House of Lords e-mail arrangements appear to breach UK GDPR 2018 and EU Directives 2016/679 and 2016/680

Indigo made this Freedom of Information request to House of Lords


The request was refused by House of Lords.

Dear House of Lords

It has come to my attention that the House of Lords e-mail servers appear to be physically located in the USA, in the states of Missouri and Washington. If so, this is a breach of UK GDPR 2018 and EU Directive 2016/679, as no attempt is made to obtain the express consent of those who e-mail the House of Lords to their personal data being sent out of the UK/EU, and in real time.

The House of Lords e-mail arrangements may also be a breach of EU "Police Directive" 2016/680, in the case of data transfers to do with law enforcement.

One result is that, since the US CLOUD Act was signed into law by the US President on 23 March 2018, the US government can obtain these e-mails and other data, anytime it wants, in real time, without a court Order, and no challenge is possible because there is no executive agreement in place between the US and UK governments. The data already transferred is gone forever, into the "wild", to be analysed and sold, possibly putting lives at risk but certainly used to influence British domestic and foreign policy and "neutralise" individuals considered to be an obstacle to US interests.

My FOI request is for any information about how and why this situation - the House of Lords current e-mail arrangements with mail servers physically located in the USA - has been allowed to happen, as it appears to put the highest court in the land in breach of at least three UK and/or EU data protection laws, with very long-lasting implications.

Incidentally, the US state of Missouri has the death penalty. Execution is by lethal injection or gas inhalation. Washington State abolished the death penalty only recently, in October 2018, after the US Supreme Court decided that in Washington State the penalty was being applied in an "arbitrary and racially biased manner". So it could be reinstated.

Words cannot express how angry I am about this betrayal of British and EU citizens' data privacy rights, which have been sacrificed to "resilience", by the House of Lords, an extremely privileged cadre. This is beyond stupid.

Thank you.

Yours faithfully
Rachel Mawhood

HL FOI & Information Compliance, House of Lords

1 Attachment

Dear Ms Mawhood,

Please find attached our response to your request (copied below) to the
House of Lords Administration.

You may, if dissatisfied with the treatment of your request, ask the House
of Lords to conduct an internal review. This should be addressed to
[1][email address] or to the Freedom of Information Officer, House
of Lords, London SW1A 0PW and explain clearly the nature of your complaint
in terms of compliance with the Freedom of Information Act 2000.
Arrangements will be made for someone who has not been involved in dealing
with your request to conduct an internal review within 20 working days.

You should note that we will not normally accept an application for
internal review if it is received more than two months after the date our
response was sent. Any such request received after this time will only be
considered in exceptional circumstances.

If, following this review, you remain dissatisfied with the House's
treatment of your request for information you may then take your complaint
to the Information Commissioner at Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF.

Yours sincerely,

Kimberley Swift
Information Compliance Team
House of Lords

FOI 3160

Ms Kimberley Swift
Information Compliance Team
House of Lords

Dear Ms Swift

Thank you for your response of 9 January 2019 to my FOI request made 28 December 2018 which was
for "any information about how and why this situation - the House of Lords current e-mail
arrangements with mail servers physically located in the USA - has been allowed to happen".

Your reply states,

"The House of Lords Administration does not hold any information relevant to your request. This is
because the parliamentary email servers are physically located in the UK, not the USA. Parliament
has a contractual commitment with our supplier that our emails will always be held in the EU."

Please note the following:

1. I have documentary evidence that, at the time I made my FOI request, Parliamentary e-mail was being sent to/from or relayed through Mimecast servers in Missouri and Washington State, USA. (Please refer to my e-mail to the Baroness Williams of Trafford and Baroness Hamwee, transmitted 27 December 2018 21:22, subject line "US CLOUD Act already applies to House of Lords e-mails", and copied to The Criminal Bar and The Bar Council.)

2. Since then, it seems that Parliamentary e-mail arrangements have been moved to Mimecast UK Limited servers apparently located in London and Cambridge, UK.

3. Mimecast Services Limited (company number 4901524) is 75 per cent owned by Mimecast UK Limited (company number 04698693) which is itself 75 per cent owned by Mimecast Limited (registered in the Bailiwick of Jersey, number 119119).

Jersey is not part of the UK and is not fully part of the EU. Jersey is an offshore financial centre with its own financial, legal and judicial system. So the US-EU Privacy Shield may not, in practice, protect personal data sent via the Parliament's cloud computers owned by Mimecast. Furthermore, the US-EU Privacy Shield does not cover data transfers to do with law enforcement (see EU "Police Directive" 2016/680).

The point of telling you this is to highlight the fact that the parent company of the provider of Parliament's cloud computing is not located in either the UK or the EU. As offshore financial centres are not UK or EU, Parliament's IT people should probably investigate Jersey's interactions with the US CLOUD Act 2018.

4. I think that those responsible for deciding on IT arrangements for Parliament should read the Mimecast privacy statement, here

https://www.mimecast.com/archived-pages/...

and note that (a) it does not even reference the current EU Directives and (b) Mimecast's data protection officer is in Lexington, Massachusetts. Also, people should check that when Mimecast refers to "GDPR" they are not referring to the company that has that name, but letting you construe that they are referring to the UK GDPR 2018.

Mimecast's web site privacy statement says "Personal Data with Mimecast-controlled affiliates, partners, properly vetted sub-processors and third party service providers throughout the world, when required by law, to protect the security our customers with respect to the information that passes through our Services, as well as to protect the rights or property of Mimecast."

5. The data that was relayed via servers located in the US states of Missouri and/or Virginia up to the end of December 2018 is gone forever: essentially a 100% data leak in real time, and it is not lawful to keep data leaks secret from the affected data subjects.

6. Unless Parliament's contract with Mimecast specifically states otherwise, Parliament probably does not own the data it uploads to Mimecast's cloud computers.

7. All this is in the context of

(a) so many of the British Government departments' computerised processes having been transferred to the servers of American technology companies in the US in the past 12 months or so;

(b) the coming into force of the US CLOUD Act on 23 March 2018;

(c) there being no US-UK executive agreement on extraterritoriality in place, no legal challenge is possible of any US government or US military demand for data of UK and EU citizens held for the British Government (in breach of GDPR, and EU Directives 2016/679 and 2016/680) on the servers of American technology companies;

and

(d) these circumstances do, in my view, constitute an unprecedented existential threat to Britain from the US; the US could - all it needs is the US President's signature on an executive order - switch off the British Government at any time of any day or night. President Trump has already shut down his own government, to try to force through a vanity project, so why wouldn't he shut down the British Government in order to obtain something (eg a particular version of Brexit) that he wants or to prepare the ground for a "shock and awe" operation?

For the above reasons, I should be grateful if you would treat this reply from me as a request for an internal review of Parliament's response to my FOI request made 28 December 2018.

Statement of truth: I believe that the facts stated by me here are true.

Yours sincerely
Rachel Mawhood

HL FOI & Information Compliance, House of Lords

Dear Ms Mawhood,

Thank you for your correspondence below seeking an internal review of the
House of Lords Administration's response to your request for information
under the Freedom of Information Act 2000 ("the FOIA"). I have
investigated the original request and response provided. I was not
involved in the initial response to your request.

You asked for:

"…any information about how and why this situation - the House of Lords
current e-mail arrangements with mail servers physically located in the
USA - has been allowed to happen."

I have reviewed the original response provided. I can confirm that the
Parliamentary Digital Service have investigated this service and are clear
that data was not, and is not, being processed on servers hosted in the
US. I am therefore content that the response provided was correct.

If you are not content with the handling of this request, you have the
right to apply directly to the Information Commissioner. The Information
Commissioner may be contacted at: the Information Commissioner's Office,
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Yours sincerely,

Richard Foreman
Information Compliance Manager
House of Lords

From: Indigo <[1][FOI #540974 email]>
Sent: 17 January 2019 10:14
To: HL FOI & Information Compliance <[2][email address]>
Subject: Internal review of Freedom of Information request - House of
Lords e-mail arrangements