The Information Commissioner’s Office (ICO) has sown confusion over the legality of police forces using US-based cloud providers to process sensitive law enforcement data.
Computer Weekly revealed in 2020 that dozens of police forces are processing more than a million people’s data unlawfully using the cloud-based Microsoft 365 software.
Following Computer Weekly’s subsequent discovery that a major Police Scotland IT system is similarly using Microsoft’s Azure cloud despite major unresolved data protection issues, the Scottish biometric commissioner (SBC) sought advice from the ICO about the system’s legality.
As a result of an in-person meeting with information commissioner John Edwards in early December 2023, SBC Brian Plastow published a letter that said the ICO was likely to greenlight the controversial cloud deployments, because it believed an information-sharing deal signed by the UK and US governments supersedes the UK’s data protection laws.
“From our discussions, the UK ICO is unlikely to opine that the uploading of biometric data to… [US-based cloud infrastructure] by Police Scotland conflicts with UK data protection law,” he wrote to Police Scotland in a letter dated 14 December 2023.
“This is because Article 3 of the agreement between the US and UK governments on access to electronic data under the US Cloud Act requires each party to the agreement to ensure that its domestic laws do not frustrate or impair the operation of the agreement.”
However, the letter has since been deleted from the SBC website. While the ICO declined to comment on the letter’s contents or removal, the SBC informed Computer Weekly that it was taken offline by mutual agreement with the ICO, pending definitive advice on data protection law from the regulator.
The ICO has since clarified to Computer Weekly that UK police can legally use cloud services that send sensitive law enforcement data overseas with “appropriate protections” in place, but it declined to specify what these protections are.
If adopted, experts say the ICO’s positions could pose a threat to the UK’s data adequacy deal with the European Union – ultimately ending the free flow of data between the two – as it is predicated in part on people being ensured the same level of protection for their data when it is moved internationally.
They also say the ICO’s position in the letter reflects the direction of travel being taken by the government under its forthcoming Data Protection and Digital Information (DPDI) Bill, which aims to reshape how many aspects of data protection law are applied.
Ongoing police cloud concerns
Since Computer Weekly revealed in December 2020 that dozens of UK police forces were processing over a million people’s data unlawfully in Microsoft 365, data protection experts and police tech regulators have questioned various aspects of how hyperscale public cloud infrastructure has been deployed by UK police, arguing they are currently unable to comply with strict law enforcement-specific rules laid out in Part Three of the Data Protection Act (DPA) 2018.
At the start of April 2023, Computer Weekly then revealed the Scottish government’s Digital Evidence Sharing Capability (DESC) service – contracted to body-worn video provider Axon for delivery and hosted on Microsoft Azure – was being piloted by Police Scotland despite a police watchdog raising concerns about how the use of Azure “would not be legal”.
Specifically, the police watchdog said there were a number of other unresolved high risks to data subjects, such as US government access via the Cloud Act, which effectively gives the US government access to any data, stored anywhere, by US corporations in the cloud; Microsoft’s use of generic rather than specific contracts; and Axon’s inability to comply with contractual clauses around data sovereignty.
Computer Weekly also revealed that Microsoft, Axon and the ICO were all aware of these issues before processing in DESC began. The risks identified extend to every cloud system used for a law enforcement purpose in the UK, as they are governed by the same data protection rules.
This prompted the SBC to serve Police Scotland with a formal information notice later that month, but in October he wrote that the force’s response “did not ameliorate my specific concerns” around the uploading of sensitive biometric data to DESC. He then met two months later with the information commissioner in December 2023, where he was informed of the ICO’s position.
Speaking with Computer Weekly about the contents of the SBC’s letter, one data protection expert described the situation as “wholly bizarre”, noting that while the correspondence revolves around a cloud deployment by Police Scotland, the implications are potentially huge because it suggests that no domestic laws can interfere with the agreement to share data with the US.
“Edwards isn’t actually able to say that Police Scotland are not in contravention of UK DPA Part Three – they very clearly are,” said Owen Sayers, an independent security consultant and enterprise architect with over 20 years’ experience in delivering national policing systems.
“What Edwards is actually saying is that the US-UK Cloud agreement means that UK law has to be set aside and ignored, even though it is manifestly being broken, because no UK domestic law can interfere with the US-UK agreement.”
Sayers also contends that the US-UK data sharing agreement is “contextually inapplicable” to general law enforcement data transfers in the way the ICO has tried to use it, because that agreement only relates to very specific types of data transfers, and even then only to investigation of “serious crime”, not simply any information stored in hyperscale public cloud infrastructure.
Computer Weekly contacted the ICO about these claims, but received no response on these points.
In response to whether it also uses US-based hyperscale public cloud services for its own law enforcement processing functions, the ICO provided Computer Weekly with a 495-page bundle of data protection impact assessments (DPIAs), detailing a number of systems in use by the ICO.
According to these documents, the ICO is explicit that it uses a range of services that sit on Microsoft Azure cloud infrastructure for law enforcement processing purposes.
Computer Weekly asked the ICO about its legal basis for conducting such processing, and the extent to which its own use of these cloud services has prevented it from reaching a formal position on whether the use of these services conflicts with UK data protection rules, but the regulator declined to comment further.
“Given the disclosure to Computer Weekly that ICO have themselves been using Azure for law enforcement processing, it is surprising to me that they have not as yet shared their experience in the form of clear guidance to the DESC partners,” said Sayers.
‘Fundamental level of protection’
Commenting on the ICO’s position in the letter, Mariano delli Santi, a legal and policy officer at the Open Rights Group (ORG), said that under the UK’s data protection laws, international data transfers can take place only if it can be ensured that the transfer will not undermine the level of protection guaranteed by the UK GDPR and DPA 18.
He added that the ICO therefore cannot conclude the data transfers would always be legal because of the existence of an international treaty between the UK and US, and instead must assess whether the Cloud Act Agreement contains procedural and substantive safeguards that would be able to ensure UK data subjects the same level of protection for personal data that they enjoy under UK law.
According to the ICO’s own assessment of the UK government’s decision to green light the ‘UK data bridge’ – in which the secretary of state concluded, separately to the US-UK agreement above, the US provides an adequate level of protection for data – there is “a risk that the protections [for data transfers to the US] may not be applied in practice” with regard to “biometric, genetic, sexual orientation and criminal offence data”.
It also noted that “For criminal offence data, there may be some risks … [because] there are no equivalent protections to those set out in the UK’s Rehabilitation of Offenders Act 1974”, and that the UK data bridge lacks a “substantially similar right to the UK GDPR’s right to be forgotten” and lacks “the right to obtain a review of an automated decision by a human”.
For Mariano delli Santi, the ICO has therefore “identified obvious risks that may arise with regard to data transfers to the US operated by the Police Scotland DESC system”.
“UK data protection requirements being ignored because of an international agreement effectively undermines much of the premises upon which the UK adequacy decision was adopted,” he said, adding that the ICO’s interpretation that data protection law can be overwritten by international treaties is a “big red line that they shouldn’t have crossed” due to the potential impact on the UK’s adequacy as a result.
He added: “Losing adequacy decision would be fundamentally catastrophic for the digital economy of the UK because it means that they can’t transfer personal data from to the European Union anymore, which is one of the biggest trade partners.”
Things to come
Commenting on the government’s forthcoming Data Protection and Digital Information (DPDI) Bill – which ORG and other civil society groups have previously described as “a wholesale deregulation of the UK data protection framework” – delli Santi said that the ICO is “starting to take a lot of interpretations that are not supported at all by the existing framework, but do seem to be backed up by the reforms that are being introduced”.
Under the DPDI Bill, the relevant secretary of state will have the power to decide whether or not there is an adequate level of data protection in onward transfers, which in practice means the government will be able to authorise personal data transfers to third countries in the absence of meaningful Parliamentary scrutiny, and without guarantees concerning the retention of enforceable rights and effective remedies once the data has been transferred.
“The changes to the international transfer regime fundamentally give political discretion to the secretary of state to authorise international data transfers, when the secretary of state is satisfied that this is desirable,” said delli Santi, adding that there is a risk of such authorisations being embedded in international agreements like the one currently in effect between the UK and US. “This would line up with the position the ICO is taking concerning the Cloud Act.”
For delli Santi, the ICO’s argument that police cloud deployments do not conflict with UK data protection laws because of an international agreement in place between the UK and a foreign government is a precursor of how “things will play out in practice” if the DPDI Bill becomes law.
The European commissioner, Didier Reynders, has previously said that the EU would intervene if the UK did not maintain its compatibility with EU data protection law: “The commission will be closely monitoring how the UK system evolves in the future, and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection, and these must not be compromised when personal data is transferred abroad.”
The commission’s adequacy decision was accompanied by a four-year sunset clause, meaning mechanisms are already in place that could be used to revoke the decision.
Computer Weekly contacted the ICO about the implications of its position on the US-UK international agreement for data adequacy, but received no response on this point.