Investigations in England and Wales: A Practitioner's Perspective

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

There is no dedicated comprehensive cybersecurity law as such in England and Wales. Rather, there are numerous statute-based laws, underpinned by the possibility of civil actions in common law. These laws criminalise unauthorised interference with computers, including when there is an intention to commit other crimes by means of accessing computers, altering computer programs or producing ‘hacking tools’, when the result is one of serious damage to the economy, environment, national security or human welfare, or there is a significant risk of that (the Computer Misuse Act 1990 (CMA), as amended by the Serious Crime Act 2015); criminalise the interception of communications, including communications sent or received by computers (the Investigatory Powers Act 2016, Part I (IPA)); and impose obligations to protect personal data by the application of appropriate technical and organisational security measures. The three key pieces of legislation in this regard are the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and the Network and Information Systems Regulation 2018 (NISR), which implements the EU’s Network and Information Security Directive and provides state agencies with the power to lawfully interfere with personal property (Part III of the Police Act 1997 (PA) and the Intelligence Services Act 1994 (ISA)).

Computer Misuse Act 1990

In terms of the principal criminal law deterrent, the CMA, implementing the Budapest Convention on Cybercrime, provides for criminal offences on the basis that (1) a person causes a computer to perform any function with intent to secure access to any program or data held in any computer or to enable any such access to be secured, (2) the access he or she intends to secure or to enable to be secured is unauthorised and (3) he or she knows at the time when he or she causes the computer to perform the function that this is the case, then he or she is guilty of an offence. These offences are punishable by imprisonment, some carrying a maximum sentence of life imprisonment if the attack causes or creates a significant risk of serious damage to human welfare or national security.

Securing access to a computer or a program encompasses many different actions. ‘Computer’ is not defined in the CMA. Access is said to be unauthorised if it is obtained by a person other than one who has responsibility for the computer and is entitled to determine whether the act may be done, or is done without the consent of such a person.

The CMA creates further offences when unauthorised access is sought with a view to committing other offences (e.g., theft or fraud) or to impair the operation of a computer, which would include the implanting of viruses or spyware and distributed denial of service attacks. In such cases, the penalty can be up to 10 years’ imprisonment. The CMA also criminalises the obtaining, making, adapting, supplying or offering of articles to be used in committing CMA offences.

Investigatory Powers Act 2016

The IPA was introduced in response to heightened scrutiny of the surveillance activities of public authorities in the United Kingdom surrounding the government’s collection and use of communications and communications data. In essence, the IPA seeks to provide a comprehensive scheme for the use of investigatory powers by public authorities to obtain communications and communications data, undertake electronic surveillance more generally (including through ‘hacking’) and access personal data held in large data sets. The IPA aims to ensure that the requirements of the Human Rights Act 1998 and the European Convention on Human Rights are met. Broadly speaking these powers cover five areas of activity:

  • interception warrants (specific and bulk);
  • obtaining communications data (including bulk acquisition warrants);
  • retention of communications data;
  • equipment interference (including bulk equipment interference); and
  • using bulk data sets.

A further overarching element is that a telecommunications operator, either based inside or outside the United Kingdom, can be mandated to take steps to give effect to a relevant authorisation by way of a technical capability notice (TCN) (except in the case of retention of communications data or bulk data sets). In issuing a TCN, the Secretary of State must be satisfied as to its necessity and proportionality, and approval must be sought from a judicial commissioner (a newly established safeguard in the IPA). Note that although the law generally applies UK-wide, this chapter applies to the law in England and Wales only.

Further, the IPA provides the framework for oversight, for example by establishing the role of the Investigatory Powers Commissioner and the Investigatory Powers Tribunal.

General Data Protection Regulation

The GDPR applies to personal data processing carried out by organisations operating within the European Union and to those operating outside the EU that offer goods or services to individuals in the EU. It does not apply to processing carried out for law enforcement purposes (e.g., by the police or criminal courts), for national security purposes or to processing by individuals for purely domestic or household activities.

Article 5 of the GDPR stipulates that personal data must be processed in accordance with seven principles:

  • it must be processed lawfully, fairly and transparently (lawfulness, fairness and transparency principle);
  • it must not be processed in a manner that is incompatible with the specific, explicit and legitimate purposes for which it was originally collected (purpose limitation);
  • it must be limited to what is necessary in relation to the purpose for which it was collected (data minimisation);
  • it must be accurate and kept up to date (accuracy);
  • it must not be kept for longer than is necessary (storage limitation);
  • it must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality); and
  • data controllers must be able to demonstrate compliance with the principles relating to personal data processing (accountability).

A breach of the GDPR data processing principles can lead to the imposition of substantial administrative fines by the Information Commissioner’s Office (ICO). The ICO may also prosecute offenders in the criminal courts for offences under the DPA (see below) and the CMA. Those suffering damage (including distress) from breaches of the data protection legislation may seek compensation from the controller or processor concerned.

Amplifying the lawfulness, fairness and transparency principle, Article 6 of the GDPR provides six bases for the lawful processing of personal data, including, for example, consent, compliance with a legal obligation, legitimate interest and the public interest.

The GDPR also distinguishes between personal data and ‘special category’ personal data, the latter including data that identifies a person’s sexual orientation, political opinions or ethnic origin, or constitutes biometric data. Under Article 9 of the GDPR, the processing of this data is unlawful unless one of the exceptions under Article 9(2) applies, the most obvious being the presence of explicit consent (the word explicit implying a higher degree of consent than under Article 6).

The GDPR provides a comprehensive, directly effective legal mechanism for modern data handling. It stipulates penalties for breaches but allows EU Member States to restrict the scope of rights and obligations to safeguard matters such as national security, defence, public security and the prevention and detection of criminal offences. The result of these measures in the United Kingdom is found, inter alia, in the DPA.

Data Protection Act 2018

The DPA enacts the EU’s Law Enforcement Directive (LED), which regulates the processing of data by various authorities, such as the Serious Fraud Office, the Financial Conduct Authority (FCA) and the National Crime Agency (NCA). In addition, the DPA complements and amplifies the provisions of the GDPR and provides exemptions from it. Part 3 of the DPA applies to domestic processing of personal data by law enforcement. The DPA also contains provisions regarding the ICO including its enforcement powers.

Subject to particular statutory defences, the DPA criminalises certain behaviour in relation to personal data, including knowingly or recklessly obtaining or disclosing it without the consent of the controller (blagging). It also makes it an offence to retain personal data without the consent of the controller from whom it was obtained, to offer or sell ‘blagged’ personal data, to ‘reidentify’ personal data that has been de-identified (i.e., processed in such a manner that, without more, it can no longer be attributed to a particular data subject) without the controller’s consent, or to process such reidentified data.

Network and Information Systems Regulation 2018

The NISR applies to operators of essential services (e.g., water, transport and energy) and relevant digital service providers (RDSPs) (e.g., online search engines available to the public, online markets and cloud computing services). The NISR requires appropriate and proportionate technical and organisational measures to manage the risk of disruption. Incidents that have a significant effect on the continuity of an essential service must be notified to the applicable competent authority. When incidents are suspected of having a cyber­security element, operators are also strongly encouraged to contact the National Cyber Security Centre (NCSC), part of Government Communications Headquarters (GCHQ), the UK’s dedicated centre for providing advice and support for the police and private sectors.

Police Act 1997 and Intelligence Services Act 1994

Acts that would otherwise be considered breaches of law are made lawful when conducted by state agencies principally in the interests of national security, and for the prevention and detection of serious crime, in accordance with the authorisation regimes established under the IPA, the PA and the ISA.

Part III of the PA provides for authorities to interfere with property when necessary and proportionate. Authorisation may be issued by an authorising officer or with the prior approval of a judicial commissioner if the property affected is someone’s home or office premises, or if the action may result in acquiring knowledge of confidential, journalistic or legal professional privilege material.

The ISA provides a mechanism, on an application by the Security Service, Intelligence Service or GCHQ, for the Secretary of State to authorise interference with property or wireless telegraphy (subject to the requirements of necessity and proportionality).

Relevant law enforcement agencies and other bodies

The primary law enforcement agencies with responsibility for regulating and enforcing the UK’s cyber laws are the ICO and the NCA. The NCSC performs a preventative and coordination role in the event that serious incidents occur, deploying expert technical skills to mitigate the effects. When national security is at risk, the UK’s security and intelligence agencies will also be involved.

The ICO enforces the DPA and the GDPR in the civil jurisdiction and the DPA in the criminal sphere. It is also involved in the regulation of RDSPs under the NISR (see above), regulates organisations engaging in electronic marketing or using cookies,[2] and is the supervisory body for the EU Regulation relating to electronic signatures and online transactions.[3]

The law enforcement body with prime responsibility for investigating and prosecuting cyberattacks is the NCA whose National Cyber Crime Unit (NCCU) works in conjunction with the UK’s Regional Organised Crime Units, the Metropolitan Police Cyber Crime Unit and other national and international strategic partners. The NCCU tackles serious cybercrime incidents both nationally and internationally and offers technical assistance within the NCA itself and to other law enforcement agencies, including through technical interception of communications. It also gathers and coordinates intelligence of serious and organised crime using traditional policing methods such as covert human intelligence sources, undercover officers and technical interception of communications.

Voluntary disclosure of information relevant to the NCA’s functions is encouraged using the information sharing gateway created by the Crime and Courts Act 2013, which absolves informants using it from actions for breach of confidence in the United Kingdom and disapplies other restrictions on disclosure.[4] As with other offences, criminal cases prosecuted by the NCA must satisfy the Full Code Test in The Code for Crown Prosecutors,[5] meaning there must be a reasonable prospect of success and that prosecution must be in the public interest.

The functions of the NCSC including protecting critical services from cyberattacks, managing major incidents and improving underlying security through advice and guidance on threat reduction and incident management to all sectors, from individuals to large organisations and the public sector. The NCSC was given a budget of £285 million for its first five years of operation (2016–2021) and, as at November 2018, it employed approximately 850 people, around a third of whom undertook outward-facing advisory roles. It also supplements its workforce with secondees from the private sector. Despite the widespread admiration that the NCSC has attracted since its launch in October 2016, commentators have noted the risk that its resources will become overstretched as demand grows for its expertise and assistance.

In addition to the ICO, the NCA and the NCSC, other bodies have assumed secondary regulatory oversight roles for cybersecurity. For example, under Principle 11 of the FCA Handbook, regulated firms must notify the FCA of ‘material cyber incidents’ (i.e., those resulting in significant data loss affecting a large number of customers, or in unauthorised access to, or malicious software on, information and communications systems). If a firm is also registered with the Prudential Regulation Authority (PRA), it should report cyber incidents to the PRA as well.[6]

ICO enforcement

The ICO is the independent supervisory authority with responsibility for monitoring the application of the GDPR in the United Kingdom. The ICO’s tasks are enumerated in the GDPR[7] and include monitoring and enforcement, promoting awareness of the obligations of controllers and processors, and providing mutual assistance to overseas supervisory authorities.

ICO investigations may start in a variety of ways, including a complaint by a data subject, information received from other regulators [8] or when the ICO has a concern about a particular sector. The ICO may also commence investigations as a result of information provided by a whistleblower, and the ICO is a ‘prescribed person’ under the Public Interest Disclosure Act 1998, such that qualifying disclosures to the ICO (e.g., a worker’s reasonable belief that a crime has been committed or that a person is failing to comply with a legal obligation) should not give rise to any detriment to the informant at the hands of his or her employer. Between 1 April 2017 and 31 March 2018, 145 whistleblowing disclosures were made to the ICO and the regulator took further action in relation to 70 per cent of these.

The ICO’s specific enforcement powers are detailed in Parts 5 and 6 of the DPA and include the right to seek a warrant of entry and inspection when controllers or processors of personal data are suspected of failing to comply with certain GDPR provisions, or if a criminal offence under the DPA is suspected.[9] However, unless a judge is satisfied that the matter is urgent or that advance warning of the search would defeat the object of entry to the target premises, the ICO must give seven days’ notice in writing to the occupier as one of several preconditions for the issue of a search warrant.[10] Nevertheless, prudent controllers and processors will have a ‘dawn raid’ plan in place for no-notice search warrants. A dawn raid plan would include ensuring reception staff know who to contact and having an internal and external team in place to deal with the incident, including the identification of any legally privileged material that is exempt from inspection and seizure.[11]

It is a criminal offence intentionally to obstruct the ICO in the execution of a search warrant, to fail to provide reasonable assistance in the execution of a search warrant without a reasonable excuse, or to give a deliberately or recklessly false explanation of any document or other material found on the premises.[12] During the execution of a search warrant, occupiers should make careful records (and where possible take copies) of all information and systems accessed by the ICO. The ICO may exercise reasonable force when executing a search warrant.[13]

The ICO has published a Regulatory Action Policy listing its regulatory objectives, elaborating on the nature of its powers and setting out how the ICO will select appropriate regulatory activity for breaches of information rights. That Policy indicates that, as a general principle, companies that have experienced more serious breaches (e.g., when there are more severe consequences, the breach was intentional or in a case of recidivism) may expect stronger regulatory action.

Article 83 of the GDPR sets out two categories of infringement, each with different penalties. The first category carries a maximum penalty of up to 2 per cent of a business’ global annual turnover or €10 million, whichever is the greater. Included in this first category are a failure to take adequate security measures to protect personal data, failure to comply with record-keeping obligations, failure to designate a data protection officer when required to do so and failure to cooperate with the ICO. The second category of offence carries a maximum penalty of up to 4 per cent of a business’ global annual turnover or €20 million, whichever is the greater. Within this category are individual offences relating to the processing principles, the right of data subjects and obstruction of the ICO. The lists of offences in both categories are not exhaustive and may be expanded in the future.

Before issuing a penalty notice, the ICO issues a notice of intent setting out the circumstances of the breach, the ICO’s investigation findings and the proposed level of penalty. The recipient then has 21 days in which to make representations about the imposition of a penalty and its level, before the ICO reaches its final decision.

The ICO’s Regulatory Action Policy suggests that the heaviest penalties will be imposed on organisations that repeatedly and wilfully transgress their obligations and when formal regulatory action would serve as a deterrent to others. When deciding on the level of penalty to impose, the ICO will take into account aggravating factors (e.g., whether an organisation has made any financial gain as a result of the failure to report) and mitigating factors. Deliberate failure, the involvement of vulnerable victims or a poor regulatory history are likely to increase the size of the penalty.

In addition to its civil enforcement powers, the ICO may prosecute criminal offences under the DPA. These include knowingly or recklessly, and without the consent of the data controller, obtaining, disclosing or procuring the disclosure of personal data, or retaining it without the data controller’s consent after obtaining it. Similarly, it is an offence to sell or offer for sale personal data that has been obtained illegally under the DPA.[14] Anyone convicted of this type of offence may only be fined.[15] However, in November 2018, the ICO successfully prosecuted an individual for unauthorised access to personal data under Section 1 of the CMA, securing a six-month custodial sentence for the offender. Afterwards, the ICO announced a more assertive prosecutorial stance stating: ‘Members of the public and organisations can be assured that we will push the boundaries and use any tool at our disposal to protect their rights.’ [16]

Cyber investigations and legal professional privilege

Regardless of whether an investigation is internal or being undertaken by external agencies, legal professional privilege is likely to be a significant consideration, and this applies to cyber investigations as much as to any other form. Indeed in some respects, it is difficult to imagine an investigation that does not involve some element of electronic data, information technology and computer networks.

Whatever the genesis and form of a cyber investigation, it will be important for those involved to bear in mind the definitions of privilege and the complex rules that are features of it, if it is to remain intact.

In very broad terms, legal advice privilege attaches to communications between a client and a lawyer in connection with the giving or receiving of legal advice. Litigation privilege attaches to documents created for the dominant purpose of conducting existing or reasonably contemplated adversarial litigation. Crucial to establishing and maintaining either form of privilege, particularly in the face of investigations by regulators and law enforcement, are the existence of a client–lawyer (including an in-house lawyer) relationship and confidentiality. It is also important to bear in mind that, in most circumstances, privilege does not attach to pre-existing documents and cannot be conferred merely by sending such material to lawyers.

Those involved in an investigation should have the following points in mind from the earliest stages:

  • External legal counsel should be engaged promptly to ensure the requisite creation of a client–lawyer relationship. While privilege attaches to communications between a client and in-house counsel, the role of these lawyers is not always exclusively the provision of legal advice. To avoid arguments about the dominant purpose of in-house counsel’s communications, it may be prudent to engage external lawyers from the outset.
  • The nature of the advice sought should be outlined in the letter of engagement if privilege over that document is to be maintained.
  • The identity of the client should be carefully established from the outset, preferably in the letter of engagement. Legal advice privilege attaches only to communications between lawyers and a client, that is, those individuals tasked with seeking and receiving legal advice on behalf of an entity.
  • Since confidentiality is a prerequisite for the existence of privilege, care should be taken to ensure privileged material is circulated only on a need-to-know basis. Before sharing detailed information with third parties, such as insurers, non-disclosure agreements should be negotiated.
  • If privileged material is referenced at internal meetings, it may be prudent to record privileged discussions in a separate document rather than in general minutes. Similarly, warnings should be given about making manuscript notes of privileged advice that may in themselves not be privileged.
  • All legally privileged material created during the course of an investigation should be marked appropriately, for example by including the words ‘Confidential – Subject to Legal Professional Privilege’. While characterising communications in this way is not determinative of privilege, it should raise the issue in the mind of any external regulators and law enforcers involved, will assist subsequent identification and may ensure caution is exercised when disseminating communications.
  • Since litigation privilege attaches only when adversarial proceedings are in reasonable contemplation at the time a particular communication is made, careful consideration must be given to whether the facts give rise to the necessary circumstances.
  • The use of third parties (e.g., an external IT forensic team) should be carefully considered and care taken to ensure their work is protected by privilege – generally by ensuring instruction is given through external counsel appointed to advise on or handle the investigation.

Although regulators and law enforcement are not permitted to seize privileged communications when exercising their investigatory powers, there are inevitably circumstances when it is not possible to separate privileged and non-privileged material on site. In such circumstances, provision is made allowing for the uplifting and subsequent sifting of this ‘mixed material’.[17] If electronic data is seized in this way, electronic search terms are often sought to identify privileged (and relevant) material. Those advising individuals and companies whose material has been seized will wish to ensure that risk to their clients’ privilege is minimised during this process.[18]

Cyber investigations – cross-border data sharing

As the ‘third industrial revolution’ takes hold and communication technologies converge, crime too has moved online. In the context of cross-border investigations, there is now a discernible trend towards greater international sharing of information and evidence, no more so than in cyber investigations.

Recognising this, in February 2019, the UK Parliament passed the Crime (Overseas Production Orders) Act 2019 (COPOA), which envisages an expedited sharing of electronic data with countries with whom the United Kingdom has agreed a ‘designated international cooperation arrangement’ without the need for more time-consuming mutual legal assistance requests.[19] In reality, COPOA was enacted specifically to facilitate the sharing of electronic data with the United States, though there is no statutory reason why similar treaties may not be agreed with other nations. The European Commission (EC) has itself proposed a Regulation that would achieve similar cross-border measures for sharing electronic data throughout the EU. However, the UK government expressed reservations about participating on the grounds that data sharing in this way with more authoritarian Member States was thought to be undesirable, and because doing so may affect the operation of the bilateral US–UK electronic data sharing agreement, which has been under negotiation for a considerable time and was seen as more significant for UK law enforcement, especially given that the majority of service providers, including the ‘cloud’ services, are based in the United States.

Under the COPOA, UK law enforcement agencies would be able to apply to the UK courts for an order directly requiring overseas service providers to produce or grant access to electronic data for the purposes of investigating and prosecuting indictable or terrorist offences. An individual or company served with an order would normally have seven days to produce the requested data. The COPOA is expected to be brought into force early in 2020, once the US–UK agreement is finalised and the US Congress approves it.

There remain inhibitions in data sharing across borders by both individuals and corporates in the context of investigations. While UK law does not impose conditions over and above those to be found within EU law, vigilance is necessary to ensure that receipt of data from other jurisdictions is compliant with the national law of those jurisdictions (including some within the EU that impose particular additional obligations in respect of personal data).

Current cyber enforcement trends

In the wake of fierce media criticism of technology giants for driving out competition, facilitating interference with democratic processes and high-profile privacy lapses, there is mounting pressure on governments across the world to step up and increase the regulation of these companies. By giving individuals greater rights over their personal data and reinforcing these rights with heavy penalties (see above, under ‘ICO enforcement’), the GDPR has begun a process of wresting control of personal data from these organisations and restoring it to individuals.

Exemplifying this, national supervisory authorities within the EU have so far imposed 11 administrative penalties for GDPR breaches totalling almost €56 million,[20] including that given to Google by the French authorities in January 2019.[21] By contrast, GDPR-related regulatory activity in the United Kingdom has been relatively muted, the ICO having issued no notices of intent (a prerequisite for imposing a financial penalty) in the first 10 months of the GDPR being in force.

While the number of complaints about data protection breaches has increased (perhaps as a result of greater public awareness of data protection in the run-up to implementation of the GDPR), the ICO’s investigations so far have been focused on data misuse, with particular attention on valid consent and lack of transparency of data use. Given the Information Commissioner’s stated intention of working with companies to achieve regulatory compliance, it seems unlikely that minor breaches will be prioritised in the near future.

Future of UK cyber regulation and position of ‘non-state’ investigation

As media and political criticism of social media companies and other technology behemoths grows, pressure is likely to mount on the ICO to demonstrate that these organisations are not beyond the law by taking action against them. Indeed, the Information Commissioner has recently signalled that significant future regulatory activity in the United Kingdom may be anticipated, with calls for yet further regulatory powers.

Following a furore regarding the activities of campaigning groups during the 2016 EU Referendum campaign, the ICO published a report expressing the view that inferred data (i.e., data and characteristics of a person based on their online behaviour and activities) constituted personal data within its sphere of activities.[22] In February 2019, a report by the House of Commons Select Committee on the Department of Digital, Culture, Media and Sport (DCMS or DCMS Report) agreed, recommending that ‘personal data’ should be expanded by law to include inferred data.[23]

The DCMS Report found an urgent need for an independent regulator to establish clear legal liabilities for technology companies to act against harmful or illegal content on their sites. The Report recommended the development of a compulsory code of ethics, overseen by the independent regulator, setting out what constitutes harmful online content. The independent regulator would have statutory powers to monitor relevant tech companies, including requiring them to provide information. Under the proposals, fines would be imposed on technology companies and software developers for failing to meet their obligations under a code of ethics. The DCMS Report also recommended primary legislation to impose a levy on technology companies operating in the United Kingdom to help pay for the ICO to carry out its duties.

Against this backdrop, in April 2019, the UK government published a White Paper on the threat posed by online harms and its outline proposals for dealing with them.[24] The proposals include a new framework applicable to companies that provide services or tools allowing, enabling or facilitating users to share or discover user-generated content, or interact with each other online. This would affect not only social media companies but also many others, including public discussion forums, retailers inviting online product reviews and ‘below the line’ news commentary posted online.

The proposed regime would impose a statutory duty of care on organisations within its scope to take reasonable steps to keep users safe and prevent other persons coming to harm as a direct consequence of interaction with their services. This obligation would be underpinned by codes of practice issued by a regulator. To investigate and penalise breaches of the duty of care, the regulator would have a suite of familiar powers, including GDPR-level penalties. However, the White Paper also proposes more contentious measures, including disruption of business activities, blocking by internet service providers of non-compliant websites and apps, and imposing civil and even criminal liability on the senior managers of companies for the worst breaches. The government has indicated that it will bring forward draft legislation when parliamentary time allows. However, given the breadth of organisations potentially affected and the legal and practical issues attendant on imposing on them such a duty of care, it is unlikely that a parliamentary bill will be introduced swiftly.

Although relatively well resourced, UK law enforcement’s cyber capability inevitably faces practical limits on its ability to tackle increased levels of cybercrime. Just as there has been an increasing interest in private prosecutions in some other areas of crime, victims of cybercrime may wish to take active steps in the future to conduct their own cyber investigations, including ‘active defence’ (colloquially known as hacking back). However, these steps are significantly hindered in the United Kingdom by the way the law is cast. This is particularly so given how the broadly constituted ‘unauthorised access’ element of the CMA[25] works to criminalise actions even if taken to protect the rights and properties of the victim of a crime and the way in which the UK’s data protection legislation safeguards personal data. In these ways, the law provides a real barrier to an investigation by non-public entities that feel they have been wronged and have suffered damage. As a result, non-public entities are effectively limited to working with computers and data they either control or to which voluntary access is given. However, absent some common cause and data sharing agreement, voluntary access is unlikely to be forthcoming given the potential liabilities that may result, not only for those giving access but also for intermediaries facilitating it. Without being granted voluntary access to third-party data, those undertaking private investigations will need to seek the assistance of the courts to identify perpetrators of cybercrime. If those identities are in the possession of third parties, applications to the High Court for disclosure may be necessary (known as Norwich Pharmacal relief) to establish wrongdoing, which may not be a problem if harm or loss can be shown, but will still be costly and time-consuming. Alternatively, private investigators may seek the assistance of a relevant authority, which is likely to be the NCA (subject always to the NCA having a necessary criminal justice justification for acting).

Implications of Brexit for GDPR and cyber investigations

Whatever the future of the Britain’s relationship with the EU, during the UK’s withdrawal negotiations, both sides recognised the importance of data flows and the consequent need for a high level of data protection to facilitate them. By implementing the GDPR and the LED, the UK government hoped that it was in a unique position to obtain an adequacy decision from the EC, such that there should be no obstacle to unimpeded cross-Channel data flows and the UK’s £240 billion data economy should be safeguarded.

More recent pronouncements from the EC have suggested that an adequacy decision could take years to achieve, particularly given the criticism of the UK’s national security legislation, including aspects of the IPA, and that the United Kingdom will become a third country as regards data protection. Indeed, a post-Brexit UK may find itself torn between meeting the EU’s exacting standards of personal data protection and satisfying US trade negotiators who, in a summary of their specific negotiating objectives for a trade agreement with the United Kingdom, indicated hostility to the imposition of measures restricting cross-border data flows.[26] Pending an EC adequacy decision, in the absence of an agreement otherwise, EU–UK data flows will be reliant on the consent of data subjects, or on the personal data protections contained in standard contractual clauses and binding corporate rules.

An immediate consequence of the United Kingdom becoming a third country seems to be a loss of access to all information systems and databases established on the basis of EU law, including the Schengen Information System, the Europol Information System, the Secure Information Exchange Network Application platform for the sharing of sensitive and restricted data for law enforcement, the European Criminal Records Information System and the Passenger Name Records that allow for the reciprocal exchange of passenger data between EU Member States. A loss of access to these sources of data would inevitably weaken cyber investigations and law enforcement more generally.

Who will lead GDPR enforcement after Brexit?

To the extent that cyber incidents are the result of pure criminal intent and actions – for example, data theft, blackmail through ransomware or attacks on the critical national infrastructure for ideological reasons or to demonstrate the technical prowess of the attacker or security weaknesses – it is anticipated that investigations will continue to be undertaken by the NCA supported by the NCSC and its links with the intelligence community nationally and internationally. It is hard to assess how potential barriers that might arise from the UK’s departure from the EU will affect the capacity to obtain evidence and efficiently pursue lines of enquiry given the strong links that undoubtedly exist with overseas law enforcement. This capability traditionally lay outside the ambit of EU law, something perhaps reinforced by the notable reticence of the United Kingdom to accept EU jurisdiction in the law enforcement field in view of it having opted out in the sphere of justice and home affairs.

More directly concerning personal data, and reflecting the intentions set out in the political declaration agreed between the United Kingdom and the EC as part of the UK’s EU withdrawal negotiations, the ICO has confirmed that ‘[u]ntil exit date, we will continue to work with EU data protection authorities in the European Data Protection Board (EDPB) on GDPR guidelines at European level. However, post exit the ICO will only regulate the UK regime. We intend to maintain close links and cooperation with European supervisory authorities (who will have oversight where the EU regime applies)’.

However, close links and regulatory cooperation should not be assumed. After Brexit, the ICO will no longer be a party to data sharing and mutual assistance protocols under the GDPR. It is possible that, once the ICO is no longer a designated supervisory authority under the GDPR, friction could arise between the ICO and supervisory authorities in other jurisdictions as regards who should lead investigations into data infringements. Given the degree of cooperation envisaged by both the UK and EC negotiators during the withdrawal talks, and in light of the mutual assistance that has previously taken place between the ICO and other EU supervisory authorities, it is hoped that a memorandum of understanding will be agreed to prevent the risk of a regulatory stand-off developing.


1 Michael Drury and Julian Hayes are partners at BCL Solicitors LLP.

2 Through the Privacy and Electronic Communications (EC Directive) Regulations 2003 No. 2426.

3 Electronic Identification and Trust Services for Electronic Transactions Regulations 2016.

4 Crime and Courts Act 2013, Section 7(1).

5 ‘The Code for Crown Prosecutors’, The Crown Prosecution Service, at

6 ‘Cyber resilience’, Financial Conduct Authority, at

7 General Data Protection Regulation, Articles 57 and 58 respectively.

9 Data Protection Act 2018 [DPA], Section 154 and Schedule 15.

10 DPA, Schedule 15, para. 4.

11 ibid., para. 11.

12 ibid., para. 15.

13 ibid., para. 7.

14 DPA, Section 170.

15 ibid., Section 196.

16 ‘Six month prison sentence for motor industry employee in first ICO Computer Misuse Act prosecution’, Information Commissioner’s Office [ICO], available at

17 Criminal Justice and Police Act 2001, Part 2.

18 R (McKenzie) v. Director of the Serious Fraud Office [2016] EWHC 102 (Admin).

19 Crime (Overseas Production Orders) Act 2019, Section 4(2).

20 European Data Protection Board, ‘First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities’, available at (page 13).

21 ‘The CNIL’s restricted committee imposes a financial penalty of 50 million euros against Google LLC’, Commission Nationale de l’Informatique et des Libertés, available at

22 Democracy Disrupted – Personal information and political influence, ICO, published July 2018.

23 ‘Disinformation and ‘fake news’: Final Report’ (Section 2: Use of personal and inferred data), available at

25 See Computer Misuse Act 1990, Sections 1 and 2.

26 Executive Office of the President of the United States Trade Representative, ‘United States-United Kingdom Negotiations: Summary of Specific Negotiating Objectives’, February 2019, available at _U.S.-UK_Negotiating_Objectives.pdf (page 6).

Unlock unlimited access to all Global Investigations Review content