
Furthermore, the European Commission is invited to monitor whether the UK-US CLOUD Act Agreement ensures appropriate additional safeguards, taking into account the level of sensitivity of the categories of data concerned and the sole requirements of the transfer of electronic evidence directly by service providers rather than between authorities, also assessing under which circumstances safeguards may be provided by an appropriate implementation of the adaptation of the EU-US Umbrella Agreement [10].
substantially affected by the provisions of the agreement concluded with the US, and impact on the level of protection for such data. The EDPB notes in this context that the European Commission refers to explanations given by UK authorities in recital 153 of its draft decision, without quoting or providing any concrete written assurance or commitment, nor pointing out specific legal provisions under UK law that would give effect to such explanations.
89. The EDPB has previously raised these concerns in a letter addressed to the European Parliament dated 15 June 2020 [55]. The EDPB had highlighted that based on the “EU acquis in the field of data protection, and in particular with the GDPR and the law enforcement directive” the EDPB has reservations as to whether the safeguards in the agreement for access to personal data in the UK would apply in certain circumstances requiring disclosure obligations to the US, as well as whether these safeguards are sufficient in light of the EU standards so as to not undermine the level of protection provided in the EU.
90. Furthermore, the provisions of the UK-US CLOUD Act Agreement may significantly affect the substantive and procedural conditions under which personal data held by controllers or processors in the UK can be directly accessed by US authorities, thus impacting on the level of protection guaranteed under UK law. To provide for a level of protection essentially equivalent to the one guaranteed under EU law, it is for example “essential that the safeguards as per such agreement include a mandatory prior judicial authorisation, as an essential guarantee for access to metadata and content data. On the basis of its preliminary assessment, the EDPB, while noting that the agreement refers to the application of domestic law, could not identify such a clear provision in the agreement concluded between the UK and the US” [56].
91. While the European Commission highlights that data obtained under this agreement would benefit from equivalent protections to the specific safeguards provided by the so-called “EU-US Umbrella Agreement”, the EDPB has concerns as to whether the incorporation of these safeguards into the UK-US CLOUD Act Agreement by a mere reference applying on a mutatis mutandis basis would meet the criteria of clear, precise and accessible rules when it comes to access to personal data, or would sufficiently enshrine such safeguards to be effective and actionable under UK law.
92. The EDPB therefore recommends that the European Commission clarifies how and based on which legal instrument equivalent protections to the specific safeguards provided by the EU-US Umbrella Agreement would be given effect and have binding character under UK law.
93. The EDPB also notes that the provisions of the UK-US CLOUD Act Agreement, read in conjunction with section 3 US CLOUD Act [57], raise questions as to the actual application of the safeguards offered by the agreement for the access, by US law enforcement authorities, to personal data in the UK processed by providers of electronic communication service or remote computing service (hereinafter “CSPs”) falling under the jurisdiction of the US. Indeed, should a CSP located in the UK be subject to US law (e.g., because it is the subsidiary of a US company), it remains to be ascertained whether US authorities would be bound to rely on the UK-US CLOUD Act Agreement to obtain that data. As the European Commission points out that “[p]articular attention will be given to the application and adaptation of the Umbrella Agreement’s protections to the specific type of transfers covered by the UK-US Agreement”, the EDPB stresses that on the basis of its preliminary assessment,
[55] See EDPB response to MEPs Sophie in’t Veld and Moritz Körner on the US-UK agreement under the US Cloud Act, adopted on 15 June 2020, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_letter_out_20200054-uk-usagreement.pdf.
[56] See the abovementioned EDPB letter.
[57] See US CLOUD Act, https://www.congress.gov/bill/115th-congress/senate-bill/2383/text.