UK and US Data: What are the implications of the CLOUD Act and the UK Bilateral Agreement?
CLOUD stands for Clarifying Lawful Overseas Use of Data.
The aim of this Act is to speed up data sharing in relation to serious crime, ranging from terrorism and violent crime to the sexual exploitation of children and cybercrime. Although an American law, a bilateral agreement (the Data Access Agreement (“DAA”)) has been entered into between the US and the UK, which allows each country’s investigators better access to vital data in order to combat serious crime.
The initial Act was ratified in the US in March 2018. However, it is only more recently that the UK has signed the DAA, bringing the data sharing agreement into effect in the UK as of the 3rd October 2022. It is important to note that the CLOUD Act, and consequently the DAA, could result in special categories of personal data being shared between the UK and the US, including race, beliefs, health and biometric data. The point is that, from a UK standpoint, we need to consider the effect that the new law will have on GDPR.
Since the UK has left the EU, the EU has granted the UK adequacy in order for personal data to continue to be shared. As a brief overview, the UK has been granted adequacy subject to a review every four years. Therefore, the next review in 2025 could be affected by the DAA. This is because the US does not have a federal data protection law; data protection varies state by state, and in sharing data with the UK, the EU may evaluate that this poses a higher risk to the data of EU citizens being shared with the US and remove the adequacy decision. Should adequacy be removed, this would have a devastating effect on the UK economy.
This being said, while the CLOUD Act/DAA enables data sharing with the US, it does not create an obligation for the UK to transfer any data to the US. Breaking this down further, the US Department of Justice (“DoJ”) can make a request for information directly to UK telecommunications operators (“TO”), for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of a serious crime, including terrorist activity. A TO will need to consider the implications of complying with such a request from the perspective of data protection law. If it cannot rely on the lawful basis of “necessity to comply with a legal obligation”, the TO is probably looking at either “necessity to perform a task in the public interest” or “legitimate interests”, both of which require some thinking and documentation. However, it is important to note that the UK is under no obligation to comply with any request unless it fulfils one of the above requirements.
While the CLOUD Act/DAA ultimately aims to protect citizens by improving both nations’ ability to fight serious crime, whilst maintaining democratic and civil liberties standards around the world, the fact is that the UK does not have any obligation to comply with requests from the US. Therefore, in relation to adequacy, it would seem unlikely that the CLOUD Act would have an impact on the UK’s adequacy decision from the European Union.
From a business perspective, there is very little that is going to change in relation to your GDPR business practice unless you are in the telecommunications sector. Even then, any request from the DoJ can be declined if there is no legal basis under GDPR for sharing the relevant data.
For more information as well as advice and guidance, please do not hesitate to contact us at firstname.lastname@example.org, where we are the only UK law firm to specialise in data protection, privacy and cybersecurity.