The EU-US data protection ‘Umbrella Agreement’ aims to provide a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The Agreement covers all personal data (for example names, addresses, criminal records) exchanged between the EU and the USA for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism.
According to the EU’s press release, the Umbrella Agreement ‘will provide safeguards and guarantees of lawfulness for data transfers, thereby strengthening fundamental rights, facilitating EU-US law enforcement cooperation and restoring trust’. The full text of the agreement was released on 15 September; it is available here.
EU citizens will benefit from equal treatment: they will have the same judicial redress rights as US citizens in case of privacy breaches.
The Umbrella Agreement will complement existing EU-US and Member State – US agreements between law enforcement authorities. The EU Commission claims that it will create clear harmonised data protection rules and set a high level of protection for future agreements in this field.
The Umbrella Agreement covers the following:
- Clear limitations on data use – Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences, and may not be processed beyond compatible purposes.
- Onward transfer – Any onward transfer to a non-US, non-EU country or international organisation must be subject to the prior consent of the competent authority of the country which had originally transferred personal data.
- Retention periods – Individuals’ personal data may not be retained for longer than necessary or appropriate. These retention periods will have to be published or otherwise made publicly available. The decision on what is an acceptable duration must take into account the impact on people’s rights and interests.
- Right to access and rectification – Any individual will be entitled to access their personal data – subject to certain conditions, given the law enforcement context – and request it to be corrected if it is inaccurate.
- Information in case of data security breaches – A mechanism will be put in place so as to ensure notification of data security breaches to the competent authority and, where appropriate, the data subject.
- Judicial redress and enforceability of rights – EU citizens will have the right to seek judicial redress before US courts in case of the US authorities deny access or rectification, or unlawfully disclose their personal data. This provision of the Agreement depends on the adoption by the US Congress of the US Judicial Redress Bill.
The data transferred between EU and US law enforcement authorities can only be shared for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters. The Umbrella Agreement also clearly states that this data cannot be further processed for other incompatible purposes.
Judicial redress
At the moment, if an EU citizens’ data is transferred to US law enforcement authorities and that data is incorrect or unlawfully processed, EU citizens, unless resident in the USA, are unable to obtain redress in US courts (unlike US citizens, who could ask for redress in European courts). The Umbrella Agreement will introduce the equal treatment of EU citizens. A Bill extending the core of the judicial redress provisions of the US Privacy Act of 1974 to EU citizens has been formally introduced in the US Congress on 18 March (Judicial Redress Bill). Once adopted, it will give EU citizens the right to seek judicial redress before US courts in case US authorities have denied access or rectification, or unlawfully disclose their personal data. The adoption of the Judicial Redress Bill will allow for the conclusion of the umbrella agreement.
How will the agreement work in practice?
The EU Commission’s press release gives the following example. An EU citizen’s name is identical to that of a suspect in a transatlantic criminal investigation. Their data has been transferred from the EU to the U.S. and erroneously gets collected and included on a U.S. ‘black list’. This can lead to a series of adverse consequences from the refusal of an entry visa, to a possible arrest. The EU citizen should be able to have their name deleted by the authorities – if necessary by a judge – once the mistake is discovered. Europeans (and Americans) have those rights in the EU. They should have them when their data is exchanged with the US too. The citizen who believes that their data is inaccurate also can authorise, where permitted under domestic law, an authority (for instance a Data Protection Authority) or another representative to seek correction or rectification on his or her behalf.
If correction or rectification is denied or restricted, the US authority processing the data should provide the individual or the data protection authority acting on their behalf with a response explaining the reasons for the denial or restriction of correction or rectification.
What are the next steps?
The Umbrella Agreement will be signed and formally concluded only after the US Judicial Redress Bill, granting judicial redress rights to EU citizens, has been adopted.
The Council, on the basis of a proposal by the Commission, will then adopt a decision authorising the signing of the Agreement. The decision concluding the Agreement will be adopted by the Council after obtaining the consent of the European Parliament.