Data Protection across the Atlantic
Historical break-through with the “Umbrella Agreement”
Created on 01.12.2016
On 1st December 2016, the European Parliament will vote on the conclusion of the Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offenses.
The agreement is also known as the “Umbrella Agreement”. Jan Philipp Albrecht has been the Parliament’s chief negotiator (“rapporteur”) on this agreement since it was kicked off in 2010, after repeated calls from the European Parliament.
Negotiations were slow for the first years, but gained new momentum after the revelations by Edward Snowden. The final text was agreed on 8 September 2015 by the negotiators from the US Department of Justice and the European Commission, and approved by the EU Member States in July 2016. After the European Parliament’s approval and just before the end of the Obama administration, we can witness a historical break-through: for the first time in history, the United States enters into a binding international agreement on data protection.
No new data transfers, but harmonised high data protection
The “Umbrella Agreement” is not a legal basis for transfers of personal data, and therefore it by no means authorises any new data transfers. The purpose of the Agreement is to ensure a high level of data protection in situations where personal data are transferred across the Atlantic from the EU to law enforcement authorities in the US or vice versa. Any data transfers have to be based on a separate legal basis, either in EU-US agreements or in bilateral agreements between the Member States and the US, e.g. mutual legal assistance treaties or air passenger data agreements (PNR). The Umbrella Agreement supplements the protections and safeguards of these agreements, and enhances and harmonises the data subject rights. It contains provisions on purpose and use limitations of data transferred, data quality and integrity, rules on onward transfer, right to access and rectification, judicial redress and enforceability. It also covers data transferred by private entities of one party to law enforcement authorities of the other party where there is a legal basis for that; however, it does not cover data exchanges between national security authorities, nor between private entities. National security is outside of the EU competence, and private data transfers are regulated by the General Data Protection Regulation.
After the Parliament’s Legal Service, in its opinion of 14 January 2015, raised some issues that could need further clarification, Jan Philipp Albrecht as rapporteur managed to get a written declaration from the European Commission that confirms the legal interpretation of the EU side. It will be published in the Official Journal of the EU together with the Agreement and will therefore also guide interpretation by the Court of Justice if necessary. One of the clarifications concerns the last part-sentence of Article 5(3) (“no further authorisation [for data transfers] shall be required”). This clause does not provide for a de-facto adequacy decision, but merely states that no further legal basis than the respective agreement referred to in Article 3(1) shall be necessary, which is already the case. The Commission also clarified that the presumption of compliance of the US with applicable international transfer rules is not an automatic, but a qualified one, which is refutable and does not affect the powers of the data protection authorities.
Judicial Redress for EU Citizens in the US
In order to finalise the EU-US Umbrella Agreement, the US Congress had to adopt the Judicial Redress Act which amends the Privacy Act of 1974 and grants judicial redress to EU citizens and possibly citizens of other countries after designation by the Attorney-General. It was passed by Congress in February 2016. This is also the first time ever the US Congress extended a privacy law because the EU demanded this.
The Judicial Redress Act has some limits. It allows EU citizens to bring actions to US courts only if commercial data transfers are permitted between the EU and the US, and data transfer policies do not impede U.S. national security interests. These two conditions may weaken the implementation of the Umbrella Agreement by the US, as the US Attorney General could decide that the Judicial Redress Act might no longer apply to EU citizens. In this case, however, the U.S. would be in breach of the Agreement. The Agreement as such is without any conditions, and the US have to follow their obligations under international law.
Also, judicial redress will only be open in the US for EU citizens and not for EU “residents” (third-country nationals who live in the EU). Nonetheless, the Commission clarified that other judicial redress avenues in the US are available to all EU data subjects concerned by the transfer for law enforcement purposes, regardless of their nationality or place of residence. From the EU perspective, it would have been ideal if all persons in the EU had been granted the right to judicial redress, but the U.S. legal tradition very often distinguishes between US citizens and non-US citizens. On the EU side, US citizens and non-US citizens can enforce their rights in court without such distinction, like everybody else. The Agreement is therefore in line with the EU Charter of Fundamental Rights.
Exemptions? Illegal under the Agreement
Under Section 552a(j)(2) of the US Privacy Act, some data are currently exempted from judicial redress, among those PNR or banking data. However, the data subject rights conferred by the Umbrella Agreement are formulated in an unconditional manner. This means that the US authorities will not be able to exempt PNR and other data anymore. Otherwise the US would again be in breach of the binding agreement. This is also the legal understanding of the Commission in its declaration.
The US administration could hand over their ratification documents at the EU-US Ministerial Meeting on Justice and Home Affairs in Washington DC on 4th and 5th December. The EU will only hand over their documents after the remaining conditions have been fulfilled by the US administration, i.e. the granting of judicial redress to citizens of all EU Member States, and the repealing of the exemptions. The agreement enters into force on the first day of the month after these documents have been exchanged by both sides, therefore the earliest option could be 1st January. We hope that these procedures can still be finalised by the outgoing Obama administration. The agreement then will bind the incoming Trump administration under international law.
The Agreement will be subject to periodic joint reviews. The first one will take place no later than three years from the entry into force of the Umbrella Agreement, with further reviews thereafter on a regular basis. The composition of the respective delegations shall include representatives of both data protection authorities and law enforcement authorities. The findings of the joint reviews will be made public.
In sum, the agreement constitutes major progress for the protection of personal data when transferred between the EU and the US in the context of law enforcement activities. It may not be the best agreement that can be envisaged, but it is certainly the best one possible in the current situation. Moreover, the agreement does not limit or infringe any data subject rights, as it constitutes no legal basis for any further data transfers. It merely adds new rights and protections to the existing frameworks for data transfers in the context of EU US law enforcement cooperation.