30 January 2023
The Data Protection and Digital Information Bill will degrade privacy and data protection safeguards in policing. Under certain conditions, law enforcement agencies (LEAs) will be able to circumvent rights protections by acting with the same powers as intelligence agencies. Laws safeguarding personal data during transfers will be diluted and the means for oversight will be significantly reduced.
Last summer the government published the Data Protection and Digital Information Bill which would make substantial changes to the Data Protection Act 2018. This legislation implemented the EU’s General Data Protection Regulation and Law Enforcement Directive, the latter dealing with police data protection.
Open Rights Group noted that the Bill will “tear up our data rights” and “increase data discrimination and prejudice.” One issue that has received little attention, however, is the proposed changes to data protection rules governing the police.
Statewatch Director, Chris Jones, comments:
"The proposals are another example of the government’s attempts to limit the accountability of state agencies – just as we have seen with multiple other pieces of legislation since the 2019 election.
The plan to put police forces on the same footing as intelligence agencies when they work together is apparently because of ‘challenges to joint operational working’. But if the police and the agencies have to work together, why should they not both be subject to the more stringent safeguards that apply to the police?
The plans to ease data transfers overseas and remove logging requirements compound the problem. But as we know all too well by now, this government has little interest in accountability – despite the rampant abuse and malpractice within the police that continues to be uncovered."
Joint police and intelligence agency action
Under the proposed changes, data protection safeguards that apply to law enforcement agencies (LEAs) would be removed where the home secretary decrees it necessary for police to work in conjunction with intelligence agencies – so, rather than applying more stringent safeguards to the intelligence agencies, the bill will instead loosen those that apply to the police.
This is because of “the increasing expectation that Law Enforcement and the Intelligence Services will work jointly in operational partnerships,” according to the government.
The changes would allow the Home Secretary to issue certificates authorising joint processing between police forces and intelligence agencies, who must make joint applications for those certificates. The Home Secretary would be obliged to consult the UK Information Commissioner before issuing or refusing a certificate, and any such certificates would require the active approval of both houses of parliament.
Under this regime, LEAs would effectively qualify as intelligence agencies in the eyes of data protection law, meaning much weaker safeguards and controls on their use of personal data. The Data Protection Act 2018 sets out personal data protection rights and principles in relation to processing by the security agencies, but an exemption can be invoked to exclude almost all of them if “required for the purposes of national security.”
Easing data transfers
The proposal also seeks to make it easier for police forces to transfer personal data across borders by removing several safeguards.
Currently, a data controller may transfer personal data to a third party if the third party has been approved for transfers by an adequacy decision – but the government is seeking to alter the conditions that underpin an adequacy decision.
The changes would permit transfers to third states if the home secretary determines that the data protection standards in the recipient state are not "materially lower" than the UK. Currently, those standards must be equivalent to the UK’s.
Furthermore, under the Bill, the home secretary must consider a vastly reduced list of elements specified in a “data protection test” when determining if the standards in a recipient state are “materially lower”. This test serves as the basis for whether to revoke or amend regulations on transfers to third countries.
If data transfers are revoked or amended on this basis, the Home Secretary must consult with the third party not with a view to "remedying the lack of an adequate level of protection," as is currently the case, but to "improving the protection provided to data subjects". The proposal also includes the removal of the requirement for the Home Secretary to conduct a review every four years of the third countries to which transfers have been approved.
This is not the end of the matter. Currently, transfers can be approved without an adequacy decision in place provided that “appropriate safeguards” exist. Data controllers are obliged to “assess all the circumstances” to determine whether appropriate safeguards exist.
Under the Bill, controllers would instead be obliged to act “reasonably and proportionately”. Here, “what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred.”
Where there is no adequacy agreement nor appropriate safeguards in place, “special circumstances” can provide the grounds for data transfers of personal information. The Bill would also weaken safeguards in these cases, making a personal data transfer justified on special circumstances possible “in particular circumstances for any of the law enforcement purposes,” rather than “in individual cases for any of the law enforcement purposes.”
The Data Protection and Digital Information Bill does not include any requirement to obtain guarantees that data transferred from the UK will not be subject to subsequent transfers to a third party in cases of "serious threats" to security and where authorisation cannot be obtained in good time.
The Bill would also not require authorisation from the data source for onward transfers if that authorisation cannot be received in "good time". The source must be informed that the transfer has taken place, but no provisions are made for rights of restrictions or redress.
Removing logging requirements
The proposal also removes the requirement to keep logs of the justification for the consultation and disclosure of data, including LEA processing of personal data. While logs are generally considered to be a crucial tool for oversight of data processing, the government has stated that logging requirements are time-consuming and would not deter dishonest actors from manufacturing false justifications as to why they had accessed data.
Codes of conduct
Data controllers may adopt their own codes of conduct regarding processing personal data if the Information Commissioner determines the body has the "knowledge and experience to do so". A controller can use compliance with the internally produced codes of conduct to demonstrate compliance with the data protection regime.
Yet, the codes of conduct do not have to implement all the safeguards contained in data protection legislation. Instead, a law enforcement body "may" choose to do so. Though the Commissioner must approve the code of conduct and provide each body with an opinion on the code, no reference is made in the proposal to time limits and resource provisions for the Commissioner.
Statewatch recently reported that the chronic underfunding of public data protection bodies across the EU left public bodies "unable to fulfil legal duties". Similar questions have been raised regarding the UK Information Commissioner’s Office, as its budget decreased by 23% from 2020-2021.
The Surveillance Camera Commissioner and Surveillance Camera Code are to be abolished, with the ICO supposed to take on the role, despite struggling with its existing tasks. Similarly, the Biometrics Commissioner's role is to be taken on by the Investigatory Powers Commissioner.
Under Clause 105 of the proposals, the Forensic Information Databases Strategy Board (FIND-SB) will obtain oversight of the UK’s fingerprint and DNA databases. However, this also permits the Home Secretary to change databases overseen by FIND-SB through the power of regulation due to "the pace of technological change".
Author: Chris Fuller
Submission by Statewatch to the Department of Culture, Media and Sport’s consultation on reforms to the UK’s Data Protection Act 2018.
The UK government is consulting on wide-ranging changes to data protection law that include a proposal to facilitate “joint operational activity between law enforcement and national security partners.”
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.