
Lords committee warns about risks of the UK losing its EU data adequacy

The UK government must work with the European Commission (EC) to secure a renewal of the UK’s two data adequacy statuses, says a cross-party Lords committee, in a stark warning about the impact of losing the ability to seamlessly exchange citizens’ personal data

British businesses and public sector organisations will face huge extra costs if the UK loses its ability to seamlessly transfer data to the European Union (EU), warns a cross-party House of Lords committee.

In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the European Union (EU), allowing the free flow of personal data to and from the bloc to continue, but warned that the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.

In exiting the EU, the UK became a “third country” under the bloc’s rules, which means the European Commission (EC) will have to periodically assess whether the UK provides an essentially equivalent level of data protection for EU citizens’ data.

The EC will have to make two separate adequacy determinations under the EU’s General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED) – both of which were transposed into UK law via the current Data Protection Act 2018 – by the end of June 2025.

Now, following a seven-month inquiry into the UK’s EU data adequacy, the European Affairs Committee (EAC) has written to digital secretary Peter Kyle urging the government to engage in early talks with the EC to ensure the UK maximises its prospects of achieving a data adequacy agreement in the first half of 2025.

It also emphasised that losing adequacy status could cause significant problems across a range of areas. These include raising new barriers to international trade and economic cooperation, imposing significant extra costs and administrative burdens on organisations that share data between the UK and the EU (particularly in the context of policing and healthcare), and the risk of upending the Good Friday Agreement.

The EAC also noted the high financial costs of losing adequacy, adding that while “compliance with GDPR can itself be costly, the loss of data adequacy would also lead to significant financial penalties for many organisations”.

For example, the NHS Confederation and Understanding Patient Data estimated in a joint submission to the EAC that losing adequacy could cost the NHS alone tens of millions of pounds, while other estimates suggested that failing to secure adequacy status would impose additional compliance costs of £1bn to £1.6bn on UK businesses.

It added that adequacy was therefore valuable because it would reduce administrative burdens and compliance costs, increase legal certainty, and make the UK a more attractive location to invest and do business.

“The UK faces a potential cliff-edge in June 2025 unless agreement is reached with the EU on the continued free flow of data. The safe and effective exchange of data underpins our trade and economic links with the EU and cooperation between our law-enforcement bodies,” said committee chair Lord Ricketts.

“The loss of data adequacy would create new barriers and run completely counter to the government’s ambitions to grow the economy and reset relations with the EU. We recommend that reaching timely agreement on data adequacy should be integral to the reset, and the government’s top data protection priority.”

To limit the uncertainty around its future adequacy status, the EAC recommended that the government “engages early with the European Commission and other EU stakeholders with a view to ensuring that the adequacy renewal process is on a positive track, and providing reassurance as soon as possible about the retention of adequacy status”.

It added that the government should also explore the prospects for securing future adequacy renewal decisions from the European Commission which do not expire after a fixed period, and that it should engage with the EU in good time to explain and provide reassurances on any of its planned data protection reforms.

“Since taking office, the science secretary has met EU commissioner Reynders twice to discuss the upcoming EU personal data adequacy review of the UK, and how to ensure secure continuity of personal data flows from the EU to the UK,” said a DSIT spokesperson in response to Computer Weekly’s request for comment on the EAC’s letter. “Our officials will join technical discussions with EU counterparts where required to support the review process.”

New UK data protection laws

The EAC’s letter noted that although much of the evidence provided to its inquiry focused on the previous government’s Data Protection and Digital Information Bill (DPDI Bill) – which was dropped from the legislative agenda during the pre-general election “wash up” period – the new government’s planned Digital Information and Smart Data (DISD) Bill covers some of the same issues.

The DISD was introduced to Parliament as the Data Use and Access (DUA) Bill on 23 October 2024. Once passed, the DUA Bill will amend the UK’s implementation of both the GDPR and the LED.

While the EC’s adequacy decision will rest on the exact contents of the DISD Bill (which was only published online on 24 October), it will be looking to assess whether the framework provides an essentially equivalent level of data protection for EU citizens’ data.

This follows the Court of Justice of the European Union (CJEU) striking down the EU-US Privacy Shield data-sharing agreement on 16 July 2020 for failing to ensure that European citizens had adequate rights of redress when their data could be collected by the US National Security Agency (NSA) and other US intelligence services.

The ruling – colloquially known as Schrems II after the Austrian lawyer who took the case to the CJEU – found that people must be given “essentially equivalent protection” for their data when it is transferred to the US and other countries as they would receive in the EU under the GDPR and the European Charter of Fundamental Rights, which guarantees people the right to private communications and the protection of their personal data.

“The UK’s current GDPR regime is far from perfect. But the consequences of not reaching agreement with the EU are extremely harmful,” said Lord Ricketts. “There is clearly scope to reform and improve GDPR as part of the government’s new Digital Information and Smart Data Bill. But this must not jeopardise the UK’s adequacy status.”

Lord Clement-Jones – a Liberal Democrat peer and spokesman for the digital economy in the House of Lords – added that the EAC’s letter “illustrates only too clearly the fragility of the UK’s data adequacy situation and the importance of resisting significant changes proposed by the last government to the UK GDPR”.

Those previously suggested changes to the DPDI bill before it was dropped included removing the need to conduct data protection impact assessments and to have a data protection officer, loosening requirements around automated processing, and giving the secretary of state the power to directly appoint the information commissioner.

Threats to adequacy

In terms of the direct risks to data adequacy, the EAC said the UK faces “two distinct potential hurdles”: one being the EC’s renewal decision, and the other being the potential for a legal case to be brought against a positive renewal decision at the CJEU.

It added that while the EC itself is likely to want to renew the UK’s adequacy status due to a range of factors – including the economic benefits it would bring the bloc, the fact that the UK is already using GDPR as a starting point, and the EC’s own political and strategic imperatives – it was more likely the UK would lose adequacy as a result of a legal challenge being brought before the CJEU.

“There was a large measure of consensus among our witnesses that, of the European Commission and the CJEU, the latter is the greater risk to the continuation of the UK’s adequacy status. For example, the not-for-profit technology organisation Reset called the CJEU ‘the more exacting forum of the two’ and said that the court ‘has in recent years consistently taken a more absolute line than the European Commission (and most of the Member States) in defence of fundamental privacy rights’,” it said.

“Several witnesses pointed out that, in its two Schrems rulings, the CJEU had struck down previous EU adequacy arrangements with a partner as important as the United States. (The key issue in the strike-down was the risk of disproportionate access – and the nature of oversight of the access – by US national security and law enforcement agencies to personal data held by private entities, and the risk of this including transferred data from the EU.)”

It added that several witnesses said that if the UK were to lose adequacy status, “they would expect the UK and European Commission to implement one or several immediate ‘workarounds’, to avoid the cliff-edge scenario and buy time in which to take steps that would see adequacy restored”.

Suggested alternatives to data adequacy include the use of multilateral agreements and legal mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). However, doubt was cast on the validity of the SCC route by Schrems II, which found that although these were legally valid, companies still had a responsibility to ensure that those they shared the data with granted privacy protections equivalent to those contained in EU law.

According to Owen Sayers – an independent security consultant and enterprise architect with more than 25 years of experience in delivering secure solutions to policing – there is a risk the EAC has collapsed the distinction between GDPR and LED adequacy by too closely aligning them in form, function and nature, when they are “structurally very different” to one another.

“Under GDPR you can quite simply transfer data if you have adequacy,” he said. “Under LED, it is very hard, and for some specific organisations is virtually impossible, to transfer data unless you have adequacy.

“These sound quite similar conditions, but they’re poles apart – ‘you can do if’ is intrinsically permissive in nature; whereas ‘you cannot do unless’ is a barrier control. Even if you do have LED adequacy, you are then restricted as to who in your target country you wish to send that data to.”

The EAC added there are a range of issues that would be of “interest and potential concern” to both the EC and CJEU as they consider the UK’s adequacy statuses.

This includes potential divergence on data protection standards that would make it harder for people to exercise their data rights; the possibility that the UK government undermines end-to-end encryption; the independence and effectiveness of the Information Commissioner’s Office (ICO); aspects of the UK’s national security regime under the Investigatory Powers Act 2016, including data collection and retention, surveillance powers and practices, and the role of the Investigatory Powers Tribunal; and any legal cases which provide grounds for concern about UK data protection standards.

The EAC also highlighted potential risks posed by onward transfers of data from the UK to other third countries, including under the UK-US Cloud Agreement.

“All this means that government and public services generally need to take a hard look at their governance of data and AI deployment ahead of their ambitious plans for tech adoption in the public sector,” Clement-Jones told Computer Weekly.

The police cloud issue

While the EAC itself did not assess the impacts on adequacy of IT systems already procured and in-use, the growing use of US-based public cloud services by UK police and the wider criminal justice sector has previously been cited to Computer Weekly as a potentially huge problem for the UK’s ability to obtain LED adequacy, primarily due to the potential for remote access to that data and its onward transfer to a non-adequate jurisdiction.

Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing more than a million people’s data unlawfully in Microsoft 365, data protection experts and police tech regulators have questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK policing, arguing that they are currently unable to comply with strict law enforcement-specific rules laid out in the DPA.

At the start of April 2023, Computer Weekly then revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.

Specifically, the police watchdog said that there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic, rather than specific, contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.  

Computer Weekly also revealed that Microsoft, Axon and the ICO were all aware of these issues before processing in DESC began. The risks identified extend to every public cloud system used for a law enforcement purpose in the UK, as they are governed by the same data protection rules.

In June 2024, Computer Weekly then reported details of discussions between Microsoft and the Scottish Police Authority (SPA), in which the tech giant admitted it cannot guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.

Specifically, it showed that data hosted in Microsoft infrastructure is routinely transferred and processed overseas; that the data processing agreement in place for DESC did not cover UK-specific data protection requirements; and that while the company claimed it has the ability to make technical changes to ensure data protection compliance, it is only prepared to make these changes for DESC partners and not other policing bodies because “no one else had asked”.

The documents also contain acknowledgements from Microsoft that international data transfers are inherent to its public cloud architecture, and that limiting transfers based on individual approvals by a Police Force – as required under DPA Part 3 – “cannot be operationalised”.

Although the ICO released its police cloud guidance in the same set of FOI disclosures – which highlights some potential data transfer mechanisms it thinks can clear up ongoing legal issues – data protection experts questioned the viability of the suggested routes on the basis that the mechanisms are rooted in the GDPR rather than the law enforcement-specific rules contained in Part 3, and that it is not clear whether they can in fact prevent US government access.

Computer Weekly contacted the Home Office about how data protection issues with existing systems that have already been procured and deployed could affect LED adequacy, but received no response by the time of publication.

Commenting on the issue of police data protection and sovereignty, Clement-Jones said: “The revelation of police forces’ failure to observe the requirements of Part Three raises real issues for ongoing adequacy, but also for any trust in the governance around the way technologies such as live facial recognition are deployed.”

According to Sayers, even if the mechanisms suggested by the ICO could prevent US government access, the transfers would be unlawful anyway as UK law lays down a series of specific steps that must be followed for each and every transfer of a specific piece of personal data under Part 3.

“These steps are not being followed, and Microsoft have made clear that they cannot be followed (actually, they said ‘impossible to operationalise’). Because the steps laid down in the DPA 2018 Part 3 are not and cannot be followed, that is one of the main reasons why the processing done on these clouds is in breach of UK law,” he said.

“It makes zero difference at all if the US government bogeyman tries to use Cloud Act to look at the data, as the data was illegally transferred regardless of cloud act.”

Sayers added that the EAC principally looked at what UK law says in relation to LED and what the impacts of this are, but missed a “huge area of consideration” in whether the UK actually adheres to its own data protection laws in practice.

“That is where the policing stuff becomes interesting, because if the EU examine the UK's operating track record of compliance with their own domestic version of LED (Part Three), then it’s clear that they absolutely do not comply with it to any real measure,” he said.

“To be adequate, the EU might simply look at the legislation in force; but I think they also need to consider the available evidence of UK behaviour (and if they do that the picture is far from rosy).
 
“The reason they need to consider the latter is that presently if an EU citizen’s data is sent to a UK law enforcement body, it is almost certainly going to be processed in contravention of UK DP laws. That means it’s certainly being processed in contravention of EU LED-based laws.”
