![[2025] UKUT 319 (AAC)](https://backend.juristeca.com/files/emisores/logo_3a2BKne.png){kind=logo}
The Law Enforcement Directive
The Law Enforcement Directive
As we have set out above, Article 2(2)(d) of the GDPR excludes from scope the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Such processing is addressed by a specific directive applicable to law enforcement: Directive (EU) 2016/679 (“the Law Enforcement Directive”).
A “competent authority” is defined by Article 3(7) of the Law Enforcement Directive in the following terms:
“(a) any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or
(b) Any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.
- Heading
- The decision of the Upper Tribunal is to allow the appeal The decision of the First-tier Tribunal made on 17 October 2023 was materially in error of law. It is SET ASIDE under section 12(2)(a) of the Tribunals, Courts and Enforcement Act 2007 (“TCEA
- REASONS FOR DECISION
- Introduction
- The decision under appeal
- A summary of the relevant factual background
- The FTT’s decision
- The FTT’s findings of fact
- The FTT’s conclusions
- The issues in this appeal
- Appeal ground 1
- Appeal ground 2
- Appeal ground 4
- Additional Reason 1
- The scope of the appeal - admitting the additional reasons arguments for consideration
- Permitting Privacy International to intervene in the appeal
- Permitting Clearview to rely on a written reply to Privacy International’s skeleton argument
- Reliance on the evidence filed by Privacy International
- Reliance on legal arguments not raised before the FTT
- Legal framework
- Relevant legislative provisions
- The GDPR
- The UK GDPR
- “Article 2 This Regulation applies to the automated or structured processing of personal data, including
- 1A. This Regulation also applies to the manual unstructured processing of personal data held by an FOI public authority This Regulation does not apply to
- “Article 3
- The 95 Directive
- The Law Enforcement Directive
- State immunity and foreign act of state
- Material scope: the caselaw
- Territorial scope: the caselaw
- The Travaux in respect of the GDPR
- The EDPB Guidelines
- Data subjects in the Union
- The burden of proof in appeals against ICO Notices
- Analysis
- The parties’ positions on material scope in brief
- What the FTT decided in relation to Article 2(2)(a)
- General approach to construction of the GDPRs
- Domestic authorities on comity, extra-territoriality and utility
- EU authorities on extra-territorial effect and comity
- Certainty and foreseeability
- Proportionality
- EU law authorities on the construction of Article 2(2)(a) of the GDPR
- Relevant comity principles
- Our construction of Article 2(2)(a)
- Analysis of Clearview’s proposed intersectional construction
- Alternative analysis based on the ICO’s construction
- Would regulation of Clearview’s data processing breach comity principles?
- Article 3(2)(b) GDPR: territorial scope
- What was the policy objective behind Article 3(2)(b)?
- The meaning of “related to” in Article 3(2)(b)
- The meaning of “behavioural monitoring” in Article 3(2)(b)
- Ground 1
- Ground 2
- Ground 3
- Ground 4
- Clearview’s Additional Reasons
- Additional Reason 1
- Additional Reason 2
- Additional Reason 3
- Additional Reason 4
- Conclusions