UK authorities should not be granted access to data held by American companies because British laws don't meet human rights obligations, nine nonprofits have said.
In a letter to the US Department of Justice, organisations including Human Rights Watch and the Electronic Frontier Foundation set out their concerns about the UK's surveillance and data retention regimes.
They argue that the nation doesn't adhere to human rights obligations and commitments, and therefore it should not be allowed to request data from US companies under the CLOUD Act, which Congress slipped into the Omnibus Spending Bill earlier this year.
The law allows US government to sign formal, bilateral agreements with other countries setting standards for cross-border investigative requests for digital evidence related to serious crime and terrorism.
It requires that these countries "adhere to applicable international human rights obligations and commitments or demonstrate respect for international universal human rights". The civil rights groups say the UK fails to make the grade.
As such, it urged the US administration not to sign an executive order allowing the UK to request access to data, communications content and associated metadata, noting that the CLOUD Act "implicitly acknowledges" some of the info gathered might relate to US folk.
Critics are concerned this could then be shared with US law enforcement, thus breaking the Fourth Amendment, which requires a warrant to be served for the collection of such data.
Setting out the areas in which the UK falls short, the letter pointed to pending laws on counter-terrorism, saying that, as drafted they would "excessively restrict freedom of expression by criminalizing clicking on certain types of online content".
Top Euro court: UK's former snooping regime breached human rightsREAD MORE
Meanwhile, the UK's surveillance regime has repeatedly been found to fall short of European standards. The letter noted a recent ruling from the European Court of Human Rights that found various failings on the government's oversight of bulk interception of communications.
Although this ruling related to a previous regime, the human rights groups said they "do not believe" that the Investigatory Powers Act – brought in to replace the previous regime – "has cured this defect".
UK-based civil liberties groups agreed with this assessment at the time. Similarly, they were unconvinced that changes the government made to the Data Retention and Acquisition Regulations satisfy a ruling from the Court of Justice of the European Union.
The letter from the US groups echoed this, stating: "We urge you to keep abreast of any challenges to the compliance of these regulations, either as written or as applied, with EU law or the ECHR."
Finally, the groups said the Crime (Overseas Production Orders) bill – introduced to Parliament this summer – contains "numerous" provisions that would violate the UK's obligations or the provisions of the CLOUD Act, or be "gravely inconsistent" with the Fourth Amendment.
For instance, the groups claimed the bill's language is too broad about when overseas production orders can be issued, which it said was inconsistent with the Fourth Amendment, and that it fails to limit the duration of the data production or access under the order – which is a requirement of the CLOUD Act.
"For the reasons stated above, we believe an executive agreement permitting UK authorities to order the disclosure of, or access to, data held by US companies pursuant to the CLOUD Act should not be concluded at this time," the letter concluded. ®
Sponsored: Webcast: Simplify data protection on AWS