Investigations in England and Wales: A Practitioners’ Perspective
This is an Insight article, written by a selected partner as part of GIR's co-published content.
England and Wales has no single corpus of cybersecurity law; instead, cybersecurity is regulated by a patchwork of statutes and the common law. These laws operate to criminalise both unauthorised interference with computers (Computer Misuse Act 1990 (CMA)) and the interception of communications (Investigatory Powers Act 2016 (IPA), Part 1 and Wireless Telegraphy Act 2006 (WTA)); to impose obligations to protect personal data through the application of appropriate technical and organisational security measures (United Kingdom General Data Protection Regulation (the UK GDPR), Data Protection Act 2018 (DPA) and Network and Information Systems Regulations 2018 (NISR)); and to authorise state agencies to interfere with personal property (Police Act 1997 (PA), Part III and Intelligence Services Act 1994 (ISA)).
Computer Misuse Act 1990
The CMA is the principal criminal law deterrent to computer interference. Its basic criminal offence is committed where (1) a person causes a computer to perform any function with the intent to secure access to any program or data held in any computer, or to enable any such access to be secured, (2) the access the person intends to secure or to enable is unauthorised, and (3) the person knows at the time of causing the computer to perform the function, that this is the case.[2]
Securing access to a computer (which is not defined in the CMA[3]) or a program encompasses many different actions, including using the computer or data, altering or erasing data, or copying or moving data.[4] Access is unauthorised if it is obtained by a person who is not entitled to control access to the program or data and is done without the consent of such a person.[5] There is no ‘public interest’ defence for unauthorised access.[6]
The CMA creates further offences where unauthorised access is sought with a view to committing other offences (e.g., theft or fraud)[7] or to impair the operation of a computer,[8] which would include implanting viruses or spyware and distributed denial-of-service (DDoS) attacks. The CMA also criminalises the obtaining, making, adapting, supplying or offering of articles for use in committing CMA offences.[9] The most serious offence under the CMA is committed if (1) a person carries out any unauthorised act in relation to a computer, (2) at the time of carrying out the act, the person knows that the act is unauthorised, (3) the act causes or creates a significant risk of serious damage of a material kind and (4) the person intends to cause serious damage of a material kind or is reckless as to whether damage is caused.[10] For the purposes of this offence, damage is of a ‘material kind’ if it constitutes damage to human welfare or the environment in any place, to the economy of any country, or to any country’s national security.[11]
Prosecutions for computer misuse offences are infrequent,[12] with Crown Prosecution Service guidance stating that when a CMA offence is committed to facilitate a more serious offence (such as fraud or blackmail), prosecutors should consider charging only the more serious offence.[13]
In February 2023, the Home Office launched a consultation on possible amendments to the CMA as part of its national cyber strategy.[14] Proposals include increased penalties for existing offences, a new offence of possessing illegally obtained data, the introduction of a statutory defence for those protecting the United Kingdom in cyberspace, who might otherwise technically commit an offence, and introducing new powers for law enforcement agencies to require the preservation of data and to seize domain names and internet protocol addresses used for criminal purposes.
Investigatory Powers Act 2016
The IPA was introduced in response to heightened scrutiny of the surveillance activities of UK public authorities, including the collection and use of communications and communications data. The IPA provides a comprehensive framework for public authorities to obtain communications and communications data, undertake electronic surveillance more generally (including through hacking) and access personal data held in large data sets. The powers provided by the IPA cover five primary areas of activity:
- interception warrants (specific and bulk);
- obtaining communications data (including bulk acquisition warrants);
- retention of communications data;
- equipment interference (including bulk equipment interference); and
- using bulk data sets.
A telecommunications operator,[15] whether based within or outside the United Kingdom, can be mandated to take steps to give effect to a relevant authorisation by way of a technical capability notice (TCN)[16] (except in the case of retention of communications data or bulk data sets). When issuing a TCN, the Secretary of State for the Home Department must be satisfied as to its necessity and proportionality,[17] and approval must be sought from an independent judicial commissioner.[18]
The IPA provides the framework for oversight, which includes establishing the Investigatory Powers Commissioner and the Investigatory Powers Tribunal.[19] It also aims to ensure compliance with the Human Rights Act 1998 and the European Convention on Human Rights.
The Annual Report of the Investigatory Powers Commissioner 2021 highlighted concern about the key statutory definitions of ‘telecommunications operator’ and ‘communications data’.[20]
In February 2023, the Home Office published a statutory report on the operation of the IPA, which signalled forthcoming updates to the key statutory definitions of ‘telecommunications operator’ and ‘communications data’ to keep pace with technological developments.[21]
Wireless Telegraphy Act 2006
Where ‘bugging’ would not already be caught by the prohibition on unlawful interception contained in the IPA, it may nevertheless be criminalised by the WTA if wireless telegraphy apparatus is used without lawful authority and with the intention of obtaining information about the sender, content or addressee of a message, or where information obtained in this way is disclosed.[22] The use of hidden recording devices for covert surveillance may be caught by these provisions.
UK General Data Protection Regulation
When the United Kingdom exited the European Union, the government incorporated the EU General Data Protection Regulation (GDPR) into domestic legislation, creating the UK GDPR, and implemented a series of amendments by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419. Despite this, the United Kingdom’s data protection regime has remained largely unchanged from the GDPR, so much so that on 28 June 2021, the European Commission (EC) adopted a data protection ‘adequacy decision’ in favour of the United Kingdom under the GDPR, albeit subject to a four-year ‘sunset clause’, after which adequacy may be renewed if the United Kingdom ‘continues to ensure an adequate level of data protection’.[23] The EC reserved the right to intervene at any point if the United Kingdom deviates from the level of protection currently in place.
The UK GDPR applies to the processing of personal data by both organisations operating within the United Kingdom and those operating outside the United Kingdom that offer goods or services to individuals in the United Kingdom.[24] It does not apply to processing by ‘competent authorities’ (e.g., the police, National Crime Agency (NCA),[25] HM Revenue and Customs or the Serious Fraud Office) for law enforcement purposes, by the intelligence services or by individuals for purely domestic or household activities.[26]
Article 5 of the UK GDPR stipulates that personal data must be processed in accordance with seven principles, namely:
- lawfulness, fairness and transparency: it must be processed lawfully, fairly and transparently;
- purpose limitation: it must not be processed in a manner that is incompatible with the ‘specific, explicit and legitimate purposes’ for which it was originally collected;
- data minimisation: it must be limited to what is necessary in relation to the purpose for which it was collected;
- accuracy: it must be accurate and kept up to date;
- storage limitation: it must not be kept for longer than is necessary;
- integrity and confidentiality (security): it must be processed in a manner that ensures ‘appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage’, using appropriate technical or organisational measures; and
- accountability: data controllers must be able to demonstrate compliance with the principles relating to personal data processing.
Breaches of these principles can lead to the Information Commissioner’s Office (ICO) imposing substantial administrative fines. The ICO may also bring prosecutions for DPA and CMA offences (see below). Those suffering damage (including distress) from breaches of the data protection legislation may seek compensation from the controller or processor concerned. There have been relatively few reported decisions about the appropriate level of damages for distress claims, although awards of £250 may be made for cases ‘at the lowest end of the spectrum’.[27]
Amplifying the lawfulness, fairness and transparency principle, Article 6 of the UK GDPR provides six bases for the lawful processing of personal data, including consent, compliance with a legal obligation, legitimate interest and the public interest.
The UK GDPR also distinguishes between personal data and ‘special category’ personal data, the latter including data identifying a person’s sexual orientation, political opinions or ethnic origin, health data or biometric data.[28] Under Article 9, the processing of these types of data is unlawful unless one of the exceptions in Article 9(2) applies, one of which is explicit consent (the word explicit implying a higher degree of consent than under Article 6).
The UK GDPR provides a comprehensive legal mechanism for modern data handling but allows for the restriction of the scope of rights and obligations to safeguard matters such as public security and the prevention and detection of crime.
In July 2022, the government introduced the Data Protection and Digital Information Bill (DPDIB) to Parliament but subsequently withdrew it to allow for further consultation. In March 2023, the DPDIB was reintroduced with slight modifications, aiming to create a pro-growth and pro-innovation data protection framework with fewer regulatory burdens on organisations. If enacted, the fundamental principles of the current UK data protection regime would remain the same. Changes would include restricting the scope of ‘personal data’, providing a list of recognised ‘legitimate interests’ that would automatically meet the lawful processing threshold (including processing for the detection, investigation or prevention of crime), widening the grounds for refusing subject access requests and amending the approach to international data transfers.
Data Protection Act 2018
The DPA, as amended by Schedule 2 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419, regulates the processing of data by ‘competent authorities’ and complements, amplifies and provides exemptions to the UK GDPR. The DPA additionally contains provisions concerning the ICO, including its enforcement powers.
Subject to statutory defences, the DPA criminalises certain behaviour in relation to personal data, including knowingly or recklessly obtaining or disclosing it without the consent of the controller (known as blagging). It also makes it an offence to (1) retain personal data without the consent of the controller from whom it was obtained, (2) offer or sell blagged personal data, (3) ‘re-identify’ de-identified (i.e., anonymised or pseudonymised) personal data without the controller’s consent or (4) process re-identified data.[29]
Network and Information Systems Regulations 2018
The NISR apply to operators of essential services[30] (e.g., water, transport and energy) and relevant digital service providers (RDSPs)[31] (e.g., online search engines available to the public, online markets and cloud computing services). The NISR require appropriate and proportionate technical and organisational measures to manage the risk of disruption. Incidents significantly affecting essential service continuity must be notified to the applicable competent authority[32] and it is recommended that the National Cyber Security Centre (NCSC) is contacted when incidents are suspected of having a cybersecurity element. Having recognised a potential supply chain risk to critical national infrastructure, the government has proposed bringing important digitally managed service providers within the scope of the NISR, thereby ensuring that they are protected by appropriate and proportionate security measures.[33] The changes to the NISR are expected as soon as parliamentary time allows and are anticipated to take effect in 2024.
Police Act 1997 and Intelligence Services Act 1994
Actions that would otherwise be considered unlawful are permitted when carried out by state agencies in the interests of national security, and for the prevention and detection of serious crime, in accordance with the various authorisation regimes established under the IPA, the PA and the ISA.
Part III of the PA permits authorities to interfere with property when it is necessary and proportionate. Authorisation may be issued by an authorising officer; however, when the property affected is someone’s home or office premises, or when there is knowledge that confidential, journalistic or legal professional privilege material is likely to be acquired, prior approval of a judicial commissioner is required.
The ISA provides a mechanism, on an application by intelligence agencies, for the Secretary of State for the Home Department to authorise interference with property or wireless telegraphy (subject to the requirements of necessity and proportionality).[34]
Relevant law enforcement agencies and other bodies
The NCSC[35] performs both a preventative and an incident response function, deploying expert technical skills to mitigate the effects of serious cybersecurity incidents. Its primary responsibilities under the UK government’s 2022 National Cyber Strategy[36] are to:
- take direct action to reduce cyber harms to the United Kingdom;
- advise UK individuals, businesses and organisations on minimising cyber risk;
- provide authoritative technical input to government cyber policy and regulation;
- protect critical information and services on which UK military and national security bodies rely; and
- promote the development of cyber skills and investment in the cyber sector.
The NCSC’s work is complemented by that of the National Cyber Force (NCF), established in 2020, which is responsible for countering, disrupting and degrading threats to the United Kingdom or its allies. The NCF draws on the resources of Government Communications Headquarters (GCHQ), the Ministry of Defence, the Defence Science and Technology Laboratory and the Secret Intelligence Service for the purposes of preventing serious crime and launching offensive cyber operations. In April 2023, the NCF published details of its operational principles and approach, emphasising accountability, precision and calibration in its activities.[37]
The ICO[38] enforces the DPA and the UK GDPR through both administrative and civil means, and by bringing criminal prosecutions for DPA offences. Additionally, the ICO regulates RDSPs under the NISR (see above) and organisations engaging in electronic marketing or using cookies,[39] and is the supervisory body for the regulations relating to electronic signatures and online transactions.[40]
The NCA is the law enforcement body with primary responsibility for investigating and prosecuting cyberattacks. It operates within the United Kingdom’s National Cyber Crime Network (an integrated nationwide system operating at national, regional and local levels). The NCA’s National Cyber Crime Unit (NCCU) tackles serious cybercrime incidents, both nationally and internationally, and offers technical assistance within the NCA itself and to other law enforcement agencies, including through technical interception of communications. The NCCU also gathers and coordinates intelligence about serious and organised crime using traditional policing methods, such as covert human intelligence sources, undercover officers and technical interception of communications. The NCCU works in conjunction with the United Kingdom’s regional organised crime units (ROCUs), the Metropolitan Police Cyber Crime Unit and other strategic partners to tackle serious and organised crime, including cyberattacks. The NCCU and ROCUs are complemented by local cyber crime units embedded within each police force.
Voluntary disclosure to the NCA of information relevant to its functions is encouraged through the use of the information sharing gateway created by the Crime and Courts Act 2013, which absolves informants using it from actions for breach of confidence in the United Kingdom and disapplies other restrictions on disclosure.[41] As with other offences, criminal cases prosecuted by the NCA must satisfy the Full Code Test in The Code for Crown Prosecutors,[42] meaning there must be a reasonable prospect of conviction and any prosecution must be in the public interest.
Other bodies have assumed secondary regulatory oversight roles for cybersecurity. For example, Principle 11 of the Financial Conduct Authority (FCA) Handbook requires regulated firms to notify the FCA of ‘material cyber incidents’ (i.e., those resulting in significant data loss affecting a large number of customers, or unauthorised access to, or malicious software on, information and communications systems).[43] Similar notification requirements apply to firms regulated by the Prudential Regulation Authority.[44]
ICO enforcement regime
The ICO’s role is described in the UK GDPR,[45] and includes monitoring and enforcement, promoting awareness of controller and processor obligations, and providing mutual assistance to overseas supervisory authorities.
In 2022, the ICO published a strategic plan identifying several high-level objectives to focus on until 2025.[46] This was accompanied by a regulatory approach document describing how the ICO would select, prioritise and take regulatory action.[47] In the same year, the ICO consulted on a draft Regulatory Action Policy (RAP)[48] and accompanying statutory guidance.[49] The RAP details the ICO’s prioritisation framework, balancing the likely effects of action and alignment with strategic priorities against the likelihood of success, legal, financial and reputational risk and the availability of resources.
The RAP contains a non-exhaustive list of factors for consideration when responding to breaches of information rights, with the statutory guidance setting out the ICO’s risk-based approach, whereby it will focus on areas posing the highest risk and the potential for most harm. The RAP addresses the ICO’s use of information, assessment and enforcement notices, and the methodology of calculating penalty notices.
The ICO’s specific enforcement powers are detailed in Parts 5 and 6 of the DPA and include the right to seek a warrant of entry and inspection where controllers or processors of personal data are suspected of failing to comply with certain UK GDPR provisions, or where a DPA offence is suspected.[50] A warrant may only be granted if a judge is satisfied that the matter is urgent or that advance warning would undermine the search. In all other cases, the ICO must give seven days’ written notice to the occupier as one of several preconditions for the issue of a search warrant.[51] Prudent controllers and processors will have a ‘dawn raid’ plan in place for ‘no-notice search warrants’, which would include ensuring that reception staff know who to contact and having an internal and external team in place to deal with incidents, including the identification of legally privileged material that is exempt from inspection and seizure.[52]
It is a criminal offence to intentionally obstruct the ICO in the execution of a search warrant, to fail to provide reasonable assistance in the execution of the search warrant without a reasonable excuse, or to give a deliberately or recklessly false explanation of any document or other material found on the premises.[53] During the execution of a search warrant, occupiers should make careful records (and, where possible, take copies) of all information and systems accessed by the ICO. The ICO may exercise reasonable force when executing a search warrant.[54]
Article 83 of the UK GDPR sets out two categories of infringement, each with different penalties. The first category carries a maximum penalty of 2 per cent of global annual turnover or £8.7 million, whichever is the greater. Included in this first category is failure to (1) take adequate security measures to protect personal data, (2) comply with record-keeping obligations, (3) designate a data protection officer when required to do so and (4) cooperate with the ICO. The second category of infringement carries a maximum penalty of 4 per cent of global annual turnover or £17.5 million, whichever is greater. Within this category are individual offences concerning the processing principles, the rights of data subjects and obstruction of the ICO.[55]
Before issuing a penalty notice, the ICO must serve a notice of intent, setting out the circumstances of the breach, the findings of its investigations and the proposed level of penalty. The recipient has 21 days to make representations about the imposition of a penalty and its level, prior to the ICO’s final decision.[56] A recipient may appeal a penalty notice to the First Tier Tribunal (Information Rights Chamber).[57] In addition to its civil enforcement powers, the ICO may prosecute DPA offences.[58] A separate Prosecution Policy Statement contains the ICO’s guidelines for prosecuting criminal offences.[59] As DPA offences are non-custodial,[60] the ICO has sometimes prosecuted individuals for imprisonable CMA offences.[61]
ICO enforcement activity
The majority of financial penalties imposed by the ICO have been for breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003/2426, whereas the regulator has used fines for breaches of the UK GDPR sparingly, issuing only five such penalties in 2022.[62] Where the ICO has initially signalled an intention to impose multimillion-pound penalties for UK GDPR breaches, the final penalties have frequently been reduced[63] in line with the modified approach adopted by a number of regulators to account for the economic effects of the coronavirus pandemic,[64] and they have been significantly lower than those imposed by other European data supervisory authorities.[65] The ICO has downplayed the significance of financial penalties as a measure of regulatory success, instead emphasising a graduated, transparent and accountable approach to non-compliance,[66] as reflected by its decision to publish all reprimands issued from January 2022 onwards unless there is good reason not to.
From June 2022, the ICO is trialling a ‘partnership approach’ to encourage data protection compliance within the public sector, under which financial penalties will be imposed only in the most egregious cases. The ICO will use its discretion to reduce financial penalties where they would merely drain public funds, instead issuing public reprimands and enforcement notices more frequently.[67]
To reduce the data compliance burden on businesses, from February 2023, the ICO will not normally penalise electronic communications service providers for failing to notify a personal data breach within 24 hours of becoming aware of it. Instead, reports must be made to the ICO within 72 hours, consistent with the reporting timescale under the UK GDPR.[68]
Non-state authority investigations
Although relatively well resourced, UK law enforcement’s cyber capability inevitably faces practical limits in tackling increasing levels of cybercrime. With the number of private prosecutions for all manner of offences increasing, future victims of cybercrime who have the resources may wish to conduct their own investigations, including ‘active defence’ (colloquially known as ‘hacking back’). UK law currently obstructs this approach: the consent of the DPP is required for a DPA prosecution not brought by the ICO,[69] and the ‘unauthorised access’ element of the CMA is of sufficient breadth to criminalise hacking back, even when undertaken to protect the rights and properties of those affected. Consequently, non-public entities are limited to working with computers and data in their control, or to which voluntary access is given. Voluntary access may be unlikely, given the potential liabilities for both those giving access and the intermediaries facilitating it.
Without voluntary access to third-party data, private investigators will need to seek the assistance of the courts in the form of Norwich Pharmacal orders (NPOs),[70] obliging innocent third parties entangled in the wrongdoing to disclose the identity of perpetrators of cybercrime. Recent changes to the Civil Procedure Rules have made it easier to serve NPOs on foreign entities but this may be costly and time-consuming. Alternatively, private investigators may seek the assistance of the relevant authorities, most likely the NCA (subject to the NCA having a necessary criminal justice justification for acting).
Privileged investigations in the United Kingdom
Whenever investigations are undertaken, legal professional privilege (comprising legal advice privilege and litigation privilege) is likely to be a consideration and, in some respects, it is difficult to imagine an investigation that does not involve some element of electronic data, information technology and computer networks. Whatever the genesis and form of a cyber investigation, it will be important to bear in mind the definitions of privilege and the complex rules that are features of it.
In very broad terms, legal advice privilege attaches to communications between a client and a lawyer in connection with the giving or receiving of legal advice. Litigation privilege attaches to documents created for the dominant purpose of conducting existing or reasonably contemplated adversarial litigation (here, privilege may extend to third parties as well as clients and lawyers). Crucial to establishing and maintaining either form of privilege, particularly in the face of investigations by regulators and law enforcement, are the existence of client–lawyer (including in-house lawyer) relationships and confidentiality of documentation. In most circumstances, privilege does not attach to existing documents or non-privileged email attachments merely by sending such material to lawyers.
Those involved in an investigation should have the following points in mind from the earliest stages:
- External legal counsel should be engaged promptly to ensure the requisite creation of a client–lawyer relationship. Although privilege attaches to communications between a client and in-house counsel, the role of in-house lawyers is not always exclusively the provision of legal advice. To avoid arguments about the dominant purpose of in-house counsel’s communications, it may be prudent to engage external lawyers from the outset.
- The nature of the advice sought should be referred to in outline in the letter of engagement if privilege over that document is to be maintained.
- The identity of the ‘client’ should be carefully established from the outset, preferably in the letter of engagement. Legal advice privilege attaches only to communications between lawyers and a client (or a client’s agent in certain circumstances), that is, those individuals tasked with seeking and receiving legal advice on behalf of an entity.
- Since confidentiality is a prerequisite for the existence of privilege, care should be taken to ensure privileged material is held separately from non-privileged material and is circulated only on a need-to-know basis. Before sharing detailed information with third parties, such as insurers, non-disclosure agreements should be negotiated.
- Where privileged material is referenced at internal meetings, it may be prudent to record privileged discussions in a separate document rather than in general minutes. Similarly, warnings should be given about making manuscript notes of privileged advice that may in themselves not be privileged.
- All legally privileged material created during the course of an investigation should be marked appropriately, for example by including the words ‘Confidential – Subject to Legal Professional Privilege’. While characterising communications in this way is not determinative of privilege, it should raise the issue in the mind of any external regulators and law enforcement agencies, will assist subsequent identification, and may ensure that caution is exercised when disseminating communications.
- Since litigation privilege attaches only where adversarial proceedings are in reasonable contemplation at the time a particular communication is made, careful consideration must be given to whether the facts give rise to the necessary circumstances.
- The use of third parties (e.g., an external IT forensic team) should be carefully considered and care must be taken to ensure their work is protected by privilege – generally by ensuring instruction through external counsel appointed to advise on or handle the investigation.
Although regulators and law enforcement agencies are not permitted to seize privileged communications, when exercising their investigatory powers, there are inevitably circumstances in which it is not possible to separate privileged from non-privileged material onsite. In such circumstances, provision is made that allows for the uplifting and subsequent sifting of such ‘mixed material’.[71] Where electronic data is seized in this way, electronic search terms are often sought to identify privileged (and relevant) material. Those advising individuals and companies whose material has been seized will wish to ensure that any risk to their clients’ privilege is minimised during this process.[72]
Cyber investigations – cross-border data sharing
In the context of cross-border investigations, there is now a discernible trend towards greater international sharing of information and evidence, nowhere more so than in cyber investigations.
Recognising the importance of international cooperation in tackling cross-border crime, the United Kingdom and the United States signed a Data Access Agreement (DAA) in 2019, which expedited the acquisition of electronic data from each other’s law enforcement agencies, thus overcoming the lengthy delays experienced with mutual legal assistance requests.[73] In the United Kingdom, the Crime (Overseas Production Orders) Act 2019 (COPOA) was enacted to facilitate the DAA.
Under the COPOA, appropriate officers of law enforcement agencies, including the Serious Fraud Office, the FCA and HM Revenue and Customs, may apply to the respective crown court for an order directly requiring overseas service providers to produce or grant access to electronic data for the purposes of investigating and prosecuting indictable or terrorist offences.[74] Respondents must be given notice of applications unless the court directs otherwise, allowing for representations on the scope of the application, and practicality of compliance prior to an order being made. Recipients of an order must produce the data within a specified time frame or risk facing contempt proceedings.[75] Further procedural details may be found in the Criminal Procedure Rules.[76] The DAA has been operational since October 2022.[77]
Cyber regulatory trends
Governments around the world have been developing a stricter, more aligned approach to online regulation.[78] In the United Kingdom, this process began with an online harms consultation in 2019, followed by the introduction to Parliament of the Online Safety Bill, which is expected to be enacted in 2023 and implemented in the ensuing 18 to 24 months.[79] The Bill has aroused controversy, including with regard to encryption, which critics argue is threatened by the proposed power to require internet services, such as social media sites, to monitor both public and private messaging for terrorist content and for content concerning child sexual exploitation and abuse. Once in force, the online safety regime will be enforced by the communications regulator Ofcom, which will have the power to impose administrative penalties of £10 million or 10 per cent of the parent company’s annual global turnover, whichever is the greater.
Implications of Brexit for UK data regulation and cyber investigations
Although there is no immediate threat to the EC’s post-Brexit ‘adequacy decision’ in favour of the United Kingdom, elements of the DPDIB (including greater government control of the ICO and a possible UK adequacy decision in favour of the United States) have raised concerns about the sustainability of the United Kingdom’s status.[80] Were adequacy to be withdrawn, the government estimates significant costs to UK businesses in terms of one-off compliance and lost export revenue.[81] Following the conclusion of the post-Brexit Trade and Co-operation Agreement between the United Kingdom and the European Union, the United Kingdom may – by invitation – participate in certain activities with the European Union’s Cybersecurity Agency ENISA, CERT-EU[82] and the EU CSIRT network.[83] In practice, given the international nature of cyberthreats and the United Kingdom’s capability in these areas, close but low-key UK–EU cooperation is likely to continue.
At a day-to-day law enforcement level, the United Kingdom retains access to EU passenger name records and the Prüm database of biometric data.[84] The United Kingdom is no longer a member of the European Union’s law enforcement agency, Europol, but UK liaison officers, with access to Europol’s SIENA secure messaging service, maintain cross-border cooperation. The United Kingdom no longer has access to the Schengen Information System, SIS II, Europe’s largest public security information database offering ‘real-time’ alerts about wanted and missing persons or objects across the European Union; however, the Home Office is developing an international law enforcement alerts platform, I-LEAP, the aim of which is to compensate for this by utilising and improving the Interpol alert system.[85]
Footnotes
[1] Michael Drury and Julian Hayes are partners and Samuel McCann is an associate at BCL Solicitors LLP.
[2] Computer Misuse Act 1990 (CMA), Section 1, carrying a maximum sentence of two years’ imprisonment.
[3] In DPP v. McKeown; DPP v. Jones [1997] 2 Cr. App. R. 155 HL, Lord Hoffmann defined a ‘computer’ as ‘a device for storing, processing and retrieving information’. The Budapest Convention on Cybercrime defines a ‘computer system’ as ‘any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data’.
[4] CMA, Section 17(2).
[5] ibid., Section 17(5).
[6] R v. Coltman [2018] EWCA Crim 2059.
[7] CMA, Section 2, carrying a maximum sentence of five years’ imprisonment.
[8] ibid., Section 3, carrying a maximum sentence of 10 years’ imprisonment.
[9] ibid., Section 3A, carrying a maximum sentence of two years’ imprisonment.
[10] ibid., Section 3ZA, carrying a maximum sentence of life imprisonment.
[11] ibid., Section 3ZA(2)(d).
[12] In 2020, there were only 45 prosecutions under the CMA (https://hansard.parliament.uk/commons/2022-04-19/debates/AE9413F3-D4F2-44EC-890E-75B0250328C4/ComputerMisuseAct1990#:~:text=Coupled%20with%20that%2C%20there%20were,average%20fine%20just%20%C2%A31%2C203 (last accessed 29 March 2023)).
[13] CMA – see ‘Alternative Offences’ (https://www.cps.gov.uk/legal-guidance/computer-misuse-act (last accessed 4 April 2023)).
[14] https://www.gov.uk/government/consultations/review-of-the-computer-misuse-act-1990 (last accessed 29 March 2023).
[15] Defined in the Investigatory Powers Act 2016 (IPA) at Section 261(10).
[16] IPA, Section 253.
[17] ibid., Section 253(1).
[18] ibid., Section 254.
[19] See ibid., Part 8, Chapters 1 and 2.
[20] Investigatory Powers Commissioner’s Office, Annual Report of the Investigatory Powers Commissioner 2021 (published March 2023), paras. 2.9–2.16 (https://ipco-wpmedia-prod-s3.s3.eu-west-2.amazonaws.com/Annual-Report-2021.pdf (last accessed 6 April 2023)).
[21] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1134783/E02825581_Investigatory_Powers_Act_2016_ELAY.pdf (last accessed 29 March 2023).
[22] Wireless Telegraphy Act 2006, Section 48.
[23] https://ec.europa.eu/commission/presscorner/detail/en/ip_21_3183 (last accessed 29 March 2023).
[24] United Kingdom General Data Protection Regulation (UK GDPR), Article 3(2)(a).
[25] https://nationalcrimeagency.gov.uk (last accessed 29 March 2023).
[26] UK GDPR, Article 2(2).
[27] Driver v. Crown Prosecution Service [2022] EWHC 2500.
[28] UK GDPR, Article 9.
[29] See DPA, Sections 170 and 171.
[30] See Network and Information Systems Regulations 2018 (NISR), Part 3.
[31] See NISR, Part 4.
[32] See, for example, ibid., Regulation 11.
[33] See government press release at https://www.gov.uk/government/news/cyber-laws-updated-to-boost-uks-resilience-against-online-attacks (last accessed 29 March 2023).
[34] See Intelligence Services Act 1994, Sections 5 to 7.
[35] www.ncsc.gov.uk (last accessed 29 March 2023).
[36] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1053023/national-cyber-strategy-amend.pdf (last accessed 29 March 2023).
[37] National Cyber Force, ‘Responsible Cyber Power in Practice’ (March 2023) (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1148278/Responsible_Cyber_Power_in_Practice.pdf (last accessed 6 April 2023)).
[38] https://ico.org.uk (last accessed 29 March 2023).
[39] Through the Privacy and Electronic Communications (EC Directive) Regulations 2003/2426, now retained EU law under the European Union (Withdrawal) Act 2018.
[40] Electronic Identification and Trust Services for Electronic Transactions Regulations 2016, also retained EU law.
[41] Crime and Courts Act 2013, Section 7.
[42] www.cps.gov.uk/publication/code-crown-prosecutors (last accessed 29 March 2023).
[43] https://www.fca.org.uk/publication/documents/cyber-security-infographic.pdf (last accessed 29 March 2023).
[44] https://www.fca.org.uk/firms/cyber-resilience (last accessed 29 March 2023).
[45] UK GDPR, Articles 57 and 58, respectively.
[46] ‘ICO25 – Empowering you through information’ (https://ico.org.uk/media/about-the-ico/our-information/our-strategies-and-plans/ico25-strategic-plan-0-0.pdf (last accessed 29 March 2023)).
[47] ‘ICO25 – Our regulatory approach’, 7 November 2022 (https://ico.org.uk/media/about-the-ico/policies-and-procedures/4022320/regulatory-posture-document-post-ico25.pdf (last accessed 29 March 2023)).
[48] https://ico.org.uk/media/about-the-ico/consultations/4019400/regulatory-action-policy-2021_for-consultation.pdf (last accessed 29 March 2023).
[49] https://ico.org.uk/media/about-the-ico/consultations/4019213/statutory-guidance-on-our-regulatory-action-2021-for-consultation.pdf (last accessed 29 March 2023).
[50] DPA, Section 154 and Schedule 15.
[51] ibid., Schedule 15, para. 4.
[52] ibid., Schedule 15, para. 11.
[53] ibid., Schedule 15, para. 15.
[54] ibid., Schedule 15, para. 7.
[55] UK GDPR, Article 83(6).
[56] See ICO, Regulatory Action Policy, page 25.
[57] DPA, Section 162.
[58] For example, ibid., Sections 170 to 173.
[59] https://ico.org.uk/media/about-the-ico/policies-and-procedures/1882/ico-prosecution-policy-statement.pdf (last accessed 29 March 2023).
[60] DPA, Section 196.
[61] See footnote 59.
[62] See https://www.urmconsulting.com/blog/analysis-of-fines-imposed-by-the-information-commissioners-office-in-2022#:~:text=Level%20of%20Fines,the%20point%20of%20the%20exercise! (last accessed 6 April 2023).
[63] See Penalty Notice, Section 155, Data Protection Act 2018, Case ref: COM0783542, para. 7.47 (ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf (last accessed 6 April 2023)).
[64] See ico.org.uk/about-the-ico/media-centre/blog-regulating-through-a-pandemic-and-beyond/ (last accessed 29 March 2023).
[65] See, for example, dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020 (last accessed 29 March 2023).
[66] ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/11/how-the-ico-enforces-a-new-strategic-approach-to-regulatory-action/ (last accessed 29 March 2023).
[67] ‘Open letter from UK Information Commissioner John Edwards to public authorities’, 30 June 2022 (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/06/open-letter-from-uk-information-commissioner-john-edwards-to-public-authorities/ (last accessed 29 March 2023)).
[68] ‘Update on the ICO’s change of approach to regulating communication service providers’, 2 February 2023 (https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/02/update-on-the-ico-s-change-of-approach-to-regulating-communication-service-providers/ (last accessed 29 March 2023)).
[69] DPA, Section 197.
[70] The first Norwich Pharmacal order was granted in 1974 by the House of Lords in Norwich Pharmacal Company & Ors v. Customs And Excise [1973] UKHL 6, [1974] AC 133 (26 June 1973).
[71] Criminal Justice and Police Act 2001, Part 2.
[72] R (McKenzie) v. Director of the Serious Fraud Office [2016] EWHC 102 (Admin).
[73] See House of Lords Briefing on the Crime (Overseas Production Orders) Bill (https://lordslibrary.parliament.uk/research-briefings/lln-2018-0076/ (last accessed 6 April 2023)).
[74] See Crime (Overseas Production Orders) Act 2019, Sections 1 to 15.
[75] The Criminal Procedure Rules 2020, Rule 47.68.
[76] ibid., Rules 47.63 to 47.68.
[77] https://www.gov.uk/government/publications/data-access-agreement-joint-statement-by-the-united-states-and-the-uk/data-access-agreement-joint-statement-by-the-united-states-and-the-united-kingdom (last accessed 29 March 2023).
[78] See, for example, https://www.gov.uk/government/publications/g7-digital-and-technology-ministerial-declaration (last accessed 29 March 2023).
[79] ‘Online Safety Bill: Ofcom’s roadmap to regulation’, 6 July 2022 (https://www.ofcom.org.uk/__data/assets/pdf_file/0016/240442/online-safety-roadmap.pdf (last accessed 29 March 2023)).
[80] See https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2023/01-30/MissionreportUK_EN.pdf (last accessed 29 March 2023).
[81] ‘Data Protection and Digital Information Bill – Impact Assessment Update’, at page 9 (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1140162/Data_Protection_and_Digital_Information_Bill_Impact_Assessment_-_June_2022.pdf (last accessed 6 April 2023)).
[82] The Computer Emergency Response Team, which responds to information security incidents and cyberthreats.
[83] Computer security incident response teams, which deal with network and information systems (see https://csirtsnetwork.eu/ (last accessed 29 March 2023)).
[84] See, for example, https://www.statewatch.org/news/2022/june/eu-police-forces-authorized-to-transmit-dna-and-fingerprint-data-to-the-uk-from-30-june/ (last accessed 29 March 2023).