DPA 2018 Part 3: EU Exit = "All Change"?
Changes Ahead by Nick Youngson CC BY-SA 3.0 Alpha Stock Image

EDITED TO REFLECT NEW (NEW) BREXIT DATE OF 31/10/2019

DPA 2018 Part 3 – Some recent changes with big impacts

The Data Protection Act 2018 is less than a year old and has already gone through a fundamental restructure and changes. Just as many people in the Policing world may not have registered the initial issuing of the DPA 2018, even fewer have yet caught up with the changes introduced in February of this year (though some don't take effect just yet), let alone impact assessed them.

In this article I'm going to do that for you, and also step back a little to talk again about 'International Transfers', which are covered in Chapter 5 of DPA 2018 Part 3 (in both the first issue and the changed version). I covered them in this article here.

So the obvious question is – why change an Act that is so recent? – and the answer (perhaps equally obviously) is 'Brexit'; or, if you prefer the alternative vernacular favoured by the UK government, 'EU Exit'.

(To be fair, EU Exit sounds a lot better that way from an HMG perspective – more like the EU is leaving the UK than the other way around; though the result is of course broadly the same.)

Regardless of your preferred term, however, UK legislation across the board is being changed at an unprecedented pace using Statutory Instruments [SIs] – a form of secondary legislation that either allows a Minister to change the law directly (giving time for objections afterwards – the 'Negative Resolution procedure', used for 90% of legislation changes) or goes through a (still fairly lightweight) process of formal review by the Commons and Lords – the 'Affirmative Resolution procedure' – where, once passed, the SI becomes law regardless of whether you like it afterwards or not.

These changes to the DPA 2018 went through the affirmative procedure and were contained in a big, sweeping SI called "The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019" [the DPPEC Regs].

The new regulations are really broad in scope but deceptively light in their wording, even though they run to a chunky 64 pages, and their full impact is still being assessed. In essence they introduce a few changes to a number of Acts on or around 29th March 2019* (some of which will apply regardless of whether we actually leave the EU on that day), as well as a few changes applied immediately (i.e. since around 22nd February 2019, when the regulation came into effect).

*Or now on the new Brexit day, which is listed to be no later than 31st October 2019.

To be fair, the changes in the Part 3 provisions themselves are really pretty light – but the potential impact is (I think you will agree) massive.

Either way, the DPA 2018 has changed, and some small parts of it will radically affect the Law Enforcement community (i.e. Policing, the CJS and a lot more besides). More specifically, they could have a disproportionate and very serious impact on its current and planned use of IT of all types, and that is what I want to focus on here.

DPA 2018 PART 3 – Chapter 5 – International Transfers: So what's changed?

Most of the changes we need to be concerned about relate to the means by which Law Enforcement [LE] personal data can legally be transferred overseas to 'a third country' (one not covered by the GDPR / the EU Law Enforcement Directive).

The provisions are really quite complex to unpick, so to help I've created a flow chart; but first we need to remind ourselves of the definitions of some terms as they were laid down in the original DPA 2018:

Competent Authority – a Law Enforcement Authority in the UK or EU which is empowered to process personal data for a statutory Law Enforcement task (i.e. Police forces and the CJS, but also any public body that has an enforcement, investigation or prosecuting responsibility).

Third Country – any country other than an EU Member State.

Transfer Data – this one isn't actually defined in the DPA 2018; here it is case law, legal interpretations and industry definitions, which can be summarised as:

 "Data transfer is the process of using computing techniques and technologies to transmit or transfer electronic or analog data from one computer node to another. Data is transferred in the form of bits and bytes over a digital or analog medium, and the process enables digital or analog communications and its movement between devices." – Techopedia

These three terms are important – indeed fundamental – to understanding and properly using the flowcharts that follow.

The chart has (like the legislation) two key phases:

  1. The first is common to any form of transfer and is sufficient in itself to validate or guide a transfer to another Law Enforcement body (a Competent Authority equivalent) in a Third Country.
  2. The second only applies if your proposed transfer is NOT to a Law Enforcement body – e.g. a foreign Government non-LE agency, a commercial entity or a service provider (including a cloud provider).

For the original DPA 2018, the first step is fairly straightforward, though if the transfer is to a non-EEA country you will need to log all transfers and their justification in case the ICO wants to audit you.

This is a bit of an overhead, but it probably isn't a deal breaker or an unfeasible burden.

The second step is, however, a lot more complex, because there is a general expectation that transfers of data outside the EEA should be made only on an exceptional basis and only when "strictly necessary" to fulfil the LE purpose; each transfer must be fully justified AND communicated to the ICO in each and every case.

Trace through the flowchart below and you'll see how this all works out in the original DPA 2018 (the one that is in effect today):

Flowchart 1 – Pre-Brexit Chapter 5 - 3rd Country Transfers

Part 3 Chapter 5 of the DPA 2018 lays out a number of legal ways in which data can be transferred to recipients in the EU, or to both Law Enforcement and non-Law Enforcement recipients anywhere in the world.

In real terms, however, it also makes routine offshoring or transfer of LE personal data to non-Law Enforcement recipients outside the EEA completely impractical – at least for any routine day-to-day activity like offshoring your email, case management services or evidence stores.

It is still legal to do so, but the complexities of doing so – specifically the 'case-by-case' and 'strictly necessary' tests, plus the need to notify the ICO of what data is transferred and your justification for doing so – kill it stone dead for all practical purposes.

Now here is the big problem: this is exactly what a lot of Police Forces (and other CJS orgs) already do today, and it is also an inevitable outcome of using many Software as a Service packages such as Office 365, Gmail or services like Evidence.com – they all result in non-EEA data transfers to some degree.

Not everyone is wholly transparent about the extent to which data may be transferred overseas, and the way they write their policies and T&Cs is often open to being read as positively supporting anyone who wants to believe that their data is safely in the EEA.

Some, however (like Microsoft), are actually really clear on this if you read all the information they publish – they will transparently tell you that they will transfer your data internationally to provide and support their services, and that this might even include countries which do not have EU adequacy assessments; although they DO commit to storing your data in the UK when it is 'at rest'.

Many people read the second part of that commitment and then wrongly extend it to the 'whole cloud' – which is not true; so read what cloud providers tell you carefully and exactly.

Let me be clear here (just in case anyone thinks I am Microsoft bashing): Microsoft's services are absolutely state of the art in cloud terms – there is nothing wrong with them for the vast majority of users wanting to process personal data. However, it is YOUR responsibility as a Data Controller to ensure you comply with the laws under which you are allowed to operate. That is what the whole "cloud shared responsibility model" is all about.

This isn't, therefore, a Microsoft (or Google or AWS) problem; nor indeed is it an NPCC or Home Office matter to resolve (and they really can't, for different reasons…) – it is strictly an issue for each individual Police Force to manage.

This is therefore a massive problem for UK Law Enforcement as a whole – and in particular for Policing, which clearly wants to make use of common cloud technologies and thus send data outside the EEA.

N.B. I'm going to write another article shortly about the recent Dutch and Swedish Government reviews of cloud services in respect of GDPR compliance – if you process personal data in a public cloud you'll want to read that one, and I'll link to it here when it's done to make it easier to find and read.

But wait a second…

Didn't I tell you up front that the Act has just been changed anyway? So what does it say NOW?

Great question – it shows you're reading along and following the impact of this problem. Sadly, if you are a Law Enforcement org (a Competent Authority) your world is about to get even more complex and restrictive than the model above (it's also going to seriously impact some CJS IT providers – be they cloud or traditional in nature – so you should read what follows carefully and impact assess it).

The DPPEC Regs are the means by which the UK government has re-aligned the DPA 2018 to a post-Brexit world. Mostly this is a big find-and-replace exercise of "EU Member State" with "United Kingdom", but it also changes the flowchart above really significantly.

Under the DPPEC, every country in the world (including the EU Member States) is now considered a 'Third Country' to the UK.

This means that whereas in the past transfers to non-LE organisations located in non-EU countries were horrendously hard, now ALL transfers to ALL countries will suffer much greater overheads, and transfers even to EU-based non-LE organisations will require you to tell the ICO what you sent, why and when – it essentially applies the same tough regime we had in Flowchart 1 to anywhere outside the UK.

Here’s the adjusted flowchart:

Flowchart 2 – DPPEC Regs Amended Chapter 5 'Post Brexit' - 3rd Country Transfers

Now here's the really important thing you need to recognise:

This change was originally planned to come into effect on 29th March*.

*CORRECTION – it now comes into effect no later than 31st October 2019.

Note: if the UK's exit from the EU is delayed, it is likely there will be additional legislation to delay this change too – but if the UK leaves Europe in one of the remaining No-Deal scenarios (or even if we DO get a deal), then this is still going to be the future landscape, so it's important to start work on this now. The only way this doesn't come into effect is if the UK does not in fact leave the EU and Article 50 is cancelled.

So what would this actually mean? (In simple bullet points)

  • Any process which requires transfer of data anywhere outside the UK will require you to follow Flowchart 2.
  • Any transfer of data to a Law Enforcement body in the EU (as well as any to other countries) will require a formal assessment and justification to be put in place. This needs to be documented and held ready for ICO inspection.

(It might well be a one-off exercise, and therefore not a massive overhead once it's set up if you get the right advice to help you – it will just need regular review and maintenance.)

  • Any transfer to anyone else in the EU (as well as other countries in the world) will now need to be 'strictly necessary' and done on a case-by-case basis.

Each transfer will need to be justified and reported to the ICO each time data is transferred, and unlike the bullet above this will be an ongoing, specific overhead that occurs each and every time data is considered for transfer out of the UK.

  • Use of any IT services – be they cloud or traditional – that require personal data transfer outside the UK to operate (e.g. helpdesk services, networks, EU-hosted apps – for example systems in Dublin DCs) will become tremendously hard. Potentially even too hard to operate in practice.
  • Some cloud services which were not obviously caught under the current Flowchart 1 model – for example the use of AWS European Regional services – would now be at risk if they transfer data outside the UK. This might affect projects already underway to migrate to those cloud services, including some big national programmes.

Summing Up

It is very likely that today many individual UK Police Forces (and other Competent Authorities) are not adhering to the existing Part 3 Chapter 5 provisions, because they are sending data off-shore without following the required steps.

This can be stated with some confidence because most hyperscale cloud services (and some other non-cloud IT services) require personal data to be transferred outside the EEA in order to work, and several big projects and programmes are on record as using those cloud services.

From the end of October 2019 (or at some point yet to be determined before then, as things currently stand), transfers to the EU will also fall under this much more stringent regime, and as a result many more IT services and several more cloud services will be impacted.

This is likely to affect a lot of traditional UK Police IT providers (those using EU-based help-desk or support, hosting or networks) as well as cloud providers – i.e. this isn't just a cloud problem anymore (if it ever really was).

By contrast, IT and cloud services which are wholly UK sovereign (i.e. operated by UK entities and based in the UK) are not going to be directly affected by this change.

Having said that, there are very few truly UK sovereign providers in the marketplace today; but a move to private cloud in the UK, or to other UK-based services, might be worth reconsidering now...

It may be tempting to suggest that a further Statutory Instrument might just fix all this; but actually that is both unlikely (because it would completely undermine the basis of trust for sharing data with EU Law Enforcement agencies) and complex (because it would require new primary legislation to be passed, which will take a lot of time and skill to write).

All Law Enforcement Competent Authorities need to rapidly assess their exposure to the existing DPA 2018 Act and to the changes this secondary legislation brings.

This is undoubtedly going to lead to a number of difficult discussions in many cases – especially with CTOs, Seniors and IT providers (with whom you might have contracts in place that need to be changed, and which may require specialist advice); but it has to be done, and done quickly, if you are going to get ahead of this sweep of changes.

Getting someone on hand who really understands what this means to explain it would be wise – DPOs may or may not be able to impact assess this set of changes on their own.

Anyway – next time I'm going to talk about the really serious outcomes of the Swedish and Dutch studies into cloud and the GDPR implications; then I'll try to get back to my original DPA 2018 Part 3 analysis and finish describing what the remaining Chapters say (and what they mean).

In the meantime, and as ever, any questions, etc. just message me or comment accordingly and I'll respond.

Des W. (6 years ago):

Again, essential reading.

Sudhir Gautam (6 years ago):

Great read. Thanks for the insight. Love the flowchart btw.
