According to the European Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, the EU and the US have finalized the EU-US Umbrella Agreement (for the press release, see here; a reportedly near-final draft of the agreement can be read here). This is a remarkable breakthrough after the first calls for such an agreement back in March 2009, when the European Parliament called for an “EU – US agreement ensuring adequate protection of civil liberties and personal data protection”.
The negotiation mandate
In the meantime, and as part of the efforts necessary to reassure the European Parliament, in May 2010 the European Commission presented a proposal for a draft mandate for negotiating a personal data protection agreement between the US and the EU with the aim of ensuring a high level of protection of personal data like passenger data or financial information that is transferred as part of transatlantic cooperation in criminal matters. The mandate for this so-called “Umbrella Agreement” was approved by the Council in December 2010.
The European Parliament threatened to reject any new specific agreement with the US on data sharing, like the one on the collection of Passenger Name Records (PNR) from air carriers operating flights to the US (which it nonetheless approved in 2012), as long as no agreement was reached on the Umbrella Agreement. However, the negotiations did not progress. It seemed that the “cultural gap” between Europe and the EU in terms of data protection was simply too wide. And it became even wider after the revelations by Edward Snowden of large scale snooping by US agencies on European citizens in 2013.
Not only did this so-called “Snowden scandal” paralyze the negotiation of the Umbrella Agreement, it also put at risk the “US – EU Safe Harbor Frameworks”, a pragmatic agreement facilitating the transfer of personal data for commercial purposes from the EU to self-certified US organizations.
Safe Harbor: the European Commission’s list of recommendations
Under threat by the European Parliament to have Safe Harbor suspended, in November 2013 the European Commission published a Communication on the Functioning of the Safe Harbor, identifying a list of 13 recommendations. In 2014 the Commission started to negotiate a review with the US side, but this new negotiation, as others in the past, was complicated because of the deadlock over the Umbrella Agreement.
The “Judicial Redress Bill”
One of the most difficult issues in the Umbrella Agreement negotiation was the European demand that EU citizens not residing in the US should be allowed to seek redress in US courts in case of privacy breaches of the personal data that have been released by their home country for law enforcement purposes to US agencies. This was a prerequisite for the European side: EU citizens should benefit from equal treatment once their data have been transferred to the US, similar to US citizens who seek redress for data protection violations in EU courts.
The breakthrough finally came in March 2015 when a bill was formally introduced in US Congress, extending the core of the judicial redress provisions of the US Privacy Act of 1974 to EU citizens. Once adopted, the “Judicial Redress Bill” will give EU citizens the right to seek judicial redress before US courts in case US authorities have denied access or rectification or have unlawfully disclosed the EU citizen’s personal data.
Even if that Bill has not yet been adopted, this development encouraged the US and EU negotiators of the Umbrella Agreement to publicly announce on September 8 that the negotiation had been “finalized”, albeit the Umbrella Agreement would only be officially signed when the Judicial Redress Bill has been adopted.
Content of the Umbrella Agreement
The Umbrella Agreement will complement existing EU–US and Member State–US agreements in the area of law enforcement and put in place a comprehensive high level data protection framework. It will cover all personal data exchanged by the EU and the US for the purpose of prevention, detection, investigation and prosecution of criminal offences – including obviously terrorism.
Although the text of the Umbrella Agreement has not yet officially been published (although for a reportedly near-final leaked copy, see here), the protections awarded are said to be numerous: a clear limitation of data use; the prior consent of the country of origin if the data are transferred to a third country; retention time limits; right to access and rectification ; information in case of security data breaches and, as mentioned, above judicial redress for EU citizens in the US.
Industry is a strong supporter of the Umbrella Agreement. Indeed, in a letter to the leaders of the US House of Representatives in April, representatives of leading trade associations and Internet companies underline the importance to restore “global public trust in both the US government and the US technology sector” and note that the Judicial Redress Bill “will serve as a clear signal to our European allies that they can feel comfortable sharing critical law enforcement information across the Atlantic.”
What are the next steps?
Since it was introduced as a bipartisan proposal and enjoys the strong support of the Obama administration, there is a good chance that the US Judicial Redress Bill will be approved before the end of this Congress. The EU Council will then, on the basis of a proposal from the European Commission, adopt a decision authorizing the signature of the Agreement. The decision concluding the Agreement will be adopted by the Council after obtaining the approval by the European Parliament, which should not be too difficult.
The Umbrella Agreement is expected to help conclude the Safe Harbor negotiations. In her statement announcing the conclusion of the Umbrella Agreement, European Commissioner Věra Jourová said she was confident “that we will be able to soon conclude our work on strengthening the Safe Harbour Arrangement […]. We continue to work with determination with our US counterparts on the final details.”
(This post was updated on September 15, 2015 to add links to what is reported to be a leaked copy of the agreement itself; see here.)