Assessing UK law enforcement data adequacy

Essentially equivalent protection

 On 16 July 2020, the CJEU struck down the EU-US Privacy Shield data-sharing agreement for failing to ensure that European citizens had adequate rights of redress when data can be collected by the US National Security Agency (NSA) and other US intelligence services.

The ruling, colloquially known as Schrems II after the Austrian lawyer who took the case to the CJEU, found that people must be given “essentially equivalent protection” for their data when it is transferred to the US and other countries as they would receive in the EU under the GDPR and the European Charter of Fundamental Rights, which guarantees people the right for private communications and the protection of their private data.

In exiting the EU, the UK is set to become a “third country” under the bloc’s rules, which means the EC will have to assess whether it does provide an essentially equivalent level of data protection for EU citizens’ data. The EC will have to make this determination under both the GDPR and the LED.

The EDPB wrote: “On substance, adequacy decisions should focus on the assessment of the existing legislation of the third country concerned as a whole, in theory and practice, in light of the assessment criteria set out in the LED. Any meaningful analysis of adequate protection must comprise two basic elements: the content of the rules applicable and the means for ensuring their effective implementation in practice.

“It is upon the European Commission to verify – on a regular basis – that the rules in place are effective in practice.”

Specifically, the EC will need to take into account consideration of the rule of law; respect for human rights and fundamental freedoms; and relevant legislation, as well as its implementation – essentially meaning that the laws will have to be assessed on how they work in practice, rather than in theory. 

It will also need to look at the extent to which data rights in the UK are enforceable, and particularly whether there is effective administrative and judicial redress for subjects whose personal data is transferred.

For example, the DPA 18 includes the rights to rectification, erasure, and not to be subject to automated decision-making, but if the right to access is weak and people cannot access data held about them, then they are indirectly precluded from exercising these other data rights.

In December 2020, Computer Weekly reported that the Metropolitan Police had failed to comply fully with an enforcement notice issued by the Information Commissioner’s Office (ICO) for the force’s failure to fulfil subject access requests (SARs), and that despite still having hundreds of overdue requests, the regulator did not take further action.

A report published by the ICO a month before also found that a quarter of all requests for information (including both FOIs and SARs) from the police were not completed on time.

Finally, the EC will also need to assess how well UK independent supervisory authorities, such as the ICO, function, as well as the international commitments the UK has entered into with other third countries.

This would include the UK’s involvement in the Five Eyes Alliance, for example, which links it to the surveillance and data-sharing practices of Canada, Australia, New Zealand and the US, as well as any international agreements or treaties the UK is party to.

The EC chose not to respond to Computer Weekly’s questions about the EDPB guidance. 

If the EC decides the UK is adequate under the LED and member states also approve, it will mark the first time such an adequacy decision has been made under the directive, with most law enforcement data transfers from the EU currently governed by international agreements that do not take into account the standard of essential equivalence that now exists.

What the EC will be looking at

Twelve adequacy decisions have been made under the GDPR since it came into effect in May 2018, with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay all being recognised as adequate jurisdictions by the EC.

According to a 2020 research paper comparing GDPR and LED adequacy, published by Laura Drechsler, a PhD researcher at the Vrije Universiteit Brussels who focuses on data transfers under the LED, the two decisions need to “be properly separated…as even though they aim to achieve the same standard of essential equivalence, their system of protection for issues connected to the processing of personal data in a law enforcement context differs”.

However, although data protection experts have told Computer Weekly that the UK’s LED commitments are there on paper through its transposition in the DPA 18, certain practices within its intelligence services and CJS could undermine the country’s ability to secure a positive adequacy decision under the directive.

Specifically, they cited the close relationship between the UK and the US, the latter of which has been found in both Schrems I and Schrems II to be lacking adequate data protection standards, as well as the UK’s own intrusive surveillance regime, which has been enshrined in the Investigatory Powers Act 2016, otherwise known as the “Snooper’s Charter”.

The growing use of US-based public cloud services by UK police and the wider CJS was also cited as a potentially huge problem for the UK’s ability to obtain LED adequacy because of the potential for remote access to that data and its onward transfer to a non-adequate jurisdiction.

Experts claim any positive LED adequacy decision granted by the EC in this context could undermine the fundamental rights of EU citizens by allowing their data to be sent to a jurisdiction with lower protections, as well as opening the decision up to legal challenges in the European courts.

Owen Sayers, an independent privacy consultant with over 20 years’ experience in the delivery of national policing systems for the UK CJS, said: “CJEU rulings on Schrems under GDPR cannot simply be applied to LED, but it seems likely that the court would apply broadly the same logic, while perhaps setting the bar of assurance higher due to the greater potential harm arising from misuse of law enforcement personal data.

“This is, after all, principally why the LED is a distinct piece of legislation from the GDPR.”

Assessing the UK’s data practices

Writing in an op-ed response to the EDPB publication, Drechsler noted that although it is not known what other countries are even being considered for LED adequacy, the EDPB document was intended as “general guidance” and “offers very little insight into the specific case of the UK”.

A number of issues raised regarding GDPR adequacy also apply to LED adequacy, she said, but “the close relationship between the UK and the United States could in particular create headaches for LED adequacy”.

Drechsler added: “With the UK being a third country, any transfer from a UK law enforcement authority to the US would qualify as an ‘onward transfer’. As also noted by the EDPB, such onward transfers need to be especially secure under the LED. They always need the authorisation of the authority in the member state in the EU that the data originated from. In practice, it should mean that there can be no sort of seamless access by US authorities to data coming from the EU that is held by UK law enforcement authorities.”

Whether or not the UK will achieve LED adequacy remains an open question, she said, but “it is to be hoped the commission’s assessment of the UK for GDPR adequacy does not completely take away all resources from the LED adequacy decision”.

“The issue of potential access by US authorities to data held by UK law enforcement authorities originally transferred from the EU in particular must not fall through the cracks.”

Speaking with Computer Weekly, Drechsler said: “I do think there are some problems in the UK that are fundamental and that I’m not sure can be so easily fixed.” Previous legal judgments have pointed out the incompatibility of the UK’s surveillance regime with fundamental human rights, she added.

“There’s this case in Strasbourg…that basically discusses the whole surveillance law system in the UK, and the first decision was already pretty strict, finding some really big flaws in remedies and procedures, which are the things the court always insists on,” she said.

“I definitely think an adequacy decision alone will not cut it, so they will have to do some sort of additional arrangement, like they did with Japan. I fear there will be something after this six-month [bridging] period [provided by the Trade and Cooperation Agreement], because there is so much pressure.”

Sajfert noted that the “biggest difficulties in this adequacy assessment will appear” when examining the capabilities of the UK’s national security apparatus, particularly GCHQ, and the “ways in which they can intercept and access this data coming from the EU”.

Apart from the UK’s bulk interception practices, which a preliminary legal opinion by the advocate general of the European Court of Justice found were unlawful in January 2020, and its close-knit relationship with the US intelligence services, Sajfert said the en-masse adoption of public cloud services by UK police “will definitely create a huge problem”.

UK police turn to Microsoft 365 en masse

Following a freedom of information (FoI) investigation, Computer Weekly revealed in December 2020 that UK police forces were unlawfully processing more than a million people’s personal data on the hyperscale public cloud service Microsoft 365 (M365) after failing to conduct data protection checks before deployment.

Computer Weekly also found police forces had failed to comply with key contractual and processing requirements of the DPA 2018, such as the restrictions placed on international transfers.

Police forces claimed the data was being stored in Microsoft’s UK datacentre region, but the company said on its own website that there were exceptions for cloud services such as M365, “which back up web- and worker-role software deployment packages to the United States regardless of the deployment region”.

Meanwhile, a national data protection impact assessment (DPIA) obtained by Computer Weekly does not even mention Microsoft as a processor.

Its omission from the document means the risks associated with it being a US company subject to a wide range of US government surveillance powers have not been clearly addressed or effectively mitigated, even as the number of police forces adopting the service is increasing and all forces in England and Wales have now signed up to rolling the programme out.

Drechsler agreed that the increasing adoption of public cloud services by UK police “is definitely something the commission should look at”, adding that a major problem was the potential onward transfer of EU citizens’ data to the US.

“For me, I see a problem in the onward transfer,” she said. “So you transfer data to the UK, included in this cloud, and basically with that, they’re transferring data onwards to the US. This is usually something in the LED which would have to be based on the authorisation of the law enforcement authority where the data is coming from.”

Although Drechsler said there could be technical measures that solve the issue of remote access by Microsoft or US public authorities, she was not sure what these could be, and there needs to be something in place to ensure every onward transfer is properly authorised.

Despite the focus on overseas data transfers in the LED, and their centrality to adequacy decisions, Drechsler also noted that there is no actual definition of what constitutes an international data transfer in either the LED or the GDPR.

“For example, it is unclear whether the uploading of information on an internet page or the use of a cloud server in a third country always also constitutes an international transfer of that personal data,” she wrote in a research paper published in January 2021. “This means it becomes increasingly difficult to determine whether a personal data processing operation (also) constitutes a transfer of personal data.”

Drechsler told Computer Weekly that the European courts have never specifically determined what, on a technical level, constitutes a transfer in case law.

“If you look a bit into definitions that have been proposed over the years, by EDPS but also by the commission, they often try to include this element that a transfer has to be intentional or with knowledge,” she said. “I don’t think there’s any support for this in the case of the Court of Justice, which just never discusses this. In the paper, I say whenever it’s accessible, it’s a transfer, and I think that’s the minimum we have.”

EDPB moves to define transfers

In November 2020, the EDPB published guidance on supplementary measures that could facilitate transfers under the GDPR in the wake of Schrems II. Although the document did not mention the LED, it said in the footnotes that “remote access by an entity from a third country to data located in the EEA is also considered a transfer”, indicating that the EDPB at least, if not the EC, is taking a similar view to Drechsler of what constitutes an international transfer.

Sajfert was not as concerned by the lack of formal definitions for international transfers, largely because future technological developments could change how data moves from one place to another and therefore make the definition redundant. “For me, an international transfer is, to put it very simply, every time data leaves the EU – including when it’s being accessed from – or stored in a third country,” he said.

“If law enforcement authorities decide to store data outside of the EU, by using cloud service providers or whatnot, they have to be aware that the moment they decide to do so, they trigger the application of Chapter Five of the LED and all the requirements on international transfers have to be met.”

Cloud use by EU law enforcement and wider UK CJS

Sajfert further noted that many EU-based law enforcement authorities also use US companies or cloud services. “These are practices that are often not compliant with the LED, but then the supervision, the enforcement and the ex-post control is weak,” he said. “If you have your own law enforcement authorities doing the same thing, then the UK will probably raise that as an argument.”

If the EC finds that certain practices in the UK preclude it from adequacy, said Sajfert, “that will inevitably have the consequence of making the 27 member states urgently do something about correcting these deficiencies that they have in their in their own practices”.

The growing use of non-EU or UK-based cloud services is not limited to police, however, and there is evidence that it could be a problem across the UK’s wider CJS. 

For example, the Common Platform currently being rolled out by the Ministry of Justice (MoJ) to courts in England and Wales is intended to deliver a unified way of digital working for Her Majesty’s Courts and Tribunals Service (HMCTS) and Crown Prosecution Service (CPS) staff, as well as other participants in the criminal case management process.

However, it is also being hosted on Microsoft Azure, according to information in a DPIA released under FOI and seen by Computer Weekly.

Like its M365 counterpart, the platform’s DPIA seen does not appear to address the risk of using a US-based cloud provider for these services, despite defendant, witness, victim and lawyer details being shared and transferred over the system.

According to Sayers, even if the UK receives LED adequacy, the DPA 18 expects transfers to non-law enforcement recipients to be done “infrequently and only by exception”, adding that as a result, any use of non-UK-based IT services or public hyperscale clouds will now be legally difficult.

“Home Office, police, court and CPS use of M365, Azure or AWS in particular have thus become even more complex since the UK exited the EU and all their DPIAs and terms of service need to be reviewed urgently,” said Sayers.

“I cannot see how continued use can in fact be justified or lawfully achieved in a post-Brexit UK DPA landscape, and any programmes promoting or relying on them are unlikely to be able to proceed without long-term pervasive risks being accepted, and some parts of UK law being ignored.”

He added: “LED adequacy will do nothing to address data transfers to the Commonwealth, British Overseas Territories, or other [third] countries – and any effort on the part of the UK to add them to its own list of adequate regimes will endanger that EU adequacy.

“The UK and the EU will thus need to remain broadly aligned over the long term to maintain a data transfer regime, and this may not play well in Westminster.”

The EC was asked if the growing use of cloud in the UK’s CJS would be considered in an LED adequacy decision, but received no response.

LED adequacy versus other transfer mechanisms

Without an LED adequacy decision, authorities would have to rely on either international agreements or self-assessed safeguards to transfer data for law enforcement purposes, but, according to Drechsler, these are riddled with problems.

“It is worrisome that the LED sets up a system that, in practice, makes international data transfers for law enforcement purposes occur either under pre-existing international agreements that lack in the protection of fundamental rights, or on the basis of a self-assessment for fundamental rights by the law enforcement authority conducting the transfer,” she wrote in the research paper.

“Especially the latter option is concerning from the perspective of fundamental rights due to a lack of any in-built ex-ante or ex-post scrutiny of the assessment.”

Currently, most international data transfers are conducted under international agreements such as a mutual legal assistance treaty (MLAT), but Drechsler noted that many of these agreements do not address human rights concerns or offer effective additional safeguards because they were written before the Schrems judgments.

“Originally, the EU and the US had concluded a MLAT to enable exchanges of personal data by law enforcement authorities,” she wrote. “However, this agreement did not include enough safeguards for EU fundamental rights (a problem that became urgent with the CJEU decision in Schrems), therefore the EU and the US concluded the umbrella agreement to offer additional data protection safeguards.

“According to the commission, the umbrella agreement ‘retroactively’ solved all data protection issues, that law enforcement transfers had to the US, and should even serve as a model for future agreements on law enforcement exchanges.”

However, Drechsler further noted that “a quick analysis of the umbrella agreement reveals that it most likely would not pass the scrutiny of the CJEU applied in Schrems and Schrems II”, the main issue being that the agreement does not discuss the provisions of US law that are required to assess whether a third country does indeed provide essentially equivalent protections.

“The issue that existing international agreements in the area of law enforcement fail to meet the standard of essential equivalence is further aggravated by the fact that an update of many of these international agreements seems unlikely,” she wrote, adding that in the light of these difficulties, “LED adequacy decisions represent an opportunity for improvement”.

Computer Weekly asked the EC whether it is looking to bring international agreements into line with the standard of equivalent protection, but was sent a link to an online press briefing instead in which a spokesperson answered questions about the UK’s surveillance regime.

An EC spokesperson said: “We are, of course, very well aware of the issues that you raise, but you will understand that before a decision is taken, I am not able to comment. The European Commission is working on its so-called adequacy decision for the United Kingdom, the EU-UK Trade and Cooperation provides a bridging solution to provide stability and continuity of data flows until the end of June.

“The adequacy talks with the UK are well advanced and the adoption process is foreseen to start very soon. The adoption of an adequacy decision requires an opinion from the European Data Protection Board and the green light from member states. The ratification process will be conducted in a transparent manner.”

There was no clarification by the spokesperson about whether this adequacy decision was being made under the LED, the GDPR, or both.

Divergence between LED and GDPR

According to Sajfert, the divergence between the LED and the GDPR can be traced back to the Lisbon Treaty, which came into force in 2009.

“Because the Lisbon Treaty had attached a declaration to it – Declaration Number 21 – saying that, while the EU will now have a strong legal base to legislate on personal data protection, it should take into account the specificities of the police and criminal justice authorities, and legislate differently on them,” he said.

Sajfert added that when the EC came to making new proposals in 2012, “it did not propose one data protection law with specific provisions for police and criminal justice authorities; instead, it decided to have a regulation for everything else but police and criminal justice – so I think that’s the starting point of this difference between the two”.

He also said the GDPR side had attracted significantly more attention, largely because of its much wider scope and application to both the public and private sectors.

“The directive is a much smaller instrument in scope – it only applies to police and criminal justice authorities and only when they process personal data for certain purpose – so it’s a much more limited instrument,” he said, adding that the parallel negotiations taking place with the GDPR took all the attention, something that continued after both directives came into force.

“Most of the efforts of the data protection supervisory authorities and the European institutions are focused on GDPR – there is no space or resources for the directive,” he said. “There are very few people that actually deal with the LED. With GDPR, there’s an enormous amount of people working on it, or trying to be an expert or specialist, because it’s lucrative. The directive is not – you’re not going to make money out of this, so there are very few of us who are doing this out of their own interest.”