SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
United Kingdom
Legislation
The principal laws regulating the collection and processing of personal data in the UK are the:
- Data Protection Act 2018 (DPA 2018); and
- EU General Data Protection Regulation (2016/679) (EU GDPR) as it forms part of the law in the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 (the UK GDPR).
The UK GDPR contains the primary legal framework for the processing of personal data in the UK (other than in relation to law enforcement and intelligence agencies). The UK GDPR does not currently differ substantively from the EU GDPR in relation to data protection principles, rights and obligations, though it has been amended for a UK context (such as replacing references to the EU with references to the UK). The DPA 2018 sits alongside and supplements the UK GDPR, including by implementing exemptions to the UK GDPR and outlining the powers of the Information Commissioner’s Office (ICO) (as the regulator responsible for enforcing the UK GDPR and the DPA 2018 in the UK).
The UK GDPR prohibits transfers of personal data in the UK (or otherwise subject to UK GDPR) to countries, territories and jurisdictions outside the UK, unless appropriate safeguards are in place or the destination country is considered as providing adequate protection for individuals’ rights and freedoms (in relation to their personal data).
Reform to UK law
In June 2022, the UK government set out how it planned to reform the UK data protection regime, including the UK GDPR and the DPA 2018. In July 2022 the UK government codified these proposals in the first draft of the Data Protection and Digital Information Bill, which was introduced to Parliament on 18 July 2022 and is subject to the legislative process. This note does not consider the draft reforms proposed by the Bill, which are subject to change.
Brexit
On 1 January 2021, the Brexit withdrawal transition period ended – following the UK’s formal withdrawal from the EU on 31 January 2020.
For transfers subject to the UK GDPR, the UK treats the EEA, and all countries, territories and international organisations that were covered by adequacy decisions adopted by the European Commission as at 31 December 2020, as providing an adequate level of data protection. This means that personal data can be transferred from the UK to the EEA and to those countries, territories and international organisations without the need for appropriate contractual safeguards or supplementary measures.
On 28 June 2021, for transfers subject to EU GDPR, the European Commission approved the UK as offering an adequate level of protection under the EU GDPR and the Law Enforcement Directive. This means personal data can be transferred from the EEA to the UK without the need for appropriate contractual safeguards, or supplementary safety measures. The EU GDPR adequacy decision does not cover transfers of personal data for the purposes of UK immigration control.
The two adequacy decisions (one for the EU GDPR, and one for the Law Enforcement Directive) are expected to last until 27 June 2025, at which point the European Commission can opt to extend the adequacy decision for a further four-year period. The European Commission can retract the adequacy decision prior to 27 June 2025 if it deems that the UK no longer continues to provide an equivalent level of protection. The Court of Justice of the European Union (CJEU) can also hear challenges to the adequacy decisions brought by EU data subjects or EU data protection authorities, and has the power to strike down an adequacy decision.
The adequacy decisions are based on the UK’s current domestic data protection regime and the UK’s international commitments (in particular, adherence to the European Convention on Human Rights and submission to the jurisdiction of the European Court of Human Rights). For the UK to maintain an adequacy decision under the EU GDPR, the UK is required to maintain a level of protection that is essentially equivalent to that in the EU.
The rules governing when a court in the UK can depart from a decision of the CJEU made prior to 31 December 2020 that affects the collection and processing of personal data are complex and depend on, among other things, when the relevant event giving rise to liability occurred and the seniority of the relevant UK court.
Relevance to investigations
A number of provisions have particular relevance in the context of investigations. All processing must have a valid legal basis under the UK GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where the investigation involves foreign authorities or courts, or where the data involved includes sensitive data. Restrictions on international transfers create additional complexity in cross-border investigations, both in relation to transfers within an organisation (and with its advisers) and in relation to transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the UK GDPR, including the principle that processing must be lawful, fair and transparent and the principle of data minimisation. It can be challenging to ensure compliance with these principles in the context of an investigation.
Answer contributed by
Nigel Parker,
Calum Burnett,
Jason Rix,
Benjamin Scrace and
Robin Marshall
Allen & Overy LLP
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
United Kingdom
The following elements of English law may prevent the sharing of data in the context of an investigation.
Confidentiality
A duty of confidentiality may arise, even without a contract, where:
- information to be disclosed has the “necessary quality of confidence”; and
- it is disclosed in circumstances importing an obligation of confidence (this could be as simple as stating that the information is confidential, provided that it is in fact confidential).
Generally, the person in possession of confidential information must not make use of it to the prejudice of the person who provided it, without obtaining their consent.
The confidentiality obligation can be breached by either unauthorised disclosure or unauthorised use of the confidential information.
Banking confidentiality
There is also a common law duty of confidentiality between a "banking business" and its customers. This implied duty means that a bank may not divulge confidential information about its customers unless the customer in question has consented or an exemption applies.
The meaning of a "banking business" depends on the business actually carried on by the entity rather than on any regulated status. The three main factors that indicate a banking business are:
- keeping current accounts for customers, in which credits and debits are entered;
- accepting money from, and collecting cheques for, customers and placing them to the customers’ credit; and
- paying cheques drawn on the relevant account and debiting customers accordingly.
The general duty of banking confidentiality can therefore apply to any business engaging in these activities, even if that institution does not consider itself to be a bank.
The implied duty applies to any information about a customer (both natural and legal persons) that the bank acquires in the course of providing services.
Customer consent to a transfer of confidential information should be informed but may be obtained via a website or standard terms and conditions.
Exemptions to the common law duty of banking confidentiality have been found in certain limited circumstances, including where:
- there is a compelling public interest reason for the disclosure;
- there is compulsion by law;
- the disclosure is under compulsion by order of court; or
- disclosure is necessary in the interests of the bank.
Legal professional privilege
There are two heads of legal professional privilege under English law: legal advice privilege and litigation privilege. While neither in itself prevents the sharing of personal data, when considering whether confidential communications should be disclosed more generally, it is important to consider whether privilege may arise.
Legal advice privilege applies to confidential communications that pass between a lawyer and his or her client and that have come into existence for the dominant purpose of giving and receiving legal advice about what should be prudently and sensibly done in the relevant legal context. The English courts have held that the “client” for the purposes of legal advice privilege is any individual authorised to seek and receive legal advice.
Litigation privilege applies to confidential communications between (i) a client and a lawyer, (ii) a lawyer and a third party, or (iii) a client and a third party, that were made for the dominant purpose of seeking or obtaining legal advice or evidence in connection with the conduct of (adversarial) litigation where that litigation was pending, reasonably in prospect or existing.
In recent years, there have been a number of decisions of the English Court of Appeal considering both legal advice and litigation privilege. Once established, legal professional privilege is a substantive right to withhold disclosure of privileged documents from various third parties.
Other
There are other laws and regulations relating to the sharing of data in a criminal context, which may be relevant for the purposes of an investigation depending on the specific context. These include: the Proceeds of Crime Act 2002; the Crime (International Co-operation) Act 2003; Part 49 of the Criminal Procedure Rules 2015 (SI 2015/1490); the Criminal Justice (European Investigation Order) Regulations 2017; and the Crime (Overseas Production Orders) Act 2019.
3. What constitutes personal data for the purposes of data protection laws?
United Kingdom
The UK GDPR, like the EU GDPR, defines personal data as any data relating to a living individual who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that living person.
Data that is truly anonymised – information that no longer relates to an identified or identifiable individual, or is rendered in such a way that individuals are not or are no longer identifiable – will not be “personal data” for the purposes of the UK GDPR, as it does not identify the individual.
Data is not truly anonymised if the individuals to whom it relates could be re-identified by means reasonably likely to be used. Pseudonymised data – information that can no longer be attributed to a specific data subject without the use of additional information, which is kept separately and subject to appropriate technical and organisational measures – remains personal data for the purposes of the UK GDPR.
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
United Kingdom
The UK GDPR, like the EU GDPR, applies to the “processing” of “personal data”. Personal data means any information relating to an identifiable natural living person; it does not cover legal persons or deceased natural persons. Processing refers to any operation performed on personal data, including its collection, use, disclosure and destruction.
The UK GDPR, like the EU GDPR, imposes obligations on “controllers” and “processors”. A controller is defined as a person who (either alone or jointly with others) determines the purposes and means of the processing of personal data. A processor is defined as a person who processes personal data on behalf of the controller.
The UK GDPR has extraterritorial scope. It covers:
- the processing of personal data in the context of the activities of an establishment of a controller or a processor in the UK, regardless of where the processing takes place; and
- the processing of personal data of data subjects who are in the UK, where the processing activities relate to the offering of goods or services to them or the monitoring of their behaviour in the UK.
An organisation is “established” for the purposes of the first limb where it exercises “any real and effective activity – even a minimal one” through “stable arrangements” in the UK.
The DPA 2018 extends a modified version of the UK GDPR to certain processing activities that are not contained in the EU GDPR (eg, freedom of information rules, handling of manual unstructured data in the public sector, processing for national security). It has the same territorial scope as the UK GDPR.
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
United Kingdom
UK data protection laws address the processing of personal data in general, not specifically in the context of investigations. For example, the UK GDPR sets out a number of core data protection principles with which controllers must comply, including in relation to an investigation.
Principle 1 is that personal data must be processed “lawfully, fairly and in a transparent manner”. This means that data cannot be processed unless there is a legal basis under article 6 of the UK GDPR. The following legal bases are available:
- the data subject has given their consent to the processing for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of the data subject with a view to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary to protect the vital interests of the data subject or another natural person;
- the processing is necessary for performing tasks in the public interest or in the exercise of official functions by the controller (further clarification on this point is set out in section 8 of the DPA 2018); or
- the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where the processing is unwarranted by reason of prejudice to the interests and fundamental rights and freedoms of the data subject.
For sensitive data (or “special categories of personal data”), the processing must also comply with one of the stricter legal bases (special conditions) set out in article 9 of the UK GDPR, and section 10 and Schedule 1, Part 1 of the DPA 2018. As with the EU GDPR, sensitive data is defined in the UK GDPR as information relating to: racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data and biometric data for the purpose of uniquely identifying a natural person; data concerning health; and sex life and sexual orientation.
In an investigations context, relevant conditions for the processing of sensitive data may include where:
- the individual has given their explicit consent to the processing for one or more specified purposes;
- the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
- the processing is necessary for reasons of substantial public interest, on the basis of domestic law (the EU GDPR refers here to Union or member state law), where this is proportionate to the relevant aim and safeguards the rights and interests of data subjects.
The processing of data about criminal convictions and offences is dealt with separately to sensitive data, under article 10 of the UK GDPR. This provides that such data can only be processed where authorised under domestic law (for the UK, this would be the DPA 2018). The DPA 2018 provides further information on what is considered the “public interest” in the UK and limits the application of certain provisions of the UK GDPR where personal data is processed for the detection or prevention of crime or the operation of the justice system.
Controllers (and, where relevant, processors) must comply with the following data protection principles, and controllers are responsible for, and must be able to demonstrate, that compliance:
- Principle 2: personal data should be obtained only for specified, explicit and legitimate purposes and should not be further processed in any manner incompatible with those purposes (“purpose limitation”);
- Principle 3: personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (“data minimisation”);
- Principle 4: personal data should be accurate and, where necessary, kept up to date (“accuracy”);
- Principle 5: personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (“storage limitation”);
- Principle 6: personal data should be processed in a manner that ensures appropriate security of that personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”); and
- the controller must also be able to demonstrate compliance with each of these principles (“accountability”).
In addition, under Chapter V of the UK GDPR, personal data may not be transferred out of the UK unless the transfer is based on UK adequacy regulations made by the Secretary of State under the DPA 2018, or the controller or processor has provided appropriate safeguards and enforceable data subject rights and effective legal remedies for data subjects are available.
Competent authorities processing personal data for criminal law enforcement purposes must adhere to slightly different requirements under Part 3 of the DPA 2018. For example, for Principle 1, there is no requirement for processing to be transparent (given the possibility of this prejudicing an investigation). Additionally, for the processing of sensitive personal data, competent authorities must have in place an appropriate policy document explaining how they ensure compliance with these requirements (in addition to there being an appropriate lawful basis for the processing).
In the context of investigations, it may also be necessary to consider articles 13 and 14 of the UK GDPR, which require information to be provided to a data subject where personal data is collected directly or indirectly. Typically, as part of standard UK GDPR compliance, a privacy notice must have been provided to the data subject at the time the personal data is obtained (unless an exemption applies). In an investigation, personal data has often not been obtained directly from the data subject. If so, article 14 of the UK GDPR will apply (subject to certain limited exceptions) and the fair processing information given to the data subject must also include the categories of personal data processed, the source of the personal data and whether it came from publicly accessible sources.
Depending on the circumstances, it may not be appropriate to provide a privacy notice to data subjects involved in an investigation, for example, if providing such notice would prejudice an investigation. In such circumstances, one of the limited exemptions under the UK GDPR may apply, though such exemptions must be construed narrowly. Relevant exemptions (that relieve a controller from complying with articles 13 and 14) under the UK GDPR, as contained in DPA 2018, include, among others:
- the prevention and detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty or an imposition of a similar nature. For example, if a bank conducts an investigation into suspected financial fraud, the investigation and any disclosures to UK authorities are for the purposes of the prevention and detection of crime. If the bank were to inform the individuals concerned about the processing, doing so may prejudice the investigation;
- a requirement to disclose information under UK law or in connection with legal proceedings (including legal proceedings, obtaining legal advice, or establishing, exercising or defending legal rights), for example, if an employer receives an order from a UK court to provide personnel details of an employee to an insurance company for the assessment of a claim; and
- legal professional privilege, in respect of which a duty of confidentiality is owed by a professional legal adviser to a client, or to which a claim to legal professional privilege (or confidentiality of communications) could be maintained.
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
United Kingdom
In the context of an internal investigation, any data processing and transfers need to be analysed in the same way as any other processing and transfers of personal data, and so must be carried out in compliance with the UK GDPR, DPA 2018, and the principles relating to the processing of personal data.
When considering the legal basis (under article 6 UK GDPR) applicable to the processing, a company conducting an internal investigation will often find that the most appropriate legal basis is that the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where the processing is unwarranted by reason of prejudice to the interests and fundamental rights and freedoms of the data subject.
It is advisable to check that data generated outside the UK was transferred to, or within, the UK in compliance with relevant data protection laws and regulations. This may include:
- ascertaining what data has been transferred to, or within, the jurisdiction and the natural and/or legal persons to which that data relates;
- reviewing the privacy notice provided to data subjects;
- ascertaining the legal basis for the processing; and/or
- determining whether a contract or other safeguard applies to the transfer of that data (eg, a data processing agreement, data transfer agreement or binding corporate rules, as appropriate).
In particular, the above may inform whether certain restrictions may apply to further processing of that data.
Parties assisting with an investigation will also need to ensure that they consider their own data privacy obligations. For example, is that party jointly determining the purposes and means of the processing of personal data, and thereby acting as a joint controller, or simply processing the personal data on behalf of the (sole) controller? Under Chapter IV of the UK GDPR, controllers and processors are subject to different requirements.
Where a company (acting as controller) instructs a third party (including an entity within the same corporate group) to process personal data on its behalf (acting as processor), the parties are required to enter into a written contract that reflects the minimum content requirements of article 28 UK GDPR.
RIGHTS OF INDIVIDUALS
7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?
United Kingdom
Data subject consent is not mandatory for the processing of personal data. Consent is only one possible article 6 legal basis for processing personal data under the UK GDPR, and explicit consent is only one possible special condition for processing sensitive data (or special category data) under article 9 UK GDPR.
8. If not mandatory, should consent still be considered when planning and carrying out an investigation?
United Kingdom
Consent may be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data (ie, as the legal basis under the UK GDPR for processing that data) can be practically challenging, and proceeding with the processing in reliance solely on this ground is rarely appropriate. One reason is that consent must be capable of being withdrawn at any time (a right that cannot be contracted out of), which would be difficult to manage in the context of an investigation.
The ICO states that if a controller cannot, for any reason, offer individuals genuine choice over how it uses their personal data, consent is unlikely to be an appropriate legal basis for processing. This is the case if the controller could and would still process the data on a different lawful basis (such as legal obligation or legitimate interests) if consent were refused or withdrawn.
9. Is consent given by employees likely to be valid in an investigation carried out by their employer?
United Kingdom
Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid for this reason.
10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?
United Kingdom
There is no prescribed or universal form for consent, and consent can be obtained through a website or other electronic means. However, consent must be freely given, specific, informed, unambiguous (ie, involve a clear affirmative action, such as an opt-in) and unbundled (ie, be separate from other terms and conditions). Consent must also be able to be withdrawn at any time and must be as easy to withdraw as to give.
If a controller wishes to rely upon consent, the consent must specifically name the controller (and any other third-party controllers who will rely on the consent), the purposes of processing, the types of processing activity and the individual’s right to withdraw the consent at any time. The controller must also keep clear records of such consent, not least to demonstrate that the individual consented to the particular processing activities, and in order to respond to requests to withdraw consent.
If the controller wishes to rely upon explicit consent to process sensitive data (under article 9 UK GDPR) or to transfer the data internationally, the controller may wish to obtain consent by means of an additional formality to demonstrate “explicit” consent (eg, a wet ink signature or a tick box that expressly uses the word “consent”).
Whether consent given in advance, such as through general terms and conditions or account opening information, is sufficient for the purposes of the UK GDPR depends, among other things, on the form and substance of the consent (was it specific to the processing?), whether the data subject provided an unambiguous indication of consent (did they positively opt in?), whether the consent was unbundled (was it separate from other terms and conditions?), and on the balance of power between the controller and the data subject (did the data subject have genuine choice?).
11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?
United Kingdom
Right of access
A data subject has a right to request information from a controller regarding whether their personal data is being processed, known as a data subject access request. The information that can be requested includes a description of the data, the purposes for which it is being processed and the recipients to whom it may be disclosed. The controller must also provide a copy of the personal data to the data subject. The ICO has published detailed guidance on responding to data subject access requests.
Following decisions of the English Court of Appeal, the motive behind a data subject access request (eg, if it is made to assist in litigation) does not affect a controller’s duty to respond to it. Provided the request is not an abuse of the court’s process and does not result in a conflict of interest, the court will not use the purpose of a request as a reason to limit the exercise of its discretion to compel an organisation to respond. Material that is privileged as a matter of English law can be withheld. However, it is not appropriate to make a blanket assertion of privilege to avoid searching for non-exempt materials.
A controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) of the UK GDPR). If relying on this exemption, a controller should retain evidence to demonstrate why it considers the request to be unfounded or excessive. If a controller refuses to act on a request, it must also inform the data subject of the reasons for the refusal and tell the data subject that they can complain to the relevant supervisory authority and seek a judicial remedy.
Rights of rectification and erasure
Data subjects have the right to request rectification of any personal data relating to them that is inaccurate, and completion of any incomplete data, including by way of a supplementary statement. There is an obligation on a controller under the UK GDPR to ensure the personal data it keeps is accurate.
Data subjects have the right to obtain from the controller the erasure of their personal data without undue delay if one of the specified grounds applies. This includes where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).
Right to object
In certain circumstances, such as when a controller is relying upon its legitimate interests (or those of a third party) or the processing is necessary for performing tasks in the public interest or in the exercise of official functions, data subjects have a right to object to the processing of personal data concerning them at any time. A controller must cease the processing unless it can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or the processing is necessary for the establishment, exercise or defence of legal claims. A data subject also has a right to obtain a restriction of processing from the controller where the data subject contests the accuracy of the relevant personal data, the processing is unlawful or the controller no longer needs the data for the purposes of the processing but the data subject requires it for the establishment, exercise or defence of legal claims. Where processing has been restricted, the controller may (absent the data subject’s consent) only store the data or process it for limited purposes, including in connection with legal claims.
Note that where data is processed by competent authorities for criminal law enforcement purposes pursuant to Part 3 of the DPA 2018, certain rights of data subjects are excluded or restricted. For example, data subjects have no right to object to processing by a competent authority for this purpose. Moreover, data subjects’ rights to receive information, rights of access, rights to rectification and rights to erasure or restriction may be limited or restricted where necessary and proportionate, for example, to protect national or public security, or avoid prejudicing a criminal investigation or prosecution.
Exemptions
The DPA 2018 provides certain exemptions to the UK GDPR that can, in certain circumstances, relieve a controller from obligations to comply with the right of access and dealing with other individual rights. Such exemptions should not be routinely relied upon or applied in a blanket fashion; a controller must consider each exemption on a case-by-case basis. When relying upon an exemption under DPA 2018 in relation to responding to a data subject right, the controller should justify and document its rationale and reasons for relying on the exemption (ie, refusing to give effect to the data subject right). Relevant exemptions that apply to certain individual rights under the UK GDPR include, among others:
- the prevention and detection of crime, the apprehension of offenders, or the assessment or collection of a tax or duty or an imposition of a similar nature (to the extent that complying with the request would prejudice those purposes of processing);
- a requirement to disclose information under UK law or in connection with legal proceedings, obtaining legal advice, or establishing, exercising or defending legal rights; and
- legal professional privilege, in respect of which a duty of confidentiality is owed by a professional legal adviser to a client, or to which a claim to legal professional privilege (or confidentiality of communications) could be maintained.
Answer contributed by Nigel Parker, Calum Burnett, Jason Rix, Benjamin Scrace and Robin Marshall, Allen & Overy LLP
EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER
12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?
United Kingdom
There may be additional requirements under the UK GDPR where third parties are appointed to process personal data in connection with an investigation if they are data processors as opposed to controllers. A party can also act as both controller and processor of personal data, and in some cases both a controller and processor for the same personal data (if it processes the data for different purposes).
Whether the third party is a processor or controller (either joint or separate) will depend on a number of factors, including their role in and degree of influence over the processing activity. An organisation is more likely to be a controller if it decides on the legal basis for the processing, which personal data to process, and the purpose for which and the manner in which to process the personal data.
However, though a data processor will process personal data on behalf of the controller, it may also have a degree of discretion as to the method of processing, how to store such personal data, and relevant security measures. For example, there may be circumstances where, if allowed under the contract, a processor has the freedom to carry out certain activities on the controller's behalf (though it cannot take overarching decisions as to what personal data to collect or the purposes of processing).
Additional provisions of the UK GDPR apply where the data is processed by a processor on behalf of the controller. The primary factor considered is control of the data rather than its possession, so the controller must ensure that the third-party processor is complying with the requirements on the security of data set out in the UK GDPR. A written contract to this effect must be entered into between the processor and controller (article 28 of the UK GDPR). This contract must include a description of the data processing activities and require the processor, among other things, to:
- act only on the documented instructions of the controller (including with regard to international transfers of data to a third country);
- ensure that persons who process the data have committed to confidentiality or are under a statutory duty of confidentiality;
- implement appropriate security measures in accordance with the UK GDPR;
- engage a sub-processor only with the prior authorisation of the controller;
- assist the controller in carrying out its obligations to respond to requests by data subjects to exercise their rights under the UK GDPR; and
- assist the controller in ensuring its compliance with its data security obligations.
Where a processor engages a sub-processor, the contract between them must reflect the same data protection obligations as set out in the contract between the controller and the processor.
These provisions of the UK GDPR apply to processors within the same corporate group in the same way as to other third-party processors.
The UK GDPR also imposes certain direct obligations on processors. These include an obligation to: (i) maintain a written record of processing activities carried out on behalf of each controller; (ii) designate a data protection officer where required; (iii) appoint a representative (when not established in the UK) in certain circumstances; and (iv) notify the controller without undue delay on becoming aware of a personal data breach.
Answer contributed by Nigel Parker, Calum Burnett, Jason Rix, Benjamin Scrace and Robin Marshall, Allen & Overy LLP
13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?
United Kingdom
A transfer of personal data to a third-party law firm for the purposes of providing legal advice needs to be analysed in the same way as any other transfer of personal data, and so must be carried out in compliance with the UK GDPR and the principles relating to the processing of personal data.
In the context of an investigation, the most likely legal basis for the transfer is that the processing is necessary for the purposes of legitimate interests pursued by the controller (here, the client) or by a third party, except where the processing is unwarranted by reason of prejudice to the interests and fundamental rights and freedoms of the data subject.
Answer contributed by Nigel Parker, Calum Burnett, Jason Rix, Benjamin Scrace and Robin Marshall, Allen & Overy LLP
14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?
United Kingdom
UK ICO guidance suggests that law firms (and other professional service providers) are generally characterised as controllers in their own right in addition to their clients.
This is on the grounds that the law firm generally determines what information is obtained and processed in order to perform its work and because the law firm is answerable for the content of its work. The UK ICO also cites the fact that lawyers have their own professional responsibilities (in areas such as record-keeping and confidentiality of communications) as further indicating lawyers are controllers in their own right.
Answer contributed by Nigel Parker, Calum Burnett, Jason Rix, Benjamin Scrace and Robin Marshall, Allen & Overy LLP
16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?
United Kingdom
Additional restrictions and limitations may apply depending on whether the disclosing party is subject to industry or sector specific regulation. For example, the UK Financial Conduct Authority's Handbook requires firms which the FCA regulates to organise and control their affairs responsibly and effectively, with adequate risk management systems (FCA Principle 3). Before transferring clients’ personal data, the FCA has stated that firms should consider whether this is fair to and in the interests of their clients (FCA Principle 6). The FCA has also stated that firms should pay due regard to the information needs of their clients and communicate with them clearly and fairly (FCA Principle 7).
Answer contributed by Nigel Parker, Calum Burnett, Jason Rix, Benjamin Scrace and Robin Marshall, Allen & Overy LLP
17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?
United Kingdom
Personal data that is subject to the UK GDPR cannot be transferred to a third country or territory outside the UK unless that third country or territory provides an adequate level of protection for personal data.
Adequacy decisions
There are certain jurisdictions that have been found to ensure an adequate level of protection of personal data under the UK GDPR. As at 1 August 2022 these include:
- the European Economic Area (EEA) countries (comprising the EU member states Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden; and, the EFTA states Iceland, Norway and Liechtenstein);
- Andorra, Argentina, Israel, New Zealand, Switzerland, Uruguay; and
- Faroe Isles, Gibraltar, Guernsey, Isle of Man, Jersey.
There have been partial findings of adequacy in relation to:
- Canada (covering data that is subject to Canada's Personal Information Protection and Electronic Documents Act); and
- Japan (covering private sector organisations).
On 5 July 2022, the UK also signed a "data adequacy agreement in principle" with South Korea (see here).
For the purposes of the UK GDPR, the US is not an adequate country.
For the latest position see here.
Appropriate safeguards
For other jurisdictions, a party can transfer personal data that is subject to the UK GDPR to a third country or territory outside the UK by putting in place "appropriate safeguards", which most commonly includes:
- entering into a contract incorporating standard contractual clauses recognised or issued in accordance with the UK data protection regime (eg, approved by the UK ICO); or
- for transfers within the same group, adoption of binding corporate rules.
Standard contractual clauses impose contractual obligations on the party sending the data (the data exporter) and the party receiving the data (the data importer), and provide rights for the individuals whose personal data is transferred. These individuals can enforce such rights directly against the data importer and data exporter.
Post-Brexit and in response to "Schrems II" (see below), the UK ICO issued new standard contractual clauses (for use under UK GDPR) for what it terms "restricted transfers", which will replace the old standard contractual clauses adopted by the European Commission under the Data Protection Directive 95/46/EC, which were in force as at 31 December 2020 and previously valid for UK transfers (Directive SCCs).
The ICO issued two transfer tools, both of which constitute valid standard contractual clauses under UK GDPR: (1) the new International Data Transfer Agreement (IDTA); and (2) the new International Data Transfer Addendum to the new European Commission SCCs (Addendum). The IDTA is a long-form, transfer-agnostic (ie, one-size-fits-all) transfer agreement. The Addendum applies the obligations of the new European Commission SCCs (adopted for transfers subject to EU GDPR in June 2021) to UK transfers, as amended to reflect UK laws. The Addendum can be used as a standalone transfer agreement (ie, does not require existing European Commission SCC) or as an addendum to existing European Commission SCC to capture UK transfers.
The Directive SCC can continue to be used for data transfers subject to UK GDPR until 21 September 2022. Contracts based on the Directive SCC prior to 21 September 2022 will continue to provide "appropriate safeguards" for the purpose of UK GDPR until 21 March 2024, provided that the processing operations remain unchanged and the transferor ensures an appropriate level of protection. The ICO has published transitional provisions (information on the transition from the Directive SCC to the IDTA and Addendum), available here.
When entering into a contract on the basis of the IDTA or the Addendum, the party exporting the data must still carry out a risk assessment. This is to ensure that the actual protection provided by the IDTA or Addendum, given the actual circumstances of the restricted transfer, is sufficiently similar to the principles underpinning UK data protection laws.
Derogations
Data can otherwise be transferred if one of the following derogations, among others, applies:
- the data subject has provided valid consent to the transfer (this consent should be explicit as well as freely given, specific, informed and unambiguous. The individual must also be informed of the potential risks in conducting the international transfer to territories or countries that do not provide adequate protection without appropriate safeguards in place). Consent is rarely an appropriate mechanism for conducting international transfers;
- the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request (this is only available for occasional transfers);
- the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests (this is only available for occasional transfers);
- the transfer is necessary for important reasons of public interest (this can be relied upon by both public and private entities, though a UK law must state or imply that the relevant type of transfer is allowed for reasons of public interest);
- the transfer is necessary for the establishment, exercise or defence of legal claims (the claim must have a basis in law and a formally legally defined process, but is not available if there is only a mere possibility that a legal claim or other formal proceeding may be brought in the future); or
- the transfer is necessary to protect the vital interests of the data subject (this applies in a medical emergency where the transfer is needed to provide the necessary medical care – it is not available for general medical research, or if the data subject is legally and physically capable of providing consent).
Where none of the above derogations is available, a transfer to a third country (that is not the subject of a UK adequacy decision) may take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller (which are not overridden by the interests or rights and freedoms of the data subject), and the controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards with regard to protection of personal data. This ground for processing may only be relied upon where no other legal basis is available, no other exceptions (ie, derogations) apply, and the controller is unable to use any of the above safeguards (ie, those in article 46 UK GDPR). The controller shall inform the ICO of the transfer and, in addition to providing the information referred to in articles 13 and 14, shall inform the data subject of the transfer and of the compelling legitimate interests pursued. As such, this derogation is unlikely to be of practical application in the context of an investigation.
Schrems II
In a judgment issued on 16 July 2020, the CJEU in Schrems II held that standard contractual clauses should be viewed as offering only the basic level of protection and they may only be used where the protection provided by the contract is not undermined in the particular circumstances. This means that entering into standard contractual clauses (eg, the IDTA or Addendum) is not enough to ensure an adequate level of protection when transferring data to a non-adequate third country. The Schrems II judgment remains binding and applicable to the UK data protection regime.
This means that controllers exporting personal data and looking to rely on the IDTA or Addendum (or the Directive SCC, for the transitional period) must conduct a transfer adequacy and risk assessment to assess on a case-by-case basis whether additional safeguards (supplementary measures) are needed to remedy any identified deficiency and ensure adequate data protection.
In August 2021, the ICO published a draft transfer adequacy tool (for public consultation) to assist controllers to undertake such risk assessments (available here). As at the time of writing, this tool has not been finalised.
The European Data Protection Board (EDPB) has also published recommendations on measures to supplement transfer tools (including standard contractual clauses) here. Though EDPB guidance is no longer directly applicable in the UK, the ICO currently refers to such recommendations as a useful reference for additional measures.
Answer contributed by Nigel Parker, Calum Burnett, Jason Rix, Benjamin Scrace and Robin Marshall, Allen & Overy LLP
18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?
United Kingdom
The derogations most relevant to enable the international transfers of personal data in connection with investigations are that:
- the transfer is necessary for important reasons of public interest; and
- the transfer is necessary for the establishment, exercise or defence of legal claims.
In relation to the public interest derogation, if a party is a recipient of a request for data from a non-EEA authority, and there is an international agreement (such as a mutual assistance treaty) relevant to the request, the ICO notes that the recipient should consider referring the requestor to the existing treaty.
In relation to the public interest derogation, please see this letter from the UK ICO to the US SEC.
Answer contributed by Nigel Parker, Calum Burnett, Jason Rix, Benjamin Scrace and Robin Marshall, Allen & Overy LLP
TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES
19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?
United Kingdom
The transfer of personal data to regulators and enforcement authorities within the UK must comply with the UK GDPR and the principles relating to the processing of personal data in the same way as any other processing. In particular, a legal basis must be established.
There are exemptions from certain UK GDPR provisions that may apply. In particular, Schedule 1 of the DPA 2018 sets out the conditions for processing of sensitive data to be considered in the “public interest” for the purposes of article 9(2) of the UK GDPR. These include that the processing is necessary for:
- the prevention or detection of an unlawful act, or for taking steps to establish whether an unlawful act has been committed;
- protecting the public against dishonesty or malpractice;
- the purpose of, or in connection with, legal proceedings (including prospective legal proceedings); or
- the prevention of fraud.
Additionally, Schedule 2 of the DPA 2018 disapplies certain provisions of the UK GDPR where the disclosure of personal data is necessary for the prevention of crime or where disclosure is required by a court or tribunal. The disapplied provisions include the rights afforded to data subjects and the requirement to provide a privacy notice.
When processing personal data for criminal law enforcement purposes, competent authorities must adhere to Part 3 of the DPA 2018. Competent authorities include: the government, the police, the courts, authorities with investigatory functions such as the Financial Conduct Authority, Her Majesty's Revenue and Customs, the Serious Fraud Office, the National Crime Agency, the Competition and Markets Authority and other authorities such as the UK ICO and the Director of Public Prosecutions. For Part 3 to apply, the processing must be for the primary purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
The UK and US governments have entered into a bilateral agreement for accessing electronic data in cases of serious crime. This allows UK and US domestic criminal law enforcement authorities to obtain electronic data directly from a range of telecommunications companies in the other country – without any need to go through the domestic authorities in the recipient country, a mutual legal assistance treaty, or existing alternative routes currently used. The UK government can, therefore, issue an order directly to a telecommunications company covered under this bilateral agreement once it has obtained a court order. The bilateral agreement has been implemented into UK law via the Crime (Overseas Production Orders) Act 2019.
The Crime (Overseas Production Orders) Act 2019 states that any person subject to an overseas production order is not required to do anything that would contravene data protection legislation (such as the UK GDPR and the DPA 2018). Though the bilateral agreement states that the processing and transfer of data under the agreement are compatible with the parties’ respective applicable laws regarding privacy and data protection, the UK Investigatory Powers Commissioner will be responsible for providing independent oversight of the UK’s use of the bilateral agreement to ensure standards of data protection and privacy safeguards.
Answer contributed by Nigel Parker, Calum Burnett, Jason Rix, Benjamin Scrace and Robin Marshall, Allen & Overy LLP
20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?
United Kingdom
The provisions applying to cross-border data transfers generally also apply to the transfer of data to regulators and law enforcement authorities out of the jurisdiction. Any transfer to an overseas regulator would have to comply with the UK GDPR and the DPA 2018 in the same way as any other processing.
Any disclosure of personal data to an overseas regulator or law enforcement authority would engage the first data protection principle (including the requirement to establish a legal basis) and prohibitions on cross-border transfers of personal data. In particular, the first principle provides that processing of personal data must be fair, lawful and transparent.
Any transfer of personal data to an overseas regulator or law enforcement authority may breach this principle if this is not a purpose about which the data subjects will have been sufficiently informed (ie, is not contained as a purpose of processing in the privacy notice). The UK GDPR sets out exemptions to providing a privacy notice where this is impossible or would involve disproportionate effort on the part of the controller, but these exemptions are interpreted narrowly.
The cross-border transfer of personal data would additionally require safeguards for the relevant transfer and a legal basis for processing. There is no clear exemption or derogation from either the first principle, the requirement for a legal basis for processing, or the prohibition on cross-border transfers that will routinely cover requests for data by a foreign regulator or law enforcement authority.
The transfer may lack a legal basis, depending on the circumstances of the processing. However, the possible legal bases that a controller may rely on in this context include:
- the consent of each affected data subject to the disclosure and transfer. However, this can be problematic to obtain, can be withdrawn at any time and (in the case of sensitive data) must be explicit;
- that the processing is necessary for compliance with a UK legal obligation;
- that the processing is necessary for the performance of a task carried out in the public interest; or
- that the processing is in the legitimate interests of the controller except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
The prohibition on cross-border transfers provides that personal data should not be transferred to a country outside the UK that does not provide an adequate level of protection, unless an exemption applies or safeguards for the personal data are in place (such as standard contractual clauses). Following the Schrems II judgment, controllers wishing to rely on standard contractual clauses to transfer data to a regulator or authority in a country that is not subject to a UK adequacy decision are required to conduct a transfer adequacy assessment.
Derogations (to the requirement for an adequacy decision or implementing safeguards) are available in certain circumstances, including where:
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims (which includes administrative or regulatory procedures, such as defending an investigation or potential investigation); or
- the transfer is a one-off restricted transfer to be made in the compelling legitimate interests of the controller.
The UK ICO has stated that if a request is made by a non-EEA authority, requesting a restricted transfer under this exception, and there is an international agreement such as a mutual legal assistance treaty, you should consider referring the request to the existing treaty.
In relation to the public interest derogation, please see this letter from the UK ICO to the US SEC.
Answer contributed by Nigel Parker, Calum Burnett, Jason Rix, Benjamin Scrace and Robin Marshall, Allen & Overy LLP
21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?
United Kingdom
The recipient of such a request may consider taking the following steps, among others:
- consider if there is a legal obligation to respond to the request and, if so, to what extent;
- seek further information in writing from the requesting regulator to evaluate the purpose of the request;
- if possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation;
- in accordance with principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose;
- consider whether it is practicable to obtain data subject consent and/or give a further privacy notice;
- put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor); and
- consider transfer via a mutual legal assistance treaty as, in some cases, it may be possible to request that the court or regulator requests data via this treaty or other international agreement.
Answer contributed by Nigel Parker, Calum Burnett, Jason Rix, Benjamin Scrace and Robin Marshall, Allen & Overy LLP