Effect of US Cloud Act coming into force in 2018 on the Cabinet Office IT infrastructure arrangements

Response to this request is long overdue. By law, under all circumstances, Cabinet Office should have responded by now (details). You can complain by requesting an internal review.

Dear Cabinet Office

I understand that the IT infrastructure for the Cabinet Office is provided by Google, an American technology company. My Freedom of Information request is for any information about

(a) when the contract for supplying the IT infrastructure for the Cabinet Office was advertised in the OJEU, as required by EU law;

(b) how many tendering companies were short-listed;

(c) when the contract was awarded to Google;

(d) when will the Cabinet Office be making arrangements to replace its IT infrastructure supplier and/or put the work out to tender anew, because the US Cloud Act came into force in 2018?

Thank you.
Yours faithfully
Rachel Mawhood

FOI Team Mailbox, Cabinet Office

CABINET OFFICE REFERENCE:  FOI327251

Dear RACHEL MAWHOOD

Thank you for your request for information. Your request was received
on 28/11/18 and we are considering if it is appropriate to deal with under
the terms of the Freedom of Information Act 2000.

This email is just a short acknowledgement of your request.

When corresponding with the Cabinet Office, you may wish to be aware of
how we treat your personal Information.  This is set out in our personal
information charter, at the following
link: [1]https://www.gov.uk/government/organisati...

If you have any queries about this email, please contact the FOI team.
Please remember to quote the reference number above in any future
communications.

Yours sincerely,

 Knowledge and Information Management Unit

Cabinet Office

E: [2][Cabinet Office request email]

References

Visible links
1. https://www.gov.uk/government/organisati...
2. mailto:[email address]

Dear FOI Team at the Cabinet Office

"Page not found" on that link you included for your personal information charter.

The Cabinet Office's own domain name seems to have been transferred already to name servers in the USA, in Delaware, see

https://twitter.com/longitude0/status/10...

so any data held there (a) is already subject to surveillance under the US Cloud Act 2018 and (b) is already in breach of the EU "Police Directive" 2016/680.

Yours faithfully
Rachel Mawhood

FOI Team Mailbox, Cabinet Office

1 Attachment

Please find attached the reply to your FOI request

 

 

 

Regards

 

 

FOI Team

Room 405

70 Whitehall,

London, SW1A 2AS

E-mail -[1][Cabinet Office request email] 

References

Visible links
1. mailto:[email address]

Dear FOI Team, Cabinet Office

Thank you for your response. I must deal with this part straightaway: you assert

"d) As the US CLOUD Act of 2018 applies to the data of US citizens only . "

Sorry, this is totally false. This is terrible. Who told you that? The US CLOUD Act 2018 applies to ALL data held on the servers of American technology companies ANYWHERE IN THE WORLD.

"we are not able to see how the US CLOUD Act of 2018 applies to the Cabinet Office.
If you could please provide clarity into which specific parts of the legislation you feel
are applicable we can then respond accordingly"

I don't "feel" it, I KNOW IT: I suggest you do what I did - read the primary sources and expert advice. Eg those to which I linked at the end of my evidence submitted to the Public Bill Committee on 17 December 2018.

Client Alert produced by the Washington DC office of Linklaters LLP, March 2018
https://www.linklaters.com/en/insights/p...

"Cross Border Data Sharing under the CLOUD Act" produced by the US Congressional Research Service, dated 23 April 2018.
https://fas.org/sgp/crs/misc/R45173.pdf

My evidence submitted to the Public Bill Committee about the Crime (O verseas Production Orders) Bill can be read here.

https://publications.parliament.uk/pa/cm...

Yours faithfully
Rachel Mawhood

FOI Team Mailbox, Cabinet Office

CABINET OFFICE REFERENCE:  IR327251

Dear RACHEL MAWHOOD

Thank you for your request for an internal review. Your request was
received on 31/12/2018 and is being dealt with under the terms of the
Freedom of Information Act 2000.

This email is just a short acknowledgement of your request.

If you have any queries about this email, please contact the FOI team.
Please remember to quote the reference number above in any future
communications.

Yours sincerely,

Knowledge and Information Management Unit

Cabinet Office

E: [1][Cabinet Office request email]

 

References

Visible links
1. mailto:[Cabinet Office request email]

CABINET OFFICE REFERENCE: IR327251

FOI Team
Cabinet Office
Room 405
70 Whitehall,
London
SW1A 2AS

Dear FOI Team

While I am waiting for the outcome of your internal review of the Cabinet Office response to my FOI request, I thought I should respond to these other parts of your response:

"a) Google does not provide infrastructure to the Cabinet Office"

I did not make this up. The data protection officer for the Cabinet Office/DExEU volunteered this information in an e-mail to me, transmitted 28.11.2018 08:27, in which he stated, "Yes, Google provide our IT infrastructure. "

"but does provide its productivity suite (GSuite) under agreements with Google UK & Ireland. "

Which - because Google is an American technology company - means that, absent a US-UK executive agreement on extraterritoriality, since the CLOUD Act came into force on 23 March 2018 the US government and US military have been able to obtain British government data held on its servers anywhere in the world, without a court Order, without asking permission, without notifying the data subjects, and there is no possibility of legal challenge by the British Government (because no executive agreement in place). The above quoted statement about GSuite could be construed as an admission of a breach of UK GDPR 2018, EU Directives 2016/679 and 2016/680, and the breach is continuing (while British Government data is held on the servers of American technology companies, not just Google). This is essentially a 100% data leak, in real time. It is not lawful to keep secret a data leak from the affected data subjects.

""b) The only other productivity suite considered was Microsoft Office 365 which lacked
col aboration and productivity features at the time of the decision. "

Out of curiosity, could I ask: how does this statement and the one about Google GSuite, above, not breach the Official Secrets Act 1989? Telling the world that you use Google GSuite is telling the world where to find your data, that - because the US CLOUD Act 2018 changes everything (and totally destroyed the business model for "cloud computing" of Google, Amazon, MicroSoft, Godaddy, Mimecast, etc etc)- currently has no data protection at all, not even with the US-EU Privacy Shield. The US Govt probably has enough data, including data on every British citizen, gleaned from British Government departments data that have been transferred to servers in the US, to roll out over Britain an American version of the Civil Service, were the US President to take it into his head to do this (switching off the British Government' computerised procedures, at the servers, first). I will never understand why the Cabinet Office ever thought it was a good idea to put British GOVERNMENT data on servers physically located in any other sovereign country. Data is more valuable than silver, and this seems to be just asking for trouble.

Yours faithfully
Rachel Mawhood

FOI Team Mailbox, Cabinet Office

1 Attachment

Please find attached the reply to your IR request

 

 

 

Regards

 

 

FOI Team

Room 405

70 Whitehall,

London, SW1A 2AS

E-mail -[1][Cabinet Office request email] 

References

Visible links
1. mailto:[email address]

CABINET OFFICE REFERENCE: IR327251

FOI Team
Cabinet Office
Room 405
70 Whitehall,
London
SW1A 2AS

Dear FOI Team

Cabinet Office Internal Review Reference: IR327251
(Original Case Reference: FOI327251)

REVIEW OF REQUEST UNDER THE FREEDOM OF INFORMATION ACT 2000

You think that a response that contained a total falsehood is "suitable" (see your third paragraph, "I believe that our letter of 18/12/2018 was a suitable response to your request")?!

Okaaaaaay.

"Further queries in relation to this matter should include explicit references to the legislation in
question which can be responded to by the Government Legal Department. "

I may do this, as it appears that the EU laws on procurement have been broken, as well as EU and UK laws on data protection (which I have already cited in correspondence with the Cabinet Office), with the result that UK citizens' data has been transferred out of the UK/EU - without the data subjects' express consent - to the US where, because of the provisions of the US CLOUD Act 2018 (in force since 23 March 2018), this data has no protection whatsoever. Data privacy has been sacrificed unlawfully to "resilience". This may have extremely adverse repercussions for UK and EU citizens for decades to come. The rule of law is the most precious asset of any civilised society. The Government's first duty is to protect UK citizens (including civil servants), not deliberately expose them to unwelcome risks.

No one, no one, is above the law.

Yours faithfully
Rachel Mawhood

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org