Questions and Answers on the EU-US data protection "Umbrella agreement"
What is the EU-US data protection "Umbrella Agreement"?
The EU-US data protection "Umbrella Agreement" puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The Agreement covers all personal data (for example names, addresses, criminal records) exchanged between the EU and the U.S. for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism.
The Umbrella Agreement will provide safeguards and guarantees of lawfulness for data transfers, thereby strengthening fundamental rights, facilitating EU-U.S. law enforcement cooperation and restoring trust.
In particular, EU citizens will benefit from equal treatment: they will have the same judicial redress rights as US citizens in case of privacy breaches. This point was outlined by President Juncker in his political guidelines, when he stated: “The United States must [...] guarantee that all EU citizens have the right to enforce data protection rights in U.S. courts, whether or not they reside on U.S. soil. Removing such discrimination will be essential for restoring trust in transatlantic relations”
How will the Umbrella Agreement make data transfers safer?
This agreement will complement existing EU-US and Member State - US agreements between law enforcement authorities. It will create clear harmonised data protection rules and set a high level of protection for future agreements in this field.
The Umbrella agreement will provide the following protections to make sure that everyone's data are protected when exchanged between police and criminal justice authorities:
-
-Clear limitations on data use - Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences, and may not be processed beyond compatible purposes.
-
-Onward transfer - Any onward transfer to a non-US, non-EU country or international organisation must be subject to the prior consent of the competent authority of the country which had originally transferred personal data.
-
-Retention periods - Individuals' personal data may not be retained for longer than necessary or appropriate. These retention periods will have to be published or otherwise made publicly available. The decision on what is an acceptable duration must take into account the impact on people's rights and interests.
-
-Right to access and rectification - Any individual will be entitled to access their personal data - subject to certain conditions, given the law enforcement context - and request it to be corrected if it is inaccurate.
-
-Information in case of data security breaches - A mechanism will be put in place so as to ensure notification of data security breaches to the competent authority and, where appropriate, the data subject.
-
-Judicial redress and enforceability of rights - EU citizens will have the right to seek judicial redress before US courts in case of the US authorities deny access or rectification, or unlawfully disclose their personal data. This provision of the Agreement depends on the adoption by U.S. Congress of the US Judicial Redress Bill will have been adopted.
For what purpose can data be transferred across the Atlantic under the Umbrella Agreement? (purpose limitation)
The data transferred between EU and US law enforcement authorities can only be shared for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters. The agreement also clearly states that this data cannot be further processed for other incompatible purposes.
What if the US decides to transfer data to a third country or international organisation, how will the Umbrella agreement protect the data? (onward transfer)
The Umbrella Agreement introduces strong safeguards to protect EU citizens' data transferred across the Atlantic when US authorities need to transfer it to a third country. In case a US authority intends to further transfer data it has received from the EU to a third country/international organisation, it will have first to obtain the consent from the law enforcement authority in the EU which has originally transferred the data to the US.
What is judicial redress? What will the Umbrella Agreement change?
At the moment, if an EU citizens' data is transferred to US law enforcement authorities and if their data is incorrect or unlawfully processed, EU citizens - non-resident in the US- are unable to obtain redress in US courts (unlike US citizens, who could ask for redress in European courts). The Umbrella Agreement will introduce the equal treatment of EU citizens, as called for by President Juncker in his political guidelines.
A bill extending the core of the judicial redress provisions of the US Privacy Act of 1974 to EU citizens has been formally introduced in the US Congress on 18 March (Judicial Redress Bill). Once adopted, it will give EU citizens the right to seek judicial redress before US courts in case US authorities have denied access or rectification, or unlawfully disclose their personal data. The adoption of the Judicial Redress Bill will allow for the conclusion of the umbrella agreement.
How will the agreement work in practice?
Example: An EU citizen’s name is identical to that of a suspect in a transatlantic criminal investigation. Their data has been transferred from the EU to the U.S. and erroneously gets collected and included on a U.S. "black list". This can lead to a series of adverse consequences from the refusal of an entry visa, to a possible arrest. The EU citizen should be able to have their name deleted by the authorities - if necessary by a judge - once the mistake is discovered. Europeans (and Americans) have those rights in the EU. They should have them when their data is exchanged with the US too. The citizen who believes that their data is inaccurate also can authorise, where permitted under domestic law, an authority (for instance a Data Protection Authority) or another representative to seek correction or rectification on his or her behalf.
If correction or rectification is denied or restricted, the US authority processing the data should provide the individual or the data protection authority acting on their behalf with a response explaining the reasons for the denial or restriction of correction or rectification.
What are the next steps?
The Umbrella Agreement will be signed and formally concluded only after the US Judicial Redress Bill, granting judicial redress rights to EU citizens, will have been adopted.
The Council, on the basis of a proposal by the Commission, shall adopt a decision authorising the signing of the Agreement. The decision concluding the Agreement will be adopted by the Council after obtaining the consent of the European Parliament.
When were the negotiations first launched?
The European Parliament, in a resolution on 26 March 2009, called for an EU-US agreement that ensures adequate protection of civil liberties and personal data protection. In December 2009, the European Council invited the Commission to propose a Recommendation "for the negotiation of a data protection and, where necessary, data sharing agreements for law enforcement purposes with the US."
On 26 May 2010, the Commission proposed a draft mandate for negotiating a personal data protection agreement between the EU and the US (IP/10/609 and MEMO/10/216).
In December 2010, EU Justice Ministers today approved the start of talks between the European Union and the United States (see IP/10/1661). The negotiations began officially on 29 March 2011 (see MEMO/11/203).
For further information
EU Justice data protection: http://ec.europa.eu/justice/data-protection/index_en.htm
Věra Jourová's speech: Stronger data protection rules to boost the Digital Single Market
MEMO/15/5612