(1)

Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the European Union to third countries and international organisations to the extent that such transfers fall within its scope of application. The rules on international data transfers are laid down in Chapter V of that Regulation, that is in Articles 44 to 50. While the flow of personal data to and from countries outside the European Union is essential for the expansion of international cooperation and cross-border trade, the level of protection afforded to personal data in the European Union must not be undermined by transfers to third countries (2).

(2)

Pursuant to Article 45(3) of Regulation (EU) 2016/679, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensure(s) an adequate level of protection. Under this condition, transfers of personal data to a third country may take place without the need to obtain any further authorisation, as provided for in Article 45(1) and recital 103 of that Regulation.

(3)

As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country's legal order, covering both the rules applicable to the data importers and the limitations and safeguards as regards access to personal data by public authorities. In its assessment, the Commission has to determine whether the third country in question guarantees a level of protection “essentially equivalent” to that ensured within the European Union (recital 104 of Regulation (EU) 2016/679). The standard against which the “essential equivalence” is assessed is that set by European Union legislation, notably Regulation (EU) 2016/679, as well as the case law of the Court of Justice of the European Union (3). The European Data Protection Board’s (EDPB) adequacy referential is also of significance in this regard (4).

(4)

As clarified by the Court of Justice of the European Union, this does not require finding an identical level of protection (5). In particular, the means to which the third country in question has recourse for protecting personal data may differ from the ones employed in the European Union, as long as they prove, in practice, effective for ensuring an adequate level of protection (6). The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test lies in whether, through the substance of data protection rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection (7).

(5)

The Commission has carefully analysed the law and practice of the United Kingdom. Based on the findings developed in recitals (8) to (270), the Commission concludes that the United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom.

(6)

This conclusion does not concern personal data transferred for United Kingdom immigration control purposes or which otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control (the “immigration exemption”) pursuant to paragraph 4(1) of Schedule 2 to the UK Data Protection Act. The validity and interpretation of the immigration exemption under UK law is not settled following a decision of the England and Wales Court of Appeal of 26 May 2021. While recognising that data subject rights can, in principle, be restricted for immigration control purposes as “an important aspect of the public interest”, the Court of Appeal has found that the immigration exemption is, in its current form, incompatible with UK law, as the legislative measure lacks specific provisions setting out the safeguards listed in Article 23(2) of the United Kingdom General Data Protection Regulation (UK GDPR) (8). In these conditions, transfers of personal data from the Union to the United Kingdom to which the immigration exemption can be applied should be excluded from the scope of this Decision (9). Once the incompatibility with UK law is remedied, the immigration exemption should be reassessed, as well as the need to maintain the limitation of the scope of this Decision.

(7)

This Decision should not affect the direct application of Regulation (EU) 2016/679 to organisations established in the United Kingdom where the conditions regarding the territorial scope of that Regulation, laid down in its Article 3, are fulfilled.

(8)

The United Kingdom is a Parliamentary democracy which has a constitutional sovereign as Head of State. It has a sovereign Parliament, which is supreme to all other government institutions, an Executive drawn from and accountable to Parliament and an independent judiciary. The Executive draws its authority from its ability to command the confidence of the elected House of Commons and is accountable to both Houses of Parliament which are responsible for scrutinising the Government and debating and passing laws.

(9)

The United Kingdom Parliament has devolved responsibility to the Scottish Parliament, the Welsh Parliament (Senedd Cymru), and the Northern Ireland Assembly for legislating on domestic matters in Scotland, Wales and Northern Ireland which the United Kingdom Parliament has not reserved to itself. While data protection is a reserved matter, i.e. the same legislation applies across the country, other areas of policy relevant to this Decision are devolved. For instance, the criminal justice systems, including policing, of Scotland and Northern Ireland are devolved to the Scottish Parliament and Northern Ireland Assembly, respectively. The United Kingdom does not have a codified constitution in the sense of an entrenched constitutive document. Constitutional principles have emerged over time, drawn from case law and convention in particular. The constitutional value of certain statutes, such as Magna Carta, the Bill of Rights 1689 and the Human Rights Act 1998 has been recognised by courts. The fundamental rights of individuals have been developed, as part of the constitution, through common law, those statutes, and international treaties, in particular the European Convention on Human Rights which the United Kingdom ratified in 1951. The United Kingdom also ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) in 1987 (10).

(10)

The Human Rights Act 1998 incorporates the rights contained in the European Convention on Human Rights into the law of the United Kingdom. The Human Rights Act grants any individual the fundamental rights and freedoms provided in Articles 2 to 12 and 14 of the European Convention on Human Rights, Articles 1, 2 and 3 of its First Protocol and Article 1 of its Thirteenth Protocol, as read in conjunction with Articles 16, 17 and 18 of that Convention. This includes the right to respect for private and family life (and the right to data protection as part of that right) and the right to a fair trial (11). In particular, pursuant to Article 8 of that Convention, a public authority may only interfere with the right to privacy in accordance with the law, where necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

(11)

In accordance with the Human Rights Act 1998, any action of public authorities must be compatible with a Convention Right (12). In addition, primary and subordinate legislation must be read and given effect in a way that is compatible with the Convention rights (13).

(12)

The United Kingdom withdrew from the European Union on 31 January 2020. On the basis of the Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community (14), Union law continued to apply in the United Kingdom during the transition period until 31 December 2020. Prior to the withdrawal and during the transition period, the legislative framework on the protection of personal data in the United Kingdom consisted of the relevant EU legislation (in particular Regulation (EU) 2016/679 and Directive (EU) 2016/680 of the European Parliament and of the Council (15)) and national legislation, in particular the Data Protection Act 2018 (DPA 2018) (16) which provided national rules, where allowed by Regulation (EU) 2016/679, specifying and restricting the application of the rules of Regulation (EU) 2016/679 and transposed Directive (EU) 2016/680.

(13)

To prepare for withdrawal from the European Union, the United Kingdom Government enacted the European Union (Withdrawal) Act 2018 (17), which incorporates directly applicable Union legislation into the law of the United Kingdom (18). This so-called “retained EU law” includes Regulation (EU) 2016/679 in its entirety (including its recitals) (19). In accordance with that act, the unmodified retained EU law must be interpreted by the courts of the United Kingdom in accordance with the relevant case law of the European Court of Justice and general principles of Union law as they have effect immediately before the end of the transition period (called “retained EU case law” and “retained general principles of EU law” respectively) (20).

(14)

Under the European Union (Withdrawal) Act 2018, the ministers of the United Kingdom have the power to introduce secondary legislation, via statutory instruments, to make the necessary modifications to retained European Union law consequential to the United Kingdom’s withdrawal from the European Union. They exercised that power by adopting the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (DPPEC Regulations) (21). The DPPEC Regulations amend Regulation (EU) 2016/679 as brought into United Kingdom law through the European Union (Withdrawal) Act 2018, the DPA 2018, and other data protection legislation to fit the domestic context (22).

(15)

Consequently, the legal framework on the protection of personal data in the United Kingdom after the end of the transition period consists of:

(16)

As the UK GDPR is based on EU legislation, the data protection rules in the United Kingdom in many aspects closely mirror the corresponding rules applicable within the European Union.

(17)

In addition to the powers afforded to the Secretary of State by the European Union (Withdrawal) Act 2018, several provisions of the DPA 2018 give powers to the Secretary of State to adopt secondary legislation to amend certain provisions of the Act or provide supplementary and additional rules (25). The Secretary of State has so far only exercised the power under Section 137 of the DPA 2018 to adopt the Data Protection (Charges and Information) (Amendment) Regulations 2019, which set out the circumstances in which data controllers are required to pay an annual charge to the UK’s independent data protection authority, the Information Commissioner.

(18)

Finally, further guidance on the data protection legislation of the United Kingdom is provided in the codes of practice and other guidance adopted by the Information Commissioner. Although not formally legally binding, this guidance carries interpretative weight and demonstrates how the data protection legislation applies and is enforced by the Commissioner in practice. In particular, Sections 121 to 125 of the DPA 2018 require the Commissioner to prepare codes of practice on data-sharing, direct marketing, age-appropriate design and data protection and journalism.

(19)

In its structure and main components, the UK legal framework applying to data transferred under this Decision is thus very similar to the one applying in the European Union. This includes the fact that such framework does not only rely on obligations laid down in domestic law, that have been shaped by EU law, but also on obligations enshrined in international law, in particular through the United Kingdom’s adherence to the ECHR and Convention 108, as well as its submission to the jurisdiction of the European Court of Human Rights. These obligations arising from legally binding international instruments, concerning notably the protection of personal data, are therefore a particular important element of the legal framework assessed in this Decision.

(20)

Similarly to Regulation (EU) 2016/679, the UK GDPR applies to the processing of personal data wholly or partly by automated means, or to other processing, if the personal data forms part of a filing system (26). The definitions of “personal data”, of “data subject” and of “processing” of the UK GDPR are identical to those of Regulation (EU) 2016/679 (27). In addition, the UK GDPR applies to the processing of manual unstructured personal data (28) held by certain United Kingdom public authorities (29), although UK GDPR principles and rights that are not relevant to such personal data are disapplied by Sections 24 and 25 of the DPA 2018. Similarly to what is provided under Regulation (EU) 2016/679, the UK GDPR does not apply to the processing of personal data by an individual in the course of a purely personal or household activity (30).

(21)

The UK GDPR extends its scope also to the processing in the course of an activity which, immediately before the end of the transition period, fell outside the scope of European Union law (e.g. national security) (31), or was within the scope of Chapter 2 of Title 5 of the Treaty on European Union (Common Foreign and Security Policy activities) (32).As in the European Union system, the UK GDPR does not apply to the processing of personal data by a competent authority for purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (so called “law enforcement purposes”) – such processing is instead governed by Part 3 of the DPA 2018, as it is the case for Directive (EU) 2016/680 under European Union law – or the processing of personal data by intelligence services (the Security Service, the Secret Intelligence Service and the Government Communications Headquarters) which is covered by Part 4 of the DPA 2018 (33).

(22)

The territorial scope of the UK GDPR is described in Article 3 of the UK GDPR (34) and includes the processing of personal data (regardless of where it takes place) in the context of the activities of an establishment of a controller or a processor in the United Kingdom as well as to the processing of personal data of data subjects who are in the United Kingdom, where the processing activities are related to the offering of goods or services to such data subjects or the monitoring of their behaviour (35). This reflects the approach taken in Article 3 of Regulation (EU) 2016/679.

(23)

The definitions of personal data, processing, controller, processor, as well as the definition of pseudonymisation, laid down in Regulation (EU) 2016/679 have been retained without material modifications in the UK GDPR (36). Moreover, special categories of data are defined in Article 9(1) of the UK GDPR in the same way as under Regulation (EU) 2016/679 (“revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”). Section 205 of the DPA 2018 provides the definition of “biometric data” (37), “data concerning health” (38) and “genetic data” (39).

(24)

Personal data should be processed lawfully and fairly.

(25)

The principles of lawfulness, fairness and transparency and the grounds for lawful processing are guaranteed in the law of the United Kingdom through Articles 5(1)(a) and 6(1) of the UK GDPR, which are identical to the respective provisions in Regulation (EU) 2016/679 (40). Section 8 of the DPA 2018 complements Article 6(1)(e) by providing that the processing of personal data under Article 6(1)(e) of the UK GDPR (necessary for the performance of a task carried out in the public interest, or in the exercise of the controller’s official authority), includes processing of personal data that is necessary for the administration of justice, the exercise of a function of either House of Parliament, the exercise of a function conferred on a person by an enactment or rule of law, the exercise of a function of the Crown, a Minister of the Crown or a government department, or an activity that supports or promotes democratic engagement.

(26)

With respect to consent (one of the grounds for lawful processing), the UK GDPR also retains the conditions provided for in the Article 7 of Regulation (EU) 2016/679 unmodified, that is to say the controller must be able to demonstrate that the data subject has consented, a written request for consent must be presented using clear and plain language, the data subject must have the right to withdraw consent at any time, and when assessing whether consent is freely given, it should be taken into account whether the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. Moreover, pursuant to Article 8 of the UK GDPR, in the context of the provision of information society services a child’s consent is lawful only when the child is at least 13 years old. This falls within the age bracket set in Article 8 of Regulation (EU) 2016/679.

(27)

Specific safeguards should exist where “special categories” of data are being processed.

(28)

The UK GDPR and the DPA 2018 contain specific rules as regards the processing of special categories of personal data, which are defined in Article 9(1) of the UK GDPR in the same way as under Regulation (EU) 2016/679 (see recital (23) above). According to Article 9 of the UK GDPR, the processing of special categories of data is in principle prohibited, unless a specific exception applies.

(29)

These exceptions (listed in Article 9(2) and (3) of the UK GDPR) do not make any changes of substance to those in Article 9(2) and (3) of Regulation (EU) 2016/679. Unless the data subject has given its explicit consent to the processing of those personal data, the processing of special categories of personal data is only permitted in specific and limited circumstances. In most instances, processing of sensitive data must be necessary for a specific purpose defined in the relevant provision (see Article 9(2)(b), (c), (f), (g), (h), (i) and (j)).

(30)

Moreover, where an exception under Article 9(2) of the UK GDPR requires an authorisation by law or refers to the public interest, Section 10 of the DPA 2018 together with Schedule 1 to the DPA 2018 further specify the conditions that must be met for the exceptions to be relied upon. For example, in the case of processing of sensitive data for protecting “public health” (Article 9(2)(i) of the UK GDPR), paragraph 3(b) of Part 1 of Schedule 1 requires that, in addition to the necessity test, such processing is carried out “by or under the responsibility of a health professional” or “by another person who owes a duty of confidentiality under an enactment or rule of law”, including under the well-established common law duty of confidentiality.

(31)

Where sensitive data is processed for reasons of substantial public interest (Article 9(2)(g) of the UK GDPR), Part 2 of Schedule 1 to the DPA 2018 provides an exhaustive list of purposes that can be considered as of substantial public interest, and, for each of these purposes, sets out specific additional conditions. For instance, promoting racial and ethnic diversity at senior levels of organisations is recognised as a substantial public interest. Processing of sensitive data for this specific purpose is subject to detailed requirements, including that the processing is carried out as part of a process of identifying suitable individuals to hold senior positions, is necessary to promote racial and ethnic diversity and is not likely to cause substantial damage or substantial distress to the data subject.

(32)

Section 11(1) of the DPA 2018 sets out conditions for personal data to be processed in the circumstances described in Article 9(3) of the UK GDPR relating to the obligation of secrecy. This includes circumstances in which it is carried out by or under the responsibility of a health professional or a social work professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

(33)

In addition, many of the exceptions listed in Article 9(2) of the UK GDPR require suitable and specific safeguards in order to be used. Depending on the nature of the processing and the level of risk for the rights and freedoms of data subjects, the conditions for processing provided for in Schedule 1 to the DPA 2018 establish different safeguards. Schedule 1 sets out the conditions for each processing situation in turn.

(34)

In some cases, the DPA 2018 regulates and limits the type of sensitive data that may be processed for a particular legal basis to be complied with. For example, paragraph 8 of Schedule 1 authorises the processing of sensitive data for the purpose of the promotion of equality of opportunity or treatment. This processing condition can only be used if the data reveals racial or ethnic origin, religious or philosophical beliefs, sexual orientation, or if it is health data.

(35)

In some cases, the DPA 2018 limits the type of controller that may use the processing condition. For example, paragraph 23 of Schedule 1 provides for processing of sensitive data in relation to elected representatives’ responses to the public. This processing condition can only be used if the controller is the elected representative or is acting under their authority.

(36)

In some other cases, the DPA 2018 sets limits on the categories of data subject for the processing condition to be used. For example, paragraph 21 of Schedule 1 regulates the processing of sensitive data for occupational pension schemes. This condition can only be used if the data subject in question is a sibling, parent, grandparent, or great-grandparent of the scheme member.

(37)

In addition, when relying on the exceptions in Article 9(2) of the UK GDPR that are further specified in Section 10 of the DPA 2018 together with Schedule 1 to the DPA 2018, the controller in most instances is required to draft an “Appropriate Policy Document”. It must outline the controller’s procedures for securing compliance with the principles in Article 5 of the UK GDPR. It must also set out policies for retention and erasure, with an indication of the likely storage period. Controllers must review and update this document as appropriate. The controller must keep the policy document for six months after processing is finished and must make it available to the Information Commissioner on request (41).

(38)

Pursuant to paragraph 41 of Schedule 1 to the DPA 2018, the Policy Document must always be accompanied by an augmented record of processing. This record must track the commitments included in the Policy Document, i.e. whether data is being erased or retained in accordance with the policies. If the policies have not been followed, the log must record the reasons. The record must also describe how the processing satisfies Article 6 of the UK GDPR (lawfulness of processing) and the specific condition in Schedule 1 to the DPA 2018 relied on.

(39)

Finally, like Regulation (EU) 2016/679, the UK GDPR also provides general safeguards for certain processing operations of special categories of data. Article 35 of the UK GDPR requires a data protection impact assessment if special categories of data are processed on a large scale. Pursuant to Article 37 of the UK GDPR, a controller or processor must designate a data protection officer where its core activities consist of processing special categories of data on a large scale.

(40)

With respect to personal data relating to criminal convictions and offences, Article 10 of the UK GDPR is identical to Article 10 of Regulation (EU) 2016/679. It allows the processing of personal data relating to criminal convictions and offences only under the control of official authority or when the processing is authorised by domestic law providing for appropriate safeguards for the rights and freedoms of data subjects.

(41)

Where the processing of data relating to criminal convictions and offences is not carried out under the control of official authority, Section 10(5) of the DPA 2018 provides that such processing can take place only for the specific purposes/ in the specific situations set out in Parts 1, 2 and 3 of Schedule 1 to the DPA 2018 and is subject to the specific requirements that are set out for each of these purposes/situations. For example, criminal convictions data can be processed by not-for-profit bodies if the processing is carried out (a) in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and (b) on condition that (i) the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and (ii) the personal data is not disclosed outside that body without the consent of the data subjects.

(42)

Moreover, Part 3 of Schedule 1 to the DPA 2018 sets out further circumstances in which criminal convictions data may be used which correspond to the legal grounds for processing of sensitive data in Article 9(2) of Regulation (EU) 2016/679 and the UK GDPR (e.g. consent of the data subject, vital interests of an individual if the data subject is legally or physically unable to give consent, if data has already manifestly been made public by the data subject, if processing is necessary for the establishment, exercise or defence of a legal claim etc.).

(43)

Personal data should be processed for a specific purpose and subsequently used only insofar as this is not incompatible with the purpose of processing.

(44)

This principle is provided in Article 5(1)(b) of Regulation (EU) 2016/679 and has been retained without changes in Article 5(1)(b) of the UK GDPR. The conditions on further compatible processing pursuant to Article 6(4) of Regulation (EU) 2016/679 have also been retained with no material modifications in Article 6(4)(a) - (e) of UK GDPR.

(45)

Moreover, data should be accurate and, where necessary, kept up to date. It should also be adequate, relevant and not excessive in relation to the purposes for which it is processed, and in principle be kept for no longer than is necessary for the purposes for which the personal data is processed.

(46)

These principles of data minimisation, accuracy and storage limitation are set out in Article 5(1)(c) to (e) of Regulation (EU) 2016/679 and are retained without modifications in Article 5(1)(c) to (e) in the UK GDPR.

(47)

Personal data should also be processed in a manner that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. To that end, business operators should take appropriate technical or organisational measures to protect personal data from possible threats. These measures should be assessed taking into consideration the state of the art and related costs.

(48)

Data security is enshrined in the law of the United Kingdom through the principle of integrity and confidentiality in Article 5(1)(f) of the UK GDPR and in Article 32 of the UK GDPR on security of processing. Those provisions are identical to the respective provisions of Regulation (EU) 2016/679. Moreover, under the same conditions as those set out in Articles 33 and 34 of Regulation (EU) 2016/679, the UK GDPR requires the notification of a personal data breach to the supervisory authority (Article 33 of the UK GDPR) and the communication of a personal data breach to the data subject (Article 34 of the UK GDPR).

(49)

Data subjects should be informed of the main features of the processing of their personal data.

(50)

This is ensured by Articles 13 and 14 of the UK GDPR, which, in addition to a general principle of transparency, provide rules on the information to be provided to the data subject (42). The UK GDPR introduces no material modifications to these rules compared to the corresponding articles of Regulation (EU) 2016/679. However, like under Regulation (EU) 2016/679, the transparency requirements of those articles are subject to several exceptions laid down in the DPA 2018 (see recitals (55) to (72)).

(51)

Data subjects should have certain rights which can be enforced against the controller or processor, in particular the right of access to data, the right to object to the processing and the right to have data rectified and erased. At the same time, such rights may be subject to restrictions, as far as these restrictions are necessary and proportionate to safeguard public security or other important objectives of general public interest.

(52)

The UK GDPR grants individuals the same enforceable rights as Regulation (EU) 2016/679. The provisions providing the rights of the individuals have been maintained in the UK GDPR without material changes.

(53)

The rights include the right of access by the data subject (Article 15 of the UK GDPR), the right to rectification (Article 16 of the UK GDPR), the right to erasure (Article 17 of the UK GDPR), the right to restriction of processing (Article 18 of the UK GDPR), a notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19 of the UK GDPR), the right to data portability (Article 20 of the UK GDPR), and the right to object (Article 21 of the UK GDPR) (43). The latter also includes the right of a data subject to object to the processing of personal data for the purpose of direct marketing provided in paragraphs 2 and 3 of Article 21 of Regulation (EU) 2016/679. Moreover, under Section 122 of the DPA 2018, the Information Commissioner must prepare a Code of Practice in relation to the carrying out of direct marketing in accordance with the requirements of the data protection legislation (and the Privacy and Electronic Communications (EC Directive) Regulations 2003) and such other guidance to promote good practice in direct marketing that the Commissioner considers appropriate. The Information Commissioner’s Office is currently developing the direct marketing code (44).

(54)

The data subject’s right not to be subject to a decision based solely on automated processing that produces legal effects concerning them, or similarly affects them significantly, as provided in Article 22 GDPR, has also been retained in UK GDPR without substantial changes. However, a new paragraph 3A has been added to reference that Section 14 of the DPA 2018 sets out safeguards for data subjects’ rights, freedoms and legitimate interests when the processing is carried out under Article 22(2)(b) of the UK GDPR. This only applies when the basis for such a decision is an authorisation or requirement under United Kingdom law, and does not apply where the decision is necessary under a contract or made with the data subject’s explicit consent. Where Section 14 of the DPA 2018 applies, the controller must, as soon as reasonably practicable, notify the data subject in writing that a decision has been taken based solely on automated processing. The data subject has a right to request that the controller - within one month of receipt of the notice - reconsider the decision, or to take a new decision that is not based solely on automated processing. The Secretary of State is empowered to adopt further safeguards as regards automated decision-making. This power has not yet been exercised.

(55)

The DPA 2018 sets out several restrictions to individual rights, fitting within the framework of Article 23 of the UK GDPR. No restrictions are introduced within this framework concerning the right to object to direct marketing as provided in Article 21(2) and (3) of the UK GDPR or to the right not to be subject to automated decision making as provided in Article 22 of the UK GDPR.

(56)

The restrictions are detailed in Schedules 2-4 to the DPA 2018. The United Kingdom authorities have explained that they are guided by two principles: the principle of specificity (taking a granular approach, splitting broad restrictions into multiple, more specific provisions) and the principle of conditionality (each provision is complemented by safeguards in the form of limitations or conditions to prevent abuse) (45).

(57)

The restrictions described in Article 23(1) of the UK GDPR are designed to ensure they only apply in specified circumstances where necessary in a democratic society and proportionate to the legitimate aim they pursue. Furthermore, in accordance with established case law on the interpretation of restrictions, an exemption from the data protection regime can only be applied in any particular case if it is necessary and proportionate to do so (46). The test of necessity has been required to be “a strict one, requiring any interference with the subject’s rights to be proportionate to the gravity of the threat to the public interest. The exercise therefore involves a classic proportionality analysis (47).”

(58)

The aims pursued by these restrictions correspond to the ones listed in Article 23 of Regulation (EU) 2016/679, except for the restrictions for national security and defence that are instead regulated by Section 26 of the DPA 2018, but are subject to the same requirements of necessity and proportionality (see recitals (63) to (66)).

(59)

Some of the restrictions, for example those related to the prevention or detection of crime, to the apprehension or prosecution of offenders, and to the assessment or collection of tax or duty (48) permit restrictions to all the individual rights and transparency obligations (excluding rights under Article 21(2) and Article 22). The scope of other restrictions is limited to transparency obligations and access rights, such as the restrictions relating to legal professional privilege (49), to the right to freedom from a requirement to provide information that would lead to self-incrimination (50), and to corporate finance, notably the prevention of insider trading (51). Few of the restrictions permit a restriction to the controller’s obligation to communicate a data breach to a data subject and the principles of purpose limitation, and lawfulness, fairness and transparency of the processing (52).

(60)

Some of the restrictions apply automatically “in full” to a certain type of processing of personal data (for example, the application of transparency obligations and individual rights is excluded when personal data is processed for the purposes of assessing a person’s suitability for judicial office or personal data is processed by a court, tribunal, or individual, acting in a judicial capacity).

(61)

However, in the majority of cases, the relevant paragraph in Schedule 2 to the DPA 2018 specifies that the restriction applies only when (and to the extent) that the application of the provisions “would be likely to prejudice” the legitimate aim pursued by that restriction: for example, the listed provisions of the UK GDPR do not apply to personal data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty “to the extent that the application of those provisions would be likely to prejudice” any of these matters (53).

(62)

The “would be likely to prejudice” standard has been consistently interpreted by UK courts to mean “a very significant and weighty chance of prejudice to the identified public interests” (54). A restriction subject to the prejudice test can therefore only be invoked if and to the extent that there is a very significant and weighty chance that the granting of a certain right would prejudice the public interest at stake. The controller is responsible for assessing on case-by-case basis whether these conditions are fulfilled (55).

(63)

In addition to the restrictions contained in Schedule 2 to the DPA 2018, Section 26 of the DPA 2018 provides an exemption which may be applied to certain provisions of the UK GDPR and of the DPA 2018 if that exemption is required for the purpose of safeguarding national security or for defence purposes. This exemption applies to the data protection principles (except the principle of lawfulness), the transparency obligations, the rights of the data subject, the obligation to notify a data breach, rules on international transfers, some of the duties and powers of the Information Commissioner, and the rules on remedies, liabilities and penalties, except for the provision on the general conditions for imposing administrative fines set out in Article 83 of the UK GDPR and the provision on penalties in Article 84 of the UK GDPR. Moreover Section 28 of the DPA 2018 modifies the application of Article 9(1) to enable the processing of special categories of data in Article 9(1) of the UK GDPR to the extent that the processing is carried out for safeguarding national security or for defence purposes, and with appropriate safeguards for the rights and freedoms of data subjects (56).

(64)

The exemption can only be applied to the extent that it is required to safeguard national security or defence. As it is also the case for the other exemptions provided for by the DPA 2018, it must be considered and invoked by the controller on a case-by-case basis. Moreover, any application of the exemption must be in compliance with human right standards (underpinned by the Human Rights Act 1998), according to which any interference with privacy rights should be necessary and proportionate in a democratic society (57).

(65)

This interpretation of the exemption is confirmed by the ICO that has issued detailed guidance on the application of the national security and defence exemption, making clear that it must be considered and applied by the controller on a case by case basis (58). In particular, the guidance stresses that “[t]his is not a blanket exemption” and that, in order to invoke it, “it is not enough that the data is processed for national security purposes”. By contrast, the controller relying on it must “show that there is a real possibility of an adverse effect on national security” and, when necessary, the controller is expected to “provide [the ICO] with evidence about why [it] used this exemption”. The guidance contains a checklist and a series of examples to further clarify the conditions under which this exemption can be invoked.

(66)

The fact that the data is processed for national security or defence purposes is therefore not on its own sufficient for the exemption to be applied. A controller must consider the actual consequences to national security if it had to comply with the particular data protection provision. The exemption can only be applied to those specific provisions which have been identified as posing the risk and must be applied as restrictively as possible (59).

(67)

This approach has been confirmed by the Information Tribunal (60). In the case of Baker v Secretary of State for the Home Department (“Baker v Secretary of State” ), it determined that it was unlawful to apply the national security exemption as a blanket exemption to access requests received by the intelligence services. Instead, the exemption had to be applied on a case-by-case basis, by looking at each request on its merit and in view of the right of individuals to respect for their private lives (61).

(68)

Article 85(2) of the UK GDPR allows for provision to be made for personal data processed for journalistic, artistic, academic and literary purposes to be exempt from several provisions of the UK GDPR. Part 5 of Schedule 2 to the DPA 2018 sets out the exemptions for processing for these purposes. It provides for exemptions from the data protection principles (except the principle of integrity and confidentiality), the legal grounds for processing (incl. special categories of data and criminal convictions etc. data), the conditions for consent, the transparency obligations, the rights of the data subjects, the obligation to notify data breaches, and the requirement to consult the Information Commissioner prior to high risk processing, and the rules on international transfers (62). In this regard, the UK GDPR does not depart in a substantive manner from Regulation (EU) 2016/679, which in its Article 85 also provides for the possibility to exempt processing carried out for journalistic purposes or the purposes of academic, artistic or literary expression from a number of requirements of Regulation (EU) 2016/679. The provisions of the DPA 2018, notably Schedule 2, Part 5, are compatible with the UK GDPR.

(69)

The core balancing exercise to be carried out under Article 85 of the UK GDPR relates to whether an exemption to the data protection rules mentioned in recital (68) is “necessary to reconcile the right to the protection of personal data with the freedom of expression and information” (63). According to Schedule 2, paragraphs 26(2) and (3) to the DPA 2018, the United Kingdom applies a “reasonable belief” test in order for this balance to be struck. For an exemption to be justified, the controller must reasonably believe (i) that publication is in the public interest; and (ii) that the application of the relevant GDPR provision would be incompatible with journalistic, academic, artistic or literary purposes. As confirmed by case law (64), the “reasonable belief” test has both a subjective and an objective component: it is insufficient for the controller to demonstrate that he himself believed compliance was incompatible. His belief must be reasonable, i.e. it could be believed by a reasonable person, knowing the relevant facts. The controller must therefore exercise due diligence when forming his belief in order to be able to demonstrate reasonableness. According to the explanations provided by the United Kingdom authorities, the “reasonable belief” test must be carried out on an exemption-by-exemption basis (65). If the conditions are met, the exemption is considered necessary and proportionate under United Kingdom law.

(70)

According to Section 124 of the DPA 2018, the ICO is to prepare a Code of Practice on Data Protection and Journalism. Work on this Code is ongoing. Guidance on the matter under the Data Protection Act 1998 has been issued which notably stresses that, to rely on this exemption, it is insufficient to merely state that compliance would be an inconvenience for journalist activities, but there must be a clear argument that the provision in question presents an obstacle to responsible journalism (66). Guidance on the application of the public interest test and the balancing of public interest against an individual’s interest in privacy has also been published by the United Kingdom’s telecommunications regulator OFCOM and the BBC in its editorial guidelines (67). The guidelines notably provide examples of information that can be considered in the public interest, and explain the need to be able to demonstrate that the public interest outweighs privacy rights in the particular circumstances of the case.

(71)

Similarly to what is provided in Article 89 GDPR, personal data processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes can also be exempted from a number of listed provisions of the UK GDPR (68). As regards research and statistics, exemptions are possible to the provisions of the UK GDPR related to confirmation of processing and access to data and safeguards for third country transfers; right to rectification; restriction of processing and objection to processing. As regards archiving in the public interest, exemptions are also possible to the notification obligation regarding rectification or erasure of personal data or restriction of processing and to the right to data portability.

(72)

According to paragraphs 27(1) and 28(1) of Schedule 2 to the DPA 2018, the exemptions to the listed provisions of the UK GDPR are possible where the application of the provisions would “prevent or seriously impair the achievement” of the purposes in question (69).

(73)

Given their relevance for an effective exercise of individual rights, any relevant development regarding the interpretation and application in practice of the above-mentioned exemptions (in addition to the one relating to the maintenance of effective immigration control, as explained in recital (6)), including any further development of the case law and of ICO guidance and enforcement actions, will be duly taken into account in the context of the continuous monitoring of this Decision (70).

(74)

The level of protection afforded to personal data transferred from the European Union to controllers or processors in the United Kingdom must not be undermined by the further transfer of such data to recipients in a third country. Such “onward transfers”, which from the perspective of the United Kingdom controller or processor constitute international transfers from the United Kingdom, should be permitted only where the further recipient outside the United Kingdom is itself subject to rules ensuring a similar level of protection to that guaranteed within the United Kingdom legal order. For this reason, the application of the rules of the UK GDPR and the DPA 2018 on international transfers of personal data is an important factor to ensure the continuity of protection in the case of personal data transferred from the European Union to the United Kingdom under this Decision.

(75)

The regime on international transfers of personal data from the United Kingdom is set out in Articles 44-49 of the UK GDPR, supplemented by the DPA 2018, and is in substance identical to the rules set out in Chapter V of Regulation (EU) 2016/679 (71). Transfers of personal data to a third country or international organisation can only take place on the basis of adequacy regulations (the UK equivalent to an adequacy decision under Regulation (EU) 2016/679), or in the absence of adequacy regulations, where the controller or processor has provided appropriate safeguards in accordance with Article 46 of the UK GDPR. In the absence of adequacy regulations or appropriate safeguards, a transfer can only take place based on derogations set out in Article 49 of the UK GDPR.

(76)

The adequacy regulations made by the Secretary of State can stipulate that a third country (or a territory or a sector within a third country), an international organisation, or a description (72) of such a country, territory, sector, or organisation ensures an adequate level of protection of personal data. When assessing the adequacy of the level of protection, the Secretary of State must take into account the exact same elements that the Commission is required to assess under Article 45(2)(a)-(c) of Regulation (EU) 2016/679, interpreted together with recital 104 of Regulation (EU) 2016/679 and the retained EU case law. This means that, when assessing the adequate level of protection of a third country, the relevant standard will be whether that third country in question ensures a level of protection “essentially equivalent” to that guaranteed within the United Kingdom.

(77)

As for the procedure, adequacy regulations are subject to the “general” procedural requirements provided for in Section 182 of the DPA 2018. Under this procedure, the Secretary of State must consult the Information Commissioner when proposing to adopt UK adequacy regulations (73). Once adopted by the Secretary of State, those regulations are laid before Parliament and subject to the “negative resolution” procedure under which both Houses of Parliament can scrutinise the regulations and have the ability to pass a motion annulling the regulations within a 40 day period (74).

(78)

According to Section 17B(1) of the DPA 2018, the adequacy regulations must be reviewed at intervals of not more than four years and the Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make adequacy regulations, or to amend or revoke such regulations. Where the Secretary of State becomes aware that a country or organisation specified no longer ensures an adequate level of protection of personal data, he must, to the extent necessary, amend or revoke the regulations and enter into consultations with the third country or international organisation concerned to remedy the lack of an adequate level of protection. These procedural aspects also mirror the corresponding requirements of Regulation (EU) 2016/679.

(79)

In the absence of adequacy regulations, international transfers can take place where the controller or processor has provided appropriate safeguards in accordance with Article 46 of the UK GDPR. These safeguards are similar to those under Article 46 of Regulation (EU) 2016/679. They include legally binding and enforceable instruments between public authorities or bodies, binding corporate rules (75), standard data protection clauses, approved codes of conduct, approved certification mechanisms, and with authorisation from the Information Commissioner, contractual clauses between controllers (or processors) or administrative arrangements between public authorities. However, the rules have been modified, from a procedural point of view, to work within the United Kingdom framework, in particular the standard data protection clauses can be adopted by the Secretary of State (Section 17C) or the Information Commissioner (Section 119A) in accordance with the DPA 2018.

(80)

In absence of an adequacy decision or appropriate safeguards, a transfer can only take place based on derogations set out in Article 49 of the UK GDPR (76). The UK GDPR introduces no material changes to the derogations, compared to the corresponding rules of Regulation (EU) 2016/679. Under the UK GDPR, as under Regulation (EU) 2016/679, certain derogations can only be relied on if the transfer is occasional (77). Moreover, the ICO in its guidance on international transfers, clarifies that: “You should only use these as true ‘exceptions’ from the general rule that you should not make a restricted transfer unless it is covered by an adequacy decision or there are appropriate safeguards in place” (78). With respect to transfers that are necessary for important reasons of public interest (Article 49(1)(d)), the Secretary of State can make regulations to specify circumstances in which a transfer of personal data to a third country or international organisation is not necessary for important reasons of public interest. Furthermore, the Secretary of State can by regulations restrict the transfer of a category of personal data to a third country or international organisation where the transfer cannot take place based on adequacy regulations, and the Secretary of State considers the restriction to be necessary for important reasons of public interest. No such regulations have been adopted so far.

(81)

This framework for international transfers has become applicable at the end of the transition period (79). However, paragraph 4 of Schedule 21 to the DPA 2018 (introduced by the DPPEC Regulations) provide that as of the end of the transition period, certain transfers of personal data are treated as if they are based on adequacy regulations. These transfers include transfers to an EEA State, the territory of Gibraltar, a Union institution, body, office or agency set up by, or on the basis of the EU Treaty, and third countries which were the subject of an EU adequacy decision at the end of the transition period. Consequently, the transfers to these countries can continue as before the United Kingdom’s withdrawal from the EU. After the end of the transition period, the Secretary of State must conduct a review of these adequacy findings during a period of four years, i.e. by the end of December According to the explanation provided by the United Kingdom authorities, although the Secretary of State needs to undertake such a review by the end of December 2024, the transitional provisions do not include a “sunset” provision and the relevant transitional provisions will not automatically cease to have effect if a review is not completed by the end of December 2024.

(82)

Finally, as regards the future evolution of the United Kingdom’s international transfers regime – through the adoption of new adequacy regulations, the conclusion of international agreements or the development of other transfer mechanisms – the Commission will closely monitor the situation, assess whether the different transfer mechanisms are used in a way that ensures the continuity of protection, and, if necessary, take appropriate measures to address possible adverse effects for such continuity (see recitals (278) to (287)). As the EU and the United Kingdom share similar rules on international transfers, it is expected that problematic divergence could also be avoided through cooperation, exchange of information and sharing of experience, including between the ICO and the EDPB.

(83)

Under the accountability principle, entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.

(84)

The principle of accountability provided for in Regulation (EU) 2016/679 has been retained in Article 5(2) of the UK GDPR without material change and the same applies to Article 24 on the responsibility of the controller, Article 25 on data protection by design and by default and Article 30 on records of processing activities. Articles 35 and 36 on data protection impact assessment and prior consultation of supervisory authority have also been retained. Articles 37-39 of Regulation (EU) 2016/679 on the designation and the tasks of the data protection officers have been retained in the UK GDPR with no material changes. Furthermore, the provisions of Articles 40 and 42 of Regulation (EU) 2016/679 on codes of conduct and certification have been retained in the UK GDPR (80).

(85)

In order to ensure that an adequate level of data protection is guaranteed in practice, an independent supervisory authority tasked with powers to monitor and enforce compliance with the data protection rules should be in place. This authority should act with complete independence and impartiality in performing its duties and exercising its powers.

(86)

In the United Kingdom, the oversight and enforcement of compliance with the UK GDPR and the DPA 2018 is carried out by the Information Commissioner. The Information Commissioner is a “Corporation Sole”: a separate legal entity constituted in a single person. The Information Commissioner is supported in her work by an office. On 31 March 2020 the Information Commissioner’s Office had 768 permanent staff (81). The sponsor-department of the Information Commissioner is the Department for Digital, Culture, Media and Sport (82).

(87)

The independence of the Commissioner is explicitly established in Article 52 of the UK GDPR which does not make any substantive changes to Article 52(1)-(3) GDPR. The Commissioner must act with complete independence in performing her tasks and exercising her powers in accordance with the UK GDPR, remain free from external influence, whether direct or indirect, in relation to those tasks and powers, and neither seek nor take instructions from anyone. The Commissioner must also refrain from any action incompatible with her duties and shall not, while holding office, engage in any incompatible occupation, whether gainful or not.

(88)

The conditions for the appointment and removal of the Information Commissioner are set out in Schedule 12 to the DPA 2018. The Information Commissioner is appointed by Her Majesty on a recommendation from Government pursuant to a fair and open competition. The candidate must have the appropriate qualifications, skills and competence. In accordance with the Governance Code on Public Appointments (83), a list of appointable candidates is made by an advisory assessment panel. Before the Secretary of State at the Department for Digital, Culture, Media and Sport finalises his or her decision, the relevant Select Committee of Parliament must carry out a pre-appointment scrutiny. The position of the Committee is made public (84).

(89)

The Information Commissioner holds office for a term of up to seven years. A person cannot be appointed as the Information Commissioner more than once. The Information Commissioner can be removed from office by Her Majesty following an Address by both Houses of Parliament (85). No request for dismissal of the Information Commissioner can be presented to either House of Parliament unless a Minister has presented a report stating that he or she is satisfied that the Information Commissioner is guilty of serious misconduct and/or the Commissioner no longer fulfils the conditions required for the performance of the Commissioner’s functions (86).

(90)

The funding of the Information Commissioner comes from three sources: (i) data protection charges paid by controllers, which are set by Secretary of State’s regulations (87) (the Data Protection (Charges and Information) Regulations 2018), and amount to 85% - 90% of the Office’s annual budget (88); (ii) grant in aid paid by the Government to the Information Commissioner. Grant in aid is mainly used to finance the operating costs of the Information Commissioner as regards non-data protection related tasks (89); and (iii) fees charged for services (90). At present, no such fees are charged.

(91)

The general functions of the Information Commissioner in relation to the processing of personal data that the UK GDPR applies to, are laid down in Article 57 of the UK GDPR, mirroring closely the corresponding rules of Regulation (EU) 2016/679. Its functions include monitoring and enforcement of the UK GDPR, promoting public awareness, handling complaints lodged by the data subjects, conducting investigations etc.. In addition, Section 115 of the DPA 2018 sets out other general functions of the Commissioner, which include a duty to advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data, and a power to issue, on the Commissioner’s own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data. To maintain the independence of the judiciary, the Information Commissioner is not authorised to exercise her functions in relation to the processing of personal data by an individual acting in a judicial capacity, or a court or tribunal acting in its judicial capacity. However, oversight on the judiciary is ensured by specialised bodies (see recitals (99) to (103).

(92)

The powers of the Information Commissioner are set out in Article 58 of the UK GDPR, which introduces no material changes to the corresponding article of Regulation (EU) 2016/679. The DPA 2018 sets out supplementary rules on how these powers can be exercised. In particular, the Commissioner has powers to: (a) order the controller and the processor (and in certain circumstances any other person) to provide necessary information by giving an information notice (“information notice”) (91); (b) carry out investigations and audits by giving an assessment notice, which may require the controller or processor to permit the Commissioner to enter specified premises, inspect or examine documents or equipment, interview people processing personal data on behalf of the controller etc. (“assessment notice”) (92); (c) obtain otherwise access to documents etc. of controllers and processors and access to their premises in accordance with Section 154 of the DPA 2018 (“powers of entry and inspection”); (d) exercise corrective powers including by means of warnings and reprimands or give orders by means of an enforcement notice, which requires controllers/processors to take or refrain from taking specified steps, including ordering the controller or processor to do anything specified in Article 58(2)(c)-(g) and (j) of the UK GDPR (“enforcement notice”) (93); (e) and issue administrative fines in the form of a penalty notice (“penalty notice”) (94). The latter can be issued also in case a public authority has failed to comply with the provisions of the UK GDPR (95).

(93)

The ICO’s Regulatory Action Policy sets out the circumstances under which it will issue an information, assessment, enforcement or penalty notice (96). An enforcement notice given in response to a failure by a controller or processor may only impose requirements which the Commissioner considers appropriate for the purpose of remedying the failure. Enforcement and penalty notices may be issued to a controller or processor in relation to violations of Chapter II of the UK GDPR (principles of processing), Articles 12 -22 (rights of the data subject), Articles 25-39 (obligations of controllers and processors) and Articles 44-49 (international transfers) of the UK GDPR. An enforcement notice may also be given where a controller has failed to comply with the requirement to pay a charge in regulations made under Section 137 of the DPA 2018. In addition, a monitoring body under Article 41 or a certification provider can be given an enforcement notice if they fail to comply with their obligations under the UK GDPR. A penalty notice can be also given to a person who has not complied with an information notice, an assessment notice or an enforcement notice.

(94)

The penalty notice requires the person to pay to the Information Commissioner an amount specified in the notice. In determining whether to give a penalty notice to a person and determining the amount of the penalty, the Information Commissioner must have regard to the matters listed in Article 83(1) and (2) of the UK GDPR, which are identical to the corresponding rules of Regulation (EU) 2016/679 (97). Under Article 83(4) and (5) the maximum amounts of the administrative fines in case of a failure to comply with the obligations referred to in those provisions are £8 700 000 or £17 500 000 respectively. In the case of an undertaking, the Information Commissioner can also impose fines as a percentage of worldwide annual turnover, if higher. As in the equivalent provisions of Regulation (EU) 2016/679, these amounts are set at 2% and 4% in Articles 83(4) and (5) respectively. In case of a failure to comply with an information notice, an assessment notice or an enforcement notice, the maximum amount of the penalty that may be imposed by a penalty notice is the higher of £17 500 000 or, in the case of an undertaking, 4% worldwide annual turnover.

(95)

The UK GDPR together with the DPA 2018 have also strengthened other powers of the Information Commissioner. For example, the Commissioner can now conduct compulsory audits in relation to all controllers and processors through the use of assessment notices, whereas under the previous legislation, the Data Protection Act 1998, the Commissioner only had this power in respect of central government and health organisations, others having to agree to an audit.

(96)

Since the introduction of Regulation (EU) 2016/679, the ICO handles about 40 000 complaints from data subjects per year (98) and, in addition, carries out about 2 000ex officio investigations (99). A majority of complaints are related to the rights of access to and disclosure of data. Following her investigations, the Commissioner is taking enforcement measures across a broad range of sectors. More specifically, according to the Information Commissioner’s latest annual report (2019-2020) (100), the Commissioner issued 54 information notices, 8 assessment notices, 7 enforcement notices, 4 cautions, 8 prosecutions and 15 fines during the reporting period (101).

(97)

This includes several significant monetary penalties imposed under Regulation (EU) 2016/679 and the DPA 2018. In particular, the Information Commissioner in October 2020 fined a British airline company £20 million for a data breach affecting more than 400 000 customers. At the end of October 2020, an international hotel chain was fined £18.4 million for failing to keep millions of customers’ personal data secure and in November 2020 a British service provider selling event tickets online was fined £1.25 million for failing to protect customers' payment details (102).

(98)

In addition to the enforcement powers of the Information Commissioner described in recital (92), certain violations of the data protection legislation constitute offences and may therefore be subject to criminal sanctions (Section 196 of the DPA 2018). This applies, for example, to knowingly or recklessly obtaining or disclosing personal data without the consent of the controller, procuring the disclosure of personal data to another person without the consent of the controller (103), re-identifying information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data (104), intentionally obstructing the Commissioner’s power to exercise her powers in relation to the inspection of personal data in accordance with international obligations (105), making false statements in response to an information notice, or destroying information in connection to information and assessment notices (106).

(99)

Oversight of the processing of personal data by the courts and judiciary is twofold. Where a judicial office holder or a court is not acting in a judicial capacity, oversight is provided by the ICO. Where the controller is operating in a judicial capacity, the ICO cannot exercise its oversight functions (107) and the oversight is carried out by special bodies. This reflects the approach taken in Regulation (EU) 2016/679 (Article 55(3)).

(100)

In particular, in the second scenario, for the courts of England and Wales and the First-tier and Upper Tribunals of England and Wales, such oversight is provided by the Judicial Data Protection Panel (108). Additionally, the Lord Chief Justice and Senior President of Tribunals have issued a Privacy Notice (109) which sets out how the courts in England and Wales process personal data for a judicial function. A similar notice has been issued by the Northern Irish (110) and Scottish judiciaries (111).

(101)

Moreover, in Northern Ireland, the Lord Chief Justice of Northern Ireland has appointed a High Court judge as Data Supervisory Judge (DSJ) (112). They have also issued guidance to the Northern Irish Judiciary on what to do in the event of a loss or potential loss of data and the process for dealing with any issues arising from this (113).

(102)

In Scotland, the Lord President has appointed a Data Supervisory Judge to investigate any complaints on grounds of data protection. This is set out under the judicial complaints rules which mirror those established for England and Wales (114).

(103)

Finally, in the Supreme Court, one of the Supreme Court Justices is nominated to oversee data protection.

(104)

In order to ensure adequate protection and in particular the enforcement of individual rights, the data subject should be provided with effective administrative and judicial redress, including compensation for damages.

(105)

First, a data subject has the right to lodge a complaint with the Information Commissioner, if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of the UK GDPR (115). The UK GDPR retains the rules in Article 77 of Regulation (EU) 2016/679 on that right without material modifications. The same applies to Article 57(1)(f) and (2) that set out the tasks of the Commissioner in relation to the handling of complaints. As described in recitals (92) to (98) above, the Information Commissioner has the power to assess the compliance of the controller and processor with the UK GDPR and DPA 2018, require them to take or refrain from taking necessary steps in case of non-compliance and to impose fines.

(106)

Second, the UK GDPR and DPA 2018 provide the right to a remedy against the Information Commissioner. Pursuant to Article 78(1) of the UK GDPR, an individual has a right to an effective judicial remedy against a legally binding decision of the Commissioner concerning them. In the context of the judicial review, the judge examines the decision being challenged in the claim, and considers whether the Information Commissioner has acted lawfully. Moreover, pursuant to Article 78(2) of the UK GDPR, if the Commissioner fails to appropriately handle a complaint made by the data subject, (116) the complainant has access to judicial remedy. It can apply to a First Tier Tribunal to order the Commissioner to take appropriate steps to respond to the complaint, or to inform the complainant of progress on the complaint (117). In addition, any person who is served one of the abovementioned notices (information, assessment, enforcement or penalty notice) by the Commissioner may appeal to a First Tier Tribunal (118). If the Tribunal considers that the decision of the Commissioner is not in accordance with the law or the Information Commissioner should have exercised her discretion differently, the Tribunal must allow the appeal, or substitute another notice or decision which the Information Commissioner could have given or made.

(107)

Third, individuals can obtain judicial redress against controllers and processors directly before the courts under Article 79 of the UK GDPR and Section 167 of the DPA 2018. If, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject's rights under the data protection legislation, the court may order the controller in respect of the processing, or a processor acting on behalf of that controller, to take steps specified in the order or to refrain from taking steps specified in the order.

(108)

Moreover, under Article 82 of the UK GDPR and Section 168 of the DPA 2018, any person who has suffered material or non-material damage as a result of an infringement of the UK GDPR has the right to receive compensation from the controller or processor for the damage suffered. The rules on the compensation and liability in Article 82(1) – (5) of the UK GDPR are identical with the corresponding rules in Regulation (EU) 2016/679. Under Section 168 of the DPA 2018, non-material damage includes also distress. Under Article 80 of the UK GDPR the data subject has also a right to mandate a representative body or organisation to lodge the complaint with the Commissioner on his or her behalf (under Article 77 of the UK GDPR) and to exercise the rights referred to in Articles 78 (right to an effective judicial remedy against the Commissioner), 79 (right to an effective judicial remedy against a controller or processor) and 82 (right to compensation and liability) of the UK GDPR on his or her behalf.

(109)

Fourth, and in addition to the avenues for redress described above, any person that considers that his or her rights, including rights to privacy and data protection, have been violated by public authorities, can obtain redress before the UK courts under the Human Rights Act 1998 (119). An individual who claims that a public authority has acted (or proposes to act) in a way which is incompatible with a Convention right, and consequently unlawful under Section 6(1) of the Human Rights Act 1998, can bring proceedings against the authority in the appropriate court or tribunal, or rely on the rights concerned in any legal proceedings, when he or she is (or would be) a victim of the unlawful act.

(110)

If the court finds any act of a public authority to be unlawful, it can grant such relief or remedy, or make such order, within its powers as it considers just and appropriate (120). The court can also declare a provision of primary legislation to be incompatible with a Convention right.

(111)

Finally, after exhausting national remedies, an individual can obtain redress before the European Court of Human Rights for violations of the rights guaranteed under the European Convention of Human Rights.

(112)

The Commission also assessed the United Kingdom’s legal framework for the collection and subsequent use of personal data transferred to business operators in the United Kingdom by United Kingdom public authorities in the public interest, in particular for criminal law enforcement and national security purposes (hereinafter referred to as “government access”). In assessing whether the conditions under which government access to data transferred to the UK under this Decision would fulfil the “essential equivalence” test pursuant to Article 45(1) of Regulation (EU) 2016/679, as interpreted by the Court of Justice of the European Union in light of the Charter of Fundamental Rights, the Commission took into account in particular the following criteria.

(113)

First, any limitation to the right to the protection of personal data must be provided for by law and the legal basis which permits the interference with such a right must itself define the scope of the limitation on the exercise of the right concerned (121).

(114)

Second, in order to satisfy the requirement of proportionality, according to which derogations from and limitations to the protection of personal data must apply only in so far as is strictly necessary in a democratic society to meet specific objectives of general interest equivalent to those recognized by the Union, the legislation of the third country in question which permits the interference must lay down clear and precise rules governing the scope and application of the measures in question and impose minimum safeguards so that the persons whose data has been transferred have sufficient guarantees to protect effectively their personal data against the risk of abuse (122). The legislation must, in particular, indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted (123) as well as subject the fulfilment of such requirements to independent oversight (124).

(115)

Third, that legislation must be legally binding under domestic law and these legal requirements must not only be binding on the authorities, but also enforceable before courts against the authorities of the third country in question (125). In particular, data subjects must have the possibility of bringing legal action before an independent and impartial court in order to have access to their personal data, or to obtain the rectification or erasure of such data (126).

(116)

As an exercise of power by a public authority, government access in the United Kingdom must be carried out in full respect of the law. The United Kingdom has ratified the European Convention of Human Rights (see recital (9)) and all public authorities in the United Kingdom are required to act in compliance with the Convention (127). Article 8 of the Convention provides that any interference with privacy must be in accordance with the law, in the interests of one of the aims set out in Article 8(2), and proportionate in light of that aim. Article 8 also requires that the interference is “foreseeable”, i.e. have a clear, accessible basis in law, and that the law contains appropriate safeguards to prevent abuse.

(117)

In addition, in its case law, the European Court of Human Rights has specified that any interference with the right to privacy and data protection should be subject to an effective, independent and impartial oversight system that must be provided for either by a judge or by another independent body (128) (e.g. an administrative authority or a parliamentary body).

(118)

Moreover, individuals must be provided with an effective remedy, and the European Court of Human Rights has clarified that the remedy must be offered by an independent and impartial body which has adopted its own rules of procedure, consisting of members that must hold or have held high judicial office or be experienced lawyers, and that there must be no evidential burden to be overcome in order to lodge an application with it. In undertaking its examination of complaints by individuals, the independent and impartial body should have access to all relevant information, including closed materials. Finally, it should have the powers to remedy non-compliance (129).

(119)

The United Kingdom also ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), and signed the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (known as Convention 108+) in 2018 (130). Article 9 of Convention 108 provides that derogations from the general data protection principles (Article 5 Quality of data), the rules governing special categories of data (Article 6 Special categories of data) and data subject rights (Article 8 Additional safeguards to the data subject) are only permissible when such derogation is provided for by the law of the Party and constitutes a necessary measure in a democratic society in the interests of protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences, or for protecting the data subject or the rights and freedoms of others (131).

(120)

Therefore, through membership of the Council of Europe, adherence to the European Convention of Human Rights and submission to the jurisdiction of the European Court of Human Rights, the United Kingdom is subject to a number of obligations, enshrined in international law, that frame its system of government access on the basis of principles, safeguards and individual rights similar to those guaranteed under EU law and applicable to the Member States. As stressed in recital (19), continued adherence to such instruments is therefore a particularly important element of the assessment on which this Decision is based.

(121)

Further, specific data protection safeguards and rights are guaranteed by the DPA 2018 when data is processed by public authorities, including by law enforcement and national security bodies.

(122)

In particular, the regime for the processing of personal data in the context of criminal law enforcement is set out in Part 3 of the DPA 2018, which was enacted to transpose Directive (EU) 2016/680. Part 3 of the DPA 2018 applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (132).

(123)

The concept of “competent authority” is defined in Section 30 of the DPA as a person listed in Schedule 7 to the DPA 2018 as well as any other person to the extent that the person has statutory functions for any of the law enforcement purposes (133). As explained below (see recital (139)), certain competent authorities (for example the National Crime Agency) may make use, under certain conditions, of the powers provided by the Investigatory Power Act 2016 (IPA 2016). In this case, the safeguards provided by the IPA 2016 will apply in addition to those provided by Part 3 of the DPA 2018. The intelligence services (Secret Intelligence Service, Security Service and the Government Communications Headquarters) are not “competent authorities” (134) falling under Part 3 of the DPA 2018 and, therefore, the rules provided therein do not apply to any of their activities. A specific Part of the DPA 2018 (Part 4) is dedicated to the processing of personal data by intelligence services (for more details see recital (125)).

(124)

Similarly to Directive (EU) 2016/680, Part 3 of the DPA 2018 sets out the principles of lawfulness and fairness (135), purpose limitation (136), data minimisation (137), accuracy (138), storage limitation (139) and security (140). The legislation imposes specific transparency obligations (141) and provides individuals with a right of access (142), rectification and deletion (143) and the right not to be subject to automated decision-making (144). The competent authorities are also required to implement data protection by design and default, to keep records of processing activities, and, for certain processing operations, to carry out data protection impact assessments and to pre-consult the Information Commissioner (145). Pursuant to Section 56 of the DPA 2018, they are required to demonstrate compliance. Moreover, they are required to put in place appropriate measures to ensure security of processing (146) and are subject to specific obligations in case of a data breach, including notification of such breaches to the Information Commissioner and data subjects (147). As is the case in Directive (EU) 2016/680, there is also a requirement for a controller (unless it is a court or other judicial authority acting in a judicial capacity) to designate a data protection officer (DPO) (148) which assists the controller in complying with its obligations as well as monitoring that compliance (149). Furthermore, the legislation imposes specific requirements for international transfers of personal data for law enforcement purposes to third countries or international organisations to ensure continuity of protection (150). At the same date as this Decision, the Commission has adopted an adequacy decision on the basis of Article 36(3) of Directive (EU) 2016/680, finding that the data protection regime applicable to processing by United Kingdom criminal law enforcement authorities ensures a level of protection essentially equivalent to the one guaranteed by Directive (EU) 2016/680.

(125)

Part 4 of the DPA 2018 applies to all processing by or on behalf of the intelligence services. In particular, it sets out the main data protection principles (lawfulness, fairness and transparency (151); purpose limitation (152); data minimisation (153); accuracy (154); storage limitation (155) and security (156)), imposes conditions on the processing of special categories of data (157), provides for data subject rights (158), requires data protection by design (159) and regulates international transfers of personal data (160). The ICO has recently issued detailed guidance on the processing by intelligence agencies under Part 4 of the DPA 2018 (161).

(126)

At the same time, Section 110 of the DPA 2018 provides for an exemption from specified provisions in Part 4 of the DPA 2018 (162) when such exemption is required to safeguard national security. This exemption can be relied upon on the basis of a case-by-case analysis (163). As explained by the United Kingdom authorities and confirmed by the case law, a “controller must consider the actual consequences to national security or defence if they had to comply with the particular data protection provision, and if they could reasonably comply with the usual rule without affecting national security or defence” (164). Whether or not the exemption has been used appropriately is subject to the oversight of the ICO (165).

(127)

Moreover, in relation to the possibility to restrict for the protection of “national security” the application of the above specified provisions, according to Section 111 of the DPA 2018, a controller may apply for a certificate signed by a Cabinet Minister or the Attorney General certifying that a restriction of such rights is a necessary and proportionate measure to the protection of national security (166).

(128)

The United Kingdom government has issued guidance to assist controllers when considering whether to apply for a national security certificate under the DPA 2018 that notably highlights that any limitation to data subjects’ rights for safeguarding national security must be proportionate and necessary (167). All national security certificates must be published on the ICO’s website (168).

(129)

The certificate should be for a fixed duration of no more than five years, so to be regularly reviewed by the Executive (169). A certificate shall identify the personal data or categories of personal data subject to the exemption as well the provisions of the DPA 2018 to which the exemption applies (170).

(130)

It is important to note that the national security certificates do not provide for an additional ground for restricting data protection rights for national security reasons. In other words, the controller or processor can only rely on a certificate when it has concluded it is necessary to rely on the national security exemption which, as explained above, must be applied on a case-by-case basis (171). Even if a national security certificate applies to the matter in question, the ICO can investigate whether or not reliance on the national security exemption was justified in a specific case (172).

(131)

Any person directly affected by the issuing of the certificate may appeal to the Upper Tribunal (173) against the certificate (174) or, where the certificate identifies data by means of a general description, challenge the application of the certificate to specific data (175). The tribunal will review the decision to issue a certificate and decide whether there were reasonable grounds for issuing the certificate (176). It can consider a wide range of issues, including necessity, proportionality and lawfulness, having regard to the impact on the rights of data subjects and balancing the need to safeguard national security. As a result, the tribunal may determine that the certificate does not apply to specific personal data which is the subject of the appeal (177).

(132)

A different set of possible restrictions concern those applying, under Schedule 11 of the DPA 2018, to certain provisions of Part 4 of the DPA 2018 (178) to safeguard other important objectives of general public interest or protected interests such as, for example, parliamentary privilege, legal professional privilege, the conduct of judicial proceedings or the combat effectiveness of the armed forces (179). The application of these provisions is either exempted for certain categories of information (“class based”), or exempted to the extent that the application of these provisions would be likely to prejudice the protected interest (“prejudice based”) (180). Prejudice-based exemptions can only be invoked as far as the application of the listed data protection provision would be likely to prejudice the specific interest in question. The use of an exemption must therefore always be justified by referring to the relevant prejudice that would be likely to occur in the individual case. Class-based exemptions can be invoked only with respect to the specific, narrowly defined category of information for which the exemption is granted. These are similar in purpose and effect to several of the exceptions to the UK GDPR (under Schedule 2 of the DPA 2018) which, in turn, reflect those provided in Article 23 GDPR.

(133)

It follows from the above that limitations and conditions are in place under the applicable UK legal provisions, as also interpreted by the courts and the Information Commission, to ensure that these exemptions and restrictions remain within the boundaries of what is necessary and proportionate to protect national security.

(134)

The law of the United Kingdom imposes a number of limitations on the access and use of personal data for criminal law enforcement purposes, and provides oversight and redress mechanisms in this area which are in line with the requirements referred to in recitals (113) to (115) of the present decision. The conditions under which such access can take place and the safeguards applicable to the use of these powers are assessed in detail in the following sections.

(135)

Pursuant to the principle of lawfulness guaranteed under Section 35 of the DPA 2018, the processing of personal data for any of the law enforcement purposes is lawful only if it is based on law and either the data subject has given consent to the processing for that purpose (181) or the processing is necessary for the performance of a task carried out for that purpose by a competent authority.

(136)

In the United Kingdom legal framework, the collection of personal data from business operators, including those that would be processing data transferred from the EU under the present adequacy decision, for purposes of criminal law enforcement is permissible on the basis of search warrants (182) and production orders (183).

(137)

Search warrants are issued by a court, usually on the application of the investigating officer. They permit an officer to enter premises to search for material or individuals relevant to their investigation and retain anything for which a search has been authorised, including any relevant documents or material containing personal data (184). A production order, which also needs to be issued by a court, requires the person specified in it to produce or give access to material they are in possession or control of. The applicant must justify to the court why the warrant or order is necessary, as well as why it is in the public interest. There are several statutory powers that permit the issuance of search warrants and production orders. Each provision has its own set of statutory conditions which must be satisfied for a warrant (185) or a production order (186) to be issued.

(138)

Production orders and search warrants may be challenged by way of judicial review (187). In terms of safeguards, all criminal law enforcement authorities falling within the scope of Part 3 of the DPA 2018), may only access personal data – which is a form of processing – in line with the principles and requirements set out in the DPA 2018 (see recitals (122) and (124) above). Therefore, a request made by any law enforcement authority should be in compliance with the principle according to which the purposes of processing must be specified, explicit and legitimate (188) and that the personal data processed by a competent authority must be relevant to that purpose and not excessive (189).

(139)

For the purpose of preventing or detecting only serious crimes (190), certain law enforcement authorities, for example the National Crime Agency or the Chief of Police (191), can use targeted investigatory powers under the IPA 2016. In this case, the safeguards provided by the IPA 2016 will apply in addition to those provided by Part 3 of the DPA 2018. The specific investigatory powers that those law enforcement authorities can rely upon are: targeted interceptions (Part 2 of the IPA 2016), acquisition of communications data (Part 3 of the IPA 2016), retention of communications data (Part 4 of the IPA 2016) and targeted equipment interference (Part 5 of the IPA 2016). Interception covers the acquisition of the content of a communication (192) while acquisition and retention of communications data is not aimed at obtaining the content of the communication, but at the “who”, “when”, “where” and “how” of the communication. This covers for instance the time and duration of a communication, the phone number or email address of the originator and recipient of the communication, and sometimes the location of the devices from which the communication was made, the subscriber to a telephone service or an itemised bill (193). Equipment interference is a set of techniques used to obtain a variety of data from equipment, which includes computers, tablets and smart phones as well as cables, wires and storage devices (194).

(140)

Targeted interception powers can also be used when “necessary for the purpose of giving effect to the provisions of an EU mutual assistance instrument or an international mutual assistance agreement” (so-called “mutual assistance warrant” (195)). Mutual assistance warrants are only provided in relation to interception, not acquisition of communications data or equipment interference. These targeted powers are regulated in the Investigatory Powers Act 2016 (IPA 2016) (196), which, together with the Regulation of Investigatory Powers Act 2000 (RIPA) for England, Wales and Northern Ireland and the Regulation of Investigatory Powers (Scotland) Act 2000 (RIPSA) for Scotland, provide for the legal basis and set out the applicable limitations and safeguards for the use of such powers. The IPA 2016 also provides the regime for the use of bulk investigatory powers, although those are not available to law enforcement authorities (only intelligence agencies can make use of them) (197).

(141)

In order to exercise these powers, the authorities need to obtain a warrant (198) issued by a competent authority (199), and approved by an independent Judicial Commissioner (200) (so-called “double-lock” procedure). The obtaining of such a warrant is subject to a necessity and proportionality test (201). Since these targeted investigatory powers provided by the IPA 2016 are the same as those available to national security agencies, the conditions, limitations and safeguards applicable to such powers are addressed in detail in the Section on access and use of personal data by United Kingdom public authorities for national security purposes (see recitals (177) and following).

(142)

The sharing of data by a law enforcement authority with a different authority for purposes other than the ones for which it was originally collected (so-called “onward sharing”) is subject to certain conditions.

(143)

Similarly to what is provided under Article 4(2) of Directive (EU) 2016/680, Section 36(3) of the DPA 2018 allows that personal data collected by a competent authority for a law enforcement purpose may be further processed (whether by the original controller or by another controller) for any other law enforcement purpose, provided that the controller is authorised by law to process data for the other purpose and the processing is necessary and proportionate to that purpose (202). In this case, all the safeguards provided by Part 3 of the DPA 2018, referred to in recitals (122) and (124) apply to the processing carried out by the receiving authority.

(144)

In the United Kingdom legal order, different laws explicitly allow such onward sharing. In particular, (i) the Digital Economy Act 2017 allows the sharing between public authorities for several purposes, for example in case of any fraud against the public sector which would involve loss or a risk to loss for public authorities (203) or in case of a debt owed to a public authority or to the Crown (204); (ii) the Crime and Courts Act 2013 that permits the sharing of information with the National Crime Agency (NCA) (205) for combating, investigating and prosecuting serious and organised crime; (iii) the Serious Crime Act 2007 that allows public authorities to disclose information to anti-fraud organisations for the purposes of preventing fraud (206).

(145)

These laws explicitly provide that the sharing of information should be in compliance with the principles set in the DPA 2018. Moreover, the College of Policing has issued an Authorised Professional Practice on Information Sharing (207) to assist the police in complying with their data protection obligations under the UK GDPR, DPA and Human Rights Act 1998. The compliance of the sharing with the applicable data protection legal framework is, of course, subject to judicial review (208).

(146)

Moreover, similarly to what is set out in Article 9 of Directive (EU) 2016/680, the DPA 2018 provides that personal data collected for any law enforcement purpose may be processed for a purpose that is not a law enforcement one when the processing is authorised by law (209).

(147)

This type of sharing covers two scenarios: 1) when a criminal law enforcement authority shares data with a non-criminal law enforcement authority other than an intelligence agency (such as, e.g. a financial or tax authority, a competition authority, a youth welfare office, etc.); and 2) when a criminal law enforcement authority shares data with an intelligence agency. In the first scenario, the processing of personal data will fall within the scope of the UK GDPR as well as under Part 2 of the DPA 2018. The Commission has assessed the safeguards provided by the UK GDPR and Part 2 of the DPA 2018 in recitals (12) to (111) and has come to the conclusion that the United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom.

(148)

In the second scenario, with respect to the sharing of data collected by a criminal law enforcement authority with an intelligence agency for purposes of national security, the legal basis authorising such sharing is Section 19 of the Counter Terrorism Act 2008 (CTA 2008) (210). Under this Act, any person may give information to any of the intelligence services for the purpose of discharging any of the functions of that service, including “national security”.

(149)

As regards the conditions under which data can be shared for national security purposes, the Intelligence Services Act (211) and the Security Service Act (212) limit the ability of the intelligence services to obtain data to what is necessary to discharge their statutory functions. Law enforcement agencies seeking to share data with the intelligence services will need to consider a number of factors/limitations, in addition to the statutory functions of the agencies which are set out in the Intelligence Services Act and the Security Service Act (213). Section 20 of the CTA 2008 makes clear that any data sharing pursuant to Section 19 must still comply with the data protection legislation; which means that all of the limitations and requirements in Part 3 of the DPA 2018 apply. Furthermore, as competent authorities are public authorities for the purpose of the Human Rights Act 1998, they must ensure that they act in compliance with Convention rights, including Article 8 of the ECHR. These limits ensure that all data sharing between the law enforcement agencies and the intelligence services complies with data protection legislation and the ECHR.

(150)

When a competent authority intends to share personal data processed under Part 3 of the DPA 2018 with law enforcement authorities of a third country, specific requirements apply (214). In particular, such transfers may take place when they are based on adequacy regulations made by the Secretary of State or, in the absence of such regulations, appropriate safeguards must be ensured. Section 75 of the DPA 2018 provides that appropriate safeguards are in place where established by a legal instrument binding the intended recipient, or where the controller, having assessed all the circumstances surrounding transfers of that type of personal data to the third country or international organisation, concludes that appropriate safeguards exist to protect the data.

(151)

If a transfer is not based on an adequacy regulation or appropriate safeguards, it can take place only in certain, specified circumstances, referred to as “special circumstances” (215). This is the case when the transfer is necessary: (a) to protect the vital interests of the data subject or another person; (b) to safeguard the legitimate interests of the data subject; (c) for the prevention of an immediate and serious threat to the public security of a member state or third country; (d) in individual cases for any of the law enforcement purposes; or (e) in individual cases for a legal purpose (such as in relation to legal proceedings or to obtain legal advice). It may be noted that (d) and (e) do not apply if the rights and freedoms of the data subject override the public interest in the transfer. This set of circumstances corresponds to the specific situations and conditions qualifying as “derogations” under Article 38 of Directive (EU) 2016/680.

(152)

Moreover, when the material acquired by law enforcement authorities under a warrant authorising the use of interception or equipment interference is handed over to a third country, the IPA 2016 imposes additional safeguards. In particular, such disclosure, defined as “overseas disclosure”, is allowed only if the issuing authority considers that specific appropriate arrangements are in place which limit the number of persons to whom the data is disclosed, the extent to which any material is disclosed or made available as well as the extent to which any of the material is copied and the number of copies made. Moreover, the issuing authority may consider that appropriate arrangements are necessary to ensure that every copy made of any part of that material is destroyed as soon as there are no longer any relevant grounds for retaining it (if not destroyed earlier) (216).

(153)

Finally, specific forms of onward transfers from the United Kingdom to the United States could in the future take place based on the “Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime (the “UK-US Agreement” or “the Agreement”) (217), concluded in October 2019 (218). While the UK-US Agreement has not yet entered into force at the time of adoption of this Decision, its foreseeable entry into force may affect onward transfers to the US of data first transferred to the United Kingdom on the basis of the Decision. More specifically, data transferred from the EU to service providers in the United Kingdom could be subject to orders for the production of electronic evidence issued by competent US law enforcement authorities and made applicable in the United Kingdom under this Agreement once in force. For these reasons, the assessment of the conditions and safeguards under which such orders can be issued and executed is relevant to this Decision.

(154)

In this respect, it should be noted that, first, as regards its material scope, the Agreement is only applicable to crimes that are punishable with a maximum term of imprisonment of at least three years (defined as “serious crime”) (219), including “terrorist activity”. Second, data processed in the other jurisdiction may be obtained under this Agreement only following an “Order […] subject to review or oversight under the domestic law of the Issuing Party by a court, judge, magistrate, or other independent authority prior to or in proceedings regarding, enforcement of the Order” (220). Third, any order must “be based on requirements for a reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation” (221) and “be targeted at specific accounts as well as identify a specific person, account, address, or personal device, or any other specific identifier” (222). Fourth, data obtained under this agreement benefits from equivalent protections to the specific safeguards provided by the so-called “EU-US Umbrella Agreement” (223) – a comprehensive data protection agreement concluded in December 2016 by the EU and the US and that sets out the safeguards and rights applicable to data transfers in the area of law enforcement cooperation – which are all incorporated into this Agreement by reference on a mutatis mutandis basis to notably take into account the specific nature of the transfers (i.e. transfers from private operators to a law enforcement, rather than transfers between law enforcement authorities) (224). The UK-US Agreement specifically provides that equivalent protections to those provided by the EU-US Umbrella Agreement will be applied “to all personal information produced in the execution of Orders subject to the Agreement to produce equivalent protections” (225).

(155)

Data transferred to US authorities under the UK-US Agreement should therefore benefit from protections provided by an EU law instrument, with the necessary adaptations to reflect the nature of the transfers at issue. The United Kingdom authorities have further confirmed that the protections of the Umbrella Agreement will apply to all personal information produced or preserved under the Agreement, irrespective of the nature or type of body making the request (e.g. both federal and State law enforcement authorities in the US), so that equivalent protection must be provided in all cases. However, the United Kingdom authorities have also explained that the details of the concrete implementation of the data protection safeguards are still subject to discussions between the United Kingdom and the US. In the context of the talks with the European Commission’s services on this decision, the United Kingdom authorities confirmed that they will only let the Agreement enter into force once they are satisfied that its implementation complies with the legal obligations provided therein, including clarity with respect to compliance with the data protection standards for any data requested under this Agreement. As a possible entry into force of the Agreement may impact the level of protection assessed in this Decision, any information and future clarification regarding the way the US will comply with its obligations under the Agreement should be communicated by the United Kingdom to the European Commission, as soon as it becomes available and in any case before the entry into force of the Agreement, to ensure proper monitoring of this decision in line with Article 45 (4) of Regulation (EU) 2016/679. Particular attention will be given to the application and adaptation of the Umbrella Agreement’s protections to the specific type of transfers covered by the UK-US Agreement.

(156)

More generally, any relevant development as regards the entry into force and application of the Agreement will be duly taken into account in the context of the continuous monitoring of this decision, including with respect to the necessary consequences to be drawn in case of any indication that an essentially equivalent level of protection is no longer ensured.

(157)

Depending on the powers used by the competent authorities when processing personal data for a law enforcement purpose (whether under the DPA 2018 or the IPA 2016), different bodies ensure the oversight over the use of these powers. In particular, the Information Commissioner oversees the processing of personal data when it falls under the scope of Part 3 of the DPA 2018 (226). Independent and judicial oversight on the use of investigatory powers under the IPA 2016 is ensured by the Investigatory Powers Commissioner’s Office (IPCO) (227) (this part is addressed in recitals (250) to (255)). Moreover, additional oversight is guaranteed by the Parliament as well as by other bodies.

(158)

The general functions of the Information Commissioner – whose independence and organisation are explained in recital (87) – in relation to the processing of personal data falling under the scope of Part 3 of the DPA 2018 are laid down in Schedule 13 to the DPA 2018. The ICO’s main task is to monitor and enforce Part 3 of the DPA 2018 as well as to promote public awareness, advise Parliament, the government and other institutions and bodies. To maintain the independence of the judiciary, the Information Commissioner is not authorised to exercise its functions in relation to processing of personal data by an individual acting in a judicial capacity, or a court or tribunal acting in its judicial capacity. In these circumstances, other bodies would exercise the oversight functions, as explained in recitals (99) to (103).

(159)

The Commissioner has general investigative, corrective, authorisation and advisory powers in relation to processing of personal data to which Part 3 applies. In particular, the Commissioner has the powers to notify the controller or the processor of an alleged infringement of Part 3 of the DPA 2018, to issue warnings or reprimand to a controller or processor that has infringed provisions of Part 3 of the Act, as well as to issue on its own initiative or on request, opinions to Parliament, government or other institutions and bodies as well as to the public on any issue related to the protection of personal data (228).

(160)

Moreover, the Commissioner has powers to issue information notices (229), assessment notices (230) and enforcement notices (231) as well as the power to access documents of controllers and processors, access their premises (232) and issue administrative fines in the form of penalty notices (233). The ICO’s Regulatory Action Policy sets out the circumstances under which it issues respectively information, assessment, enforcement and penalty notices (234) (see also recital (93) and Directive (EU) 2016/680 adequacy decision recitals 101-102).

(161)

According to its latest annual reports (2018–2019 (235), 2019-2020 (236)), the Information Commissioner has conducted a number of investigations and taken enforcement measures with respect to processing of data by law enforcement authorities. For example, the Commissioner conducted an investigation and published an Opinion in October 2019 concerning law enforcement’s use of facial recognition technology in public places. The investigation focused, in particular, on the use of live facial recognition capabilities by South Wales Police and the Metropolitan Police Service (MPS). The Information Commissioner also investigated the MPS “Gangs matrix” (237) and found a range of serious infringements of data protection law that were likely to undermine public confidence in the matrix and how the data was being used. In November 2018, the Information Commissioner issued an enforcement notice and the MPS subsequently took the steps required to increase security and accountability and to ensure that the data was used proportionately. Another example of an enforcement action in this area is the £325 000 fine issued by the Commissioner in May 2018 against the Crown Prosecution Service, for losing unencrypted DVDs containing recordings of police interviews. The Information Commissioner also conducted investigations into broader topics, for example in the first half of 2020 on the use of Mobile Phone Extraction for Policing Purposes and the processing of victims’ data by the police. Moreover, the Commissioner is currently investigating a case that involves the access of law enforcement authorities to data held by a private sector entity, Clearview AI Inc. (238)

(162)

Besides the enforcement powers of the Information Commissioner mentioned in recitals ((160) and (161)), certain violations of the data protection legislation constitute offences and may therefore be subject to criminal sanctions (section 196 of the DPA 2018). This applies, for example, to obtaining, disclosing or retaining personal data without the consent of the controller and procuring the disclosure of personal data to another person without the consent of the controller (239)’; re-identifying information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data (240); intentionally obstructing the Commissioner to exercise its powers in relation to inspection of personal data in accordance with international obligations (241), making false statements in response to an information notice, or destroying information in connection to information and assessment notices (242).

(163)

In addition to the Information Commissioner, there are several oversight bodies in the area of criminal law enforcement with specific mandates relevant for data protection issues. This includes for instance the Commissioner for the Retention and Use of Biometric Material (‘the Biometrics Commissioner’) (243) and the Surveillance Camera Commissioner (244).

(164)

The Home Affairs Select Committee (HASC) ensures parliamentary oversight in the area of law enforcement. This Committee consists of 11 Members of Parliament, drawn from the three largest political parties. The Committee has the task to examine the expenditure, administration, and policy of the Home Office and associated public bodies, i.e. including the police and the NCA – whose work the Committee can scrutinise specifically (245).

(165)

The Committee can, within the limits of their remit, choose its own subject of inquiry, including specific cases, as long as the issue is not sub judice. The Committee may also seek written and oral evidence from a wide range of relevant groups and individuals. It produces reports on its findings and issues recommendations to the Government (246). The Government is expected to respond to each of the report’s recommendations and must respond within 60 days (247).

(166)

In the area of surveillance, the Committee also produced a report concerning the Regulation of Investigatory Powers Act 2000 (RIPA 2000) (248), which found that the RIPA 2000 was not fit for purpose. Their report was taken into account during the replacement of significant parts of the RIPA 2000 with the IPA 2016. A full list of inquiries can be found on the Committee’s website (249).

(167)

The tasks of the HASC are performed in Scotland by the Justice Subcommittee on Policing and in Northern Ireland by the Committee for Justice (250).

(168)

As regards processing of data by law enforcement authorities, redress mechanisms are available under Part 3 of the DPA 2018 and under the IPA 2016, as well as under the Human Rights Act 1998.

(169)

This series of mechanisms provide data subjects with effective administrative and judicial means of redress, enabling them in particular to ensure their rights, including the right to have access to their personal data, or to obtain the rectification or erasure of such data.

(170)

First, under Section 165 the DPA 2018, a data subject has the right to lodge a complaint with the Information Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of Part 3 of the DPA 2018 (251). The Information Commissioner has the power to assess the compliance of the controller and processor with the DPA 2018, require them to take necessary steps in case of non-compliance and impose fines.

(171)

Second, the DPA 2018 provides the right to a remedy against the Information Commissioner if it fails to appropriately handle a complaint made by the data subject. More specifically, if the Commissioner fails to “progress” (252) a complaint made by the data subject, the complainant has access to judicial remedy, as they can apply to a First Tier Tribunal (253) to order the Commissioner to take appropriate steps to respond to the complaint, or to inform the complainant of progress on the complaint (254). In addition, any person who is given any of the mentioned notices (information, assessment, enforcement or penalty notice) from the Commissioner may appeal to a First Tier Tribunal. If the Tribunal considers that the decision of the Commissioner is not in accordance with the law or the Information Commissioner should have exercised its discretion differently, the Tribunal must allow the appeal, or substitute another notice or decision which the Information Commissioner could have given or made (255).

(172)

Third, individuals can obtain judicial redress against controllers and processors directly before the courts. In particular, under Section 167 of the DPA 2018, a data subject may submit an application before the court for an infringement of his/her right under the data protection legislation and the court may by means of an order request the controller to take (or to refrain from taking) any step with respect to the processing to comply with the DPA 2018. Moreover, under Section 169 of the DPA 2018, any person who has suffered damage due to a violation of a requirement of the data protection legislation (including Part 3 of the DPA 2018), other than the UK GDPR, is entitled to compensation for that damage from the controller or the processor, except if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage. Damage includes both financial loss and damage not involving financial loss, such as distress.

(173)

Finally, any person, as far as he/she considers that his/her rights, including rights to privacy and data protection, have been violated by any public authorities, can obtain redress before the courts of the United Kingdom under the Human Rights Act 1998 (256), and, after exhausting national remedies, a person, non-governmental organisation and groups of individuals can obtain redress before the European Court of Human Rights for violations of the rights guaranteed under the European Convention of Human Rights (257) (see in recital (111)).

(174)

Individuals can obtain redress for violations of the IPA 2016 before the Investigatory Powers Tribunal. The redress avenues available under the IPA 2016 are described in recitals (263) to (269) below.

(175)

In the United Kingdom legal order, the intelligence services empowered to collect electronic information held by controllers or processors on national security grounds, in situations that are relevant to an adequacy scenario, are the Security Service (258) (MI5), the Secret Intelligence Service (259) (SIS) and the Government Communications Headquarters (260) (GCHQ) (261).

(176)

In the United Kingdom, the powers of the intelligence agencies are set out in the IPA 2016 and the RIPA 2000, which, together with the DPA 2018, defines the material and personal scope of these powers as well as the limitations and safeguards for their use. Those powers as well as the limitations and safeguards applicable to them are assessed in detail in the following sections.

(177)

The IPA 2016 provides the legal framework for the use of investigatory powers, i.e. the power to intercept, access communication data and perform equipment interference. The IPA 2016 introduces a general prohibition and makes it a criminal offence to use techniques that allow access to the content of communications, access to communication data or equipment interference without lawful authority (262). This is reflected in the fact that the use of these investigatory powers is lawful only when carried out on the basis of a warrant or an authorization (263).

(178)

The IPA 2016 lays down detailed rules governing the scope and application of each investigatory powers as well as their specific limitations and safeguards. Different rules apply depending on the type of investigatory power (interception of communications, acquisition and retention of communication data and equipment interference) (264) as well as on whether the power is exercised on a specific target or in bulk. Details on the scope, safeguards and limitations of each measure provided by the IPA 2016 are described in the specific section below.

(179)

Moreover, the IPA 2016 is supplemented with a number of statutory Codes of Practice, issued by the Secretary of State, approved by both Houses of the Parliament (265) and applicable throughout the country, providing further guidance on the use of these powers (266). While data subjects can rely directly on the provisions laid down in the IPA 2016 to exercise their rights, Schedule 7 paragraph 5 to the IPA 2016 specifies that the Codes of Practice are admissible as evidence in civil and criminal proceedings, and the court, tribunal or supervisory authority may take into account any non-compliance with the Codes when determining a relevant issue in judicial proceedings (267). In the context of its assessment of the “quality of the law” of the UK’s previous legislation in the area of surveillance, the RIPA 2000, the Grand Chamber of the European Court of Human Rights expressly recognised the relevance of the UK Codes of Practice and accepted that its provisions could be taken into account in assessing the foreseeability of the legislation permitting the surveillance (268).

(180)

It should then be noted that targeted powers (targeted interception (269), acquisition of communication data (270), retention of communication data (271) and targeted equipment interference (272)) are available to national security agencies and certain law enforcement authorities (273) while only intelligence services may make use of bulk powers (i.e. bulk interception (274), bulk acquisition of communications data (275), bulk equipment interference (276) and bulk personal datasets (277)).

(181)

In deciding which investigation power should be used, the intelligence agency has to comply with the “general duties in relation to privacy” listed in Section 2(2)(a) of the IPA 2016, which include a necessity and proportionality test. More specifically, pursuant to this provision, a public authority having the intention to use an investigatory power must consider (i) whether what is sought to be achieved by the warrant, authorisation or notice could reasonably be achieved by other less intrusive means; (ii) whether the level of protection to be applied in relation to any obtaining of information by virtue of the warrant, authorisation or notice is higher because of the particular sensitivity of that information; (iii) the public interest in the integrity and security of telecommunication systems and postal services, and (iv) any other aspects of the public interest in the protection of privacy (278).

(182)

The way these criteria should be applied – and the way their compliance is assessed as part of the authorisation of the use of such powers by the Secretary of State and the independent Judicial Commissioners – is further specified in the relevant Codes of Practice. In particular, the use of any one of these investigative powers must always be “proportionate to what is sought to be achieved [which] involves balancing the seriousness of the intrusion into the privacy (and other considerations set out in section 2(2)) against the need for the activity in investigative, operational or capability terms”. This means notably that it “should offer a realistic prospect of bringing the expected benefit and should not be disproportionate or arbitrary” and “[n]o interference with privacy should be considered proportionate if the information which is sought could reasonably be obtained by other less intrusive means” (279). More specifically, compliance with the principle of proportionality must be assessed having regard to the following criteria: “(i) the extent of the proposed interference with privacy against what is sought to be achieved; (ii) how and why the methods to be adopted will cause the least possible interference to the person and others; (iii) whether the activity is an appropriate use of the Act and a reasonable way, having considered all reasonable alternatives, of achieving what is sought to be achieved; (iv) what other methods, as appropriate, were either not implemented or have been employed but which are assessed as insufficient to fulfil operational objectives without the use of the proposed investigatory power” (280).

(183)

In practice, as explained by the United Kingdom authorities, this ensures that an intelligence agency, first, sets the operational objective (thus delimitating the collection, e.g. an international counterterrorism purpose in a specific geographic area) and, second, on the basis of that operational objective, will have to consider which technical option (e.g. targeted or bulk interception, equipment interference, acquisition of communication data) is the most proportionate (i.e. the least intrusive to privacy cf. Section 2(2) of the IPA) to what is sought to be achieved and therefore can be authorised under one of the available statutory bases.

(184)

It is worth noting that this reliance on standards of necessity and proportionality has also been noted and welcomed by the UN Special Rapporteur on the Right to Privacy, Joseph Cannataci, who stated, regarding the system established by the IPA 2016, that “[t]he procedures in place both within the intelligence services as within the law enforcement agencies appear to systematically require consideration of the necessity and proportionality of a surveillance measure or operation before it is recommended for authorization as well as its review on the same grounds” (281). He also observed that in his meeting with representatives of law enforcement and national security agencies “[he] received a consensus view that the right to privacy needs to be a primary consideration for any decision regarding surveillance measures. All of them understood and appreciated necessity and proportionality as the cardinal principles to be taken into account”.

(185)

The specific criteria for issuing the different warrants, as well as the limitations and safeguards established by the IPA 2016 regarding each investigatory power are detailed in recitals (186) to (243).

(186)

There are three types of warrant for targeted interception: the targeted interception warrant (282), the targeted examination warrant and a mutual assistance warrant (283). The conditions to obtain such warrants as well as the relevant safeguards are set out in Chapter 1 of Part 2 of the IPA 2016.

(187)

A targeted interception warrant authorizes the interception of the communications described in the warrant in the course of their transmission and obtaining other data relevant for those communications (284), including secondary data (285). A targeted examination warrant authorises a person to carry out the selection for examination of intercepted content obtained under a bulk interception warrant (286).

(188)

Any warrant pursuant to Part 2 of the IPA 2016 may be issued by the Secretary of State (287) and approved by a Judicial Commissioner (288). In all cases the duration of any type of targeted warrant is limited to 6 months (289) and specific rules apply concerning its modification (290) and renewal (291).

(189)

Before issuing the warrant, the Secretary of State must carry out a necessity and proportionality assessment (292). Specifically, for a targeted interception warrant and a targeted examination warrant, the Secretary of State should verify whether the measure is necessary for one of the following grounds: the interest of national security; the prevention or detection of a serious crime; or the interests of the economic well-being of the United Kingdom (293) in so far as those interests are also relevant to the interests of national security (294). On the other hand, a mutual assistance warrant (see recital (139) above) can be issued only if the Secretary of State considers that circumstances exist equivalent to those in which he/she would issue a warrant for the purpose of preventing and or detecting serious crime (295).

(190)

Moreover, the Secretary of State should assess whether the measure is proportionate to what is sought to be achieved (296). The assessment on the proportionality of the measures requested must take into account the general duties in relation to privacy set out in Section 2(2) of the IPA 2016, notably the need to assess whether what is sought to be achieved by the warrant, authorisation or notice could reasonably be achieved by other less intrusive means and whether the level of protection to be applied in relation to any obtaining of information by virtue of the warrant, is higher because of the particular sensitivity of that information (see recital (181) above).

(191)

To this end, the Secretary of State will have to take into account all the elements of the application provided by the authority submitting the request, in particular those related to the persons to be intercepted and the relevance of the measure for the investigation. Such elements are spelled out in the Code of Practice on Interception of Communications and must be described at a certain level of specificity (297). Moreover, Section 17 of the IPA 2016 requires that any warrant issued under its Chapter 2 must name or describe the specific person or a group of persons, organisation or premises to be intercepted (the “target”). In case of a targeted interception warrant or a targeted examination warrant, these may also relate to a group of persons, more than one person or organisation, or more than one set of premises (also so called “thematic warrant”) (298). In these cases, the warrant should describe the common purpose or activity shared by the group of persons or the operation/investigations and name or describe as many of those persons/organisations or set of premises where it is reasonably practicable (299). Finally, all the warrants issued under Part 2 of the IPA 2016 must specify the addresses, numbers, apparatus, factors, or combination of factors that are to be used for identifying the communications (300). In this respect, the Code of Practice on Interception of Communications specifies that, in case of a targeted interception warrant and targeted examination warrant “the warrant must specify (or describe) the factors or combination of factors that are to be used for identifying the communications. Where the communications are to be identified by reference to a telephone number (for example) the number must be specified by being rendered in its entirety. But where very complex or continually-changing internet selectors are to be used for identifying the communications, those selectors should be described as far as possible” (301).

(192)

An important safeguard in this context is that the assessment carried out by the Secretary of State to issue a warrant must be approved by an independent Judicial Commissioner (302) that will notably check whether the decision to issue the warrant complies with the necessity and proportionality principles (303) (on the status and role of Judicial Commissioners see recitals (251) to (256) below). The IPA 2016 also clarifies that, when carrying out such check, the Judicial Commissioner must apply the same principles as would be applied by a court on an application for judicial review (304). This ensure that in each case, and before access to data takes place, compliance with the principle of necessity and proportionality is systematically check by an independent body.

(193)

The IPA 2016 provides for few specific and narrow exceptions to carry out targeted interceptions without a warrant. The limited cases are detailed in the law (305) and, except for the one based on the “consent” of the sender/recipient, they are carried out by persons (private or public bodies) different than national security agencies. Moreover, this type of interceptions are carried out for purposes different than “intelligence” gathering (306) and for some of them it is very unlikely that the collection can take place in the context of a “transfer” scenario (for example in case of interception carried out in psychiatric hospital or in prison). Considering the nature of the body to which these specific cases apply (different than national security agencies), all the safeguards provided by Part 2 of the DPA 2018 and the UK GDPR will apply, including the ICO’s oversight and the available redress mechanisms. Moreover, in addition to the safeguards provided by the DPA 2018, in certain cases, the IPA 2016 also provides for the IPCO’s ex post oversight (307)

(194)

When interception is carried out, additional limitations and safeguards are applicable in light of to the specific status of the person(s) intercepted (308). For example, the interception of items subject to legal privilege is authorised only in presence of exceptional and compelling circumstances, the person issuing the warrant must give regard to the public interest in the confidentiality of items subject to legal privilege and that specific requirements are in place for the handling, retention and disclosure of such material (309).

(195)

Furthermore, the IPA 2016 provides for specific safeguards related to security, retention and disclosure that the Secretary of State should take into account before issuing a targeted warrant (310). In particular, Section 53(5) of the IPA 2016 requires that every copy made of any of that material collected under the warrant must be stored in a secure manner and is destroyed as soon as there are no longer any relevant grounds for retaining it, while Section 53(2) of the IPA 2016 requires that the number of persons to whom the material is disclosed and the extent to which any material is disclosed, made available or copied must be limited to the minimum that is necessary for the statutory purposes.

(196)

Finally, when the material that has been intercepted either by a targeted interception warrant or by a mutual assistance warrant is to be handed over to a third country (“overseas disclosures”), the IPA 2016 provides that the Secretary of State must ensure that appropriate arrangements are in place to ensure that similar safeguards on security, retention and disclosure exist in that third country (311). In addition, Section 109(2) of the DPA 2018 provides that intelligence services may only transfer personal data outside of the United Kingdom territory if the transfer is a necessary and proportionate measure carried out for the purposes of the controller’s statutory functions or for other purposes provided for in Section 2(2)(a) of the Security Service Act 1989 or Sections 2(2)(a) and 4(2)(a)of the Intelligence Services Act 1994 (312). Importantly, these requirements also apply in cases where the national security exemption pursuant to Section 110 of the DPA 2018 is invoked, as Section 110 of the DPA 2018 does not list Section 109 of the DPA 2018 as one of the provisions that can be disapplied if an exemption from certain provisions is required for the purpose of safeguarding national security.

(197)

The IPA 2016 permits the Secretary of State to require telecommunications operators to retain communications data for the purpose of targeted access by a range of public authorities, including law enforcement and intelligence agencies. Part 4 of the IPA 2016 provides for the retention of communications data, while Part 3 provides for targeted acquisition of communications data (TCD). Part 3 and Part 4 of the IPA 2016 also set out specific limitations on the use of these powers and provide for specific safeguards.

(198)

The term “communications data” covers the “who”, “when”, “where” and “how” of a communication, but not the content, i.e. what was said or written. Different from interception, the acquisition and retention of communications data is not aimed at obtaining the content of the communication, but aimed at obtaining information such as the subscriber to a telephone service or an itemised bill. This could include the time and duration of communication, the number or email address of the originator and recipient and sometimes the location of the devices from which the telecommunication was made (313).

(199)

It should be noted that the retention and acquisition of communications data normally will not concern personal data of EU data subjects transferred under this Decision to the United Kingdom. The obligation to retain or disclose communications data pursuant to Part 3 and 4 of the IPA 2016 covers data that is collected by telecommunication operators in the UK directly from the users of a telecommunication service (314). This type of “customer facing” processing typically does not involve a transfer on the basis of this Decision, i.e. a transfer from a controller/processor in the EU to a controller/processor in the United Kingdom.

(200)

However, for the sake of completeness, the conditions and safeguards governing these acquisition and retention regimes are analysed in the following recitals.

(201)

As a premise, it must be noted that the retention and the targeted acquisition of communications data is available both to national security agencies and to certain law enforcement authorities (315). The conditions to require the retention and/or acquisition of communications data may vary depending on the ground for requesting the measure, namely a national security or a law enforcement purpose.

(202)

In particular, while the new regime has introduced the general requirement of an ex ante authorization by an independent body that will apply in all cases when communication data is retained and/or acquired (either for a law enforcement or for a national security purpose), following the Tele2/Watson judgment of the European Court of Justice (316), specific safeguards have been introduced when the measure is requested for law enforcement purposes. In particular, when the retention or the acquisition of communication data is requested for a law enforcement purpose, the ex ante authorisation must always be given by the Investigatory Power Commissioner. This is not always the case when the measure is requested for a national security purpose, since, as described below, in certain cases such type of measures may be authorised by different “authorising individual”. Moreover, the new regime has raised to “serious crimes” the threshold for which the retention and the acquisition of communication data can be permitted (317).

(203)

According to Part 3 of the IPA 2016, relevant public authorities are authorised to obtain communications data from a telecommunication operator or any person capable of obtaining and disclosing such data. The authorisation may not allow the interception of the content of the communications (318) and ceases to have effect after a period of one month (319) with the possibility to be renewed subject to an additional authorisation (320). The acquisition of communications data requires an authorisation by the Investigatory Powers Commissioner (IPC) (321) (on the status and powers of the IPC see recitals (250) to (251) below). This is always the case when the acquisition of communication data is requested by a relevant law enforcement authority. However, according to Section 61 of the IPA 2016, when data is acquired for the interests of national security or economic well-being of the United Kingdom as long as it is relevant for national security, or where an application is made by a member of an intelligence agency under Section 61(7)(b) (322), the acquisition may be alternatively (323) authorised by the IPC or by a designated senior officer (324). The designated officer must be independent from the investigation or operation concerned and have working knowledge of human rights principles and legislation, specifically those of necessity and proportionality (325). The decision taken by the designated officer will be subject to the ex-post oversight carried out by the IPC (see recital (254) below for more details on ex-post oversight functions of the IPC).

(204)

The authorisation to acquire communication data is based on an assessment of necessity and proportionality of the measure. More specifically, the necessity of the measure is assessed in light of the grounds listed in the legislation (326). Considering the targeted nature of this measure, it must also be necessary for a specific investigation or operation (327). Further requirements on the assessment of the necessity of the measures are laid out in the Code of Practice on Communication Data (328). In particular, this Code provides that the application submitted by the requesting authority should identify three minimum elements to justify the necessity of such request: (i) the event under investigation such as a crime or location of vulnerable missing person; (ii) the person whose data is sought, such as a suspect, witness or missing person, and how they are linked to the event; and (iii) the communications data sought, such as a telephone number or IP address, and how this data is related to the person and the event (329).

(205)

Moreover the acquisition of communication data has to be proportionate to what is sought to be achieved (330). The Code of Practice on Communication Data clarifies that, in conducting such assessment, the authorising individual should carry out a balancing exercise between “the extent of the interference with an individual’s rights and freedoms against a specific benefit to the investigation or operation being undertaken by a relevant public authority in the public interest” and that taking into account all the considerations of a particular case, “an interference with the rights of an individual may still not be justified because the adverse impact on the rights of another individual or group of individuals is too severe”. Moreover, in order to specifically assess the proportionality of the measure, the Code lists a number of elements that should be included in the application submitted by the requesting authority (331). Furthermore, particular consideration must be given to the type of communication data (“entity” or “events” data (332)) to be acquired, and preference must be given to the use of less intrusive category of data (333). The Code of Practice on Communication Data also contains specific instructions for authorisations involving the communications data of people in particular professions (such as medical doctors, lawyers, journalists, parliamentarians, or ministers of religion) (334) which are subject to additional safeguards (335).

(206)

Part 4 of the IPA 2016 sets out the rules on retention of communications data, and in particular the criteria allowing the Secretary of State to issue a retention notice (336). The safeguards introduced by the IPA are the same when the data is retained either for a law enforcement purpose or in the interest of national security.

(207)

The issuance of such retention notices aims at securing that telecommunication operators retain, for a maximum period of 12 months, relevant communications data that would otherwise be deleted once no longer required for business purpose (337). The data retained are to remain available for the period required should it subsequently be necessary for a public authority to acquire it under an authorisation for a targeted acquisition of communication data provided by Part 3 of the IPA 2016 and described in recitals (203) to (205).

(208)

The exercise of the power to require the retention of certain data is subject to a number of limitations and safeguards. The Secretary of State can issue a retention notice to one or several operators (338) only when he/she considers that the requirement to retain data is necessary for one of the statutory purposes (339) and is proportionate to what is sought to be achieved (340). As clarified by the IPA 2016 itself (341), before issuing a retention notice, the Secretary of State must take into account: the likely benefits of the notice (342); a description of the telecommunications services; the appropriateness of limiting the data to be retained by reference to location, or descriptions of persons to whom telecommunications services are provided (343); the likely number of users (if known) of any telecommunications service to which the notice relates (344); the technical feasibility of complying with the notice; the likely cost of complying with the notice, and any other effect of the notice on the telecommunications operator (or description of operators) to whom it relates (345). As further detailed in Chapter 17 of the Code of Practice on Communications Data, all retention notices need to specify each data type that needs to be retained and how that data type meets the necessary tests for retention.

(209)

In all cases (for both national security and law enforcement purposes) the decision of the Secretary of State to issue the retention notice must be approved by an independent Judicial Commissioner under the so-called “double-lock procedure”, who must review in particular whether the notice to retain relevant communications data is necessary and proportionate for one or more of the statutory purposes (346).

(210)

Equipment interference is a set of techniques used to obtain a variety of data from equipment (347), which includes computers, tablets and smart phones as well as cables, wires and storage devices (348). Equipment interference allows to obtain both the content of communications and equipment data (349).

(211)

In accordance with Section 13(1) of the IPA 2016, the use of equipment interference by an intelligence service requires an authorisation by means of a warrant under the “double lock” procedure established by the IPA 2016, provided that there is “a British Islands connection” (350). According to the explanations provided by the United Kingdom authorities, in situations where data is transferred from the European Union to the United Kingdom within the scope of this Decision, there would always be a “British Islands connection” and any equipment interference covering such data would therefore be subject to the mandatory warrant requirement of Section 13(1) of the IPA 2016 (351).

(212)

The rules on targeted equipment interference warrants are set out in Part 5 of the IPA 2016. Similarly to targeted interception, targeted equipment interference has to relate to a specific “target”, which has to be set out in the warrant (352). The details on how a “target” must be identified depend on the matter and the type of equipment to be interfered. In particular Section 115(3) of the IPA specifies the elements that should be included in the warrant (e.g. name of the person or organisation, description of the location), depending for example on whether the interference concerns an equipment that belongs, is used to or is in possession of a particular person or an organisation or a group of person, is in a specific location etc. (353). The purposes for which targeted equipment interference warrants can be issued depends on the public authority applying for it (354).

(213)

Similarly to targeted interception, the issuing authority needs to consider whether the measure is necessary to achieve a specific purpose and whether it is proportionate to what is sought to be achieved (355). Moreover, it should also consider whether safeguards exist in relation to security, retention and disclosure as well as in relation to “overseas disclosure” (356) (see recital (196)).

(214)

The warrant has to be approved by a Judicial Commissioner, except in cases of urgency (357). In the latter case, a Judicial Commissioner has to be informed that a warrant has been issued and must approve it within three working days. In case the Judicial Commissioner refuses to approve it, the warrant ceases to have affect and may not be renewed (358). Moreover, the Judicial Commissioner has the power to require that any data that was obtained under the warrant is deleted (359). The fact that a warrant was issued urgently does not impact ex post oversight (see recitals (244) to (255)) or the possibilities for individuals to seek redress (see recitals (260) to (270)). Individuals can complain to the ICO or make a claim regarding any alleged conduct to the Investigatory Powers Tribunal in the usual way. In all cases, the test applied by the Judicial Commissioner when deciding whether or not to approve a warrant is the necessity and proportionality test as applicable to requests for targeted interception (360) (see recital (192) above).

(215)

Finally, specific safeguards applicable to targeted interception apply also to equipment interference as regards the duration, renewal, and modification of the warrant as well as the interception of Members of Parliament, of items subject to legal privilege and of journalistic material (see further details in recital (193)).

(216)

Bulk powers are regulated in Part 6 of the IPA 2016. Moreover, the Codes of practice provide for more details on the use of bulk powers. While there is no definition in United Kingdom law of ‘bulk power’, in the context of the IPA 2016 it has been described as the collection and retention of large quantities of data acquired by the Government through various means (i.e. the powers of bulk interception, bulk acquisition, bulk equipment interference and bulk personal datasets) and which can subsequently be accessed by the authorities. This description is clarified by contrasting it to what ‘bulk power’ is not: it does not equate to so-called “mass surveillance” without limitations or safeguards. On the contrary, as explained below, it incorporates limitations and safeguards designed to ensure that access to data is not given on an indiscriminate or unjustified basis (361). In particular, bulk powers can only be used if a link is established between the technical measure that a national intelligence agency intends to use and the operational objective for which such measure is requested.

(217)

Moreover, bulk powers are available to intelligence agencies only and are always subject to a warrant issued by the Secretary of State and approved by a Judicial Commissioner. In choosing the means to collect intelligence, regards must be given to whether the objective in question can be sought by “less intrusive means” (362). This approach follows from the framework of the legislation which is built on the principle of proportionality and therefore prioritises targeted over bulk collection.

(218)

The regime for bulk interception is provided in Chapter 1 of Part 6 of the IPA 2016 while Chapter 3 of the same Part regulates bulk equipment interference. These regimes are substantially the same, so the conditions and additional safeguards applicable to those warrants are analysed together.

(219)

A bulk interception warrant is limited to the interception of communications in the course of their transmission sent or received by individuals who are outside the British Islands (363), so-called “overseas-related communications” (364), as well as other relevant data and the subsequent selection for examination of the intercepted material (365). A bulk equipment interference warrant (366) authorises the addressee to secure interference with any equipment for the purpose of obtaining overseas-related communications (including anything comprising speech, music, sounds, visual images or data of any description), equipment data (data that enables or facilitates a functioning of a postal service; a telecommunication system; telecommunications service) or any other information (367).

(220)

The Secretary of State can issue a bulk warrant only on an application made by a head of an intelligence service (368). A warrant authorising a bulk interception or a bulk equipment interference must be issued only if necessary for the interest of national security and for a further purpose of preventing or detecting serious crime, or the interest of the economic well-being of the United Kingdom when relevant for national security (369). Moreover, Section 142(7) of the IPA 2016 requires that a bulk interception warrant must be specified in a greater detailed than the simple reference to the “interests of national security”, the “economic wellbeing of the UK” and of “preventing and combating serious crime” but a link must be established between the measure to be sought and one or more operational purpose/s that must be included in the warrant.

(221)

The choice of the operational purpose is a result of a multi-layer process. Section 142(4) provides that the operational purposes specified in the warrant must be specified in a list maintained by the heads of the intelligence services, as purposes which they consider are operational purposes for which intercepted content or secondary data obtained under bulk interception warrants may be selected for examination. The list of operational purposes must be approved by the Secretary of State. The Secretary of State may give such approval only if satisfied that the operational purpose is specified in a greater level of detail than the general grounds for authorising the warrant (national security or national security and economic well-being or preventing serious crime) (370). At the end of each relevant three-month period, the Secretary of State must give a copy of the list of operational purposes to the Parliamentary ISC. Finally, the Prime Minister must review the list of operational purposes at least once a year (371). As noted by the High Court, “[t]hese are not to be belittled as insignificant safeguards, as they build together an intricate set of modes of accountability, which involve Parliament as well as members of the government at the highest level” (372).

(222)

Such operational purposes also limit the scope of the selection of the interception material for the examination stage. The selection for examination of any material collected under the bulk warrant must be justified in light of the operational purpose/s. As explained by the United Kingdom authorities, this means that practical arrangements on examination must be assessed by the Secretary of State already at the stage of the warrant, providing sufficient details to fulfil the statutory duties under section 152 and 193 of the IPA 2016 (373). The details given to the Secretary of State in relation to those arrangements would need to include for example, information (if applicable) on how filtering arrangements might vary during the time that a warrant will have effect (374). For more details on the process and the safeguards applied to the filtering and examination phases, see recital (229) below.

(223)

A bulk power can be authorised only if it is proportionate to what is sought to be achieved (375). As specified in the Code of Practice on Interception, any assessment of proportionality involves “balancing the seriousness of the intrusion into the privacy (and other considerations set out in section 2(2)) against the need for the activity in investigative, operational or capability terms. The conduct authorised should offer a realistic prospect of bringing the expected benefit and should not be disproportionate or arbitrary” (376). As already mentioned, this means in practice that the proportionality test is based on a balance test between what is sought to be achieved (“operational purpose/s”) and the technical options available (e.g. targeted or bulk interception, equipment interference, acquisition of communication data), giving preference to the least intrusive means (see recitals (181) and (182) above). When more than one measure is appropriate to the objective, the less intrusive means must be preferred.

(224)

An additional safeguard on the assessment of the proportionality of the measure requested is ensured by the fact that the Secretary of State must receive the relevant information needed to properly carry out his/her assessment. In particular, the Code of Practice on Interception and the Code of Practice on Equipment Interference require that the application submitted by the relevant authority should mention the background of the application, the description of communications to be intercepted and the telecommunications operators required to assist, the description of the conduct to be authorised, the operational purposes, and an explanation on why the conduct is necessary and proportionate (377).

(225)

Finally and importantly, the Secretary of State’s decision to issue the warrant must be approved by an independent Judicial Commissioner that assesses the evaluation of the necessity and proportionality of the proposed measure, using the same principles that would be used by a court in an application for judicial review (378). More specifically, the Judicial Commissioner will review the Secretary of State’s conclusions as to whether the warrant is necessary and whether the conduct is proportionate in the light of the principles set in Section 2(2) of the IPA 2016 (general duties in relation to privacy). The Judicial Commissioner will also review the Secretary of State’s conclusions as to whether each of the operational purposes specified on the warrant is a purpose for which selection is, or may be, necessary. If the Judicial Commissioner refuses to approve the decision to issue a warrant the Secretary of State may either: (i) accept the decision and therefore not issue the warrant; or (ii) refer the matter to the Investigatory Powers Commissioner for a decision (unless the Investigatory Powers Commissioner has made the original decision) (379).

(226)

The IPA 2016 has introduced further limits on the duration, renewal and modification of a bulk warrant. The warrant must have a duration of a maximum of six months and any decision to renew or modify (except minor modifications) the warrant must be also approved by a Judicial Commissioner (380). The Code of Practice on Interception and the Code of Practice on Equipment Interference specified that a change in the operational purposes of the warrant is considered as a major modification of the warrant (381).

(227)

Similar to what is provided for targeted interception, Part 6 of the IPA 2016 provides that the Secretary of State must ensure that arrangements are in force to provide safeguards on the retention and disclosure of material obtained under the warrant (382) ., as well as for overseas disclosure (383). In particular, Sections 150(5) and 191(5) of the IPA 2016 require that every copy made of any of that material collected under the warrant must be stored in a secure manner and is destroyed as soon as there are no longer any relevant grounds for retaining it, while Sections 150(2) and 191(2) require that the number of persons to whom the material is disclosed and the extent to which any material is disclosed, made available or copied must be limited to the minimum that is necessary for the statutory purposes (384).

(228)

Finally, when the material that has been intercepted either through a bulk interception or a bulk equipment interference is to be handed over to a third country (“overseas disclosures”), the IPA 2016 provides that the Secretary of State must ensure that appropriate arrangements are in place to ensure that similar safeguards on security, retention and disclosure exist in that third country (385). In addition, Section 109 of the DPA 2018 sets out specific requirements for international transfers of personal data by intelligence services to third countries or international organisations, and does not allow data to be transferred to a country or territory outside the United Kingdom or to an international organisation, unless the transfer is necessary and proportionate for the purpose of the controller’s statutory functions or for other purposes provided for in Section 2(2)(a) of the Security Service Act 1989 or Sections 2(2)(a) and 4(2)(a)of the Intelligence Services Act 1994 (386). Importantly, these requirements also apply in cases where the national security exemption pursuant to Section 110 of the DPA 2018 is invoked, as Section 110 of the DPA 2018 does not list Section 109 of the DPA 2018 as one of the provisions that can be disapplied if an exemption from certain provisions is required for the purpose of safeguarding national security.

(229)

Once the warrant has been approved and the data has been collected in bulk, the data will be subject to a selection before being examined. The selection and examination phase is subject to a further proportionality test carried out by the analyst that defines, on the basis of the operational purposes included in the warrant (and potentially existing filtering arrangements) the criteria for selection. As provided by sections 152 and 193 of the IPA, when issuing the warrant the Secretary of State must ensure that arrangements are in place to guarantee that the selection of the material is carried out only for the specified operational purposes and that it is necessary and proportionate in all circumstances. In this respect, the United Kingdom authorities clarified that the material intercepted in bulk is selected, first of all, via automated filtering with the aim to discard data that is unlikely to be of national security interest. The filters will vary from time to time (as internet traffic patterns, types and protocols change) and will depend on the technology and operational context. After this phase, the data can be selected for examination only if relevant for the operational purposes specified in the warrant (387). The safeguards provided by the IPA 2016 for the examination of the material collected apply to any type of data (both intercepted content and secondary data) (388). Section 152 and 193 of the IPA 2016 also provide for a general prohibition to select for examination material referring to conversations sent by or intended to individuals who are in the British Islands. If the authorities wish to examine such material, they would submit a request for a targeted examination warrant under Part 2 and Part 4 of the IPA 2016, issued by the Secretary of State and approved by a Judicial Commissioner (389). If a person deliberately selects intercepted content for examination in breach of the requirements set in the legislations (390) he or she commits a criminal offence (391).

(230)

The assessment carried out by the analyst over the selection of the material is subject to an ex post oversight by the IPC who evaluates the compliance with the specific safeguards set in the IPA 2016 for the examination phase (392) (see also recital (229)). The IPC must keep under review (including by way of audit, inspection and investigation) the exercise by public authorities of the investigatory powers mentioned in the IPA 2016 (393). In this respect, the Code of Practice on Interception and the Code of Practice on Equipment Interference clarify that records must be kept by the agency for purposes of subsequent examination and audits, and these records must outline why access to the material by authorised persons is necessary and proportionate and the applicable operational purposes (394). For example, in its 2018 Annual report the Investigatory Powers Commissioner Office (IPCO) (395) concluded that the justifications recorded by the analysts for the examination of certain material collected in bulk met the required standard of proportionality, by providing sufficient details of the reasons of their “queries” in relation to the purpose to be achieved (396). In its 2019 report, the IPCO, in relation to bulk powers, clearly stated its intention to continue the inspections of bulk interceptions, including a detailed examination of the selectors and search criteria (397). It will also continue to scrutinise carefully, on a case-by-case basis, the choice of surveillance measures (targeted v. bulk) both during its consideration of warrant applications under the double lock and at inspections (398). This further monitoring will be duly taken into account in the context of the Commission’s monitoring of this Decision referred to in recitals (281)-(284).

(231)

Chapter 2 of Part 6 of the IPA 2016 regulates bulk acquisition warrants that authorise the addressee to require a telecommunications operator to disclose or obtain any communications data in the possession of the operator. These warrants also authorize the requesting authority to select the data for the further phase of the examination. As it is the case for targeted retention and acquisition of communications data (see recital (199)), also the bulk acquisition of communications data does normally not concern personal data of EU data subjects transferred under this Decision to the United Kingdom. The obligation to disclose communications data pursuant to Chapter 2 of Part 6 of the IPA 2016 covers data that is collected by telecommunication operators in the United Kingdom directly from the users of a telecommunication service (399). This type of “customer facing” processing typically does not involve a transfer on the basis of this Decision, i.e. a transfer from a controller/processor in the EU to a controller/processor in the United Kingdom.

(232)

However, for the sake of completeness the conditions and safeguards governing the acquisition of bulk communications data are described below.

(233)

The IPA 2016 replaces the legislation concerning the acquisition of bulk communications data which was the subject of the CJEU judgment in the Privacy International case. The legislation at issue in that case was repealed and the new regime provides for specific conditions and safeguards under which such measure can be authorised.

(234)

In particular, differently from the previous regime under which the Secretary of State had full discretion in authorising the measure (400), the IPA 2016 requires the Secretary of State to issue a warrant only if the measure is necessary and proportionate. This means in practice that there should be a link between the access to the data and the aim pursued (401). More specifically, the Secretary of State will have to assess the existence of a link between the measure requested and one or more “operational purpose/s” indicated in the warrant (see recital (219)) respect to the assessment of the proportionality, the relevant Code of Practice specifies that “the Secretary of State must take into account whether what is sought to be achieved by the warrant could reasonably be achieved by other less intrusive means (Section 2(2)(a) of the Act). For example, obtaining the required information through a less intrusive power such as the targeted acquisition of communications data” (402).

(235)

To conduct such assessment, the Secretary of State will rely on information that the heads of intelligence (403) are required to submit in their application, such as the reasons why the measure is considered to be necessary for one of the statutory grounds and the reasons why what is sought to be achieved could not reasonably be achieved by other less intrusive means (404). Moreover, the operational purposes limit the scope for which data obtained under the warrant can be selected for examination (405). As specified in the relevant Code of Practice, the operational purposes must describe a clear requirement and contain sufficient detail to satisfy the Secretary of State that acquired data may only be selected for examination for specific reasons (406). In fact, the Secretary of State will have to ensure, before authorising the warrant, that specific arrangements are in place for securing that only that material which has been considered necessary for examination for an operational purpose and a statutory purpose is selected for the examination and should be proportionate and necessary in all circumstances. This specific requirement, reflected in sections 158 and 172 (407) of the IPA 2016, regarding the prior assessment of the necessity and proportionality of the criteria used for the purposes of selection represents another important novelty of the regime introduced by the IPA 2016 compared to the regime previously in place.

(236)

The IPA 2016 also introduced the obligation on the Secretary of State, to ensure that, before issuing the warrant for the bulk acquisition of communications data specific limitations are in place on the security, the retention and the disclosure of the personal data collected (408). In case of overseas disclosure, the safeguards, described in recital (227), for bulk interception and bulk equipment interference apply also in this context (409). Further limits are set out in the legislation on the duration (410), renewal (411) and modification of the bulk warrants (412).

(237)

Importantly, as for the other bulk powers, before issuing the warrant, the Secretary of State needs get the approval by a Judicial Commissioner (413). This is a key feature of the regime put in place by the IPA 2016.

(238)

The IPC carries out an ex post oversight on the examination procedure over the material (communication data) acquired in bulk (see recital (254) below). In that respect, the IPA 2016 introduced the requirement that the intelligence analyst carrying out the examination, has to record, prior to selecting the data for examination, the reason why the proposed examination is necessary and proportionate for a specified operational purpose (414). In the IPCO Annual Report 2019 it was found with respect to GCHQ’s and MI5’s practice that “the critical role of bulk communications data (BCD) to the range of activities conducted at GCHQ was well articulated in the casework we inspected. We considered the nature of the requested data and the stated intelligence requirements and were satisfied that the documentation demonstrated that their approach was necessary and proportionate” (415). “MI5’s recorded justifications were of a good standard and satisfied the principles of necessity and proportionality” (416).

(239)

Bulk Personal Dataset (BPD) warrants (417) authorise intelligence agencies to retain and examine sets of data that contain personal data relating to a number of individuals. According to the explanations provided by the United Kingdom authorities, the analysis of such datasets can be “the only way for UKIC to progress investigations and identify terrorists from very limited lead intelligence, or when their communications have been deliberately concealed” (418). There are two types of warrants: “class BPD warrants” (419) which concern a certain category of datasets, i.e. datasets which are similar in their content and proposed use and raise similar considerations as to, for instance, the degree of intrusion and sensitivity and the proportionality of using the data, therefore allowing the Secretary of State to consider the necessity and proportionality of acquiring all data within the relevant class all at once. For example, a class BPD warrant may cover travel datasets that relate to similar routes (420). “Specific BPD warrants” (421) instead concern one specific dataset, such as a dataset of a novel or unusual type of information which does not fall within an existing class BPD warrant, or a dataset that concerns specific types of personal data (422) and therefore requires additional safeguards (423). The provisions of the IPA 2016 relating to BPDs allow such datasets to be examined and retained only where it is necessary and proportionate to do so (424), and in line with the general obligations relating to privacy (425).

(240)

The power to issue a BPD warrant is subject to the “double lock” procedure: the assessment of the necessity and proportionality of the measure is first carried out by the Secretary of State and then by the Judicial Commissioner (426). The Secretary of State is required to consider the nature and scope of the type of warrant being sought, the category of data concerned and the number of individual bulk personal datasets likely to fall within the specific type of warrant (427). Also, as specified in the Code of Practice on Intelligence Services’ Retention and Use of Bulk Personal Datasets, detailed records are to be kept and are subject to IPC audit (428). Retaining and examining BPD outside the limits of the IPA 2016 is a criminal offense (429).

(241)

Personal data processed under Part 4 of the DPA 2018 must not be processed in a manner that is incompatible with the purpose for which it was collected (430). The DPA 2018 provides that the controller can process the data for another purpose, different from that for which the data was collected, when it is compatible with the original one and provided that the controller is authorised by law to process the data and that processing is necessary and proportionate (431). Moreover, the Security Service Act 1989 and the Intelligence Services Act 1994 specify that the heads of the intelligence agencies have the duty to ensure that no information is obtained or disclosed except so far as necessary for the proper discharge of the agency functions or for the other limited and specific purposes listed in the relevant provisions (432).

(242)

In addition, Section 109 of the DPA 2018 sets out specific requirements for international transfers of personal data by intelligence services to third countries or international organisations. According to this provision, personal data is not allowed to be transferred to a country or territory outside the United Kingdom or to an international organisation, unless the transfer is necessary and proportionate for the purpose of the controller’s statutory functions or for other purposes provided for in Section 2(2)(a) of the Security Service Act 1989 or Sections 2(2)(a) and 4(2)(a)of the Intelligence Services Act 1994 (433). Importantly, these requirements also apply in cases where the national security exemption pursuant to Section 110 of the DPA 2018 is invoked, as Section 110 of the DPA 2018 does not list Section 109 of the DPA 2018 as one of the provisions that can be disapplied if an exemption from certain provisions is required for the purpose of safeguarding national security.

(243)

Moreover, as stressed by the ICO in its guidance on intelligence services processing, in addition to the safeguards provided by Part 4 of the DPA 2018, an intelligence agency, when sharing data with a third country intelligence body, is also subject to safeguards provided by other legislative measures applying to them to ensure that personal data is obtained, shared and handled lawfully and responsibly (434). For example, the IPA 2016 sets out further safeguards in relation to transfers to a third country of material collected through targeted interception (435), targeted equipment interference (436), bulk interception (437), bulk acquisition of communications data (438) and bulk equipment interference (439) (so-called “overseas disclosures”). In particular, the authority issuing the warrant must ensure that arrangements are in force for securing that the third country receiving the data limits the number of persons who see the material, and the extent of disclosure and the number of copies made of any material to the minimum necessary for the authorised purposes set out in the IPA 2016 (440).

(244)

Government access for national security purposes is overseen by a number of different bodies. The Information Commissioner oversees the processing of personal data in light of the DPA 2018 (for more information on the independence, appointment role and powers of the Commissioner see recitals (85) to (98)), while independent and judicial oversight on the use of investigatory powers under the IPA 2016 is provided by the IPC. The IPC oversees the use of IPA 2016 investigatory powers by both law enforcement and national security authorities. Political oversight is guaranteed by the Intelligence Service Committee of the Parliament.

(245)

The processing of personal data carried out by the intelligence services under Part 4 of the DPA 2018, is overseen by the Information Commissioner (441).

(246)

The general functions of the Information Commissioner in relation to the processing of personal data by intelligence services under Part 4 of the DPA 2018 are laid down in Schedule 13 to the DPA 2018. The tasks include, but are not limited to, monitoring and enforcement of Part 4 of the DPA 2018, promoting public awareness, advising Parliament, the government and other institutions on legislative and administrative measures, promote the awareness of controllers and processors of their obligations, provide information to a data subject concerning the exercise of the data subject’s rights, conduct investigations etc.

(247)

The Commissioner, as for Part 3 of the DPA 2018, has the powers to notify controllers of an alleged infringement and to issue warnings that a processing is likely to infringe the rules, and issues reprimands when the infringement is confirmed. It can also issue enforcement and penalty notices for violations of certain provision of the act (442). However, differently than for other parts of the DPA 2018, the Commissioner cannot give an assessment notice to a national security body (443).

(248)

Moreover, Section 110 of the DPA 2018 provides an exception to the use of certain powers of the Commissioner when this is required for the purposes of safeguarding national security. This includes the power of the Commissioner to issue (any type of) notices under the DPA (information, assessment, enforcement and penalty notices), the power to do inspections in accordance with international obligations, the powers of entry and inspection, and the rules on offences (444). As explained in recital (126), these exceptions apply only if necessary and proportionate and on a case-by-case basis.

(249)

The ICO and UK intelligence services have signed a Memorandum of Understanding (445) that establishes a framework for co-operation on a number of issues, including data breach notifications and the handling of data subjects complaints. In particular, it provides that, upon receiving a complaint, the ICO will assess that the application of any national security exemption has been used appropriately. Responses to queries made by the ICO in the context of the examination of individual complaints have to be given within 20 working days by the concerned intelligence agency, using appropriate secure channels if it involves classified information. From April 2018 to date, the ICO has received 21 complaints from individuals about the intelligence services. Each complaint was assessed and the outcome was communicated to the data subject (446).

(250)

Pursuant to Part 8 of the IPA 2016, oversight over the use of investigatory powers is exercised by the Investigatory Powers Commissioner (IPC). The IPC is assisted by other Judicial Commissioners, which are collectively referred to as Judicial Commissioners (447). The IPA 2016 sets out the guarantees that protect the independence of the Judicial Commissioners. Judicial Commissioners are required to hold, or to have held, a high judicial office (i.e. must be or have been a member of the most senior courts) (448) and, as any member of the judiciary, they enjoy an independent status from the government (449). Pursuant to Section 227 of the IPA 2016, it is the Prime Minister that appoints the IPC and as many Judicial Commissioners as he considers necessary. All Commissioners, whether they are current or former members of the judiciary, can only be appointed on the basis of a joint recommendation by the three Chief Justices for England & Wales, Scotland and Northern Ireland and the Lord Chancellor (450). The Secretary of State must provide the IPC with staff, accommodation, equipment and other facilities and services (451). The term of the Commissioners is three years and they can be reappointed (452). As a further guarantee of their independence, Judicial Commissioners can be removed from office only subject to strict conditions imposing a high threshold: either by the Prime Minister in the specific circumstances listed in an exhaustive manner in Section 228(5) of the IPA 2016 (such as bankruptcy or imprisonment), or if a resolution approving the removal has been passed by each House of Parliament (453).

(251)

The IPC and Judicial Commissioners are supported in their roles by the Investigatory Powers Commissioner’s Office (IPCO). The IPCO’s staff includes a team of inspectors, in-house legal and technical expertise, and a Technology Advisory Panel to provide expert advice. As it is the case for the individual Judicial Commissioners, the independence of the IPCO is protected. The IPCO is an “arm’s-length body” of the Home Office, i.e. it receives funding from the Home Office, but carries out its functions independently (454).

(252)

The main functions of the Judicial Commissioners are set out in Section 229 of the IPA 2016 (455). In particular, the Judicial Commissioners have an extensive power of prior approval, which is part of the safeguards introduced in the United Kingdom legal framework with the IPA 2016. Warrants in relation to targeted interception, equipment interference, bulk personal datasets, bulk acquisition of communication data as well as retention notices for communication data all have to be approved by Judicial Commissioners (456). The IPC must also always pre-authorise the acquisition of communication data for law enforcement purposes (457). If a Commissioner refuses to approve a warrant, the Secretary of State can appeal to the Investigatory Powers Commissioner, whose decision is final.

(253)

The UN Special Rapporteur on the Right to Privacy strongly welcomed the establishment of the Judicial Commissioners with the IPA 2016, as “all the more sensitive or intrusive requests to conduct surveillance need to be authorized by both a cabinet minister and the Investigatory Powers Commissioner’s Office”. In particular, he stressed that “this element of judicial review [through the role of the IPC] assisted by a better-resourced team of experienced inspectors and technology experts is one of the most significant new safeguards introduced by the IPA”, that replaced a previously fragmented system of oversight authorities and complements the role of the Intelligence and Security Committee of Parliament and the Investigatory Powers Tribunal” (458).

(254)

In addition, the IPC has the powers to carry out ex post oversight, including by way of audit, inspection and investigation, of the use of investigatory powers under the IPA 2016 (459) and some other powers and functions provided in relevant legislation (460). The results of such ex post oversight are included in the report that the IPC must prepare annually and present to the Prime Minister (461) and that must be published and laid before Parliament (462). The report contains relevant statistics and information about the use of the investigatory powers by intelligence agencies and law enforcement authorities as well as the deployment of the safeguards in relation to items subject to legal privilege, confidential journalistic material and sources of journalistic information, information on the arrangements taken and the operational purposes used in the context of bulk warrants. Finally, in the IPCO Annual Report, it is specified in which area recommendations were given to public authorities and how they have been addressed (463).

(255)

In accordance with Section 231 of the IPA 2016, if the IPC becomes aware of any relevant error committed by public authorities in the use of their investigatory powers, it must inform the person concerned where they consider that the error is serious and it is in the public interest for the person to be informed (464). In particular, Section 231 of the IPA 2016 specifies that, when informing a person of an error, the IPC must provide information on any right he/she has to apply to the Investigatory Powers Tribunal, and provide such details as the Commissioner considers necessary for the exercise of those rights and there is a public interest for the disclosure (465).

(256)

The parliamentary oversight by the Intelligence and Security Committee (ISC) has its statutory footing in the Justice and Security Act 2013 (JSA 2013) (466). The Act establishes the ISC as a committee of the United Kingdom Parliament. Since 2013, the ISC has been provided with greater powers including the oversight of operational activities of security services. Under Section 2 of the JSA 2013, the ISC has the task to oversee the expenditure, administration, policy and operations of national security agencies. The JSA 2013 specifies that the ISC is able to conduct investigations on operational matters when they do not relate to ongoing operations (467). The Memorandum of Understanding agreed between the Prime Minister and the ISC (468) specifies in details the elements to be taken into account when considering whether an activity is not part of any ongoing operation (469). The ISC can also be asked to investigate ongoing operations by the Prime Minister and can review information voluntarily provided by the agencies.

(257)

Under Schedule 1 to the JSA 2013 the ISC may ask the heads of any of the three intelligence services to disclose any information. The agency must make such information available, unless the Secretary of State vetoes it (470). According to the explanations provided by the United Kingdom authorities, in practice very little information is withheld from the ISC (471).

(258)

The ISC consists of members belonging to either House of the Parliament and appointed by the Prime Minister after consulting the leader of the opposition (472). The ISC is required to make an annual report to Parliament on the discharge of its functions and other reports that it considers appropriate (473). Moreover, the ISC is entitled to receive every three months the list of operational purposes that is used to examine material obtained in bulk (474). Copies of the investigations, inspections or audits of the Investigatory Powers Commissioner are shared with the ISC by the Prime Minister when the matter of the reports is relevant for the Committee statutory competences (475). Finally the Committee can ask the IPC to perform an investigation and the Commissioner must inform the ISC of the decision as to whether to carry out such investigation (476).

(259)

The ISC also provided input on the draft IPA 2016, which resulted in a number of amendments that are now reflected in the IPA 2016 (477). In particular, the ISC recommended the strengthening of privacy protections by introducing a set of privacy protections which apply across the full range of investigatory powers (478). It also suggested changes to the proposed capabilities concerning Equipment Interference, BPD and Communications Data, and requested other specific amendments to strengthen the limitations and safeguards for the use of investigatory powers (479).

(260)

In the field of government access for national security purposes, data subjects must have the possibility of bringing legal action before an independent and impartial court in order to have access to their personal data, or to obtain the rectification or erasure of such data (480). Such a judicial body must notably have the power to adopt binding decisions on the intelligence service (481). In the United Kingdom, as explained in recitals (261) to (271), a number of judicial redress avenues provide data subjects with the possibility to pursue and obtain such legal remedies.

(261)

Under Section 165 of the DPA 2018, a data subject has the right to lodge a complaint with the Information Commissioner if the data subject considers that, in connection with personal data relating to him or her, there is an infringement of Part 4 of the DPA 2018. The Information Commissioner has the power to assess the compliance of the controller and processor with the DPA 2018, requiring them to take necessary steps. Moreover, under Part 4 of the DPA 2018, individuals are entitled to apply to the High Court (or Court of Session in Scotland) for an order requiring the controller to comply with the rights of access to data (482), to object to processing (483) and to rectification or erasure (484).

(262)

Individuals are also entitled to seek compensation for damage suffered due to a contravention of a requirement of Part 4 of the DPA 2018 from the controller or a processor (485). Damage includes both financial loss and damage not involving financial loss, such as distress (486).

(263)

Individuals can obtain redress for violations of the IPA 2016 before the Investigatory Powers Tribunal.

(264)

The Investigatory Powers Tribunal is established by the RIPA 2000 and is independent from the executive (487). In accordance with Section 65 of the RIPA 2000, the members of that Tribunal are appointed by Her Majesty for a period of five years. A member of that Tribunal may be removed from office by Her Majesty on an Address (488) by both Houses of Parliament (489).

(265)

Under Section 65 of the RIPA 2000 the Tribunal is the appropriate judicial body for any complaint by a person aggrieved by conduct under the IPA 2016, RIPA 2000 or any conduct of the intelligence services (490).

(266)

To bring an action before the Investigatory Powers Tribunal (“standing requirement”), according to Section 65 of the RIPA 2000 an individual has to believe (491) that the conduct of an intelligence service has taken place in relation to him, any of his property, any communications sent by or to him, or intended for him, or his use of any postal service, telecommunications service or telecommunications system” (492). In addition, the complainant is required to believe that the conduct has taken place in “challengeable circumstances” (493) or “to have been carried out by or on behalf of the intelligence services (494). As in particular this “belief” standard has been interpreted quite broadly (495), bringing a case before that Tribunal is subject to low standing requirements”.

(267)

Where the Investigatory Powers Tribunal considers a complaint made to them, it is the duty of the Tribunal to investigate whether the persons against whom any allegation is made in the complaint have engaged in relation to the complainant as well as to investigate the authority that has allegedly engaged in the violations and whether the alleged conduct has taken place (496). Where that Tribunal hears any proceedings, it must apply the same principles for making their determination in those proceedings as would be applied by a court on an application for judicial review (497). In addition, the addressees of the warrants or notices under the IPA 2016, and every other person holding office under the Crown, employed by the police force or the Police Investigations and Review Commissioner have the duty to disclose or provide to that Tribunal all such documents and information as the Tribunal may require for the purpose of enabling them to exercise their jurisdiction (498).

(268)

The Investigatory Powers Tribunal must give notice to the complainant whether there has been determination in his or her favour or not (499). Under Section 67(6) and (7) of the RIPA 2000, the Tribunal has the power to issue interim orders and to provide any such award of compensation or other order as it thinks fit. This may include an order quashing or cancelling any warrant or authorisation and an order requiring the destruction of any records of information obtained in exercise of any power conferred by a warrant, authorization or a notice, or otherwise held by any public authority in relation to any person (500). According to Section 67A of the RIPA 2000, a determination of the Tribunal can be appealed, subject to leave granted by the Tribunal or relevant appellate court.

(269)

Finally, it is worth noting that the role of the Investigatory Powers Tribunal has been discussed in the context of legal actions before the European Court of Human Rights in several occasions, notably in the case of Kennedy v. the United Kingdom (501) and more recently in the case Big Brother Watch and others v. United Kingdom (502) , where the Court declared that the “IPT offered a robust judicial remedy to anyone who suspected that his or her communications had been intercepted by the intelligence services” (503).

(270)

As explained in recitals (109) to (111), means of redress under the Human Rights Act 1998 and before the European Court of Human Rights (504) are also available in the area of national security. Section 65(2) of RIPA 2000 provides the Investigatory Powers Tribunal with exclusive jurisdiction for all Human Rights Act’s claims in relation to the intelligence agencies (505). This means, as noted by the High Court, “whether there has been a breach of the HRA on the facts of a particular case is something that can in principle be raised and adjudicated by an independent tribunal which can have access to all relevant material, including secret material. […] We also bear in mind in this context that the Tribunal is itself now subject to the possibility of an appeal to an appropriate appellate court (in England and Wales that would be the Court of Appeal); and that the Supreme Court has recently decided that the Tribunal is in principle amenable to judicial review: see R (Privacy International) v Investigatory Powers Tribunal [2019] UKSC 22; [2019] 2 WLR 1219” (506).

(271)

It follows from the above that when United Kingdom law enforcement or national security authorities access personal data falling within the scope of this Decision, such access is governed by laws that set the conditions under which access can take place and ensures that access and further use of the data is limited to what is necessary and proportionate to the law enforcement or national security objective pursued. Moreover, such access is subject in most instances to prior authorisation by a judicial body, through the approval of a warrant or a production order, and in any case to independent oversight. Once data has been accessed by public authorities, its processing, including further sharing and onward transfer, is subject to specific data protection safeguards under Part 3 the DPA 2018, reflecting those provided by Directive (EU) 2016/680, for processing by law enforcement authorities and Part 4 of the DPA 2018 for processing by intelligence agencies. Finally, data subjects enjoy in this area effective administrative and judicial redress rights, including to obtain access to their data or rectification or erasure of such data.

(272)

Given the importance of such conditions, limitations and safeguards for the purposes of the present Decision, the Commission will closely monitor the application and interpretation of the UK rules framing government access to data. This will include relevant legislative, regulatory and case-law developments, as well as activities of the ICO and other oversight authorities in this area. Close attention will also be paid to the execution by the UK of relevant judgments of the European Court of Human Rights, including measures identified in the “action plans” and “action reports” submitted to the Committee of Ministers in the context of the supervision of compliance with the Court’s rulings.

(273)

The Commission considers that the UK GDPR and the DPA 2018 ensure a level of protection for personal data transferred from the European Union that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.

(274)

Moreover, the Commission considers that, taken as a whole, the oversight mechanisms and redress avenues in United Kingdom law enable infringements to be identified and punished in practice and offer legal remedies to the data subject to obtain access to personal data relating to him/her and, eventually, the rectification or erasure of such data.

(275)

Finally, on the basis of the available information about the United Kingdom legal order, the Commission considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to the United Kingdom by United Kingdom public authorities for public interest purposes, in particular law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.

(276)

Therefore, in the light of the findings of this Decision, it should be decided that the United Kingdom ensures an adequate level of protection within the meaning of Article 45 of Regulation (EU) 2016/679, interpreted in light of the Charter of Fundamental Rights of the European Union.

(277)

This conclusion is based on both the relevant UK domestic regime and its international commitments, in particular adherence to the European Convention of Human Rights and submission to the jurisdiction of the European Court of Human Rights. Continued adherence to such international obligations is therefore a particularly important element of the assessment on which this Decision is based.

(278)

Member States and their organs are required to take the measures necessary to comply with acts of the Union institutions, as the latter are presumed to be lawful and accordingly produce legal effects until such time as they expire, are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality.

(279)

Consequently, a Commission adequacy decision adopted pursuant to Article 45(3) of Regulation (EU) 2016/679 is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities. In particular, during the period of application of this Decision, transfers from a controller or processor in the European Union to controllers or processors in the United Kingdom may take place without the need to obtain any further authorisation.

(280)

It should be recalled that, pursuant to Article 58(5) of Regulation (EU) 2016/679 and as explained by the Court of Justice in the Schrems judgment (507), where a national data protection authority questions, including upon a complaint, the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court which may be required to make a reference for a preliminary ruling to the Court of Justice (508).

(281)

Pursuant to Article 45(4) of Regulation (EU) 2016/679, the Commission is to monitor, on an ongoing basis, relevant developments in the United Kingdom after the adoption of this Decision in order to assess whether it still ensures an essentially equivalent level of protection. Such monitoring is particularly important in this case, as the United Kingdom will administer, apply and enforce a new data protection regime no longer subject to European Union law and which may be liable to evolve. In that respect, special attention will be paid to the application in practice of the United Kingdom rules on transfers of personal data to third countries, and the impact it may have on the level of protection afforded to data transferred under this Decision; to the effectiveness of the exercise of individual rights, including any relevant development in law and practice concerning the exceptions to or restrictions of such rights (notably the one relating to the maintenance of effective immigration control); as well as compliance with the limitations and safeguards with respect to government access. Amongst other elements, case law developments and oversight by the ICO and other independent bodies will inform the Commission’s monitoring.

(282)

To facilitate this monitoring, the United Kingdom authorities should promptly inform the Commission of any material change to the UK legal order that has an impact on the legal framework that is the object of this Decision, as well as any evolution in practices related to the processing of the personal data assessed in this Decision, both as regards the processing of personal data by controllers and processors under the UK GDPR and the limitations and safeguards applicable to access to personal data by public authorities. This should include developments regarding the elements mentioned in recital (281).

(283)

Moreover, in order to allow the Commission to effectively carry out its monitoring function, the Member States should inform the Commission about any relevant action undertaken by the national data protection authorities, in particular regarding queries or complaints by EU data subjects concerning the transfer of personal data from the Union to controllers or processors in the United Kingdom. The Commission should also be informed about any indications that the actions of United Kingdom public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences, or for national security including any oversight bodies, do not ensure the required level of protection.

(284)

Where available information, in particular information resulting from the monitoring of this Decision or provided by United Kingdom or Member States’ authorities, reveals that the level of protection afforded by the United Kingdom may no longer be adequate, the Commission should promptly inform the competent United Kingdom authorities thereof and request that appropriate measures be taken within a specified timeframe, which may not exceed three months. Where necessary, this period may be extended for a specified period of time, taking into account the nature of the issue at stake and/or of the measures to be taken. For example, such a procedure would be triggered in cases where onward transfers, including on the basis of new adequacy regulations adopted by the Secretary of State or international agreements concluded by the United Kingdom, would no longer be carried out under safeguards ensuring the continuity of protection within the meaning of Article 44 of Regulation (EU) 2016/679.

(285)

If, at the expiry of that specified timeframe, the competent United Kingdom authorities fail to take those measures or otherwise demonstrate satisfactorily that this Decision continues to be based on an adequate level of protection, the Commission will initiate the procedure referred to in Article 93(2) of Regulation (EU) 2016/679 with a view to partially or completely suspend or repeal this Decision.

(286)

Alternatively, the Commission will initiate this procedure with a view to amend the Decision, in particular by subjecting data transfers to additional conditions or by limiting the scope of the adequacy finding only to data transfers for which an adequate level of protection continues to be ensured.

(287)

On duly justified imperative grounds of urgency, the Commission will make use of the possibility to adopt, in accordance with the procedure referred to in Article 93(3) of Regulation (EU) 2016/679, immediately applicable implementing acts suspending, repealing or amending the Decision.

(288)

The Commission must take into account that, with the end of the transition period provided by the Withdrawal Agreement and as soon as the interim provision under Article 782 of the EU-UK Trade and Cooperation Agreement will cease to apply, the United Kingdom will administer, apply and enforce a new data protection regime compared to the one in place when it was bound by EU law. This may notably involve amendments or changes to the data protection framework assessed in this Decision, as well as other relevant developments.

(289)

It is therefore appropriate to provide that this Decision will apply for a period of four years as of its entry into force.

(290)

Where in particular information resulting from the monitoring of this Decision reveals that the findings relating to the adequacy of the level of protection ensured in the United Kingdom are still factually and legally justified, the Commission should, at the latest six months before this Decision ceases to apply, initiate the procedure to amend this Decision by extending its temporal scope, in principle, for an additional period of four years. Any such implementing act amending this Decision is to be adopted in accordance with the procedure referred to in Article 93(2) of Regulation (EU) 2016/679.

(291)

The European Data Protection Board published its opinion (509), which has been taken into consideration in the preparation of this Decision.

(292)

The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 93 of Regulation (EU) 2016/679,