October 11, 2019
Potential difficulties with EU/UK data transfers post-Brexit, particularly in the case of a hard no-deal Brexit, may yet become more complex, with the recent announcement that the UK and the U.S. have signed a bilateral agreement allowing their respective law enforcement agencies to directly demand electronic data relating to serious crimes from tech companies in the other jurisdiction.
The UK-U.S. Bilateral Data Access Agreement, a global first, was made under both the UK’s new Crime (Overseas Production Orders) Act 2019, which became law in February, and the U.S.’s CLOUD Act, which passed last year.
U.S. Attorney General Barr said: “This agreement will enhance the ability of the United States and the United Kingdom to fight serious crime… by allowing more efficient and effective access to data needed for quick-moving investigations.
With a hard Brexit, the UK will need an “adequacy decision” from the EU in order to transfer data seamlessly from EU member countries, Norway, Iceland, or Liechtenstein.
BEERG's Derek Mooney writes: "The important point about adequacy decisions, referring to the adequacy of the data protections for EU personal data in a third country, is that they are not negotiated or agreed with the third country but are made unilaterally by the European Commission—and can be cancelled by it at any time. Only a dozen countries, or so, have such decisions. The quickest decision took around eighteen months, but they can take up to five years."
Takeaway: BEERG has already warned about the uncertainty of the UK getting a swift adequacy decision because of the UK’s Investigative Powers Act, AKA “The Snoopers’ Charter,” and the access British law enforcement and security agencies have to personal data held by UK communication service providers. How much more complex has it now become with U.S. agencies having "more efficient and effective access" under this new bilateral agreement?