Part 3.3 – Law Enforcement Processing
Here’s our third and final pass at the Law Enforcement part of this legislation. Can we transfer personal data to third countries? No, but… Yeah, but… No, but…
Chapter 5 – Transfers of Personal Data to Third Countries Etc
Section 72 – Overview and interpretation
As we have come to expect this is essentially a mini table of contents for this chapter, which is pretty much redundant info. But hey why not.
There is a sneaky little detail stating that ‘relevant authority’ in relation to a third country means transferring data to a person in that third country that has functions comparable to those of a ‘competent authority.’ Keep in mind that means more than just spy and intelligence workers. We’re talking that this could mean (we pray it doesn’t) that your personal data (read internet search history) could be transferred to a backwater cop in Mississippi.
Section 73 – General principles for transfers of personal data
Now a controller cannot transfer personal data to a third country unless the situation meets three conditions:
First that the transfer is necessary for any law enforcement purpose. Not a subset of law enforcement purposes, any of them. The definition being prevention, investigation, detection, prosecution, execution of penalties or safeguarding and prevention against threats to public security. So basically anything.
Second that there is an adequacy test on the authority or if not that then appropriate safeguards or if not that special circumstances. So basically you always can if you want to.
Third, the recipient is a relevant authority in that third country or not if they meet some very low standards.
Section 74 – Transfers on the basis of an adequacy decision
Just a check to make sure that the recipient country has a GDPR comparable level of personal data protection.
Section 75 – Transfers on the basis of appropriate safeguards
Or you could just write up a legal instrument containing appropriate safeguards and say that it’s covered. Good thing we have legal documents in the world. They have never ever been ignored.
Section 76 – Transfers on the basis of special circumstances
If all that fails you can just say that there are special circumstances.
Section 77 – Transfers of personal data to persons other than relevant authorities
The low standards that need to be met in order to pass data to non-relevant authorities are listed below:
First that the transfer is strictly necessary, without any further definition.
Second, you have to check that there aren’t other fundamental rights of the data subject that are more important than the public interest.
Third transferring the data to a relevant authority would fail to get the result.
Fourth you have to tell the recipient what the purpose of the transfer is.
Section 78 – Subsequent transfers
The third country can’t transfer the data onwards without first asking permission.
Chapter 6 – Supplementary
Section 79 – National security: certificate
So we have here that there are hall passes that can be offered up by any minister of the crown (any cabinet minister). Now, remember that Chris Grayling (Secretary of State for Transport) has had multiple articles posing the question that he could be the most incompetent member of the government.
Section 80 – Special processing restrictions
A few restrictions on transferring personal data outside the country. Mostly reminders to think about what this means and notes that you have to inform others.
Section 81 – Reporting of infringements
You gots to report your errors.
In conversation with someone about the overwhelming redundancy in this legislation and a suggestion was made that this could be being carried out on purpose to essentially enshrine most of GDPR into UK law in preparation for Brexit. That is a thought, but if so this is an extremely poor alternative to just re-writing GDPR. I’ll continue to explore this.