it is unclear whether the safeguards enshrined in the UK-US CLOUD Act Agreement, and therefore the one provided by the EU-US Umbrella Agreement, would apply to all, if any, requests for access to data in the UK made by US authorities under the US CLOUD Act. 94.
There may be other future international agreements or commitments with third countries the UK might be entering into in the future, and that would apply to personal data transferred from the EEA to the UK under the draft decision58. Depending on the provisions of these agreements and the application of specific safeguard clauses, these international agreements, by affecting the UK Data Protection Framework may also significantly impact on the substantive and procedural conditions for access to personal data in the UK by third country authorities. This is in particular the case for the draft second additional protocol to the Council of Europe Convention on Cybercrime (hereinafter “Budapest Convention”) currently being negotiated among the parties to this Convention, which include several non-EU countries. Indeed, the draft protocol includes clauses which can be discretionally activated by the parties, for instance concerning the authorisation to grant access to content data or not. While all EU Member States would activate the clauses in compliance with EU data protection rules, no guarantee has been provided concerning the UK, which could substantially deviate from the level of protection that would then be offered within the EU. Another example of the issues presented above, is the Agreement between the UK and Japan for a Comprehensive Economic Partnership59 (“CEPA”), the UK’s first post-Brexit trade deal that entered into force on 1 January 202160 and that includes provisions on personal data61. The EDPB furthermore notes that the UK has also formally announced on 1 February 2021 its request to join the Comprehensive and Progressive Trans-Pacific Partnership (“CPTPP”) which incorporates the Trans-Pacific Partnership Agreement (“TPP”)62.
95.
The EDPB notes that, apart from the UK-US CLOUD Act Agreement, the international agreements mentioned above are not addressed in the draft decision.
96.
The EDPB invites the European Commission to: -
Examine the interplay between the UK Data Protection Framework and its international commitments, beyond the UK-US CLOUD Act Agreement, in particular to ensure the continuity of the level of protection in case of onward transfers to other third countries of personal data transferred from the EEA to the UK on the basis of a UK adequacy decision; and to continuously monitor and take action, where needed, with regard to the conclusion of other international agreements between the UK and third countries that risk to undermine the level of protection of personal data provided for in the EU.
58
See section 2.3.3 above. See UK/Japan: Agreement for a Comprehensive Economic Partnership [CS Japan No.1/2020], https://www.gov.uk/government/publications/ukjapan-agreement-for-a-comprehensive-economicpartnership-cs-japan-no12020. 60 See UK Government’s guidance on UK trade agreements with non-EU countries, https://www.gov.uk/guidance/uk-trade-agreements-with-non-eu-countries. 61 Pursuant to Article 8.80 para. 5 CEPA, the parties commit to encourage the development of mechanisms to promote compatibility between their different legal approaches to (personal) data protection. Pursuant to Article 8.84, the parties commit not to prohibit or restrict the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person within the meaning of CEPA. 62 Pursuant to Article 14.11 para. 2 TPP, each party shall allow the cross-border transfer of transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person. 59
Adopted
24
