GDPR: Police Requesting Personal Data – Disclose?
"GDPR has legal force. What next? We were contacted by a prominent firm’s legal department seeking our opinion. The police sent them a request for personal data on a number of individuals. They were unsure how to handle the request under GDPR. Should they comply, or refuse the police’s request, insisting they obtain a court order first?
GDPR Exemption Legal Basis
The primacy of European Union law is a long-settled principle of jurisprudence. GDPR is European Union law; it is superior to UK law. Simply put, while the UK is a member of the EU, it cannot overrule an EU regulation by domestic legislation.
But GDPR itself provides Member States with limited empowerments to enact domestic legislation to circumscribe its provisions for limited purposes, per below:
GDPR states:
Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.
UK restrictions on GDPR
The UK has detailed its use of the above GDPR Article 23(1) empowerments to restrict GDPR in the domestic Data Protection Act 2018.
The principle exemptions are found in Schedule 2 listed here.
Germane to the discussion on disclosure of personal data to the police, s15 Clause 2(1) states:
The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—
(a)the prevention or detection of crime,
(b)the apprehension or prosecution of offenders, or
(c)the assessment or collection of a tax or duty or an imposition of a similar nature,
The law applied to the police request
The fundamental question the firm’s data controller must answer is: what legal basis would I rely on, that allows disclosure to police; and under what circumstances is this basis valid?
The answer is that, as highlighted, GDPR and more explicitly in the Data Protection Act 2018 allows for a data controller to reveal personal data to the police for:
(a)the prevention or detection of crime,
(b)the apprehension or prosecution of offenders, or
In the particular request we were shown, the Police had declined to tick the box: If this personal data is not disclosed it will prejudice the prevention or detection of crime or the apprehension or prosecution of a criminal.
Since the police is not using the above s15 Clause 2(1) exemption (as highlighted in bold above) it is unclear, therefore, how disclosing personal data would be legal in this case.
Furthermore, we were troubled with the broadness of the police’s request. While it is not for the data controller to be privy to the intricacies of the police investigation, he has every right (some would say duty) to engage in a discussion with the police about what is necessary for the prevention or detection of crime.
We suggested the firm refuse this particular request, and seek clarification as to why they had declined to tick the box: If this personal data is not disclosed it will prejudice the prevention or detection of crime or the apprehension or prosecution of a criminal.
Summary
GDPR does not impede legitimate police or national security work. Legislators have baked in exemptions for the same in Article 23. Clearly, there are times when the police have a legitimate need to access Personal Data in order to do their work. However, the Data Controller, by definition is the gatekeeper of Data Subjects’ Personal Data and this exemption from GDPR should not give the police a carte blanche to run roughshod over data protection legislation simply because bulk obtaining of citizens’ Personal Data is easier than targeted police investigations.
The Data Controller must tread a fine line in not impeding legitimate police work and being overly forthcoming with Subject’s Personal Data when it may strictly speaking not be required.
Each request should be considered on its merit with the benefit of the doubt going to the authorities in borderline cases.
GDPR Article 23(1)
AI
