The Information Commissioner Office (ICO) has made a mess of the legality of police forces using US-based cloud providers to process sensitive law enforcement data.
Computer Weekly exposed in 2020 that dozens of police forces are breaking the law using the cloud-based Microsoft 365 software to process more than a million people’s data.
A major Police Scotland IT system is using Microsoft’s Azure cloud despite having major data protection issues. The Scottish biometric commissioner (SBC) asked the ICO for advice about the system’s legality.
After a cosy meeting with information commissioner John Edwards in early December 2023, SBC Brian Plastow wrote a letter that said the ICO was happy to give the green light to the dodgy cloud deployments. He said the ICO believed that the UK and US governments signed a deal to share data, which overrules the UK’s data protection laws.
Plastow wrote to Police Scotland in a letter dated 14 December 2023: “The UK ICO is unlikely to say that the uploading of biometric data to… [US-based cloud infrastructure] by Police Scotland conflicts with UK data protection law. This is because Article 3 of the agreement between the US and UK governments on access to electronic data under the US Cloud Act requires each party to the agreement to make sure that its domestic laws do not get in the way of the agreement.”
But the letter has since vanished from the SBC website. The ICO refused to comment on the letter’s contents or disappearance. The SBC agreed to take it offline until the ICO gives clear advice on data protection law.
The ICO has now said that UK police can use cloud services that send sensitive law enforcement data overseas with “appropriate protections” in place. But it did not say what these protections are.
Experts say the ICO’s positions could risk the UK’s data deal with the European Union. This could stop the free flow of data between the two. They say this is because the deal is based on people having the same level of protection for their data when it is moved internationally.
They also say the ICO’s position in the letter shows the direction the government is taking with its new Data Protection and Digital Information (DPDI) Bill. This bill aims to change how many aspects of data protection law are applied.
Data protection experts and police tech watchdogs have questioned how UK police have used public cloud infrastructure. They say they cannot follow the strict rules in Part Three of the Data Protection Act (DPA) 2018.
In April 2023, it was revealed that the Scottish government’s Digital Evidence Sharing Capability (DESC) service – run by body-worn video provider Axon and hosted on Microsoft Azure – was being tested by Police Scotland. But a police watchdog said using Azure “would not be legal”.
The police watchdog said there were other high risks to data subjects. These include US government access via the Cloud Act, which lets the US government access any data stored anywhere by US companies in the cloud; Microsoft’s use of vague contracts; and Axon’s failure to follow clauses about data sovereignty.
Microsoft, Axon and the ICO knew about these issues before processing in DESC started. The risks affect every cloud system used for law enforcement purposes in the UK, as they have to follow the same data protection rules.
This made the SBC serve Police Scotland with a formal information notice in October. But the force’s response “did not make specific concerns go away” particularly about uploading sensitive biometric data to DESC. He then met with the information commissioner in December 2023, where he learned about the ICO’s position.
One data protection expert told Computer Weekly that the situation was “totally weird”. He said that the letter was about a cloud deployment by Police Scotland, but the implications are huge. He said it suggests that no domestic laws can stop the agreement to share data with the US.
He said: “Edwards can’t say that Police Scotland are not breaking UK DPA Part Three – they are. Edwards is saying that the US-UK Cloud agreement means that UK law has to be ignored, even though it is being broken, because no UK domestic law can stop the US-UK agreement.”
He also said that the US-UK data-sharing agreement is “not relevant” to general law enforcement data transfers in the way the ICO has used it. He said that the agreement only applies to very specific types of data transfers, and only to investigate “serious crime”, not just any information stored in public cloud infrastructure.
The government’s new Data Protection and Digital Information (DPDI) Bill will change how many aspects of data protection law are applied.
The DPDI Bill will give the power to the relevant secretary of state to decide if there is enough data protection in onward transfers. This means the government will be able to allow personal data transfers to other countries without much Parliamentary scrutiny, and without guarantees about the rights and remedies once the data has been transferred.
The European commissioner, Didier Reynders, has said before that the EU would step in if the UK did not keep its compatibility with EU data protection law.
He said: “The commission will watch closely how the UK system changes in the future, and we have made our decisions stronger to allow for this and for an intervention if needed. The EU has the highest standards for personal data protection, and these must not be lowered when personal data is transferred abroad.”