The UK’s data protection watchdog says UK police will likely allow the use of cloud services that can send sensitive law enforcement data overseas, including biometrics.
The arrangement will be possible thanks to the information-sharing agreement with the U.S. government known as the U.S. Cloud Act, Computer Weekly reports. The Information Commissioner Office (ICO) told the outlet that UK police can legally use cloud services to send sensitive law enforcement data overseas with “appropriate protections” in place. The Office did not specify what these protections are.
The statement is in line with previous announcements from Scottish Biometrics Commissioner Brian Plastow. In a letter published in December 2023, Plastow said that the ICO was likely to greenlight the deal because the agreement on data sharing between the UK and U.S. includes an article to prevent domestic laws like the UK’s data protection law from impeding the deal’s function. The letter has since been deleted pending a final decision from regulators.
Plastow’s statements have invited criticism from legal experts who claim that the decision goes against UK law and puts the UK’s data adequacy deal with the European Union at risk. The ICO decision reflects the government’s decision to reshape how data laws are applied under the upcoming Data Protection and Digital Information (DPDI) Bill, according to critics.
The UK police’s use of cloud services from U.S. companies has been a contentious issue due to the possibility that U.S. authorities will be able to access the data of UK citizens. The U.S. Cloud Act stipulates that federal law enforcement agencies can compel domestic companies to provide data stored on servers regardless of whether the data is owned by a firm based outside the U.S.
In 2020, Computer Weekly revealed that dozens of UK police were processing data using Microsoft’s products, raising questions about compliance with the Data Protection Act 2018. In April of last year, it was discovered that Scottish police were storing sensitive data, including biometrics, on servers maintained by Microsoft and Axon. The legality of the scheme is being reviewed by the ICO, and the Scottish Biometrics Commissioner is also scrutinizing the deal.
The question of the U.S. government’s access to foreign citizens’ data is not only a concern in the UK. The U.S. and the EU have spent months trying to regulate international data transfers. To circumvent the issue, large cloud service providers such as Amazon Web Services (AWS), Oracle and Microsoft have announced localized EU services.
Scottish biometrics watchdog says police compliant with relevant laws
The Scottish Police are working with the Police Investigations and Review Commissioner (PIRC), the police internal investigation unit, in line with regulations on the use of biometric data, the Scottish Biometrics Commissioner announced last week.
The conclusion is the result of the first annual assessment on compliance with the Scottish Police Code of Practice regulating the use of biometric data under the Scottish Biometrics Commissioner Act 2020. The Commissioner’s office also says that no complaints have been received about the inappropriate use of biometrics from data subjects.
Police in Scotland have recorded a sharp rise in the use of retrospective facial recognition, tripling the number of searches over the last five years, according to data obtained by local investigative outlets. The force ranks fourth in the use of the technology in the UK but plans to add even more face biometrics during the next five years, including real-time video processing.
Police in Scotland operate a distinct policy from other UK forces, only uploading custody images to the database once an individual has been charged with a crime and removing images of those found innocent after 6 months.