The UK government has introduced its Data Use and Access Bill (DUAB) to Parliament, but proposed reforms to police data protection rules could undermine law enforcement data adequacy with the European Union (EU).
Currently going through the committee stage of parliamentary scrutiny, the DUAB will amend the UK's implementation of the EU Law Enforcement Directive (LED), which is transposed into law via the current Data Protection Act (DPA) 2018 and represented in Part Three of the DPA, specifically.
In combination with the current data handling practices of UK law enforcement bodies, the bill's proposed amendments to Part Three – which include allowing the transfer of data to offshore cloud providers, removing the need for police to log justifications when accessing data, and enabling police and intelligence services to share data outside of the LED rules – could present a challenge for UK data
In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, but warned the decision may yet be revised if future data protection laws diverge significantly from those in Europe.
While Computer Weekly's previous reporting on police hyperscale cloud use has identified major problems with the ability of these services to comply with Part Three, the government's DUAB changes are seeking to solve the issue by simply removing the requirements that are not being complied with.
For example, the DPA 2018 does allow for overseas transfers to “non-law enforcement recipients”, but only if the data controller can show it is strictly necessary to do so. This means information can only be sent on a case-by-case basis for specific, limited purposes when there is no other, less intrusive means of achieving the same goal.
However, in June 2024, Computer Weekly confirmed that UK policing data uploaded to Microsoft services is routinely sent offshore for some forms of processing, while IT support is provided on a global “follow-the-sun” model.
To circumvent the lack of compliance with these transfer requirements, the government has simply dropped them from the DUAB, meaning policing bodies will no longer need to assess the suitability of the transfer or report it to the data regulator.
Commenting on the transfer issue during a DUAB debate in the House of Lords, Liberal Democrat peer Tim Clement-Jones highlighted how, as it stands, cloud service providers routinely process UK, and are unable to provide necessary contractual guarantees to policing bodies as required by Part Three: “As a result, their use for law enforcement data processing is, on the face of it, not
He added: “The government's attempts to change the law highlight the issue and suggest [General Data Protection Regulation] and the DPA.”
Through the DUAB, the government has also expanded the list of lawful recipients to now include “a processor with processing… is governed by, or authorized in accordance with, controller that complies with Section 59”, which outlines key elements that must be contained in any contract between a law enforcement controller and processor.
This includes specific details of the exact types of data, the categories of data subjects and the specific purpose of the processing, as well as extensive guarantees from the processor about how it will comply with all the requirements of Part Three.
However, given the international nature of the data sharing that takes place aspects of Part Three.
As Microsoft told the Scottish Police Authority (SPA), in relation to its Azure-hosted digital evidence sharing capability, the company “cannot accept specific consent [to transfer data internationally] on a case-by-case basis as this would be impossible to operationalise”.
All of this effectively means that under the DUAB, the data can be routinely offshore
Similarly, while the LED provided a five-year grace period to ensure all legacy police systems could record justification logs for where a particular piece of information has systems procured after May 2016 were required to have this capability from the start – most policing systems in the UK still do not have this capability.
Instead, the UK government has simply removed the need to record these justifications, arguing that the change will save police time and that the data has little evidentiary value record an honest justification anyway.
According to Owen Sayers – a long-term commentator on DPA Part Three compliance issues with more than 25 years of experience in delivering secure solutions to policing and the wider criminal justice sector – changing the law in this way will permanently diverge UK law from the LED requirements.
He added that while UK police have been breaking the law in practice since the DPA came into effect in May 2018, the law they were breaking was at least aligned to those in the European Union.
“Even though processing (even if no one actually did so),” he said.
“Once DUAB comes into force, however, the landscape has totally changed. Not only citizens) offshore to a range of countries not deemed adequate by the EU, but UK law will have changed to make it legal for them to do so.
“By making these changes under DUAB, the government have thrown into sharp relief AWS this special status.”
Computer Weekly contacted the Home Office about the threat to the UK's LED adequacy created by the government's proposed changes to the law enforcement data protection regime.
“We have introduced some targeted amendments in the Data Use and Access Bill to improve public trust and to drive up law enforcement efficiency by simplifying the legislation. Adequacy and had the UK's adequacy decisions in mind when producing this bill,” said a spokesperson. “Any changes to our data protection regime must not come at the expense of security, and high standards of protection will continue to be applied.”
A Home Office source told Computer Weekly that the use of cloud providers in particular has caused some confusion, and that measures contained within the bill are intended to give law enforcement the confidence to use cloud processors. However, they said the use of cloud services must not come at the expense of security and high standards of protection will continue to be applied.