The EDPB's opinion on the UK/US data access agreement under the CLOUD Act
Some of you may be aware that, in addition to the work I do more generally for telecoms providers and ISPs, I have a particular interest in investigatory powers, and obligations imposed by the state on telecommunications operator to assist in matters of law enforcement assistance and national security.
One of the thorny issues I've been grappling with over the last few months has been the CLOUD Act, and the UK/US data access agreement.
Earlier this week, the European Data Protection Board issued an opinion on the UK's agreement with the USA. It doesn’t make for promising reading.
What's the CLOUD Act?
(Skip this if you know the background.)
The CLOUD Act is a piece of legislation which enables law enforcement agencies outside the USA to obtain access to stored communications data from operators (basically, social media providers) in the USA. The quid pro quo is that an overseas agency can only do this if it grants reciprocal access to data held by telecoms operators in its country to USA lawful enforcement, by entering into a bilateral agreement with the USA.
The UK has done this — the agreement has the snappy to title of "Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime" — and so, in the near(ish?) future, UK telecoms operators might expect to receive inbound requests from US authorities.
The CLOUD Act and data protection
There are, in my view, a number of challenges for UK telecommunications operators in terms of responding to requests/demands from US authorities.
Some of these are practical issues, where systems and processes which exist in the UK to facilitate interaction by UK telecoms operators and UK agencies are not in place (and may be challenging to put in place) with the USA.
Others are legal issues, and, in particular, the interplay with an obligation arising under US law requiring the transfer of data from the UK to the USA still concerns me.
I'm not going to get into all the detail here but the gist of my concern is that a UK telecoms operator could be squeezed between a legally-binding demand from a US agency and its obligations under the GDPR.
The EDPB's opinion doesn't make me feel any more comfortable.
The EDPB's opinion
On Monday, the EDPB published an opinion on the UK's data access agreement with the USA, from a data protection point of view. It is, it stresses, only a "preliminary analysis", but it doesn't look great.
Perhaps the most concerning line is this:
the EDPB has doubts as to whether the safeguards in the agreement for access to personal data in the UK would apply in case of disclosure obligations applicable to providers of electronic communication service or remote computing service under the jurisdiction of the United States, regardless of whether the data requested is located within or outside of the United States
The EDPB goes on to note that:
It is also essential that the safeguards include a mandatory prior judicial authorisation as an essential guarantee for access to metadata and content data
This is not a surprising comment, given the developing case law in this area, and the EDPB could not identify a clear provision in the executive agreement covering this.
What is the impact of this opinion?
Immediately, probably not too much. I doubt it is going to lead to a change in the agreement.
More broadly, it probably adds to the pile of issues which some think will inhibit or lessen the likelihood of the UK getting an adequacy decision under Article 45 GDPR (which would make transfers of personal data from the EU easier).