The Article 29 Working Party has issued a statement about the so-called EU-U.S. Umbrella Agreement, which, while not providing legal basis for any data transfers, sets forth a high-level data protection framework for transatlantic cooperation on criminal law enforcement. The Agreement covers all personal data, including names, addresses, and criminal records, exchanged between the EU and the U.S. for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism. The Umbrella Agreement, signed by EU and the U.S. on June 2, 2016, after five years of negotiations, requires the consent of the European Parliament to be ratified.
In its statement, the Working Party cautiously welcomed the conclusion of the Umbrella Agreement. The Working Party expressed hope that the Agreement will complement the existing law enforcement treaties between the U.S. and EU and its Member States, aid the negotiation of future data sharing agreements, and set forth the minimum data protection standard for data transfers between criminal law enforcement in the U.S. and EU.
The Working Party acknowledged that the Umbrella Agreement will work in conjunction with the Judicial Redress Act of 2015 (signed into law on February 24, 2016), the passage of which was a prerequisite for the finalization of the Umbrella Agreement. The Judicial Redress Act affords EU citizens a right of redress in U.S. courts in the event the U.S. government mishandles their personal data. This, however, leaves a “gap” in the protection of the personal data of individuals covered by EU data privacy law, which applies to “everyone,” compared with the limited obligations imposed on the U.S. to provide judicial redress rights only for EU citizens. For this reason, the European Parliament’s Legal Opinion SJ-0784/15 (14 Jan. 2016), concluded earlier this year that the Umbrella Agreement “is not compatible with primary EU law and the respect for fundamental rights.”
In its statement, the Working Party recommended requesting from the U.S. government “additional assurances explaining and confirming the scope of redress rights” granted to EU citizens under the Judicial Redress Act. Particular points of clarification would be “how records from U.S. law enforcement authorities are exempted from the application of the Privacy Act and how this is compatible with the Umbrella Agreement.”
The Working Party would also like to obtain clarification on whether the level of protection of personal data afforded by the Umbrella Agreement is fully consistent with the EU law, focusing specifically on the following points:
- The definitions of the concepts of “personal data” and “data processing” differ from the EU definitions;
- The data retention period should be defined more strictly in relation to the purpose pursued; and
- The restrictions to individual’s access rights are very broad and access could be improved by the establishment of an indirect access right mechanism.
If the Agreement is adopted by the European Parliament, the Working Party intends to “closely monitor” whether it fully satisfies data protection requirements and whether it complies with the mandates of Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the European Charter of Fundamental Rights.
If approved, the Umbrella Agreement will add to the shifting privacy landscape and complexities of EU-U.S. data-sharing practices. Given the questions raised by the Working Party and the European Parliament, however, more work will likely be required to get the Agreement across the finish line.