EU fires warning shot to UK over post-Brexit US data-sharing

The terms of a UK-US arrangement may not be compatible with EU data protection standards

Map of Britain

Safeguards outlined in a preliminary data-sharing agreement struck between the UK and US last year may not be sufficient, the EU’s data protection watchdog has declared.

The UK entered into an agreement with the US in October 2019 to reduce the barriers to data-sharing to better equip law enforcement agencies to fight crime. Subject to final approval through Parliament and Congress, the agreement would reduce the number of hoops through which law enforcement must currently jump to access sensitive data.

This terms of this agreement may undermine the UK’s hopes of achieving a data adequacy decision with the EU once the Brexit transition period ends on 31 December, however. Without an adequacy decision, free data flows between the EU and the UK would be disrupted, with data unable to flow from European countries to the UK. 

The European Data Protection Board (EDPB), which oversees the application of GDPR consistently across EU member states, has cast doubt over whether safeguards outlined in the agreement are compatible with existing data protection laws. 

Writing in a letter addressed to members of the European Parliament, EDPB director Andrea Jelinek has suggested the UK may, as a result, risk undermining its negotiating hand when it comes to requesting an adequacy decision.

Onward transfers from the UK to the US, in particular, has raised alarms. Specifically, there are doubts as to whether safeguards in the agreement for access to personal data in the UK would apply in cases where companies are obliged to disclose data by US authorities.

The EPDB has also cast doubt over whether the safeguards enshrined in the agreement would apply to any requests for access made under the US CLOUD Act.

“It is also essential that the safeguards include a mandatory prior judicial authorisation as an essential guarantee for access to metadata and content data,” Jelinek said. 

“On the basis of its preliminary assessment, the EDPB, while noting that the agreement refers to the application of domestic law, could not identify such a clear provision in the agreement concluded between the UK and the US.”

The terms of this agreement will inevitably factor into the Commission’s assessment of the overall level of data protection in the UK, she added. This is particularly with regards to needing to ensure the continuity of data protection in the case of “onward transfers” from the UK to a third country.

The European Commission has itself, meanwhile, noted that it’s entered into negotiations with the US over the conclusion of an EU-US agreement to allow data sharing in criminal investigations. Jelinek added that among the safeguards that must be in place are those ensuring data protection standards continue where data is shared with third countries.

Despite establishing a data-sharing arrangement in October, leaked trade discussions suggested the US is lobbying to establish watered-down regulations between itself and the UK for general international data transfers.

The documents suggest the UK has committed to abiding by the EU-US Privacy Sheild during the transitional period, which should give the parties adequate time to establish a future agreement. 

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Supreme Court rules Morrisons was not liable for 2014 data breach
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

Windows XP source code allegedly leaked online
Microsoft Windows

Windows XP source code allegedly leaked online

25 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020