UK law enforcement data adequacy at risk
www.computerweekly.com
The UK government says reforms to police data protection rules will help to simplify law enforcement data processing, but critics argue the changes will lower protection to the point where the UK risks losing its European data adequacy.

By Sebastian Klovig Skelton, Data & ethics editor
Published: 31 Mar 2025 15:55

The UK government has introduced its Data Use and Access Bill (DUAB) to Parliament, but proposed reforms to police data protection rules could undermine law enforcement data adequacy with the European Union (EU).

Currently going through the committee stage of Parliamentary scrutiny, the DUAB will amend the UK's implementation of the EU Law Enforcement Directive (LED), which is transposed into UK law via the current Data Protection Act (DPA) 2018 and represented in Part Three of the DPA, specifically.

In combination with the current data handling practices of UK law enforcement bodies, the bill's proposed amendments to Part Three (which include allowing routine transfer of data to offshore cloud providers, removing the need for police to log justifications when accessing data, and enabling police and intelligence services to share data outside of the LED rules) could present a challenge for UK data adequacy.

In June 2021, the European Commission granted data adequacy to the UK following its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, but warned the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.

While Computer Weekly's previous reporting on police hyperscale cloud use has identified major problems with the ability of these services to comply with Part Three, the government's DUAB changes are seeking to solve the issue by simply removing the requirements that are not being complied with.

For example, while the DPA 2018 does allow for overseas transfers to non-law enforcement recipients (that is, cloud providers), this is only permissible

However, in June 2024, Computer Weekly confirmed that UK policing data uploaded to Microsoft services is routinely sent offshore for some forms of processing, while IT support is provided on a global follow-the-sun model.

To circumvent the lack of compliance with these transfer requirements, the government has simply dropped them from the DUAB, meaning policing bodies will no longer be required to assess the suitability of the transfer or report it to the data regulator.

Commenting on the transfer issue during a DUAB debate in the House of Lords, Liberal Democrat peer Tim Clement-Jones highlighted how, as it stands, cloud service providers routinely process data outside the UK, and are unable to provide necessary contractual guarantees to policing bodies as required by Part Three: "As a result, their use for law enforcement data processing is, on the face of it, not lawful."

He added: "The government's attempts to change the law highlight the issue and suggest that past processing on cloud service providers has not been in conformity with the UK GDPR [General Data Protection Regulation] and the DPA."

Through the DUAB, the government has also expanded the list of lawful recipients to now include "a processor whose processing is governed by, or authorised in accordance with, a contract with the controller that complies with section 59", which outlines key elements that must be contained in any contract between a law enforcement controller and processor.

This includes specific details of the exact types of data, the categories of data subjects and the specific purpose of the processing, as well as explicit guarantees from the processor about how it will comply with all the requirements of Part Three.

However, given the international nature of the data sharing that takes place on commodity hyperscale architecture, cloud providers are either unable or unwilling to make contractual guarantees that satisfy all aspects of Part Three.

As Microsoft told the Scottish Police Authority (SPA), in relation to its Azure-hosted Digital Evidence Sharing Capability, the company cannot accept specific consent [to transfer data internationally] on a case-by-case basis as this would be impossible to operationalise.

All of this effectively means that under the DUAB, the data can be routinely offshored to jurisdictions with lower data protection standards, without adherence to LED conditions around strict necessity.

Similarly, while the LED provided a five-year grace period to ensure all legacy police systems could record justification logs for why a particular piece of information has been accessed (systems procured after May 2016 were required to have this capability from the start), most policing systems in the UK still do not have this capability.

Instead, the UK government has simply removed the requirement to record these justifications, arguing that the change will save police time and that the data has little evidentiary value because people are unlikely to record an honest justification anyway.

According to Owen Sayers (a long-term commentator on DPA Part Three compliance issues with more than 25 years of experience in delivering secure solutions to policing and the wider criminal justice sector), changing the law in this way will permanently diverge UK law from the LED requirements.

He added that while UK police have been breaking the law in practice since the DPA came into effect in May 2018, the law they were breaking was at least aligned to those in the European Union.

"Even though in practical terms the UK hasn't actually been protecting personal data as they're required to under the LED, their law did at least give recourse to a data subject to take action about this processing (even if no one actually did so)," he said.

"Once DUAB comes into force, however, the landscape has totally changed. Not only will UK law enforcement bodies be sending massive amounts of personal data (including a lot of data about EU citizens) offshore to a range of countries not deemed adequate by the EU, but UK law will have changed to make it legal for them to do so.

"By making these changes under DUAB, the government have thrown into sharp relief that law enforcement bodies are breaching the law today; they've literally confirmed it by modifying the law to give Microsoft and AWS this special status."

Computer Weekly contacted the Home Office about the threat to the UK's LED adequacy created by the government's proposed changes to the law enforcement data protection regime.

"We have introduced some targeted amendments in the Data Use and Access Bill to improve public trust and to drive up law enforcement efficiency by simplifying the legislation. We are committed to data adequacy and had the UK's adequacy decisions in mind when producing this bill," said a spokesperson. "Any changes to our data protection regime must not come at the expense of security, and high standards of protection will continue to be applied."

A Home Office source told Computer Weekly that the use of cloud providers in particular has caused some confusion, and that measures contained within the bill are intended to give law enforcement the confidence to use cloud processors.
However, they said the use of cloud services must not come at the expense of security and high standards of protection will continue to be applied.