Confusing ICO Raises Questions About Legality of Police Cloud

The Information Commissioner’s Office (ICO) has caused confusion regarding the legality of police forces using US-based cloud providers to process sensitive law enforcement data. Computer Weekly previously reported that numerous police forces were unlawfully processing data using Microsoft 365 software. Recently, it was discovered that a major Police Scotland IT system also used Microsoft’s Azure cloud despite unresolved data protection issues.

The Scottish biometric commissioner (SBC) sought advice from the ICO about the system’s legality, and the ICO indicated that it would likely approve the controversial cloud deployments based on an information-sharing deal between the UK and US governments. However, the letter from the SBC stating this has been deleted from the SBC website, and the ICO declined to comment on the issue.

The ICO clarified to Computer Weekly that UK police can use cloud services to transfer sensitive law enforcement data overseas, as long as appropriate protections are in place. However, experts believe that this position could jeopardize the UK’s data adequacy deal with the European Union and impact the free flow of data between the two. The ICO’s position in the letter also aligns with the direction the government is taking under the forthcoming Data Protection and Digital Information (DPDI) Bill.

Concerns have been raised about how UK police have deployed hyperscale public cloud infrastructure, as they may not be able to comply with law enforcement-specific rules outlined in the Data Protection Act. Furthermore, it was revealed that Police Scotland’s Digital Evidence Sharing Capability (DESC) service, hosted on Microsoft Azure, was being piloted despite concerns raised by a police watchdog about its legality. The watchdog cited unresolved risks related to US government access via the Cloud Act, Microsoft’s use of generic contracts, and Axon’s inability to comply with data sovereignty clauses.

The SBC issued an information notice to Police Scotland, but the force’s response did not address specific concerns. The SBC met with the information commissioner, who informed him of the ICO’s position.

A data protection expert noted that the situation is peculiar because the correspondence revolves around a cloud deployment by Police Scotland, but its implications are significant as they imply that no domestic laws can interfere with the data-sharing agreement with the US. The expert argues that the Cloud Act Agreement is not applicable to general law enforcement data transfers as stated by the ICO. The ICO’s interpretation that data protection law can be superseded by international treaties could have negative implications for the UK’s adequacy decision with the EU.

The forthcoming DPDI Bill has also raised concerns among civil society groups, as it could deregulate the UK’s data protection framework and grant the secretary of state the power to authorize personal data transfers without sufficient scrutiny. While the ICO’s position aligns with the reforms introduced in the DPDI Bill, it could have implications for the UK’s compliance with EU data protection law. The European Commission has warned that it will closely monitor the UK’s compliance and intervene if necessary to protect personal data transferred abroad. The commission’s adequacy decision includes a four-year sunset clause, providing mechanisms for revocation if needed. Computer Weekly contacted the ICO about the implications of its position on the US-UK international agreement for data adequacy but received no response.
