In a letter of 15 June 2020, responding to Members of the European Parliament about the agreement between the UK and the US on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3rd October 2019, the Chairman of the EDPB cast doubt on the validity of a future adequacy decision between the EU and the UK.
The Context
Members of the European Parliament wrote a letter to the EDPB on 10 January 2020 regarding the agreement between the UK and the US on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3rd October 2019.
In the response dated 15 June 2020, the Chairman of the EDPB provided a preliminary analysis regarding:
(i) the compliance of this Agreement with the current European Data Protection Framework; and
(ii) its consequences on the future UK adequacy decision that would enable the free flow of personal data between the European Union (EU) and the United Kingdom (UK) in the post-Brexit era.
Specific Safeguards must be provided for in the UK-US Agreement
The Chairman referred to the ongoing negotiations between the Commission and the US for the conclusion of an EU-US agreement to facilitate access to electronic evidence in criminal investigations, in order to recall the conditions under which this kind of intergovernmental agreement may be valid.
As a first condition, any future agreement between the EU and the US must prevail over US domestic laws.
This agreement must also include appropriate data protection safeguards in order to be fully compatible with EU primary and secondary law, including in particular:
- ensuring the continuity of data protection in case of onward sharing and onward transfers, which includes the availability of judicial redress;
- providing for a mandatory prior judicial authorisation for access to metadata and content data.
The EDPB has doubts as to whether any such safeguards would apply in the case of a disclosure request made by the US under the US CLOUD Act
Following a preliminary analysis of the UK-US agreement read in conjunction with the US CLOUD Act, the EDPB did not manage to identify clear provisions in the Agreement that would ensure that the safeguards for access to personal data in the UK would apply to requests for access made under the US CLOUD Act.
We understand from this statement that as such, the Agreement may not meet the abovementioned conditions and therefore may not be valid under European law. Besides, it would not ensure the continuity of data protection in case of onward transfer from the UK to the US in the post-Brexit era.
This lack of applicable safeguards may hinder the adoption of a future adequacy decision between the UK and the EU
The EDPB considers that the Commission will have to take into account the agreement concluded between the UK and the US in its assessment of the level of protection of personal data in the UK in the post-Brexit era, in particular regarding the requirement to ensure continuity of protection in case of “onward transfers” from the UK to another third country.
As stated above, if there is no safeguard applicable to requests made under the US CLOUD Act, it is very unlikely that such continuity is ensured in case of onward transfers to the US.
If this were the finding of the Commission, it may result in the refusal to grant adequacy to the UK or lead to the adoption of a legally weak decision.