With Schrems and safe harbours in the spotlight, what does the conclusion of a US-EU umbrella agreement actually mean for EU citizens and US-EU relations?
With news in Sophie’s recent post here on the recent judgement of the CJEU in Schrems v Data Protection Commissioner, the purpose of this post is to discuss the recent European Commission announcement that it has concluded negotiations for a data protection ‘umbrella agreement’ with the US, and consider what this means for EU citizens and the Schrems decision.
For background, a draft mandate to open negotiations for an agreement was adopted by the European Commission in 2010, following a 2009 Resolution by the European Parliament calling for an EU-US agreement to ensure adequate protection of civil liberties and personal data protection, and an invitation by the European Council to the Commission to propose a Recommendation “for the negotiation of a data protection and, where necessary, data sharing agreements for law enforcement purposes with the US.” The initiative was announced as part of the Commission’s action plan for the implementation of the Stockholm Programme, a comprehensive plan of EU justice and security policies for 2010 – 2014. Talks between the EU and the US authorities began officially in 2011.
The aim of the agreement is to ensure that US authorities comply with EU data protection principles when processing personal data – such as criminal records, names, and addresses – transferred to them under agreements for transatlantic co-operation in criminal matters. An example of law enforcement cooperation includes the transfer of passenger names records (PNR) by EU airlines (see my post on this issue here).
In particular, under the agreement’s provisions:
- The transfer and processing of personal data by EU or US authorities would only be permitted for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters. To these ends, they must not be used for further incompatible purposes.
- Any onward transfer to a non-US, non-EU country or international organisation must be subject to the prior consent of the competent authority of the country which had originally transferred personal data.
- Individuals’ personal data may not be retained for longer than necessary or appropriate. These retention periods will have to be published or otherwise made publicly available. The decision on what is an acceptable duration must take into account the impact on people’s interests and rights.
- A mechanism will be put in place so as to ensure notification of data security breaches to the competent authority and, where appropriate, to the affected data subject.
- The US will be required to adopt legislation that grants EU citizens the same judicial redress rights as US citizens enjoy (under the US Privacy Act) in case of privacy breaches by US authorities to whom their data has been disclosed by their home countries for law enforcement purposes. Such rights include a right to access, or rectify inaccurate, personal data held by US authorities. Specifically, the Bill would extend the coverage of the Privacy Act to non-US persons allowing such persons to bring civil actions in US courts against US agencies in seeking to obtain civil remedies for certain disclosures made intentionally and wilfully.
US plans to adopt the aforementioned legislation were first announced in 2014, with the Judicial Redress Bill formally introduced to Congress this summer. [As alluded to, the Redress Bill would actually be open to any “foreign country or regional economic integration organization, or member country of such organization, as a ‘covered country’“, subject to the approval by the Attorney General applying a two-part criteria and with concurrence with the Secretaries of State and Homeland Security. Specifically, this proposed criteria is that the covered country has (1) entered into an agreement with the US that provides for appropriate privacy protections for information shared for the purpose of preventing, investigating, detecting or prosecuting criminal offenses, and (2) has effectively shared information with the US for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses and has appropriate privacy protections for such shared information.] The European Commission has underlined that the umbrella agreement cannot be formally concluded until that Bill becomes law.
Back to the agreement, it is intended that independent authorities in the EU and the US would control compliance with its provisions. For more information, see a European Commission factsheet here. The factsheet gives an example of how the agreement will work in practice, which is worth reading in full:
An EU citizen’s name is identical to that of a suspect in a transatlantic criminal investigation. Their data has been transferred from the EU to the U.S. and erroneously gets collected and included on a U.S. “black list”. This can lead to a series of adverse consequences from the refusal of an entry visa, to a possible arrest. The EU citizen should be able to have their name deleted by the authorities – if necessary by a judge – once the mistake is discovered. Europeans (and Americans) have those rights in the EU. They should have them when their data is exchanged with the US too. The citizen who believes that their data is inaccurate also can authorise, where permitted under domestic law, an authority (for instance a Data Protection Authority) or another representative to seek correction or rectification on his or her behalf. If correction or rectification is denied or restricted, the US authority processing the data should provide the individual or the data protection authority acting on their behalf with a response explaining the reasons for the denial or restriction of correction or rectification.
In respect of what the implications are of the initialising of the umbrella agreement in light of the news of the invalidity of the EU-US safe harbour agreement found in the Schrems decision, while the agreement would not itself provide a basis for specific data transfers, it would include a set of principles that would apply to all transfers agreed under separate data transfer agreements. This, by itself, is an important step towards “rebuilding trust in transatlantic relations” (as remarked by Věra Jourová, EU Commissioner for Justice and Consumers in her statement). It would provide safeguards and guarantees of lawfulness for data transfers, she goes on to say, thereby strengthening fundamental rights and facilitating EU-US law enforcement cooperation. Admittedly, the prospect of EU citizens having judicial redress against US authorities is, in particular, a significant accomplishment.
Notwithstanding, ostensibly the agreement’s implications are restricted to law enforcement and intelligence access to information that has been explicitly shared between the US and EU authorities. [Postscript: for a critique of the umbrella agreement, which sheds a different light on the issues as portrayed in the Commission’s press release and raises issues around the agreement’s compatibility with EU law from a wider perspective of data sharing and leakage outside the Transatlantic relationship, we recommend the following: http://statewatch.org/news/2015/oct/eu-usa-umbrella.htm%5D
Furthermore, the announcement of the agreement still needs to be translated into law (and swiftly so) to have maximum effect. Assuming that the Judicial Redress Bill is adopted by US Congress, the Council of the European Union would still have to adopt a decision authorising the signing of the agreement. Yet the latter would depend, first, on obtaining the consent of the European Parliament in its ratification of the agreement (which could be subject to significant delays and uncertainty, of the on-going type that I mentioned in respect of the PNR Directive here. Albeit that such delays may be warranted).
I leave the final words to EU Commissioner, Věra Jourová, who said (at the end of her statement announced before the Schrems AG opinion and final decision) that, “I am also confident that we will be able to soon conclude our work on strengthening the Safe Harbour Arrangement for exchange of data for commercial purposes. We continue to work with determination with our US counterparts on the final details.” This is yet more evidence of the fact that the commercial sphere and the law enforcement/intelligence sphere are regarded as two sides of the same coin by the EU institutions in respect of supra-EU information sharing. After all, at the heart of the Schrems case is the issue of US law enforcement access to EU personal data (this agreement should help to expedite those, essentially, political discussions, as well as helping to ensure legal consistency). However, we can only ponder whether the Commissioner had foreknowledge of the storm surrounding the US-EU safe harbour decision that was about to break.