In a letter to Members of the European Parliament ("MEP"), the chair of the European Data Protection Board ("EDPB") has highlighted a potential issue which could make the path for the UK to obtain an adequacy decision from the European Commission under the GDPR more problematic. 

The EDPB in its letter to MEPs stressed this is a preliminary analysis in relation to questions regarding the agreement between the UK and US on Access to Electronic Data for the Purpose of Countering Serious Crime, which was signed on 3 October 2019. 

The EDPB noted it has doubts whether safeguards in the agreement regarding access to personal data in the UK (when read in conjunction with the US CLOUD Act) would apply in relation to disclosure obligations applicable to providers of electronic communications services or remote computing services under the jurisdictions of the US. Therefore, the EDPB  has doubts whether the safeguards in the agreement would apply to all, if any, requests for access made under the US Cloud Act.     

This may have an impact on any adequacy decision that could be granted by the European Commission in relation to the UK, as the EDPB notes that the agreement between the US and UK will have to be taken into account by the European Commission in its assessment of the level of protection of personal data in the UK, in particular regarding onward transfers of personal data from the UK.