Support Centre

International: UK-US data sharing agreement "may create difficulties between UK and EU in event of hard Brexit"

The UK Government published, on 7 October 2019, the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime ('the Agreement').


In particular, the Agreement would allow the UK and US' ('the Parties') law enforcement agencies to request electronic data regarding serious crime, including terrorism, child sexual abuse, and cybercrime, directly from 'covered providers' based in either country, without legal barriers. The Agreement defines 'covered provider' as any private entity which provides to the public the ability to communicate, process or store computer data, by means of a computer or a telecommunications system, or process or store content of an electronic or wire communication. The Agreement will enter into force following a six month review by the UK Parliament and the U.S. Congress, as mandated by the US Clarifying Lawful Overseas Use of Data Act 2018 ('the CLOUD Act').

Tim Hickman, Partner at White & Case LLP, told OneTrust DataGuidance, "The European Data Protection Board and the European Data Protection Supervisor concluded in their Initial Legal Assessment of the Impact of the the CLOUD Act on the EU Legal Framework for the Protection of Personal Data and the Negotiations of An EU-US Agreement on Cross-Border Access to Electronic Evidence, that the CLOUD Act does not provide a valid justification for cross-border data transfers. Their conclusion is unsurprising, given that the CLOUD Act is a piece of US legislation that seeks to apply certain powers unilaterally, in part as a result of the United States v. Microsoft Corporation case [...] [Moreover,] the Agreement may create difficulties between the UK and the EU in the event of a hard Brexit. In that scenario, the UK will likely seek an adequacy decision from the European Commission in order to allow for the continued free flow of personal data between the EU and the UK. However, suspicions regarding intelligence sharing between the Parties have become a key reason why some EU politicians and bureaucrats are resistant to the idea of granting the UK an adequacy decision. The Agreement may well add to those suspicions and could mean that the UK is unable to secure an adequacy decision in the event of a hard Brexit. This would make it significantly harder for businesses to freely share data between the EU and the UK in a post-Brexit world."

Corporations are at relatively little direct risk as a result of the Agreement

In addition, the Agreement highlights that timely access to electronic data for authorised law enforcement purposes is essential for the purpose of protecting public safety and combating serious crime and terrorism. Moreover, the Agreement aims to provide standards of protection that comply with the Parties' laws regarding the treatment of electronic data containing personal data, and to create a legally binding and enforceable instrument between public authorities that provides appropriate safeguards for the same. Furthermore, the Agreement stipulates that the Parties will undertake measures to ensure that their domestic laws relating to the preservation, authentication, disclosure, and production of electronic data permit 'covered providers' to comply with the Parties' respective requirements to disclose or produce content, such as computer data stored or processed for a user, traffic data and subscriber information.

Hickman concluded, "Corporations are at relatively little direct risk as a result of the Agreement, because the Agreement does not compel disclosure of [certain categories of] data, as such. However, the Agreement does oblige the UK Government to make the necessary changes to the UK’s laws in order to give effect to the Agreement, and those changes may compel such disclosure. This is not directly contradictory to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which permits processing, disclosure, and transfer, of personal data to the extent that such processing is required by applicable laws in the UK. If a business is obliged by the laws applicable to it in the UK to disclose personal data, the GDPR does not stand in the way of such disclosures."

Lucian-Gabriel Burcea Privacy Analyst