Law Enforcement Directive

Guidance on Competent Authorities and Scope

What is the Law Enforcement Directive?

The Law Enforcement Directive, or ‘LED’, is a piece of EU legislation, parallel to the GDPR, which also has effect from May 2018. As suggested by its name, the LED deals with the processing of personal data by data controllers for ‘law enforcement purposes’ – which falls outside of the scope of the GDPR.

The LED is a Directive rather than a Regulation, and this requires transposition into Irish domestic law to take effect. This transposition is achieved through the Data Protection Act 2018 (‘the Act’), primarily through ‘Part 5 – Processing of Personal Data for Law Enforcement Purposes’.

The Data Protection Commission (DPC) is set out in Part 5 of the Act as the ‘independent supervisory authority’ for the LED. Complaints regarding contraventions of the LED regime can be made to the DPC.

To Which Bodies Does the LED Apply?

It will be important to correctly identify cases in which the legal regime of the LED and Part 5 of the Data Protection Act 2018 applies. The LED regime only applies in cases where the data controller is a ‘competent authority’, and the processing is done for ‘law enforcement purposes’.

However, this is not limited to processing by bodies who might be typically considered as ‘law enforcement authorities’ (such as An Garda Síochána), but to any processing for law enforcement purposes, carried out by a public or private body who fits the definition of ‘competent authority’ (such as local authorities when prosecuting litter fines, or Dublin Bus in relation to ticket offences). This means that a potentially very large number and variety of bodies might fall under the scope, and the applicability of this regime will need to be assessed on a case-by-case basis.

It is not as simple as presuming that all processing done by law enforcement authorities will fall under the LED regime, or that a private sector entity will not be subject to the LED – in the former case, the law enforcement authority may conduct data processing which has nothing to do with its law enforcement function (HR matters, procurement, etc.), and in the latter case, private sector entities may have been entrusted with public authority or be performing data processing contracted out to them by a public authority, where their processing is for law enforcement purposes.

There is effectively a two-step test to satisfy before you can determine whether the processing is question is within the scope of the LED and Part 5 of the Act:

  • firstly, the data controller responsible for the processing in questions must be a ‘competent authority’ as defined by Section 69 of the Act; but
  • secondly, the processing in question must actually be for ‘law enforcement purposes’, as defined in Section 70 of the Act.

If the first step of this test is met, but not the second, then – although the controller may ordinarily be a competent authority for the LED and Part 5 of the Act (such as An Garda Síochána) – in this case the processing in question does not fall under the scope. In such a case, the non-law enforcement processing being carried out by the competent authority, may fall within the scope of another legislative regime, such as the GDPR (for example processing for Garda HR matters).

Outlined below are some questions which may help data subjects and data controllers identify the cases in which processing will fall under the scope of the LED.

 

Key Questions when Determining if a Matter is within the Scope of the LED

 

Is the body/entity in question a public authority, competent for law enforcement purposes?
Per Section 69(1)(a) of the Act; if so, then they may be a ‘competent authority’ and potentially subject to LED.
Is the body/entity in question any other body or entity authorized by law to exercise public authority and public powers for law enforcement purposes?
Per Section 69(1)(b) of the Act; if so, then they may be a ‘competent authority’ and potentially subject to LED.
Is the competent authority in question a data controller or processor?
See Section 69 of the Act for the definition of controller and processor.
Is the processing in question being carried out by or on behalf of the data controller?
Per Section 70(1), Part 5 only applies where processing is carried out by or on behalf of a data controller who is a competent authority.
Is the processing in question being carried out for the purposes of ;
  • the prevention of criminal offences
  • the investigation of criminal offences
  • the detection of criminal offences
  • the prosecution of criminal offences
  • the execution of criminal penalties
Per Section 70 of the Act, the LED and Part 5 may apply where the processing carried out by or on behalf of the controller is for any of the purposes listed. If the processing is for another purpose, and not for law enforcement purposes, the processing may not be in the scope of the LED and Part 5 – however it is then worth checking if the processing falls under the GDPR.
Is the processing in question occurring in the course of activity falling outside the scope of the law of the European Union ?
Per Section 70(2) of the Act, and Article 2(3) of the LED, such processing is not in the scope of Part 5 or the LED.
Is the processing in question being carried out by an institution, body, office or agency of the European Union?
Per Section 70(2) of the Act, and Article 2(3) of the LED, such processing is not in the scope of Part 5 or the LED.
Is the processing in question such to which section 8(1)(b) applies?
Per Section 70(2)(c) of the Act, such processing is not in the scope of Part 5. This covers processing under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018.