In a letter to Members of the European Parliament ("MEP"), the chair of the European Data Protection Board ("EDPB") has highlighted a potential issue which could make the path for the UK to obtain an adequacy decision from the European Commission under the GDPR more problematic.
The EDPB in its letter to MEPs stressed this is a preliminary analysis in relation to questions regarding the agreement between the UK and US on Access to Electronic Data for the Purpose of Countering Serious Crime, which was signed on 3 October 2019.
The EDPB noted it has doubts whether safeguards in the agreement regarding access to personal data in the UK (when read in conjunction with the US CLOUD Act) would apply in relation to disclosure obligations applicable to providers of electronic communications services or remote computing services under the jurisdictions of the US. Therefore, the EDPB has doubts whether the safeguards in the agreement would apply to all, if any, requests for access made under the US Cloud Act.
This may have an impact on any adequacy decision that could be granted by the European Commission in relation to the UK, as the EDPB notes that the agreement between the US and UK will have to be taken into account by the European Commission in its assessment of the level of protection of personal data in the UK, in particular regarding onward transfers of personal data from the UK.
Considering the provisions of the agreement, read in conjunction with Sections 3 of the US CLOUD Act, the EDPB has doubts as to whether the safeguards in the agreement for access to personal data in the UK would apply in case of disclosure obligations applicable to providers of electronic communication service or remote computing service under the jurisdiction of the United States, regardless of whether the data requested is located within or outside of the United States. Following this preliminary assessment, it is unclear whether the safeguards enshrined in the Agreement would apply to all, if any, requests for access made under the US CLOUD Act. ........ Finally, when it comes to a possible adequacy decision for the UK, the EDPB considers that the agreement concluded between the UK and the US will have to be taken into account by the European Commission in its overall assessment of the level of protection of personal data in the UK, in particular as regards the requirement to ensure continuity of protection in case of “onward transfers” from the UK to another third country.