter V of Directive (EU) 2016/680. In particular, in order to transfer a personal data to a third country, a competent authority must meet three conditions: (a) the transfer must be necessary for a law enforcement purpose; (b) the transfer must be based on: (i) an adequacy regulation in respect of the third country; (ii) if not based on an adequacy regulation, the existence of appropriate safeguards; or (iii) if not based on an adequacy decision or appropriate safeguards, it must be based on special circumstances; and (c) the recipient of the transfer must be: (i) a relevant authority (i.e. the equivalent of a competent authority) in the third country; (ii) a ‘relevant international organisation’ e.g. an international body that carries out functions corresponding to any of the law enforcement purposes; or (iii) a person other than a relevant authority, but only where the transfer is strictly necessary for performing one of the law enforcement purposes; there are no fundamental rights and freedoms of the data subject concerned that override the public interest necessitating the transfer; a transfer of the personal data to a relevant authority in the third country would be ineffective or inappropriate; and the recipient is informed of the purposes for which the data may be processed (140).

(76)

Adequacy regulations with respect to a third country, a territory or a sector within a third country, an international organisation, or a description (141) of such a country, territory, sector or organisation are adopted by the Secretary of State. As regards the standard to be met, the Secretary of State has to assess whether such a territory/sector/organisation ensures an adequate level of protection of personal data. Section 74A(4) of the DPA 2018 specifies that, to this end, the Secretary of State must consider a number of elements that reflects those listed in under Article 36 of Directive (EU) 2016/680 (142). In this respect, since the end of the transition period, Part 3 of the DPA 2018 constitutes ‘EU-derived domestic legislation’ which, as explained, will be interpreted by the United Kingdom courts in accordance with relevant case-law of the Court of Justice dating from before the United Kingdom’s departure from the Union and general principles of Union law, as they had effect immediately before the end of the transition period. This includes the ‘essential equivalence’ standard that will thus apply to the adequacy assessments carried out by the United Kingdom authorities.

(77)

As for the procedure, the regulations are subject to the ‘general’ procedural requirements provided for in Section 182 of the DPA 2018. Under this procedure, the Secretary of State must consult the Information Commissioner when proposing to make future United Kingdom adequacy regulations (143). Once adopted by the Secretary of State, those regulations are laid before Parliament and subject to thenegative resolution’ procedure under which both Houses of Parliament can scrutinise the regulation and have the ability to pass a motion annulling the regulation within a 40-day period (144).

(78)

According to Section 74B(1) of the DPA 2018, the adequacy regulations must be reviewed at intervals of not more than four years and the Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make adequacy regulations, or to amend or revoke such regulations. Where the Secretary of State becomes aware that a given country or an organisation no longer ensures an adequate level of protection of personal data, he must, to the extent necessary, amend or revoke the regulations and enter into consultations with the third country or international organisation concerned to remedy the lack of an adequate level of protection.

(79)

Similarly to what is provided in the Article 37 of Directive (EU) 2016/680, in the absence of an adequacy regulation, a transfer of personal data in the context of the law enforcement sector would be possible when appropriate safeguards are in place. Such safeguards are ensured by means of either (a) a legal binding instrument containing appropriate safeguards for the protection of personal data; or (b) an assessment performed by the controller which, having assessed all the circumstances surrounding the transfer, concludes that appropriate safeguards exist to protect the data (145). Furthermore, when transfers are based on appropriate safeguards, the DPA 2018 provides that, in addition to the ICO’s normal oversight role, competent authorities must provide specific information about the transfers to the ICO (146).

(80)

If a transfer is not based on an adequacy decision or appropriate safeguards, it can take place only in certain, specified circumstances, referred to as ‘special circumstances’ (147). This is the case when the transfer is necessary: (a) to protect the vital interests of the data subject or another person; (b) to safeguard the legitimate interests of the data subject; (c) for the prevention of an immediate and serious threat to the public security of a third country; (d) in individual cases for any of the law enforcement purposes; or (e) in individual cases for a legal purpose (such as in relation to legal proceedings or to obtain legal advice) (148). It may be noted that points (d) and (e) do not apply if the rights and freedoms of the data subject override the public interest in the transfer (149). This set of circumstances corresponds to the specific situations and conditions qualifying as ‘derogations’ under Article 38 of Directive (EU) 2016/680.

(81)

In those circumstances, the transfer’s date, time, and justification, the name of and any other pertinent information about the recipient, and a description of the personal data transferred must be documented, and provided to the Information Commissioner upon request (150).

(82)

Section 78 of the DPA 2018 regulates the scenario of ‘subsequent transfers’, namely when personal data that has been transferred from the United Kingdom to a third country, is subsequently transferred to another third country or an international organisation. Pursuant to Section 78(1), the United Kingdom transferring controller must make it a condition of the transfer that the data is not to be further transferred to a third country without the authorisation of the transferring controller. In addition, according to Section 78(3) and similarly to what is provided under Article 35(1)(e) of Directive (EU) 2016/680, a number of substantive requirements apply in case such an authorisation is required. More specifically, when deciding whether to authorise or not the transfer, a competent authority has to make sure that the further transfer is necessary for a law enforcement purpose and should consider, among other factors, (a) the seriousness of the circumstances leading to the request for authorisation; (b) the purpose for which the personal data was originally transferred; and (c) the standards for the protection of personal data that apply in the third country or international organisation to which the personal data would be transferred.

(83)

Furthermore, when the data subject to a further transfer from the United Kingdom was originally transferred from the European Union, additional safeguards apply.

(84)

First, Section 73(1)(b) of the DPA 2018 – similarly to Article 35(1)(c) of Directive (EU) 2016/680 – provides that in a case where the personal data was originally transmitted or otherwise made available to the controller or another competent authority by a Member State, that Member State, or any person based in that Member State which is a competent authority for the purposes of Directive (EU) 2016/680, must have authorised the transfer in accordance with the law of the Member State.

(85)

However, similarly to Article 35(2) of Directive (EU) 2016/680, such an authorisation is not required when (a) the transfer is necessary for the prevention of an immediate and serious threat either to the public security of a Member State or a third country or to the essential interests of a Member State, and (b) the authorisation cannot be obtained in good time. In this case, the authority in the Member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay (151).

(86)

Second, the same approach applies in case of data originally transferred from the European Union to the United Kingdom, then further transferred by the United Kingdom to a third country which would subsequently onward transfer it to a third country. In that case, pursuant to Section 78(4), the United Kingdom competent authority cannot give its authorisation to the latter transfer, under Section 78(1), unless the ‘member State [that has originally transferred the data in question], or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State’. These safeguards are important as they enable Member States’ authorities to ensure continuity of protection, in compliance with EU data protection law, throughout the ‘transfer chain’.

(87)

This new framework for international transfers became applicable at the end of the transition period (152). However, paragraphs 10-12 of Schedule 21 (introduced by the DPPC Regulations) provide that as of the end of the transition period, certain transfers of personal data are treated as if they are based on adequacy regulations. These transfers include transfers to a Member State, an EFTA State, a third country which is the subject of an EU adequacy decision at the end of transition period and the territory of Gibraltar. Consequently, the transfers to these countries can continue as before the United Kingdom’s withdrawal from the Union. After the end of the transition period, the Secretary of State must conduct a review of these adequacy findings during a period of four years, i.e. by the end of December 2024. According to the explanation provided by the United Kingdom authorities, although the Secretary of State needs to undertake such a review by the end of December 2024, the transitional provisions do not include a ‘sunset’ provision and the relevant transitional provisions will not automatically cease to have effect if a review is not completed by the end of December 2024.

(88)

Under the accountability principle, public authorities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.

(89)

This principle is reflected in Section 56 of the DPA 2018, which introduces a general accountability obligation for the controller, i.e. an obligation to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data complies with the requirements of Part 3 of the DPA 2018. The measures implemented must be reviewed and updated where necessary, and where proportionate in relation to the processing, include appropriate data protection policies.

(90)

In line with Chapter IV of Directive (EU) 2016/680, Sections 55–71 of the DPA 2018 provide for different mechanisms to ensure accountability and allow controllers and processors to demonstrate compliance. In particular, controllers are required to implement data protection measures by design and by default, i.e. to ensure that data protection principles are implemented in an effective manner and are required to maintain records of all categories of processing activities for which the controller is responsible (including information on the identity of the controller, contact details of the data protection officer, the purposes of the processing, the categories of recipients of disclosures, and a description of the categories of data subject, and personal data) and keep these records available for the Information Commissioner on request. The controller and processor must also keep logs for certain processing operations and make them available to the Information Commissioner (153). The controllers are also specifically required to cooperate with the Information Commissioner in the performance of the Commissioner’s tasks.

(91)

The DPA 2018 also sets out additional requirements for processing that is likely to result in a high risk to the rights and freedoms of individuals. These include an obligation to carry out data protection impact assessments and to consult the Information Commissioner before processing if such an assessment indicates that the processing would result in a high risk to the rights and freedoms of individuals (in the absence of measures to mitigate the risk).

(92)

The controllers must furthermore appoint a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity (154). The controller must ensure that the data protection officer is involved in all issues relating to the protection of personal data, have necessary resources and access to personal data and processing operations and can independently perform its tasks. The tasks of the data protection officer are set out in Section 71 of the DPA 2018, including providing information and advice, monitoring compliance as well as cooperating with and acting as a contact point for the Information Commissioner. In performing its tasks, the data protection officer must have regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of processing.

(93)

In order to ensure that an adequate level of data protection is guaranteed also in practice, an independent supervisory authority tasked with powers to monitor and enforce compliance with the data protection rules must be in place. This authority is to act with complete independence and impartiality in performing its duties and exercising its powers.

(94)

In the United Kingdom, the oversight and enforcement of compliance with the UK GDPR and the DPA 2018 is carried out by the Information Commissioner (155). The Information Commissioner oversees also the processing of personal data by competent authorities falling under the scope of Part 3 of the DPA 2018 (156). The Information Commissioner is a ‘Corporation Sole’: a separate legal entity constituted in a single person. The Information Commissioner is supported in her work by an office. On 31 March 2020 the Information Commissioner’s Office had 768 permanent staff (157). The sponsor-department of the Information Commissioner is the Department for Digital, Culture, Media and Sport (158).

(95)

The independence of the Commissioner is explicitly established in Article 52 of the UK GDPR which reflects the requirements laid down in Article 52(1) to (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council (159). The Commissioner must act with complete independence in performing her tasks and exercising her powers in accordance with the UK GDPR, remain free from external influence, whether direct or indirect, in relation to those tasks and powers, and neither seek nor take instructions from anyone. The Commissioner must also refrain from any action incompatible with her duties and shall not, while holding office, engage in any incompatible occupation, whether gainful or not.

(96)

The conditions for the appointment and removal of the Information Commissioner are set out in Schedule 12 to the DPA 2018. The Information Commissioner is appointed by the Queen on a recommendation from Government pursuant to a fair and open competition. The candidate must have the appropriate qualifications, skills and competence. In accordance with the Governance Code on Public Appointments (160), a list of appointable candidates is made by an advisory assessment panel. Before the Secretary of State at the Department for Digital, Culture, Media and Sport finalises his or her decision, the relevant Select Committee of Parliament must carry out a pre-appointment scrutiny. The position of the Committee is made public (161).

(97)

The Information Commissioner holds office for a term of up to seven years. The Information Commissioner can be removed from office by Her Majesty following an Address by both Houses of Parliament (162). No request for dismissal of the Information Commissioner can be presented to either House of Parliament unless a Minister has presented a report to that House stating that he or she is satisfied that the Information Commissioner is guilty of serious misconduct and/or the Commissioner no longer fulfils the conditions required for the performance of the Commissioner’s functions (163).

(98)

The funding of the Information Commissioner comes from three sources: (i) data protection charges paid by controllers which are set by a Secretary of State’s regulations (164) and amount to 85–90 % of the Office’s annual budget (165); (ii) grant in aid which may be paid by the Government to the Information Commissioner and is mainly used to finance the operating costs of the Information Commissioner as regards non-data protection related tasks (166); (iii) fees charged for services (167). At present, no such fees are charged.

(99)

The general functions of the Information Commissioner in relation to the processing of personal data falling under the scope of Part 3 of the DPA 2018, are laid down in Schedule 13 to the DPA 2018. The tasks include monitoring and enforcement of Part 3 of the DPA 2018, promoting public awareness, advising Parliament, the government and other institutions on legislative and administrative measures, promoting the awareness of controllers and processors of their obligations, providing information to a data subject concerning the exercise of the data subject’s rights, and conducting investigations. To maintain the independence of the judiciary, the Information Commissioner is not authorised to exercise her functions in relation to processing of personal data by an individual acting in a judicial capacity, or a court or tribunal acting in its judicial capacity. However, oversight on the judiciary is ensured by specialised bodies, discussed below.

(100)

The Commissioner has general investigative, corrective, authorisation and advisory powers in relation to processing of personal data to which Part 3 of the DPA 2018 applies. The Commissioner has the powers to notify the controller or the processor of an alleged infringement of Part 3, to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of Part 3, and to issue reprimands to a controller or processor where processing operations have infringed provisions of Part 3. Moreover, on its own initiative or on request, the Commissioner may issue opinions to the United Kingdom Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data (168).

(101)

Furthermore, the Commissioner has powers to:

(102)

The ICO’s Regulatory Action Policy sets out the circumstances under which the Commissioner will issue respectively an information, assessment, enforcement and penalty notice (173). An enforcement notice may imposes requirements which the Commissioner considers appropriate for the purpose of remedying the failure. A penalty notice requires the person to pay to the Information Commissioner an amount specified in the notice. A penalty notice may be given when there has been a failure to comply with certain provisions of the DPA 2018 (174) or may be given to a controller or processor that has not complied with an information notice, an assessment notice or an enforcement notice.

(103)

More specifically, in determining whether to give a penalty notice to a controller or processor and determining the amount of the penalty, the Information Commissioner must have regard to the matters listed Section 155(3) of the DPA 2018, including the nature and gravity of the failure, the intentional or negligent character of the failure, any action taken by the controller or processor to mitigate the damage suffered by data subjects, the degree of responsibility of the controller or processor (taking into account technical and organisational measures implemented by the controller or processor), any relevant previous failures by the controller or processor; the categories of personal data affected by the failure and whether the penalty would be effective, proportionate and dissuasive.

(104)

The maximum amount of the penalty that may be imposed by a penalty notice is (a) GBP 17 500 000 in relation to a failure to comply with data protection principles (Sections 35, 36, 37, 38(1), 39(1) and 40 of the DPA 2018) transparency obligations and individual rights (Sections 44, 45, 46, 47, 48, 49, 52 and 53 of the DPA 2018), and principles for international transfers of personal data (Sections 73, 75, 76, 77 or 78 of the DPA 2018); and (b) GBP 8 700 000 otherwise (175). In relation to a failure to comply with an information notice, an assessment notice or an enforcement notice, the maximum amount of the penalty that may be imposed by a penalty notice is GBP 17 500 000.

(105)

According to its latest annual reports (2018–2019 (176), 2019–2020 (177)), the Information Commissioner has conducted a number of investigations in relation to processing of personal data by criminal law enforcement. For example, the Commissioner conducted an investigation and published an Opinion in October 2019 concerning the law enforcement use of facial recognition technology in public places. The investigation particularly focused on the use of live facial recognition capabilities in South Wales Police and the Metropolitan Police Service (MPS). Moreover, the Commissioner investigated the MPS ‘Gangs matrix’ (178) and found a range of serious infringements of data protection law that were likely to undermine public confidence in the matrix and the use of the data.

(106)

In November 2018, the Information Commissioner issued an enforcement notice and the MPS subsequently took the steps required to increase security and accountability and to ensure that the data was used proportionately.

(107)

Another example of a recent enforcement action is the GBP 325 000 fine issued by the Commissioner in May 2018 against the Crown Prosecution Service, for losing unencrypted DVDs containing recordings of police interviews. Moreover, the Information Commissioner conducted investigations into broader topics, for example in the first half of 2020 on the use of Mobile Phone Extraction for Policing Purposes and the processing of victims’ data by the police.

(108)

In addition to those enforcement powers of the Information Commissioner, certain violations of the data protection legislation constitute offences and may therefore be subject to criminal sanctions (Section 196 of the DPA 2018). This, for example, applies to obtaining or disclosing personal data without the consent of the controller and procuring the disclosure of personal data to another person without the consent of the controller (179); re-identifying information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data (180); intentionally obstructing the Commissioner to exercise its powers in relation to inspection of personal data in accordance with international obligations (181), making false statements on response to an information notice, or destroying information in connection to information and assessment notices (182).

(109)

The Information Commissioner also has a duty under Section 139 of the DPA 2018 to lay before each House of Parliament a general report on the exercise of their functions under the Act (183).

(110)

Oversight of the processing of personal data by the courts and judiciary is twofold. Where a judicial office holder or a court is not acting in a judicial capacity, oversight is provided by the Information Commissioner. Where the controller is operating in a judicial capacity, the ICO cannot exercise its oversight functions (184) and the oversight is carried out by special bodies. This reflects the approach taken in Article 32 of Directive (EU) 2016/680.

(111)

In particular, in the second scenario, for the courts of England and Wales and the First-tier and Upper Tribunals of England and Wales, such oversight is provided by the Judicial Data Protection Panel (185). Additionally, the Lord Chief Justice and Senior President of Tribunals have issued a Privacy Notice (186) which sets out how the courts in England and Wales process personal data for a judicial function. A similar notice has been issued by the Northern Irish (187) and Scottish judiciaries (188).

(112)

Moreover, in Northern Ireland, the Lord Chief Justice of Northern Ireland has appointed a High Court judge as Data Supervisory Judge (DSJ) (189). They have also issued guidance to the Northern Irish Judiciary on what to do in the event of a loss or potential loss of data and the process for dealing with any issues arising from this (190).

(113)

In Scotland, the Lord President has appointed a Data Supervisory Judge to investigate any complaints on grounds of data protection. This is set out under the judicial complaints rules which mirror those established for England and Wales (191).

(114)

Finally, in the Supreme Court, one of the Supreme Court Justices is nominated to oversee data protection.

(115)

In order to ensure adequate protection and in particular the enforcement of individual rights, the data subject should be provided with effective administrative and judicial redress, including compensation for damages.

(116)

First, a data subject has the right to lodge a complaint with the Information Commissioner, if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of Part 3 of the DPA 2018 (192). As described in recitals 100 and 109, the Information Commissioner has the power to assess the compliance of the controller and processor with the DPA 2018, require them to take or refrain from taking necessary steps in case of non-compliance and impose fines.

(117)

Second, the DPA 2018 provides a right to a remedy against the Information Commissioner. If the Commissioner fails to ‘progress’ (193) a complaint made by the data subject, the complainant has access to judicial remedy, as they can apply a First Tier Tribunal (194) to order the Commissioner to take appropriate steps to respond to the complaint, or to inform the complainant of progress on the complaint (195). In addition, any person who is given any of the notices above (information, assessment, enforcement or penalty notice) from the Commissioner may appeal to a First Tier Tribunal. If the Tribunal considers, that the decision of the Commissioner is not in accordance with the law or the Information Commissioner should have exercised its discretion differently, the Tribunal must allow the appeal, or substitute another notice or decision which the Information Commissioner could have given or made (196).

(118)

Third, individuals can obtain judicial redress against controllers and processors directly before the courts under Section 167 of the DPA 2018. If, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject’s rights under the data protection legislation, the court may order the controller in respect of the processing, or a processor acting on behalf of that controller, to take steps specified in the order or to refrain from taking steps specified in the order. Moreover, under Section 169 of the DPA 2018, any person who suffers damage by reason of a violation of a requirement of the data protection legislation (including Part 3 of the DPA 2018), other than the UK GDPR, is entitled to compensation for that damage from the controller or the processor, except if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage. Damage includes both financial loss and damage not involving financial loss, such as distress.

(119)

Fourth, as far as any person considers that his or her rights, including rights to privacy and data protection, have been violated by public authorities, he or she can obtain redress before the United Kingdom courts under the Human Rights Act 1998. The controllers under Part 3 of the DPA 2018, i.e. the competent authorities, are always public authorities within the meaning of the Human Rights Act 1998. An individual who claims that a public authority has acted (or proposes to act) in a way which is incompatible with a Convention right, and consequently unlawful under Section 6(1) of the Human Rights Act 1998 can bring proceedings against the authority in the appropriate court or tribunal, or rely on the rights concerned in any legal proceedings, when he or she is (or would be) a victim of the unlawful act (197).

(120)

If the court finds any act of a public authority to be unlawful, it can grant such relief or remedy, or make such order, within its powers as it considers just and appropriate (198). The court can also declare a provision of primary legislation to be incompatible with a right guaranteed under the ECHR.

(121)

Finally, after exhausting national remedies, an individual can obtain redress before the European Court of Human Rights for violations of the rights guaranteed under the ECHR.

(122)

United Kingdom law authorises the sharing of data by a law enforcement authority with other UK authorities for purposes other than the ones for which it was originally collected (so-called ‘onward sharing’) subject to certain conditions.

(123)

Similarly to what is provided under Article 4(2) of Directive (EU) 2016/680, Section 36(3) of the DPA 2018 allows that personal data collected by a competent authority for a law enforcement purpose may be further processed (whether by the original controller or by another controller) for any other law enforcement purpose, provided that the controller is authorised by law to process data for the other purpose and the processing is necessary and proportionate (199). In this case, all the safeguards provided by Part 3 of the DPA 2018 and analysed above apply to the processing carried out by the receiving authority.

(124)

In the United Kingdom legal order, different laws explicitly allow onward sharing. In particular, (i) the Digital Economy Act 2017 allows the sharing between public authorities for several purposes, for example in case of any fraud against the public sector which would involve loss or a risk to loss for a public authority (200) or in case of a debt owed to a public authority or to the Crown (201); (ii) the Crime and Courts Act 2013 permits the sharing of information with the National Crime Agency (NCA) (202) for combating, investigating and prosecuting serious and organised crime; (iii) the Serious Crime Act 2007 allows public authorities to disclose information to anti-fraud organisations for the purposes of preventing fraud (203).

(125)

These laws explicitly provide that the sharing of information should be in compliance with the rules set in the DPA 2018. Moreover, the College of Policing has issued an Authorised Professional Practice on Information Sharing (204) to assist the police in complying with their data protection obligations under the UK GDPR, DPA and Human Rights Act 1998. The compliance of the sharing with the applicable data protection legal framework can, of course, be subject to judicial review (205).

(126)

Moreover, similarly to what is set out in Article 9 of Directive (EU) 2016/680, the DPA 2018 provides that personal data collected for any law enforcement purpose may be processed for a purpose that is not a law enforcement one when the processing is authorised by law (206). This type of sharing covers two scenarios: (1) when a criminal law enforcement authority shares data with a non-criminal law enforcement authority other than an intelligence agency (such as e.g. a financial or tax authority, a competition authority, a youth welfare office); (2) when a criminal law enforcement authority shares data with an intelligence agency. In the first scenario, the processing of personal data will fall within the scope of the UK GDPR as well as under Part 2 of the DPA 2018. As specified in the Decision adopted under Regulation (EU) 2016/679, the safeguards provided by the UK GDPR and Part 2 of the DPA 2018 provide a level of protection that is essentially equivalent to the one provided within the Union (207).

(127)

In the second scenario, with respect to the sharing of data collected by a criminal law enforcement authority with an intelligence agency for purposes of national security, the legal basis authorising such sharing is the Counter Terrorism Act 2008 (CTA 2008) (208). Under the CTA 2008, any person may give information to any of the intelligence services for the purpose of discharging any of the functions of that service, including ‘national security’.

(128)

As regards the conditions under which data can be shared for national security purposes, the Intelligence Services Act and the Security Services Act limit the ability of the intelligence services to obtain data to what is necessary to discharge their statutory functions. Competent authorities, falling under the scope of Part 3 of the DPA 2018, seeking to share data with the intelligence services will need to consider a number of factors/limitations, in addition to the statutory functions of the agencies which are set out in the Intelligence Services Act and the Security Services Act (209). Section 20 of the CTA 2008 makes clear that any data sharing pursuant to Section 19 of the CTA 2008 must still comply with the data protection legislation; which means that all of the limitations and requirements of the DPA 2018 apply. Furthermore, law enforcement authorities and intelligence services are public authorities for the purpose of the Human Rights Act 1998, and must thus ensure that they act in compliance with rights guaranteed under the ECHR, including its Article 8. In order words, these requirements mean that all data sharing between law enforcement agencies and intelligence services shall comply with data protection legislation and the ECHR.

(129)

The processing by intelligence services of personal data received or obtained from law enforcement authorities purposes of national security is subject to a number of conditions and safeguards (210). Part 4 of the DPA 2018 applies to all processing by or on behalf of the intelligence services. It sets out the main data protection principles (lawfulness, fairness and transparency (211); purpose limitation (212); data minimisation (213); accuracy (214); storage limitation (215) and security (216), imposes conditions on the processing of special categories of data (217), provides for data subject rights (218), requires data protection by design (219) and regulates international transfers of personal data (220).

(130)

At the same time, Section 110 of the DPA 2018 provides for an exemption from specified provisions in Part 4 of the DPA 2018, when such exemption is required to safeguard national security. Section 110(2) of the DPA 2018 lists the provisions from which an exemption is allowed. It includes the data protection principles (except the principle of lawfulness), the data subject rights, the obligation to inform the Information Commissioner about a data breach, the Information Commissioner’s powers of inspection in accordance with international obligations, certain of the Information Commissioner’s enforcement powers, the provisions that make certain data protection violations a criminal offence, and the provisions relating to special purposes of processing, such as journalistic, academic or artistic purposes. This exemption can be relied upon on the basis of a case-by-case analysis (221). As explained by the United Kingdom authorities and confirmed by the case-law of United Kingdom courts, ‘(a) controller must consider the actual consequences to national security or defence if they had to comply with the particular data protection provision, and if they could reasonably comply with the usual rule without affecting national security or defence’ (222). Whether or not the exemption has been used appropriately is subject to the oversight of the ICO (223).

(131)

Moreover, in relation to the possibility to restrict any of the above-mentioned rights for the protection of ‘national security’, section 79 of the DPA 2018 provides for the possibility of a controller to apply for a certificate signed by a Cabinet Minister or the Attorney General certifying that a restriction of such rights is, or at any time was, a necessary and proportionate measure to protect national security (224). The United Kingdom government has issued guidance on national security certificates under the DPA 2018 that notably highlight that any limitation to data subjects’ rights for safeguarding national security must be proportionate and necessary (225). All national security certificates must be published on the ICO’s website (226).

(132)

The certificate should be for a fixed duration of no more than five years, so to be regularly reviewed by the executive (227). A certificate shall identify the personal data or categories of personal data subject to the exemption as well the provisions of the DPA 2018 to which the exemption applies (228).

(133)

It is important to note that national security certificates do not provide for an additional ground for restricting data protection rights for national security reasons. In other words, the controller or processor can only rely on a certificate when they have concluded it is necessary to rely on the national security exemption, which must be applied on a case-by-case basis. Even if a national security certificate applies to the matter in question, the ICO can investigate whether or not reliance on the national security exemption was justified in a specific case (229).

(134)

Any person directly affected by the issuing of the certificate can appeal to the Upper Tribunal (230) against the certificate (231) or, where the certificate identifies data by means of a general description, challenge the application of the certificate to specific data (232).

(135)

The tribunal will review the decision to issue a certificate and decide whether there were reasonable grounds for issuing the certificate (233). It can consider a wide range of issues, including necessity, proportionality and lawfulness, having regard to the impact on the rights of data subjects and balancing the need to safeguard national security. As a result, the tribunal may determine that the certificate does not apply to specific personal data which is the subject of the appeal (234).

(136)

A different set of possible restrictions concern those applying, under Schedule 11 of the DPA 2018, to certain provisions of Part 4 of the DPA 2018 (235) to safeguard other important objectives of general public interest or protected interests such as, for example, parliamentary privilege, legal professional privilege, the conduct of judicial proceedings or the combat effectiveness of the armed forces. The application of these provisions is either exempted for certain categories of information (‘class based’), or exempted to the extent that the application of these provisions would be likely to prejudice the protected interest (‘prejudice based’) (236). Prejudice-based exemptions can only be invoked as far as the application of the listed data protection provision would be likely to prejudice the specific interest in question. The use of an exemption must therefore always be justified by referring to the relevant prejudice that would be likely to occur in the individual case. Class-based exemptions can be invoked only with respect to the specific, narrowly defined category of information for which the exemption is granted. These are similar in purpose and effect to several of the exceptions to the UK GDPR (under Schedule 2 of the DPA 2018) which, in turn, reflect those provided in Article 23 GDPR.

(137)

It follows from the above that limitation and conditions are in place under the applicable United Kingdom legal provisions, as also interpreted by the courts and the Information Commission, to ensure that these exemption and restrictions remain within the boundaries of what is necessary and proportionate to protect national security.

(138)

The processing of personal data carried out by the intelligence services under Part 4 of the DPA 2018 is overseen by the Information Commissioner (237).

(139)

The general functions of the Information Commissioner in relation to the processing of personal data by intelligence services under Part 4 of the DPA 2018 are laid down in Schedule 13 to the DPA 2018. The tasks include, but are not limited to, in particular, monitoring and enforcement of Part 4 of the DPA 2018, promoting public awareness, advising Parliament, the government and other institutions on legislative and administrative measures, promoting the awareness of controllers and processors of their obligations, providing information to a data subject concerning the exercise of the data subject’s rights, and conducting investigations

(140)

The Commissioner, as for Part 3 of the DPA 2018, has the power to notify controllers of an alleged infringement and to issue warnings that a processing is likely to infringe the rules, and issues reprimands when the infringement is confirmed. It can also issue enforcement and penalty notices for violations of certain provision of the act (238). However, differently than for other parts of the DPA 2018, the Commissioner cannot give an assessment notice to a national security (239).

(141)

Moreover, Section 110 of the DPA 2018 provides an exception to the use of certain powers of the Commissioner when this is required for the purposes of safeguarding national security. This includes the power of the Commissioner to issue (any type of) notices under the DPA (information, assessment, enforcement and penalty notices), the power to carry out inspections in accordance with international obligations, the powers of entry and inspection, and the rules on offences (240). As explained in recital 136, these exceptions will apply only if necessary and proportionate and on case-by-case basis. The application of these exceptions can be subject to a judicial review (241).

(142)

The ICO and United Kingdom intelligence services have signed a Memorandum of Understanding (242) that establishes a framework for cooperation on a number of issues, including data breach notifications and the handling of data subjects complaints. In particular, it provides that upon receiving a complaint, the ICO will assess whether any national security exemption has been invoked appropriately. Responses to queries made by the ICO in the context of the examination of individual complaints have to be given within 20 working days by the concerned United Kingdom Government Guidance on National Security Certificates under the Data Protection Act, using appropriate secure channels if it involves classified information. From April 2018 to date, the ICO has received 21 complaints from individuals about the intelligence services. Each complaint was assessed and the outcome was communicated to the data subject (243).

(143)

Moreover, the Intelligence and Security Committee (ISC) carries out parliamentary oversight over data processing by intelligence agencies. This Committee has its statutory basis in the Justice and Security Act 2013 (JSA 2013) (244). The Act establishes the ISC as a committee of the United Kingdom Parliament. The ISC consists of members belonging to either House of the Parliament and appointed by the Prime Minister after consulting the leader of the opposition (245). The ISC is required to make an annual report to Parliament on the discharge of its functions and other reports that it considers appropriate (246).

(144)

Since 2013, the ISC has been provided with greater powers including the oversight of operational activities of security services. Under Section 2 of the JSA 2013, the ISC has the task to oversee the expenditure, administration, policy and operations of national security agencies. The JSA 2013 specifies that the ISC is able to conduct investigations on operational matters when they do not relate to ongoing operations (247). The Memorandum of Understanding agreed between the Prime Minister and the ISC (248) specifies in detail the elements to be taken into account when considering whether an activity is not part of any ongoing operation (249). The ISC can also be asked to investigate ongoing operations by the Prime Minister and can review information voluntarily provided by the agencies.

(145)

Under Schedule 1 of the JSA 2013 the ISC may ask the heads of any of the three intelligence services to disclose any information. The agency must make such information available, unless the Secretary of State vetoes it (250). The United Kingdom authorities explained that in practice very little information is withheld from the ISC (251).

(146)

With respect to redress, first of all, under Section 165(2) of the DPA 2018, a data subject may bring a complaint before the ICO if he or she believes that, in connection to personal data relating to him or her, there is a violation of Part 4 of the DPA 2018, including any abusive use of the national security derogations and restrictions.

(147)

Moreover, under Part 4 of the DPA 2018, individuals are entitled to apply to the High Court (or Court of Session in Scotland) for an order requiring the controller to comply with the rights of access to data (252), to object to processing (253) and to rectification or erasure.

(148)

Individuals are also entitled to seek compensation for damage suffered due to a contravention of a requirement of Part 4 of the DPA 2018 from the controller or a processor (254). Damage includes both financial loss and damage not involving financial loss, such as distress (255).

(149)

Finally, an individual can submit a complaint to the Investigatory Powers Tribunal for any conduct by or on behalf of the United Kingdom intelligence agencies (256).The Investigatory Powers Tribunal (IPT) is established by the Regulation of Investigatory Powers Act 2000 for England, Wales and Northern Ireland and the Regulation of Investigatory Powers (Scotland) Act 2000 for Scotland (RIPA 2000) and is independent from the executive (257). In accordance with Section 65 of the RIPA 2000, the members of the IPT are appointed by Her Majesty for a period of five years.

(150)

A member of the Tribunal may be removed from office by Her Majesty on an Address (258) by both Houses of Parliament (259).

(151)

To bring an action before the IPT (‘standing requirement’), according to Section 65 of the RIPA 2000, an individual has to believe (i) that the conduct of an intelligence service has taken place in relation to him, any of his property, any communications sent by or to him, or intended for him, or his use of any postal service, telecommunications service or telecommunications system (260), and (ii) that the conduct has taken place in ‘challengeable circumstances’ (261) or ‘been carried out by or on behalf of the intelligence services (262). As in particular this ‘belief’ standard has been interpreted quite broadly (263), bringing a case before the Tribunal is subject to relatively low standing requirements.

(152)

Where the Tribunal considers a complaint made to them, it is the duty of the Tribunal to investigate whether the persons against whom any allegation is made in the complaint have engaged in relation to the complainant as well as to investigate the authority that has allegedly engaged in the violations and whether the alleged conduct has taken place (264). Where the Tribunal hears any proceedings, it must apply the same principles for making their determination in those proceedings as would be applied by a court on an application for judicial review (265).

(153)

The Tribunal must give notice to the complainant whether there has been determination in his or her favour or not (266). Under Section 67(6) and (7) of the RIPA 2000, the Tribunal has the power to issue interim orders and to provide any such award of compensation or other order as it thinks fit (267). According to Section 67A of the RIPA 2000, a determination of the Tribunal can be appealed, subject to leave granted by the Tribunal or relevant appellate court.

(154)

In particular, individuals can bring a claim – and obtain redress – before the IPT in case where they consider that a public authority has acted (or proposes to act) in a way which is incompatible with a ECHR rights, including the right to privacy and data protection, and is consequently unlawful under Section 6(1) of the Human Rights Act 1998. The IPT that has been granted exclusive jurisdiction for all Human Rights Act claims in relation to the intelligence agencies. This means, as noted by the High Court, ‘whether there has been a breach of the HRA on the facts of a particular case is something that can in principle be raised and adjudicated by an independent tribunal which can have access to all relevant material, including secret material. […] We also bear in mind in this context that the IPT is itself now subject to the possibility of an appeal to an appropriate appellate court (in England and Wales that would be the Court of Appeal); and that the Supreme Court has recently decided that the IPT is in principle amenable to judicial review: see R (Privacy International) v Investigatory Powers Tribunal [2019] UKSC 22; [2019] 2 WLR 1219’ (268). If the IPT finds any act of a public authority to be unlawful, it can grant such relief or remedy, or make such order, within its powers as it considers just and appropriate (269).

(155)

After exhausting national remedies, an individual can obtain redress before the European Court of Human Rights for violations of the rights guaranteed under the ECHR, including the right to privacy and data protection.

(156)

It follows from the above that the sharing by United Kingdom criminal law enforcement authorities of data transferred under this Decision with other public authorities, including intelligence agencies, is framed by limitations and conditions ensuring that such onward sharing will be necessary and proportionate and subject to specific data protection safeguards under the DPA 2018. Moreover, processing of data by the concerned public authorities is overseen by independent bodies and affected individuals have access to effective judicial remedies.

(157)

The Commission considers that Part 3 of the DPA 2018 ensures a level of protection for personal data transferred for criminal law enforcement purposes from competent authorities in the Union to United Kingdom competent authorities which is essentially equivalent to the one guaranteed by Directive (EU) 2016/680.

(158)

Moreover, the Commission considers that, taken as a whole, the oversight mechanisms and redress avenues in United Kingdom law enable infringements to be identified and sanctioned in practice and offer legal remedies to the data subject to obtain access to personal data relating to him/her and, eventually, the rectification or erasure of such data.

(159)

Finally, on the basis of the available information about the United Kingdom legal order, the Commission considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to the United Kingdom by United Kingdom public authorities for public interest purposes, including in the context of the sharing of personal data between law enforcement authorities and other public authorities such as national security bodies, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.

(160)

Therefore, it should be decided that the United Kingdom ensures an adequate level of protection within the meaning of Article 36(2) of Directive (EU) 2016/680, interpreted in light of the Charter of Fundamental Rights.

(161)

This conclusion is based on both the relevant United Kingdom domestic regime and its international commitments, in particular adherence to the European Convention of Human Rights and submission to the jurisdiction of the European Court of Human Rights. Continued adherence to such international obligations is therefore a particularly important element of the assessment on which this Decision is based.

(162)

Member States and their organs are required to take the measures necessary to comply with acts of the Union institutions, as the latter are presumed to be lawful and accordingly produce legal effects until such time as they expire, are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality.

(163)

Consequently, a Commission adequacy decision adopted pursuant to Article 36(3) of Directive (EU) 2016/680 is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities. In particular, during the period of application of this Decision, transfers from a controller or processor in the Union to controllers or processors in the United Kingdom may take place without the need to obtain any further authorisation.

(164)

At the same time, it should be recalled that, pursuant to Article 47(5) of Directive (EU) 2016/680, and as explained by the Court of Justice in the Schrems judgment, where a national data protection authority questions, including upon a complaint, the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court, which may be required to make a reference for a preliminary ruling to the Court of Justice (270).

(165)

Pursuant to Article 36(4) of Directive (EU) 2016/680, the Commission is to monitor, on an ongoing basis, relevant developments in the United Kingdom after the adoption of this Decision in order to assess whether it still ensures an essentially equivalent level of protection. Such monitoring is particular important in this case, as the United Kingdom will administer, apply and enforce a new data protection regime no longer subject to Union law, which may be liable to evolve. In that respect, special attention will be paid to the application in practice of the United Kingdom rules on transfers of personal data to third countries, including through the conclusion of international agreements, and the impact it may have on the level of protection afforded to data transferred under this Decision; as well as to the effectiveness of the exercise of individual rights in the areas covered by this Decision. Amongst other elements, case-law developments and oversight by the ICO and other independent bodies will inform the Commission’s monitoring.

(166)

In order to facilitate this monitoring, the United Kingdom authorities should promptly and regularly inform the Commission of any material change to the United Kingdom legal order that has an impact on the legal framework that is the object of this Decision, as well as any evolution in practices related to the processing of the personal data assessed in this Decision, in particular with respect to the elements mentioned in recital 165.

(167)

Moreover, in order to allow the Commission to effectively carry out its monitoring function, the Member States should inform the Commission about any relevant action undertaken by the national data protection authorities, in particular regarding queries or complaints by EU data subjects concerning the transfer of personal data from the Union to competent authorities in the United Kingdom. The Commission should also be informed about any indications that the actions of United Kingdom public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences, including any oversight bodies, do not ensure the required level of protection.

(168)

Where available information, in particular information resulting from the monitoring of this Decision or provided by United Kingdom or Member States’ authorities, reveals that the level of protection afforded by the United Kingdom may no longer be adequate, the Commission should promptly inform the competent United Kingdom authorities thereof and request that appropriate measures be taken within a specified timeframe, which may not exceed three months. Where necessary, this period may be extended for a specified period of time, taking into account the nature of the issue at stake and/or of the measures to be taken.

(169)

If, at the expiry of that specified timeframe, the competent United Kingdom authorities fail to take those measures or otherwise demonstrate satisfactorily that this Decision continues to be based on an adequate level of protection, the Commission will initiate the procedure referred to in Article 58(2) of the Directive (EU) 2016/680 with a view to partially or completely suspend or repeal this Decision.

(170)

Alternatively, the Commission will initiate this procedure with a view to amend the Decision, in particular by subjecting data transfers to additional conditions or by limiting the scope of the adequacy finding only to data transfers for which an adequate level of protection continues to be ensured.

(171)

On duly justified imperative grounds of urgency, the Commission will make use of the possibility to adopt, in accordance with the procedure referred to in Article 58(3) of the Directive (EU) 2016/680, immediately applicable implementing acts suspending, repealing or amending the Decision.

(172)

It should be taken into account that, with the end of the transition period provided by the Withdrawal Agreement and as soon as the interim provision under Article 782 of the EU-UK Trade and Cooperation Agreement will cease to apply, the United Kingdom will administer, apply and enforce a new data protection regime compared to the one in place when it was bound by European Union law. This may notably involve amendments or changes to the data protection framework assessed in this Decision, as well as other relevant developments.

(173)

It is therefore appropriate to provide that this Decision will apply for a period of four years as of its entry into force.

(174)

Where in particular information resulting from the monitoring of this Decision reveals that the findings relating to the adequacy of the level of protection ensured in the United Kingdom are still factually and legally justified, the Commission should, at the latest six months before this Decision ceases to apply, initiate the procedure to amend this Decision by extending its temporal scope, in principle, for an additional period of four years Any such implementing act amending this Decision is to be adopted in accordance with the procedure referred to in Article 58(2) of Directive (EU) 2016/680.

(175)

The European Data Protection Board published its opinion (271), which has been taken into consideration in the preparation of this Decision.

(176)

The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 58 of Directive (EU) 2016/680.

(177)

In accordance with Article 6a of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, as annexed to the TEU and to the TFEU, Ireland is not bound by the rules laid down in Directive (EU) 2016/680, and hence this implementing decision, which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU where Ireland is not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16 TFEU. Moreover, by virtue of Council Implementing Decision (EU) 2020/1745 (272), Directive (EU) 2016/680 is to be put into effect and applied on a provisional basis in Ireland as of 1 January 2021. Ireland is therefore bound by this Implementing Decision, under the same conditions as apply to the application of Directive (EU) 2016/680 in Ireland as set out in Implementing Decision (EU) 2020/1745, as regards the Schengen acquis it participates in.

(178)

In accordance with Articles 2 and 2a of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark is not bound by the rules laid down in Directive (EU) 2016/680, and hence this Implementing Decision, or subject to their application which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three of the TFEU. However, given that Directive (EU) 2016/680 builds upon the Schengen acquis, Denmark, in accordance with Article 4 of that Protocol, notified on 26 October 2016 its decision to implement Directive (EU) 2016/680. Denmark is therefore bound under international law to implement this Implementing Decision.

(179)

As regards Iceland and Norway, this Implementing Decision constitutes a development of provisions of the Schengen acquis, as provided for by the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (273).

(180)

As regards Switzerland, this Implementing Decision constitutes a development of provisions of the Schengen acquis, as provided for by the Agreement between the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen acquis (274).

(181)

As regards Liechtenstein, this Implementing Decision constitutes a development of provisions of the Schengen acquis, as provided for by the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (275),