Competent Authorities now (might) have '11 months' till Brexit changes UK DPA law forever (Amended Dates)
Amendment: Since first writing this article, the UK Government have (finally) managed to shoe-horn their selected Withdrawal Agreement through the UK Parliament AND the EU have accepted its terms. As a result the original 'less than a month' strapline of the first article at the point of publication has slipped back somewhat - though the way in which this has been communicated also made it pretty hard to find out exactly where in UK Law it says that is the case...
All the UK's EU Exit related legislation STILL says 'Exit Day' and it is really unlikely that this will change over the coming year (because after all Brexit means Brexit and thus 'Exit means Exit' - or something like that anyway); but don't assume that, just because the 'Exit Day' event is still 11pm on Friday 31st January 2020, these pieces of legislation actually WILL take effect when they say they do.
Now most of them won't (though some still do), but you'd need to read the horrendously structured legal doublespeak that is the European Union (Withdrawal Agreement) Act 2020 <LINK> to find out which falls into which category.
This Act is really complex stuff. A textbook example of what a law looks like when lawyers write laws for other lawyers - important but largely incomprehensible. I've learned that in these products the answers you seek are nearly always at the back (it's a whole new genre of legal whodunnit murder mysteries waiting for a publisher to snap it up and publish into a bargain bookstore. They are hefty tomes, making you value the couple of quid you pay for them by bookshelf inches alone, and the story is pretty incomprehensible, but on the last page there's a cunning reveal that actually kind-of makes some sense). If Columbo had been a lawyer, this is the Act he would have written.
For OUR purposes however - the Data Protection Act 2018 Part 3 Provisions for Law Enforcement will now probably NOT change until the end of December 2020 (and thus not January as the DPPEC Regs said they would). This is unless a Minister decides that they should, in which case they still can - confusing...
In essence, what we should consider this Act to introduce is at best an 11 month hiatus in implementation (issued just in the nick of time for many). It is a suspension of sentence, and certainly not a pardon or acquittal for any sins thus far committed.
The changes to UK DPA Law that we describe in this article shall still materially affect Law Enforcement and are all still definitely 100% going to happen (probably); but these changes might not apply fully now for 11 months, though it could still happen quicker if a Minister decides they want it to (because the Act gives that power).
Actually, under the terms of the Withdrawal Agreement Act it could still happen up to 12 months after the end of the Implementation Period. In theory that Implementation Period COULD also extend for up to two years beyond its current schedule of December 2020 (if the UK and EU agree it should) - the Act does recognise this through references to other legislation, but then also says it very definitely won't extend that far. Either way this stuff is coming (and certainly probably within a year or four).
Getting ready is going to take at least the rest of the year for most Competent Authorities, because this legal horse still has a way to run and the Act will, I am sure, throw up more foibles as it's better reviewed. So my advice is to thank your lucky stars you've got a bit more time to work out a plan and get moving...
I'm going to keep the rest of this article EXACTLY as it was before however - I just wanted to add this addendum right at the front...
-----------------------------------------------------------
It has become commonplace in popular media to refer to the third Monday in January as 'Blue Monday' - typically the closest Monday to the 21st January, notionally supposed to be the most depressing day of the year (although the original author of the phrase suggested he intended it "to inspire people to take action and make bold life decisions").
As we start 2020, I want to hijack that date and bring it forward a fortnight, plus apply that "positive action" interpretation of Blue Monday; because for every UK Law Enforcement [LE] agency (also called a 'Competent Authority' [CA]) the operating landscape is going to change fundamentally at the end of January this year.
We should by now generally accept that with a huge majority from the General Election result in December, the Government are going to take the UK out of Europe on 31st January of this year - probably with the negotiated Withdrawal Agreement, but potentially without a deal at all.
The remainder of this article will assume that EU Exit is going to happen and explain exactly what that means for UK LE CAs, their direct service providers and the many LE partners and others to whom they may transfer data in Europe.
Brexit and how it affects UK Data Protection Law for Competent Authorities
I've previously written a bit about this; explaining the implications of the new UK legislation that came into force last January - the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 [DPPEC] - on the existing special regime that exists for UK LE Competent Authorities under the Data Protection Act 2018 Part 3 [DPA 18 Pt3].
At 11pm GMT on 31st January, the changes introduced by the DPPEC to the UK DPA will come into effect, and the changes in Part 3 specifically will have a significant, serious and immediate impact on all UK Police Forces, MoJ, Home Office, HMRC and other agencies - as well as their suppliers.
The obvious questions are: what impacts, and are UK Competent Authorities ready for them? I want to explore that a little in this article, although I suspect the answer to the second question is 'No, CAs are by no measure ready for these changes'.
If I am correct, then there's less than a month for the CAs and their DPOs to get things sorted, or UK CAs could well be operating outside of UK law at the very time the country starts on its stated path of personal legal responsibility...
The Changes caused by the DPPEC
There are in fact only a couple of changes made in the first four Chapters of DPA 18 Pt3 by the DPPEC Regulations. Mainly these change phrases like 'member state' to 'United Kingdom', and they don't have much other impact, except for the definition of a 'Third Country' in Chapter 1.
In the past a Third Country was any country outside of the EU, but now this is changed to read as follows:
"Third country" means a country or territory outside the United Kingdom.
We'll see shortly why that changed definition is going to be very important indeed.
The only other changes in Chapters 1-4 remove the need for a UK CA to inform EU CAs of changes made to data, or to inform EU data controllers receiving data when there is a data breach.
We really have to wait until we reach Chapter 5 before we see the significant changes - the 'big reveal' which makes such a fundamental difference to how UK CAs will work from 1st February this year.
Before we get into the details of that new landscape however, let's just recap briefly on what a UK CA ought to be doing already when it transfers data outside of the UK - including to Europe.
How UK CAs should already be transferring data (i.e. until the end of Jan 2020)
All of what follows relates only to transfer of Personal Data [PD] processed for a Law Enforcement purpose by a Competent Authority (or their service provider) - covered under DPA 18 Pt3 provisions.
A transfer of data occurs either when data is actually moved to another country, or when it is made available to recipients in another country. This is important to understand - data does not need to physically move from one country to another; it is enough that an overseas recipient can access the data from outside the UK.
When PD is transferred, two things are important to consider:
- Where has it been transferred to? AND
- To whom has the data been transferred?
If the data is transferred to another EU member state, then the underlying laws controlling the protection of the data continue to be EU laws and the provisions of DPA 18 Pt3 Chapter 5 (TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES ETC) don't apply.
As a result most transfers to EU agencies and many of the day-to-day IT services used by UK CAs do not require any special considerations.
Transfers outside of the EU are however called Third Country transfers, and all of those fall under the Chapter 5 requirements.
The steps and controls arising from those sorts of transfers range from assessing, justifying and documenting at the low end of the scale (to other LE authorities), through to formal engagement with and reporting to the ICO for other types of recipient.
It is these rigorous rules for non-LE recipients that should already be being applied to many of the Cloud Services being used by Police, MoJ, CPS and others, with each and every piece of data uploaded to such a service formally assessed, documented and reported to the ICO every single time they are used.
That means that every single email, file upload, record publication, video, image, piece of evidence that is sent to any Cloud or IT Service processing data outside of the EU should be getting this treatment.
If you represent a UK CA and you don't have this in place already for your chosen major cloud service (for example if you are using Office 365 and you don't assess each file or email containing LE PD individually), then you're probably already in breach of DPA 2018 Part 3, and what follows is going to be even harder for you as you try to catch up with the additional changes coming at the end of this month.
The changes introduced by DPPEC
The DPPEC will - as I explained earlier - principally change Chapter 5, and it does so as follows:
1. EVERYWHERE except the UK will now be a Third Country.
It is important to recognise that this includes places the UK has traditionally had special relationships with such as Jersey, Guernsey, Isle of Man and the 14 British Overseas Territories. Transfers of PD to any of these countries will now definitely be a 'Third Country' transfer.
This could (and legally probably should) immediately affect access to UK Policing systems such as PNC and the PSN for Policing network for the Channel Islands and Isle of Man, and data sharing arrangements for Tax or Immigration investigations by HMRC and the Home Office (to list just a couple of aspects).
It may not STOP these transfers (and public interest would suggest we really shouldn't do so anyway), but it does mean that every piece of data accessed from these countries now constitutes a Third Country Data Transfer, and that's a different landscape...
2. The basis of "adequacy" has changed (and will never be the same again).
Up till now the way in which Data Protection regimes in other countries were assessed to be aligned to the UK's regime has been through a European Commission process of assurance against Article 36 of the Law Enforcement Directive [LED].
From 1st Feb this process will change, and two new sections in Chapter 5 (S74A and S74B, replacing the old S74) lay out the new way in which adequacy will be determined and periodically reviewed.
This is quite complex, but in essence anywhere that was deemed adequate prior to the UK's departure from the EU is likely to continue to remain adequate afterwards.
That kind of makes sense, but it's important to also recognise that should any EU adequacy assessments change post Brexit (for example if the 'Schrems 2' case before the ECJ decided to set aside Privacy Shield) then the UK might not also adjust its adequacy regime and as a result would depart from EU alignment.
Because the ECJ is likely to rule on this case in Q1 of 2020 this could then become an early test of the UK Government's intention (or otherwise) to stay aligned to the EU after departure.
Section 74A also empowers the Secretary of State to determine adequacy at their own broad discretion and for specific transfers of particular types of data, by particular organisations or individuals. This needs to be reviewed periodically (under Section 74B).
Taken together, the landscape of adequacy is now much more complicated and the likelihood of the UK drifting over time away from EU accepted practices is quite high. The whole area of adequacy therefore needs to be watched carefully in the future, but by and large at the point of UK Exit, and for a short time thereafter, the question of adequacy probably isn't going to be a showstopper in and of itself.
So what do these changes mean in practical terms?
What do I need to do?
These changes come into effect in about 4 weeks and as such they need urgent and immediate attention.
Clear the decks, reschedule anything less important and do these tasks THIS MONTH:
1 - Confirm you know all your international data transfers.
All data transfers should already be documented in your 'Record of Processing' and in the records held by your data processors - both of which are required under DPA 2018 Pt3 S61.
This should be cross referenced against the DPA 18 Pt3 rules to ensure all transfers are already lawful, and to identify what adjustments may need to be made (in Step 2).
2 - Confirm all your transfers today are fully aligned to existing DPA 18 Pt 3.
If they aren't, then you are already likely to be contravening the law. Bringing your transfer processes into line and then maintaining alignment with the law is principally a business process change activity, and the extent to which a data transfer adds overhead to business processes should not be underestimated.
Technology has only a limited role to play in this business change; conversely, the wrong technology choices can make subsequent legal operations difficult or impossible.
3 - Confirm you can continue to use your existing IT services
This is far from being a given (especially if you make extensive use of Cloud technologies). In fact it is entirely possible that several of the processes or technologies you have in place today will simply not be sustainable or suitable in a post Brexit world.
If they are incompatible (or even if they could be) you should take urgent independent professional advice and do a formal impact assessment to inform a remediation plan, which should include an updated DPIA but not simply be limited to that.
Any transfers or IT services that are incompatible with the post Brexit requirements will need a remediation plan and suitable prioritisation through to delivery.
4 - Confirm you are legally allowed to undertake PD transfers to recipients in a Third Country that are not LE Competent Authorities ('Relevant Authorities').
It surprises many people I talk to, but not all UK Competent Authorities are actually allowed to transfer data to non-Relevant Authorities under the terms of DPA 18 Pt3 S73(4)(b)(ii), which reads:
S73 (4) Condition 3 is that—
(a) the intended recipient is a relevant authority in a third country or an international organisation that is a relevant international organisation, or
(b) in a case where the controller is a competent authority specified in any of paragraphs 5 to 17, 21, 24 to 28, 34 to 51, 54 and 56 of Schedule 7—
(i) the intended recipient is a person in a third country other than a relevant authority, and
(ii) the additional conditions in section 77 are met.
In practice, this means that some UK Competent Authorities who may today be happily and lawfully transferring data to recipients in the EU (or perhaps using some IT services based in the EU for core business tasks) shall NOT be allowed to do so post Brexit day, unless the receiving organisation is an EU Relevant Authority or they can find an alternative legal basis to do so. Even then they will face multiple new obligations to maintain those transfers that are permitted.
This will affect the following organisations, and if this is you, I suggest you seek specialist guidance ASAP (feel free to give me a call):
1 Any United Kingdom government department other than a non-ministerial government department.
2 The Scottish Ministers
3 Any Northern Ireland department
4 The Welsh Ministers
18 The Director General of the Independent Office for Police Conduct
19 The Police Investigations and Review Commissioner
20 The Police Ombudsman for Northern Ireland
22 The Welsh Revenue Authority
23 Revenue Scotland
29 The Competition and Markets Authority
30 The Gas and Electricity Markets Authority
31 The Food Standards Agency
32 Food Standards Scotland
33 Her Majesty’s Land Registry
52 The Information Commissioner
53 The Scottish Information Commissioner
55 The Crown agent
(NB the numbers relate to their listing order in DPA 18 Schedule 7)
Whilst the above organisations may no longer be able, under the terms of DPA 2018 Part 3 (as amended by DPPEC), to transfer the data, other legislation or the DPA 2018 Pt3 S77(8) provisions may still enable them to do so.
The workflow...
In previous versions of these updates I have provided a high-level workflow diagram, and this time I am going to do so again - with just a little bit more detail.
All UK Competent Authorities and their suppliers, service providers or partners should read and apply this plan to inform their processing arrangements. It also provides a deeper explanation of the steps prospective service providers ought to consider when developing their products or hosting choices.
From Brexit day, hosting services in environments that are outside of the UK will become MUCH more complex, and if you are an existing provider, or a potential new one, you need to be able to properly examine and adjust your service accordingly.
And finally... get some help
It should be pretty obvious by now that none of this stuff is trivial - and what we have covered here is by necessity a gallop through some complex legislation.
Not adhering to the law should never be considered to be a valid or ethical option, and only by understanding exactly what the legislation says, creating the necessary forms, workbooks, policies and documentation and fostering the right behaviours and practices can a Competent Authority, supplier or partner be sure of conformance.
There are (perhaps unsurprisingly) not many people out there who really do understand this new landscape, but if you need help then drop me a line; I can arrange for someone to give you a call.
Comment: Again an expert overview of the current compliance pitfalls regarding the DPA 2018 and Brexit.