Why saying "Police use of Public Cloud is Illegal" is only mostly (and practically) true...

I'm sometimes quoted saying that Police use of Microsoft and AWS platforms is illegal because it contravenes the UK Data Protection Act 2018 Part 3 - that's true, mostly...

Why Hyperscalers are a problem:

Loads of people and companies all around the world use the two major Hyperscalers (AWS & Microsoft) that are now commonly used by UK Policing (and also by Prisons, Offender Management orgs, MoJ, Home Office, Courts, CPS, and those parts of HMRC/DWP/MOD/etc. that are deemed to be conducting a "Law Enforcement" activity).

By and large that generic use is fine - these platforms are generally entirely OK for non-sensitive, low value, personal and non-personal data. They're not, however, designed for processing that has special requirements, which is why (other than in the UK*) very few national governments and public services rely on them.

* Yes I know the US Gov make huge use of these Hyperscalers, but those operate under FedRAMP and are completely different platforms to the ones that UK Gov have access to, which are exactly the same ones as you and I can use upon payment and accessed over the Internet.

IMPORTANT NOTE: I'll refer to 'Police' here, but in many cases the same rules apply to the hundreds of Law Enforcement Competent Authorities defined in Schedule 7 of the DPA 2018 HERE, and their suppliers, processors and partners.

Police agencies are allowed to process a lot of really very sensitive and invasive information about the people they come into contact with when they do their job; typically these are victims, witnesses, suspects, offenders and bystanders.

They don't have a RIGHT to do so; this processing is permitted only under the strict terms of policies, standards and regulatory measures (legislation as well as codes of practice, etc.) that govern how the Police can operate.

People have RIGHTS, Public Bodies have OBLIGATIONS

These obligations have been developed over many years, and informed by multiple court rulings, public enquiries and parliamentary measures, to ensure that the Police's need to know something about a person is balanced against the person's right not to have their private life interfered with.

This is important stuff - in fact it's fundamental to the safe, legal and proper operation of the UK as a country.

So here's the issue in a nutshell:

UK Police and their suppliers and partners (processors) have to comply with lots of legislation, policies, and stuff that their selected Cloud Providers Microsoft and AWS don't, and can't, adhere to.

This includes:

  • DPA 2018 Part 3;
  • Various Police Acts;
  • A lot of 'Police Related' legislation (like the Police Reform and Social Responsibility Act 2011);
  • Various Biometric laws, rules, and regs;
  • Code of Practice on Personnel Vetting;
  • Code of Practice on Management of Police Information (MOPI).

I'm not going to probe into the issues outside of DPA 2018 Part 3 in this article, because they're complex enough for one sitting, but as time permits I'll explain the other legislation and rules separately - just take it as read that Police (in all their forms) are extremely regulated...

I've also covered the many reasons why Hyperscaler Cloud Providers fail to meet the requirements HERE (I'll update this analysis soon BTW, because it's nearly 18 months old and since it was done Microsoft have divulged that offshore transfers are in fact intrinsic to operation of their Cloud services).

What the Law (DPA 2018 Part 3) requires:

The DPA 2018 Part 3 is the UK's transcription of the EU's 2016/680 Law Enforcement Directive [LED], which of course the UK also contributed to at the time of writing.

The explanatory notes for Part 3 make clear that wherever possible the UK just lifted the LED provisions as they were written (literally verbatim in some cases), except where there was a legitimate derogation (a legal term to say "you can change this bit/adjust as applicable").

This makes assessments of what happens if and when the UK changes Part 3 with respect to LED really easy: each change made is going to be a deviation from the EU Directive.

When it comes to Cloud providers' processing of data, the important bits are in Part 3 Chapters 4 & 5. These cover 'Controllers & Processors' and 'Transfers of Personal Data to Third Countries' respectively.

Chapter 4 - Processor Obligations

Chapter 4 has a number of provisions that lay down specific guarantees and undertakings that every processor must give to a Controller (the 'Police' in this case) to be able to legally process their data.

The AWS assessment shows that only one of these (ICO Co-operation - which has been assumed rather than explicitly stated) is actually met.

The position for Microsoft is - on the face of it - no different, but there is a growing body of evidence from examination of the Scottish Government DESC system that shows the assessment below is probably over-generous in some respects. They don't so much 'narrowly miss' some of the elements, they miss them by a mile (and a bit).

This is the first part of why processing of Law Enforcement Personal Data on AWS or Microsoft is almost certainly in breach of the DPA 2018 Part 3/not lawful/illegal*

* You can delete as you prefer but all of these are applicable terms to use.

Because neither Microsoft nor AWS meets the requirements of Chapter 4, they cannot be legal platforms for processing of Law Enforcement Data.

So this is the first issue; but recently (June) Microsoft said they would change their terms of service for the Scottish Police Authority to give them these guarantees.

They also, however, said that they had to send the data overseas for processing and that getting case by case permission beforehand was "impossible to operationalise" - so they still fail at least Element 7: Close, but definitely no cigar...

Let's assume for now however that (by some miracle) Microsoft and AWS CAN and DO change their terms of service and can meet all these 13 Elements. It would be legal to use them then, right?

Well that's when Chapter 5 itself comes directly into play...

Why Hyperscalers are also impractical to legally use

This is a more challenging set of issues - but they still come from the DPA 2018 Part 3 (this time from Chapter 5, relating to International Transfers).

Even if you could find a Hyperscaler who gave you a 100% cast iron guarantee on all their obligations from Chapter 4, Chapter 5 lays down processes that must be followed by the Policing body using that service.

Before we dive into this it's important to understand the following:

Unlike GDPR, where International Data Transfer is conditionally allowable, LED expects such transfers to be exceptional & managed on a case-by-case basis

Let's allow that to sink in for a second, because this is really important to understand:

  • UK GDPR "routinely allows you to send data overseas, so long as you..."
  • LED (Pt3) actually "prohibits you from sending data overseas, unless..."

This is why measures such as GDPR "Standard Contractual Clauses", "International Data Transfer Agreements" and "Transfer Risk Assessments", relevant to GDPR Article 46, etc. really have zero applicability/relevance to LED transfers, such as those under Chapter 5 of DPA 2018 Part 3.

There is no presumption in LED that you are permitted to transfer personal data - in fact the opposite's true: you're not allowed to unless you can show it's necessary to do so.

Chapter 5 DPA contains just 8 sections, and the UK have already adjusted them (with EU approval) to reflect Brexit. Some of these changes were really just 'find-and-replace' changes of "EU Member State and EEA" to "United Kingdom", and that's a shame because they do cause us a lot of issues. AWS might have been just about legal to use (not quite but close) if those Brexit clauses hadn't in fact been changed. Microsoft? No difference.

I'm not going to go into these sections line by line, because since 2018 (and through all the changes of Brexit) I've been keeping a flow chart model pretty much up to date that shows all the steps you need to do if you wish to legally send Law Enforcement Personal Data outside of the UK (including to Europe).

This is in 2 parts, the first bit of which applies to ALL "Police-type" organisations in the UK.

The second part is only relevant when you want to send data to someone who is not an overseas Law Enforcement organisation (which is called a "relevant authority or International Organisation" - like the FBI or Interpol respectively), such as a Cloud Provider.

Only some organisations are permitted to do that however (listed in the graphic below).

No-one else is ever allowed to send data to a non-Law Enforcement recipient, for the simple reason that it's not necessary for them to do so (actually it still needs to be strictly necessary even for Police to do so, and that's a much higher legal test bar than most folks realise).

For those orgs who ARE allowed to transfer data to a Cloud Provider, they can only do so if they go through a lot of steps.

I'll post the full flow chart, then the two parts separately and discuss them:

Steps required to Transfer Law Enforcement Personal Data to a 3rd Country (outside UK)

If this looks scary - wait till you see the new one that would apply if the DUAB becomes law ;)

Remember that this process needs to be done for each and every transfer - though to be fair the bits in the first part (Path 1 & maybe Path 2) might be something you can do once and rely upon thereafter for similar transfers; whilst the bits in the second part absolutely need to be done every single time you put a piece of LE personal data into the Cloud.

First part of the flowchart:

The first part of the flowchart is simply about identifying the lawful basis of your transfer:

First Part of the DPA 2018 Pt3 Chapter 5 Flowchart process (S.73-S76)

It is conceivable that for 'Path 1' above (and maybe Path 2), a one-off exercise could be done to confirm that a particular country (or for Path 2 a specific International Organisation) is "good enough" to send data to.

The ICO has previously confirmed that they know a small number of LE Competent Authorities who have determined that the US and Australia ARE in fact countries with suitable safeguards, but they refuse to disclose who those organisations are or the basis for that assertion.

I think that's hokum BTW - there's no way those regimes provide that level of suitable safeguards, but without the ICO disclosing more info it's impossible to analyse this.

It's also worth noting that the UK already deviates from the EU in that the UK has deemed Guernsey (and now also Jersey and Isle of Man, tho' not shown on this graphic) as being adequate for receipt of LE data, whilst the EU still has not.

A transfer under Path 3 is context specific and always needs a case by case analysis.

If none of these apply then of course you can't send the data at all.

Second part of the flowchart:

The Second Part applies only when you want to send the data to a non-Law Enforcement recipient, which is the point of this article TBH:

The following steps need to be done - in order - each and every time a Police Officer wishes to send even a single piece of personal data that is being processed for a LE purpose to the Microsoft or AWS Cloud.

Let's just be clear - this means you need to go through this process for:

  • Every upload of CCTV or Digital Evidence to a service like Axon's Evidence.com (as per DESC in Scotland);
  • Sending a case file to the CPS for their consideration;
  • Asking a colleague to take a witness statement for a case you're working on;
  • Having a Teams call to discuss an operation or for a safeguarding collaboration;
  • Etc.

Second Part of the DPA 2018 Pt3 Chapter 5 Flowchart process (S.73(4)(b)-S77)

Things to note here are that only those organisations specifically listed in Box A are ever allowed to do this type of transfer, and although the ICO has claimed otherwise in responses to specific Computer Weekly questions they are not in fact legally allowed to use these services today; though this position will change if the Data (Access & Use) Bill is passed into law. Then everyone in the Law Enforcement space will be able to use Hyperscaler Cloud, but that's a different article...

ICO aren't alone of course; a lot of organisations who today use Digital Evidence Management Services are not listed in Box A (like the IOPC for example who use NICE which sits on Azure and as such definitely can't provide a service compatible with Part 3).

So what does this mean in practice?

Let's assume you're a Police Officer in a Force that uses Body Worn Video (doesn't matter what brand because although a couple of them don't use Azure or AWS Cloud for data storage, those majorly used in Policing generally do).

You attend an assault, take some BWV video, collect statements, grab some CCTV and ask some witnesses to upload photos and video from their phones to your Force evidence portal on the web.

You need to ask a colleague to go and get a statement from an additional witness tomorrow morning when you're off shift, so you email that request to them with details of the witness on your internal Force M365 service.

  1. The BWV video is one piece of personal data and needs to be pushed through the Second Part flow chart in full before it's uploaded to the Cloud;
  2. The witness statements you captured on your mobile device are each an additional piece of personal data - so put all of those individually through the flow chart process;
  3. The CCTV is already on your digital evidence management service - so you did the flow chart assessment for that when you were on scene, right?;
  4. The photos and videos uploaded by the public have probably already transferred internationally to even get to you (virtually all of the portal services in use by UK Police today don't operate exclusively from within the UK; some use services that 100% only operate in the US) - so how do you assess if they've been legally processed thus far? Maybe that's one to push to your Sergeant?;
  5. The internal email is the easy bit - or then again maybe not, because M365 is a Cloud based service and one that Microsoft have been clear to state in clarifications we've seen through FOIs is not 100% UK based (neither is Teams...), so you'll need to do a full flow chart analysis for that "internal" email too before you type and send it.


In creating the material you have to legitimately produce and manage for your simple assault case, you've also had to create half a dozen Data Protection transfer impact assessment reports and to send them to the ICO.

The legal need for huge volumes of additional work to process even simple case files on a Hyperscaler Cloud makes them impractical for daily Police use, and evidence from ICO FOIs shows that actually no-one does it. They just process that personal data illegally.

So the UK's law hasn't kept pace with the Tech then?

Well that's absolutely the narrative pushed by NPCC, PDS, Home Office, and basically anyone using these Public Cloud Hyperscalers for a 'Police' purpose today.

It's also total rubbish.

The reality is that the law predated Police decisions to use these Hyperscalers: LED was passed in May 2016, and written into DPA 2018 in May 2018. It was known about and warned about when decisions were made to adopt these services.

Seniors were warned about the implications of using these platforms, but ignored those warnings. Major HMG projects like the MoJ Common Platform pressed ahead with deployment on to Microsoft Azure, whilst Home Office actively funded adoption of M365 by Forces in the National Enabling Programme.

All that programme did was enable illegal processing by every Force in the country.

This isn't a problem with the law - it's a problem rooted in bad technology choices, initially by a small group of individuals and then accelerated into a headlong national programme.

The issue is that today the UK has already spent £100m's on Hyperscalers for use in Law Enforcement environments over the past half decade (and that's a "high £100m's" figure - Common Platform alone was reportedly a £275m programme, so it might well be £bn's now).

So what to do about it?

This isn't a problem that will just go away. It's only getting worse day by day, hour by hour.

In fact there's every reason to assume that it's going to get progressively worse at an accelerating pace: the new UK Government wants to change laws to make this more permissive, putting them on a direct collision course with the EU, whilst the Scottish Government recently approved national roll-out of DESC even though it's provably illegal for the Law Enforcement purposes and processes it is supposed to directly support.

It CAN be fixed, but to do so requires the Police Forces to reach out to folks who understand the legislation - not 'GDPR folks who dabble' which is surprisingly commonly the case - and for the Government to take action to stop things getting worse.

So far, neither of those seems to be on the cards.

Owen S.

Explaining UK Data Protection Act 2018 obligations (& implications) to Law Enforcement Competent Authorities & partners

1mo

EDITED: To correct numerous typos picked out as ever by the eagle eye of Rob Baskerville (TY).

Vikram Mohan

Digital and Cloud strategist - VikramMohan.com

1mo

The big question is, why is no one taking the Law Enforcement agencies to the High Court and performing a judicial review? This should iron out what the Judiciary thinks about this and provide a formal interpretation of the law.
