ARTICLE
11 August 2025

A Practitioner's Perspective On Cyber Investigations In The United Kingdom

BS
BCL Solicitors LLP


England and Wales has no single body of cybersecurity law; instead a patchwork of statutes supplemented by the common law criminalise unauthorised access to data and regulate lawful access to it. This chapter sets out the key laws in the UK defending against unlawful access to data, the applicable statutory regimes when UK law enforcement agencies (UKLE) wish to obtain access to it and when data controllers process 'personal data', and the agencies that protect data in the UK. The chapter then discusses the data-related issues arising in non-state authority investigations, the role of legal professional privilege (LPP) in cyber investigations and the ongoing relevance of Britain's departure from the European Union for the UK's data protection regime.

Key legislation penalising unlawful access to data

The most significant UK laws imposing sanctions for unlawful access to data are the Computer Misuse Act 1990 (CMA), Part 1 of the Investigatory Powers Act 2016 (IPA), the Wireless Telegraphy Act 2006 (WTA) and the Data Protection Act 2018 (DPA).

Computer Misuse Act 1990

Despite its age, the CMA remains the principal criminal law deterrent to computer interference. Its basic offence is committed where: (1) a person causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured; (2) the access the person intends to secure or to enable is unauthorised; and (3) the person knows, at the time of causing the computer to perform the function, that this is the case.1

Securing access to a computer or a program encompasses many different actions, including using the computer or data, altering or erasing data, or copying or moving data.2 'Computer' is not defined in the CMA.3 Access is unauthorised if it is obtained by a person who is not entitled to control access without the consent of such a person.4 There is currently no 'public interest' defence for unauthorised access.5

The CMA creates further offences where unauthorised access is sought with a view to committing other offences (e.g., theft or fraud);6 or to impair the operation of a computer,7 which would include implanting viruses or spyware and mounting distributed denial-of-service attacks. The CMA also criminalises the obtaining, making, adapting, supplying or offering of articles for use in committing CMA offences.8 The most serious offence under the CMA is committed if: (1) a person does any unauthorised act in relation to a computer; (2) at the time the person knows that the act is unauthorised; (3) the act causes or creates a significant risk of serious damage of a material kind; and (4) the person intends to cause serious damage of a material kind or is reckless as to whether such damage is caused.9 For the purposes of this offence, damage is of a 'material kind' if it constitutes damage to human welfare or the environment in any place, the economy of any country or any country's national security.10

The increasing number of incidents involving suspected computer misuse in England and Wales11 contrasts sharply with the relatively infrequent prosecution of CMA offences.12 In part, this reflects low reporting of such offences.13 However, another factor may be Crown Prosecution Service guidance, which states that, when a CMA offence is committed to facilitate a more serious offence (such as fraud or blackmail), prosecutors should consider charging only the more serious offence.14

In February 2023, the Home Office consulted on possible amendments to the CMA, including the introduction of a power for law enforcement agencies to require the preservation of computer data before its seizure to prevent it being deleted where it may be needed for an investigation. As yet, no formal proposals for reform have been put forward.

Part 1 of the Investigatory Powers Act 2016

The IPA criminalises the intentional interception in the UK of a 'communication'15 in the course of its transmission by means of a public or private 'telecommunications system'16 where the person intercepting the communications does not have 'lawful authority'.17 Similarly, the IPA makes it a criminal offence for an officer of a public authority to obtain – intentionally or recklessly – 'communications data'18 from a 'telecommunications operator'19 without lawful authority.20 Both offences carry potential custodial penalties.21

Wireless Telegraphy Act 2006

Where 'bugging' would not already be caught by the prohibition on unlawful interception contained in the IPA, it may nevertheless be criminalised by the WTA if wireless telegraphy apparatus is used both without lawful authority and with the intention of obtaining information about the sender, content or addressee of a message, or where information obtained in this way is disclosed.22 The use of hidden recording devices for covert surveillance may be caught by these provisions. The maximum penalty for committing this offence is a fine.23

Data Protection Act 2018

The DPA contains a number of criminal offences protecting 'personal data'.24 The offences include knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller ('blagging'), procuring such disclosure, or retaining personal data after obtaining it without the consent of the person who was the data controller when it was obtained.25 Statutory defences to these offences include where the obtaining, disclosing, procuring or retention was necessary for the purposes of preventing or detecting crime or was in the public interest.26 The DPA also makes it an offence to offer or sell 'blagged' personal data; to 're-identify' de-identified (anonymised or pseudonymised) personal data without the controller's consent; or to process such re-identified data.27

UK law enforcement access to data

The UK has multiple public authorities, many of which have dedicated 'general information-gathering powers'28 to perform their statutory functions. However, the key legislative means by which UKLE obtain access to data, particularly for the purposes of criminal investigations and prosecutions, are found in the IPA, the Crime (Overseas Production Orders) Act 2019 (COPOA), the Police and Criminal Evidence Act 1984 (PACE), the Proceeds of Crime Act 2002 (POCA), the Terrorism Act 2000 (TA), the Police Act 1997 (PA) and the Intelligence Services Act 1994 (ISA).

Investigatory Powers Act 2016

The IPA was introduced in response to heightened scrutiny of the surveillance activities of UK public authorities, including the collection and use of communications and communications data. It provides a comprehensive framework for public authorities to obtain communications and communications data; undertake electronic surveillance more generally (including through 'hacking'); and access personal data held in large datasets. Data obtained by these means may be used as intelligence or evidence, though the content of intercepted communications is generally inadmissible in legal proceedings.29

The powers in the IPA cover five primary areas of activity:

  • interception warrants (specific and bulk);
  • obtaining communications data (including bulk acquisition warrants);
  • retention of communications data;
  • equipment interference (including bulk equipment interference); and
  • using bulk datasets.

The IPA imposes duties on telecommunications operators to comply with the warrants and notices issued under its provisions.30 'Telecommunications operator' is defined in such a way that these obligations are deemed to have extraterritorial effect.31 The obligation to comply with an interception warrant is reinforced by the possibility of criminal prosecution and civil proceedings for an injunction for specific performance.32 Where the IPA provides, other obligations may also be enforced by civil proceedings for an injunction requiring specific performance.33

The IPA provides a framework for oversight, which includes the establishment of the Investigatory Powers Commissioner and new provisions governing the Investigatory Powers Tribunal (itself created by the Regulation of Investigatory Powers Act 2000), including a right of appeal from its decisions.34 It also aims to ensure compliance with the Human Rights Act 1998 and the European Convention on Human Rights.

Crime (Overseas Production Orders) Act 2019

Recognising the importance of international cooperation in tackling cross-border crime, the UK and US signed a Data Access Agreement (DAA) in 2019. This was principally aimed at facilitating the acquisition of electronic data from US tech companies by overcoming the lengthy delays experienced with Mutual Legal Assistance requests.35 In the UK, COPOA was enacted to facilitate the DAA's operation.

Under COPOA, specified law enforcement agencies including the Serious Fraud Office (SFO), Financial Conduct Authority (FCA) and His Majesty's Revenue & Customs (HMRC) may apply to the Crown Court for an order directly requiring persons36 to produce or grant access to electronic data for the purposes of investigating and prosecuting indictable or terrorist offences.37 Respondents must be given notice of applications unless the court directs otherwise, allowing for representations on the scope of the application and the practicality of compliance prior to an order being made. Recipients of an Overseas Production Order38 (OPO) must produce the data within a specified time frame or face contempt proceedings.39

The DAA began operating in October 2022. A US report in November 2024 revealed that, in its first two operational years, just 37 OPOs were issued to US Covered Providers in support of criminal investigations by UK authorities. (By contrast, during the same period, over 20,000 IPA interception warrants and communications data notices, which are also transmitted under the aegis of the DAA, were issued).40

Police and Criminal Evidence Act 1984, Proceeds of Crime Act 2002 and Terrorism Act 2000

The police may obtain a search warrant from a magistrate authorising them to enter and search premises for material likely to be relevant evidence of an indictable offence.41 When, during the execution of a search warrant, it is not reasonably practicable for the police to ascertain on site whether an electronic device contains material they are entitled to seize, they may remove the device from the premises to make that determination elsewhere.42

Production Orders issued by a judge43 under PACE may also require the production of material that is likely to be relevant evidence to the investigation of an indictable offence.44 Production orders are also available under POCA and the TA.

Police Act 1997 and Intelligence Services Act 1994

Actions that would otherwise be considered unlawful in relation to private property are permitted when taken by state agencies in the interests of national security, and for the prevention and detection of serious crime, in accordance with the various authorisation regimes established under the IPA, the PA and the ISA.

The PA permits the authorisation of interference with property and wireless telegraphy where it is necessary and proportionate.45 Authorisation may be issued by an authorising officer. However, where the property affected is someone's home, office premises or where there is knowledge that confidential, journalistic or legal professional privilege (LPP) material will likely be acquired, prior approval of a Judicial Commissioner is required.46

The ISA provides a mechanism, on an application by intelligence agencies, for the Secretary of State to authorise interference with property or wireless telegraphy (subject to the requirements of necessity and proportionality).47

Processing of personal data by controllers

When 'processing'48 personal data, 'controllers'49 must comply with the provisions of the UK General Data Protection Regulation (UK GDPR).

UK General Data Protection Regulation

The UK's data protection regime has remained largely unchanged since before Brexit. On 28 June 2021, the European Commission (EC) adopted a data protection 'adequacy decision' in favour of the UK allowing the continued free flow of data between the EU and the UK.

The UK GDPR applies to the processing of personal data by both organisations operating within the UK and those operating outside the UK that offer goods or services to individuals in the UK. It also applies to the monitoring of behaviour taking place in the UK.50 It does not apply to processing by 'competent authorities' (e.g., the police or National Crime Agency (NCA)) for law enforcement purposes,51 by the intelligence services52 or by individuals for purely domestic or household activities.53

Article 5 of the UK GDPR stipulates that personal data must be processed in accordance with seven core principles including lawfulness, fairness and transparency, accuracy, and integrity and confidentiality. Breaches of these principles can lead to Information Commissioner's Office (ICO) enforcement (see below).54 There is no automatic entitlement to damages as a result of a breach,55 but those suffering some damage (including distress) from a breach may seek compensation from the controller or processor concerned.56 There have been relatively few reported decisions about the appropriate level of damages for distress claims. Awards tend to be in the low thousands,57 although awards of £250 may be made for cases 'at the lowest end of the spectrum'.58

Amplifying the lawfulness, fairness and transparency principle, Article 6 of the UK GDPR provides six bases for the lawful processing of personal data, including consent, compliance with a legal obligation, legitimate interest and public interest.

The UK GDPR also distinguishes between personal data and 'special category personal data', the latter including data identifying a person's sexual orientation, political opinions or ethnic origin, health data or biometric data.59 Under Article 9, the processing of these types of data is unlawful unless one of the exceptions in Article 9(2) applies, one of which is explicit consent (the word 'explicit' implying a higher degree of consent than under Article 6).

In June 2025, the UK Parliament passed the Data (Use and Access) Bill. Once it comes into force, the Data (Use and Access) Act (DUAA) will not alter the fundamental principles of the current UK data protection regime, but it will introduce several significant changes. These include a list of recognised 'legitimate interests' that automatically meet the lawful processing threshold (discussed further below). The Secretary of State will have the power to add to or vary the list of recognised legitimate interests and to designate new special categories of personal data and processing activities that fall under the processing prohibition in Article 9(1). The DUAA will also abolish the ICO and transfer its functions to a new Information Commission.

Law enforcement agencies and other bodies involved in UK data protection

The National Cyber Security Centre (NCSC)60 performs both a preventative and an incident response function, deploying expert technical skills to mitigate the impact of serious cyber security incidents. In the King's Speech in July 2024, the Labour Government announced plans to publish a Cyber Security and Resilience Bill to update the UK's legacy cyber regulatory framework, and to ensure essential safety measures are being implemented.61 Further details of the scope of the proposed legislation were published by the government in April 2025.62

The NCSC's work is complemented by that of the National Cyber Force (NCF), established in 2020, which draws on the resources of Government Communications Headquarters (GCHQ), the Ministry of Defence (MoD), the Defence Science and Technology Laboratory and the Secret Intelligence Service (SIS).63 The NCF is responsible for countering online threat actors, supporting the NCSC's work regarding the confidentiality, integrity and availability of data and services in cyberspace and enabling UK defence operations.

The ICO enforces the DPA and the UK GDPR, both through administrative and civil means, and by bringing criminal prosecutions for DPA offences. Additionally, the ICO regulates compliance with the Network and Information Systems Regulations 2018 (as the competent authority for relevant digital service providers), the Privacy and Electronic Communications Regulations 2003 and the Freedom of Information Act 2000.

The NCA64 is the law enforcement body with primary responsibility for investigating cyber-attacks (prosecutions arising from its investigations are brought by the Crown Prosecution Service). It operates within the UK's National Cyber Crime Network, an integrated nationwide system operating at national, regional and local levels. The NCA's National Cyber Crime Unit (NCCU) tackles serious cybercrime incidents, both nationally and internationally, and offers technical assistance within the NCA itself and to other law enforcement agencies, including through technical interception of communications. The NCCU works in conjunction with the UK's Regional Organised Crime Units (ROCUs), the Metropolitan Police Cyber Crime Unit and other strategic partners to tackle serious and organised crime including cyber-attacks. The NCCU and ROCUs are complemented by Local Cyber Crime Units embedded within each police force.

Voluntary disclosure to the NCA of information relevant to its functions is encouraged using the information sharing gateway created by the Crime and Courts Act 2013. This gateway absolves informants using it from actions for breach of confidence in the UK and disapplies other restrictions on disclosure.65 As with other offences, criminal cases arising from NCA investigations must satisfy the Full Code Test in The Code for Crown Prosecutors,66 meaning there must be a realistic prospect of conviction and any prosecution must be in the public interest.

Other bodies have assumed secondary regulatory oversight roles for cybersecurity. For example, Principle 11 of the Financial Conduct Authority (FCA) Handbook requires regulated firms to notify the FCA of 'material cyber incidents' (e.g., those resulting in significant data loss affecting a large number of customers).67 In 2023, the FCA fined Equifax Ltd over £11 million for inadequate cybersecurity, which allowed hackers to access the personal data of more than 13 million UK individuals.

ICO enforcement regime & activity

The ICO's role includes monitoring and enforcement, promoting awareness of controller and processor obligations, and providing mutual assistance to overseas supervisory authorities.68

The ICO's specific enforcement powers are detailed in Parts 5 and 6 of the DPA, and include the right to seek a warrant for entry and inspection where controllers or processors of personal data are suspected of failing to comply with certain UK GDPR provisions, or where a DPA offence is suspected.69 A warrant may only be granted where a judge is satisfied that the matter is urgent or that advance warning would undermine the search. In all other cases, the ICO must give seven days' written notice to the occupier as one of several preconditions for the issue of a search warrant.70 Prudent controllers and processors will have a 'dawn raid' plan in place for 'no-notice search warrants', which would include ensuring reception staff know who to contact, and having an internal and external team in place to deal with incidents, including the identification of legally privileged material exempt from inspection and seizure.71 Once the DUAA comes into force, the DPA will be amended to give the ICO the power to compel controllers, processors and current or former employees to attend for interview where certain breaches of the UK GDPR or criminal offences under the DPA are suspected.72

It is a criminal offence intentionally to obstruct the ICO in the execution of a search warrant, to fail to provide reasonable assistance in the execution of the search warrant without reasonable excuse, or to give a deliberately or recklessly false explanation of any document or other material found on the premises.73 During the execution of a search warrant, occupiers should make careful records (and where possible take copies) of all information and systems accessed by the ICO. The ICO may exercise reasonable force when executing a search warrant.74

Article 83 of the UK GDPR sets out two categories of UK GDPR infringement. Monetary penalty notices (MPNs) for such infringements can be as high as 4 per cent of global annual turnover or £17.5 million, whichever is higher, for the most serious incidents. Before issuing an MPN, the ICO must serve a notice of intent, setting out the circumstances of the breach, the ICO's investigation findings, and the proposed level of penalty, with the recipient having 21 days to make representations about the imposition of a penalty and its level, prior to final decision.75 A recipient may appeal an MPN to the First-tier Tribunal (General Regulatory Chamber), which hears information rights appeals.76

In 2022, the ICO began trialling a 'public sector approach' (PSA) in which, to improve data protection compliance by the public sector, the data regulator would make greater use of its powers to issue warnings, reprimands and enforcement notices, and would issue MPNs only in egregious cases. During the trial period, the ICO issued just four MPNs to public sector organisations totalling just £1.2 million.77 In its post-implementation review in September 2024, the ICO found that published reprimands, which carry reputational risk and thus drive organisational change, were regarded as an effective deterrent to infringements of data protection rules and were a means of raising data protection standards by sharing best practices.78 As a result, the ICO has decided to adopt the PSA as a standard part of its approach, albeit the regulator announced a consultation to refine the scope of the entities to which the PSA might be applied and the circumstances that might lead to the imposition of an MPN on public sector organisations.79

More generally, unfavourable comparisons have been drawn between the ICO's unwillingness to impose MPNs and the approach taken by EU data supervisory authorities. During 2024, the ICO imposed a total of 18 MPNs to the value of £2.7 million. During the same period, by contrast, the Irish Data Protection Commission (DPC) imposed fines totalling over £500 million and the Dutch supervisory authority imposed a fine of £241 million on Uber alone.80 Notwithstanding criticism, the UK's Information Commissioner has doubled down on his approach, arguing in the media that he did not believe that the quantum or volume of fines was a proxy for regulatory impact.81 Where appropriate, the ICO continues to prosecute criminal breaches of the laws protecting data.82

Non-state authority investigations

Organisations wishing to investigate suspicions of wrongdoing or seeking to ensure they meet ongoing legal, regulatory and employment obligations may undertake internal investigations. Such investigations engage a variety of legal frameworks including criminal, employment and whistleblowing protection. They usually also involve processing personal data, meaning that data protection laws must also be considered. As far as the UK is concerned, this necessitates consideration of the requirements in the UK GDPR and the DPA.83

The key obligations under UK data protection law are transparency,84 lawful processing,85 data minimisation and (where data will be transferred overseas from the UK) ensuring that the transfer is permitted under Chapter V of the UK GDPR.

Meeting transparency obligations involves informing individuals in an accessible and straightforward manner about certain minimum information including how their personal data is being used, the lawful basis for doing so, who will receive their personal data and the data retention period.86 Several exemptions apply to transparency obligations. In the context of internal investigations, those most likely to be relevant are where the data subjects already have the information,87 where compliance would seriously impair the achievement of the objectives of the processing88 or where it would be likely to prejudice the prevention or detection of crime.89 Where employee communications (e.g., voicemail) are accessed as part of an internal investigation, this constitutes 'interception' for the purposes of the IPA90 and could result in the commission of a criminal offence unless done with 'lawful authority'.91 In the context of internal investigations, this means with the consent of the parties to the communication92 or in compliance with the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018.93

For the processing of personal data to be lawful, one of the lawful bases in Article 6 of the UK GDPR must apply. As regards internal investigations, 'legitimate interests' is likely to be the most appropriate lawful basis,94 though data controllers should satisfy themselves of this by undertaking a 'legitimate interests assessment' (LIA).95 When the DUAA is brought into force, certain 'recognised legitimate interests' will automatically justify the processing of personal data without the need for an LIA, including processing for the purposes of detecting, investigating or preventing crime.96 Where 'special category personal data' (see above) and 'criminal offence'97 data will be processed, consideration must also be given to the additional processing requirements in Articles 9 and 10 of the UK GDPR.

Satisfying the data minimisation principle98 requires that no more personal data is processed than is necessary to achieve the purpose of the processing.99 The scope of the internal investigation should therefore be clearly defined at the outset and precautions taken (e.g., date ranges, particular custodians, etc.) to ensure that only relevant personal data is processed.

Where personal data is transferred outside the UK as part of an internal investigation, care must be taken to ensure compliance with one of the conditions described in Articles 45–49 of the UK GDPR. In some instances, an adequacy decision will be in place confirming an appropriate level of data protection in 'third countries'.100 For example, as a result of adequacy decisions in each other's favour, the UK and EU may at present freely exchange personal data. Similarly, by virtue of the EU–US Data Privacy Framework and the UK Extension,101 UK and EU data controllers may transfer personal data to participating organisations in the US. Data controllers wishing to send personal data to US organisations that are not EU–US Data Privacy Framework participants, or to another third country, should undertake a Transfer Risk Assessment102 to identify a suitable alternative legal mechanism for transferring personal data while maintaining appropriate levels of data protection.103

Privileged investigations in the UK

LPP grants parties the right to withhold documents from inspection by the courts and public authorities, including the police and regulatory agencies.

What is LPP?

The UK Supreme Court has emphasised that LPP is a 'fundamental condition on which the administration of justice as a whole rests'.104 It grants parties the right to withhold certain documents or information from production in court. It protects the right of individuals to consult legal advisers without fearing that the communication will be revealed. LPP can also protect communications in the context of legal proceedings.

Once LPP attaches to a document, it will remain in place unless it is expressly waived by the client, or by their legal adviser with the client's consent.105 Whether or not LPP attaches to a document involves the application of English legal principles regardless of whether the advice was given by domestic or foreign lawyers, concerns foreign law106 or would not be privileged in a foreign jurisdiction.107

There are two types of LPP: litigation privilege and legal advice privilege.

Litigation privilege

Litigation privilege attaches to confidential communications between clients and lawyers or third parties where the communication is created for the dominant purpose of ongoing or reasonably contemplated civil or criminal litigation.108

For litigation privilege to apply, it is crucial that adversarial legal proceedings are either in existence or are reasonably contemplated. Establishing whether criminal proceedings are in reasonable contemplation is a fact-specific exercise.109

Legal advice privilege

Legal advice privilege attaches to confidential communications between clients and lawyers where the purpose of the communication is for giving or receiving legal advice.110 It extends to communications made and documents created in the course of providing that legal advice, including a lawyer's attendance note of a privileged conversation with their client111 and documents created by a lawyer's client relating to the subject matter of legal advice where the dominant purpose of the document is to obtain legal advice.112

Where separate privileged and non-privileged parts of a document can be identified, a claim to legal advice privilege may be maintained over the privileged sections.113 Legal advice privilege attaches only to communications between the lawyer and those individuals who are authorised to obtain legal advice on an entity's behalf. It does not extend to communications between the solicitors and employees or officers of the client who lack that authority.114

Statutory exceptions to LPP

Parliament can abrogate the right to LPP through express statutory words or necessary implication.115 An example of this is found in the IPA, which, subject to strict statutory safeguards, provides for the authorisation of warrants involving LPP material.

UK government's guidance for investigations concerning electronic data and LPP

The Attorney General's Guidelines on Disclosure (the 'Guidelines') state that digital material should not be seized if there are reasonable grounds to believe it is subject to LPP, unless it is seized under statutory seize and sift powers in the Criminal Justice and Police Act 2001.116

The Guidelines prescribe the steps investigators must take when they seize LPP material or material suspected of being LPP, including:117

  • LPP material must be isolated from other seized material and members of investigative or prosecution teams should not have access to it;
  • potential LPP material must be reviewed by an independent lawyer; and
  • if search terms or other filters are used to search for LPP in large volumes of material, this must be done by someone independent and not connected with the investigation.

The independent lawyer and anyone else who deals with LPP material must record how it was handled, who had access to it and the decisions made in relation to it.

Implications of Brexit for UK data regulation

In June 2021, in the wake of the UK's departure from the EU, the EC granted a data adequacy decision in the UK's favour. However, the decision was subject to a four-year 'sunset clause', meaning that the decision would have automatically expired on 27 June 2025 unless renewed. In the meantime, the EC warned that it would monitor standards of UK data protection in case they deviated from the level of protection throughout the EU.118 Concern was expressed in some quarters that elements of the previous government's data reform proposals were jeopardising the essential equivalence of data protection standards between the UK and EU.119

In October 2024, the House of Lords European Affairs Committee wrote to the Secretary of State for Science, Innovation and Technology highlighting the grave consequences of losing data adequacy and urging the government to engage with the EC expeditiously to ensure its renewal.120 In reply, the Secretary of State made clear the importance that the government placed on maintaining 'adequacy' and indicated that the Data (Use and Access) Bill (see above) had been developed with the adequacy decision in mind. Highlighting the ongoing EU influence on UK data protection, the Secretary of State indicated that Home Office officials were updating the EC on the Bill's progress as it passed through Parliament.

In March 2024, the EC proposed a six-month extension to the UK's adequacy decision until 27 December 2025 to allow time for the Data (Use and Access) Bill to complete its parliamentary stages.121 Following this, the EC will reassess adequacy based on the UK's data protection framework as amended by the DUAA.

Cyber investigative trends

Given the volume of digital material involved in many investigations, it is unsurprising that state authorities are increasingly turning to artificial intelligence as a means of saving manpower, conserving resources and achieving swifter outcomes.122 Despite concerns over privacy, inadequate transparency and inaccuracy, the possibility of making evidential connections between clues strewn across multiple disparate databases and open-source intelligence is an alluring prospect for investigators. Some estimates put the potential time saving for law enforcement investigations as high as 35 per cent.123 While many people would applaud the efficiencies of algorithmic investigative techniques, they risk provoking significant unease as their use becomes more widespread and they are exploited for new and controversial purposes.124

Footnotes

1 Section 1 of the CMA, carrying a maximum sentence of two years' imprisonment.

2 Section 17(2) of the CMA.

3 In DPP v. McKeown; DPP v. Jones [1997] 2 Cr. App. R. 155 HL, Lord Hoffmann defined a 'computer' as 'a device for storing, processing and retrieving information.' The Budapest Convention defines a 'computer system' as 'any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data.'

4 Section 17(5) of the CMA.

5 R v. Coltman [2018] EWCA Crim 2059.

6 Section 2 of the CMA, carrying a maximum sentence of five years' imprisonment.

7 Section 3 of the CMA, carrying a maximum sentence of 10 years' imprisonment.

8 Section 3A of the CMA, carrying a maximum sentence of two years' imprisonment.

9 Section 3ZA of the CMA, carrying a maximum sentence of life imprisonment.

10 Section 3ZA(2)(d).

11 https://www.ons.gov.uk/aboutus/transparencyandgovernance/freedomofinformationfoi/cybercrimelevels2019to2024.

12 In 2020, there were only 45 prosecutions under the CMA (https://hansard.parliament.uk/commons/2022-04-19/debates/AE9413F3-D4F2-44EC-890E-75B0250328C4/ComputerMisuseAct1990#:~:text=Coupled%20with%20that%2C%20there%20were,average%20fine%20just%20%C2%A31%2C203).

13 The Office for National Statistics reports that 1 in 15 computer misuse offences were reported to the police or Action Fraud in the year ending September 2024 (https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/bulletins/crimeinenglandandwales/yearendingseptember2024#computer-misuse).

14 https://www.cps.gov.uk/legal-guidance/computer-misuse-act.

15 Broadly defined in Section 261(2) of the IPA, and including anything comprising speech, music, sounds, visual images or data of any description.

16 Defined in Section 261(13) of the IPA.

17 Defined in Section 6 of the IPA.

18 Defined in Section 261(5) of the IPA.

19 Defined in Section 261(10) of the IPA.

20 Section 11 of the IPA.

21 See Sections 3(6) and 11(4) of the IPA.

22 Section 48 of the WTA.

23 Section 48(4) of the WTA.

24 Defined as any information relating to an identified or identifiable living individual – Section 3(2) of the DPA.

25 Section 170(1) of the DPA.

26 Section 170(2) of the DPA.

27 See Sections 170 and 171 of the DPA.

28 Defined in Section 12(5) of the IPA.

29 See Section 56 of the IPA. This general rule is subject to exceptions set out in Schedule 3 of the IPA.

30 See Sections 43, 66, 95, 128 and 170 of the IPA.

31 See Section 261(1) of the IPA.

32 Sections 43(7) and (8) of the IPA.

33 See Sections 255(9), 66(5), 170, 95(5) and 128 of the IPA.

34 See Part 8, Chapters 1 and 2 of the IPA.

35 https://researchbriefings.files.parliament.uk/documents/LLN-2018-0076/LLN-2018-0076.pdf.

36 Including companies – see paragraph 1 of Schedule 1 to the Interpretation Act 1978.

37 See Sections 1–15 of COPOA.

38 Made under Section 1(1) of COPOA.

39 Criminal Procedure Rule 47.68.

40 https://www.documentcloud.org/documents/25551978-doj-report-to-congress-on-us-uk-cloud-act-agreement/.

41 Section 8 of PACE.

42 Section 50 of the Criminal Justice and Police Act 2001.

43 Usually, a Crown Court Judge but see the wider definition of 'judge' in paragraph 17 of Schedule 1 of PACE.

44 Schedule 1 of PACE.

45 Section 93(1) of the PA.

46 Section 97(1) of the PA.

47 See Sections 5–7 of the ISA.

48 'Processing' is a broadly defined term encompassing any operation or set of operations performed on personal data, whether or not by automated means, such as the collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure, making available, restriction, erasure or destruction – Article 4(2) of the UK GDPR.

49 The natural or legal person which determines the purposes and means of processing – Article 3(7) of the UK GDPR.

50 Article 3(2) of the UK GDPR.

51 Article 2(2)(b) of the UK GDPR.

52 Article 2(2)(c) of the UK GDPR.

53 Article 2(2)(a) of the UK GDPR.

54 https://ico.org.uk.

55 Google LLC v. Lloyd [2021] UKSC 50.

56 Article 82(1) of the UK GDPR.

57 Secretary of State for the Home Department v. TLT [2018] EWCA Civ 2217.

58 Driver v. Crown Prosecution Service [2022] EWHC 2500.

59 Article 9 of the UK GDPR.

60 www.ncsc.gov.uk.

61 https://assets.publishing.service.gov.uk/media/6697f5c10808eaf43b50d18e/The_King_s_Speech_2024_background_briefing_notes.pdf at pages 94–95.

62 https://www.gov.uk/government/news/new-cyber-laws-to-safeguard-uk-economy-secure-long-term-growth.

63 https://assets.publishing.service.gov.uk/media/61b9f526d3bf7f05522e302e/Force_Explainer_20211213_FINAL__1_.pdf.

64 https://nationalcrimeagency.gov.uk.

65 Crime and Courts Act 2013, Section 7.

66 www.cps.gov.uk/publication/code-crown-prosecutors.

67 https://www.fca.org.uk/publication/documents/cyber-security-infographic.pdf.

68 UK GDPR Articles 57 and 58 respectively.

69 Section 154 and Schedule 15 of the DPA.

70 Schedule 15, para 4 of the DPA.

71 Schedule 15, para 11 of the DPA.

72 Section 100 of the DUAA, inserting Section 148A of the DPA.

73 Schedule 15, para 15 of the DPA.

74 Schedule 15, para 7 of the DPA.

75 See page 25 of the ICO's Regulatory Action Policy.

76 Section 162 of the DPA.

77 https://ico.org.uk/media/about-the-ico/reports/4032016/psa-post-implementation-review-report.pdf at page 6.

78 https://ico.org.uk/media/about-the-ico/reports/4032016/psa-post-implementation-review-report.pdf at page 5.

79 https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-consultation-on-the-revised-approach-to-public-sector-regulation/#:~:text=The%20Commissioner%20intends%20to%20continue,input%20received%20from%20this%20consultation.

80 https://www.urmconsulting.com/blog/analysis-of-fines-imposed-by-the-information-commissioners-office-in-2024#Section-7.

81 John Edwards, The Times, 18 November 2024.

82 In 2024, the ICO prosecuted four individuals for breaches of data protection or CMA offences (https://ico.org.uk/action-weve-taken/enforcement/?entype=prosecutions&from=2024-01-01&to=2024-12-31).

83 Where internal investigations involve processing of personal data held outside the UK, consideration must also be given to local data protection laws as applicable.

84 Article 5(1)(a) of the UK GDPR.

85 Articles 5(1)(a) and 6(1) of the UK GDPR.

86 Articles 13 and 14 of the UK GDPR.

87 Articles 13(4) and 14(5)(a) of the UK GDPR.

88 Article 14(5)(b) of the UK GDPR.

89 Para 2(1) of Schedule 2 to the DPA.

90 Section 4(4)(b) of the IPA.

91 Under Section 4(1) of the IPA.

92 Section 44 of the IPA.

93 Made under Section 46(2) of the IPA.

94 Article 6(1)(f) of the UK GDPR.

95 https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/.

96 Section 70 and Schedule 4 of the DUAA, inserting Article 6(1)(ea) and Annex 1 to the DPA.

97 https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/criminal-offence-data/what-is-criminal-offence-data/.

98 Article 5(1)(c) of the UK GDPR.

99 https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/data-minimisation/.

100 Under Article 45 of the UK GDPR.

101 https://www.dataprivacyframework.gov/.

102 https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/transfer-risk-assessments/.

103 Listed in Article 46 of the UK GDPR.

104 Regina v. Derby Magistrates' Court, Ex parte B [1996] A.C. 487 at 508.

105 Regina v. Derby Magistrates' Court, Ex parte B [1996] A.C. 487 at 508.

106 Re Duncan (Deceased) [1968] P 306.

107 Bourns Inc v. Raychem Corp (No 3) [1999] 3 All ER 154.

108 Waugh v. British Railways Board [1980] A.C. 521.

109 SFO Director v. Eurasian Natural Resources Corporation Limited [2018] EWCA Civ 2006.

110 Three Rivers DC v. Bank of England [2004] UKHL 48 at para 50.

111 USP Strategies Plc v. London General Holdings Ltd (No. 20) [2004] EWHC 373 (Ch).

112 The Southwark and Vauxhall Water Company v. Quick (1878) 3 QB 315.

113 R (on the application of Jet2.com Ltd) v. Civil Aviation Authority [2020] EWCA Civ 35.

114 Three Rivers District Council v. Governor and Co of the Bank of England [2003] EWCA Civ 474.

115 R v. Derby Magistrates' Court [1996] AC 487.

116 Attorney General's Guidelines on Disclosure (2024), page 32, para 26. https://assets.publishing.service.gov.uk/media/65e1ab9d2f2b3b00117cd803/Attorney_General_s_Guidelines_on_Disclosure_-_2024.pdf.

117 Attorney General's Guidelines on Disclosure (2024), page 32, paras 26–32. https://assets.publishing.service.gov.uk/media/65e1ab9d2f2b3b00117cd803/Attorney_General_s_Guidelines_on_Disclosure_-_2024.pdf.

118 https://ec.europa.eu/commission/presscorner/api/files/document/print/en/ip_21_3183/IP_21_3183_EN.pdf.

119 https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2023/01-30/MissionreportUK_EN.pdf.

120 https://committees.parliament.uk/publications/45388/documents/225096/default/.

121 https://www.eubusiness.com/research/brussels-proposes-extension-of-uk-data-flow-adequacy-decisions/.

122 https://www.bournemouth.ac.uk/news/2025-01-08/research-explore-how-artificial-intelligence-can-help-detect-investigate-crime.

123 'AI there, you're nicked! Tech is reshaping how we fight crime' – The Times, 24 January 2025 (https://www.thetimes.com/article/3fb7e3c5-d95a-4905-a420-d4ff42b10094).

124 https://www.404media.co/podcast-the-websites-an-ice-contractor-is-monitoring/.

Originally published by Global Investigations Review, 31 July 2025

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
