Data Risk Intelligence
Automated Data Mapping
Do Not Sell/Do Not Share
Cookie Banner Solutions
Consent & Preferences
Data Rights RequestsCould a U.S. Law Derail the U.K.’s Post-Brexit Adequacy Determination?
At the end of the Brexit transition period in December of 2020, the United Kingdom will be regarded by the European Union as a “third country.” Although the GDPR allows for unrestricted data transfer between the members of the European Union, data transfers to the “third countries” requires special mechanisms, including a determination of whether the country has adequate level of data protection. Could the U.K.’s “adequacy” determination be derailed by the U.S. CLOUD Act?
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, 18 U.S.C. § 2713, provides for trans-border access to communications data in criminal law enforcement investigations. The Act, among other things, permits federal officials to enter into executive agreements to allow providers in other countries to share communications content with the U.S. government. Such qualifying foreign partners would be required to remove legal barriers that could prevent the U.S. government from issuing orders to service providers within their borders. The U.S. and U.K. signed the first executive agreement under the Act in October of 2019.
In a June 15, 2020 letter to the Members of the European Parliament, the European Data Protection Board (EDBP) raised concerns about the UK-U.S. executive agreement’s effect on the post-Brexit adequacy decision for the U.K.
The EDPB concluded that it was unclear “whether the safeguards enshrined in the Agreement [for access to personal data in the U.K.] would apply to all, if any, requests for access made under the US CLOUD Act.” Furthermore, the EDPB noted that it is “essential that the safeguards include a mandatory prior judicial authorization . . . for access to metadata and content data. On the basis of its preliminary assessment, the EDPB . . . could not identify such a clear provision in the agreement concluded between the UK and the US.”
The EDPB concluded that “when it comes to a possible adequacy decision for the UK, the EDPB considers that the agreement concluded between the UK and the US will have to be taken into account by the European Commission in its overall assessment of the level of protection of personal data in the UK, in particular as regards the requirement to ensure continuity of protection in case of ‘onward transfers’ from the UK to another third country.”
Ask Clarip today how we can solve your biggest privacy compliance pain points, Call Clarip at 1-888-252-5653
