Law Enforcement Directive
Guidance on Competent Authorities and Scope
What is the Law Enforcement Directive?
The Law Enforcement Directive, or ‘LED’, is a piece of EU legislation, parallel to the GDPR, which also has effect from May 2018. As suggested by its name, the LED deals with the processing of personal data by data controllers for ‘law enforcement purposes’ – which falls outside of the scope of the GDPR.
The LED is a Directive rather than a Regulation, and this requires transposition into Irish domestic law to take effect. This transposition is achieved through the Data Protection Act, 2018 (‘the Act’), primarily through ‘Part 5 – Processing of Personal Data for Law Enforcement Purposes’.
The Data Protection Commission (DPC) is set out in Part 5 of the Act as the ‘independent supervisory authority’ for the LED. Complaints regarding contraventions of the LED regime can be made to the DPC.
To Which Bodies Does the LED Apply?
It will be important to correctly identify cases in which the legal regime of the LED and Part 5 of the Data Protection Act, 2018 applies. The LED regime only applies in cases where the data controller is a ‘competent authority’, and the processing is done for ‘law enforcement purposes’.
However, this is not limited to processing by bodies who might be typically considered as ‘law enforcement authorities’ (such as An Garda Síochána), but to any processing for law enforcement purposes, carried out by a public or private body who fits the definition of ‘competent authority’ (such as local authorities when prosecuting litter fines, or Dublin Bus in relation to ticket offences). This means that a potentially very large number and variety of bodies might fall under the scope, and the applicability of this regime will need to be assessed on a case-by-case basis.
It is not as simple as presuming that all processing done by law enforcement authorities will fall under the LED regime, or that a private sector entity will not be subject to the LED – in the former case, the law enforcement authority may conduct data processing which has nothing to do with its law enforcement function (HR matters, procurement, etc.), and in the latter case, private sector entities may have been entrusted with public authority or be performing data processing contracted out to them by a public authority, where their processing is for law enforcement purposes.
There is effectively a two-step test to satisfy before you can determine whether the processing is question is within the scope of the LED and Part 5 of the Act;
- firstly, the data controller responsible for the processing in questions must be a ‘competent authority’ as defined by Section 69 of the Act; but
- secondly, the processing in question must actually be for ‘law enforcement purposes’, as defined in Section 70 of the Act.
If the first step of this test is met, but not the second, then – although the controller may ordinarily be a competent authority for the LED and Part 5 of the Act (such as An Garda Síochána) – in this case the processing in question does not fall under the scope. In such a case, the non-law enforcement processing being carried out by the competent authority, may fall within the scope of another legislative regime, such as the GDPR (for example processing for Garda HR matters).
Outlined below are some questions which may help data subjects and data controllers identify the cases in which processing will fall under the scope of the LED.
Key Questions when Determining if a Matter is within the Scope of the LED:
- the prevention of criminal offences
- the investigation of criminal offences
- the detection of criminal offences
- the prosecution of criminal offences
- the execution of criminal penalties