Law enforcement requests under the Data Protection Act 2018
Intellectual Property & Data Protection Law 12/07/2023
Section 41(b) of the Data Protection Act 2018 permits a data controller to disclose personal data to a third party for a purpose other than the purpose for which it was collected where “necessary and proportionate for the purposes of preventing, detecting, investigating or prosecuting criminal offences”. Requests for the disclosure of personal data from controllers in Ireland are commonly made by An Garda Síochána, the Revenue Commissioners, the Department of Social Protection or State regulatory bodies in the exercise of their functions, referred to as “law enforcement requests” or “LERs”.
Section 41(b) does not, by itself, impose a mandatory obligation on the recipient of such a request to disclose the data requested. Section 41(b) is permissive (by reference to the ‘purpose limitation’ principle in Article 5(1)(b) of the General Data Protection Regulation (GDPR) that would otherwise apply to potentially restrict the disclosure of personal data). The general principles of Article 5 GDPR should still be considered, as well as the applicable legal basis for processing under Article 6 and (where special category personal data is applicable) Article 9 of the GDPR.
In its Guidance on Legal Basis for Processing of December 2019, the Irish Data Protection Commission clarified that the obligation to disclose personal data must derive from European Union law or Member State law and be one “to which the controller is actually subject”. As a result, a request from law enforcement that merely cites Section 41(b) is not sufficient on its own to oblige the data controller to disclose the data or records requested.
On receipt of a law enforcement request for the disclosure of data, the following should be considered:
Has a formal request been made?
If a written formal request specifying the data being requested has not been made, the controller should obtain this from an identified member of the requesting authority, issued from an official email address or on official letterhead. The request should confirm that the records sought are necessary and proportionate for the purpose of the investigation and/or prosecution of a criminal offence.
Is there a legal basis for disclosing the personal data?
The controller receiving a request for disclosure of personal data from a law enforcement authority should identify a legal basis for disclosure of that personal data under Article 6 (and/or Article 9) of the GDPR. Examples would be:
- production by the requesting authority of an Irish warrant or court order or an order issued by a regulator under its legislative powers will provide a legal basis for disclosure under Article 6(1)(c) where the personal data being disclosed is covered by the terms of the warrant or order, as disclosure would be necessary to comply with a legal obligation to which the controller is subject (in this instance the production of a warrant or court order may not necessarily be accompanied by a Section 41(b) notice request as there is a legal compulsion on the controller to comply with the terms of the warrant or court order);
- citation in the request of a legislative basis compelling disclosure (e.g. criminal, revenue, social welfare or regulatory legislation), in which case the applicability of that legislation to the controller and to the personal data being requested should be verified (prior to disclosure of the personal data); and
- the nature of the written request and circumstances may allow the controller to identify an alternative basis. For example: (i) necessity to protect the vital interests of a natural person under Article 6(1)(d), such as in cases of emergency or threat to life or health of an individual or (ii) where pursuant to Article 6(1)(f) of the GDPR, the disclosure is necessary and proportionate to pursue a legitimate interest of the controller which overrides the risks to the rights and freedoms of the data subject whose data is contained in the records.
If the decision is taken to share data with the relevant law enforcement authority, share only the minimum amount that is required by reference to the relevant legal basis and the purposes outlined by the requesting authority. Also, maintain a record of the lawful basis relied upon.