68
BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT
7.14. If such an MLA request is accepted by the central authority, it will be referred
for consideration by the appropriate public authority in the UK. The application may
then be considered and, if appropriate, executed by that public authority under
section 22 of RIPA and in line with the guidance in this code of practice.
7.15. In order for a notice or authorisation to be granted, the United Kingdom
public authority must be satisfied that the application meets the same criteria of
necessity and proportionality as required for a domestic application.
Non-judicial co-operation
7.16. Public authorities in the United Kingdom can receive direct requests for
assistance from their counterparts in other countries. These can include requests for
the acquisition and disclosure of communications data for the purpose of preventing
or detecting crime. On receipt of such a request, the United Kingdom public authority
may consider seeking the acquisition or disclosure of the requested data under the
provisions of Chapter II of Part I of RIPA.
7.17. The United Kingdom public authority must be satisfied that the request
complies with United Kingdom obligations under human rights legislation. The
necessity and proportionality of each case must be considered before the authority
processes the authorisation or notice.
Disclosure of communications data to overseas authorities
7.18. Where a United Kingdom public authority is considering the acquisition of
communications data on behalf of an overseas authority and transferring the data to
that authority, it must consider whether the data will be adequately protected outside
the United Kingdom and what safeguards may be needed to ensure that. Such
safeguards might include attaching conditions to the processing, storage and
destruction of the data.
7.19. If the proposed transfer of data is to an authority within the European Union,
that authority will be bound by the European Data Protection Directive (95/46/EC)
and its national data protection legislation. Any data disclosed will be protected there
without need for additional safeguards.
7.20. If the proposed transfer is to an authority outside of the European Union and
the European Economic Area (Iceland, Liechtenstein and Norway), then it must not be
disclosed unless the overseas authority can ensure an adequate level of data
protection. The European Commission has determined that certain countries, for
example Switzerland, have laws providing an adequate level of protection where data
can be transferred without need for further safeguards.
7.21. In all other circumstances, the United Kingdom public authority must decide
in each case, before transferring any data overseas, whether the data will be
adequately protected there. The Information Commissioner has published guidance on
sending personal data outside the European Economic Area in compliance with the
Eighth Data Protection Principle, and, if necessary, his office can provide guidance.
7.22. The DPA recognises that it will not always be possible to ensure adequate
data protection in countries outside of the European Union and the European
Economic Area, and there are exemptions to the principle, for example if the transfer
of data is necessary for reasons of ‘substantial public interest’. There may be
circumstances when it is necessary, for example in the interests of national security,
for communications data to be disclosed to a third party country, even though that
country does not have adequate safeguards in place to protect the data. That is a