EU-US umbrella agreement: Europe must ask for more

15 October 2015 – After four years of negotiations, an agreement was reached between the United States and the European Union on the protection of personal information in the context of their transfer for the purpose of criminal investigations. If it can only improve the current state of regulation, it remains largely perfectible and subject to the political goodwill of the United States.

Under negotiation for four years, the European Commission and the United States finally signed on 8 September the umbrella agreement on the protection of personal information transferred to prevent or investigate on criminal offences. This text was presented in the Civil Liberties, Justice and Home Affairs committee (LIBE) of the European Parliament on 15 September and MEPs, who will have to give or not their approval, already seem to agree that in the light of the current state of regulation this agreement constitutes an advance.

Thus, they welcome the inclusion of the principles of proportionality, necessity and purpose limitation (introductory remarks & Art. 6). The fact that the data retention period should be defined according to these principles is also seen as a step forward (art. 12), as the needs, before any further transfer to a third country, for prior approval of the law enforcement authority from where the data come (Art. 7). Last but not least, European citizens will finally get the right to an effective remedy before an American court when they will consider that they have suffered a violation of their rights (art. 19).

However, the protection specified in that agreement remains largely insufficient. For example, on the question of the scope of the agreement, the article 3 §2 excludes transfers or cooperation between authorities “safeguarding national security” (as the NSA in the United States). A distinction between law enforcement authorities and authorities responsible for national security is then made. While the transfer of data between the second ones is (logically) not subject to this agreement dedicated to the criminal context, the fact remains that the text is particularly vague on the specific issue of data transfers between law enforcement authorities and national security agencies. At the end it seems that, once again, the mere invocation of the vague motive of “national security” is enough to remove all data protection requirements!

Another limit of the text can be found in the application of the right to a legal remedy which is possible only in the circumstances defined by the agreement: when there is a denial of access or amendment of the personal information or when there is an unlawful and intentionally made disclosure of such information.

No question then to challenge the data retention time or the way to process data in itself. Added to this, non-EU citizens living in Europe (such as a Syrian or Afghan refugee or a non-European student), whose data have been transferred by European law enforcement authorities to their US counterparts, simply cannot submit a complaint before the American judge. Article 19 indeed specifies that only “citizens of the parties” are concerned by the right to an effective remedy.

While MEPs agreed to ask for the opinion of the Parliament’s legal service to make sure that the signing of the agreement will not lead to neither a regression of rights on the EU territory nor to a forced compromise on the data protection legal framework still under negotiation, AEDH encourages them, more than ever, to take account of the Safe Harbor judgment of the Court of Justice of the European Union and to be steadfast on defending citizens’ rights! Especially since, according to MEP Viviane Reding, the US Department of Justice defended, the day just after the agreement, the idea that the US authorities should have a right of direct access to data held by private companies and stored on foreign soil, Europe included. If already the United States do not have the political will to respect existing legal channels, is it worth the trouble to actually sign an agreement that is confined to the absolute minimum?

Further information:

Analysis of the text by the European Academy for Freedom of Information and Data Protection.

Analysis of the text by the Fundamental Rights European Experts Group (PDF or HTML)

Jennifer Baker’s article in The Register.

Video of the debates in LIBE committee.

Text of the agreement as released by Statewatch.

Five things you should know about the EU-US Umbrella Agreement, Access

[1]The text of the agreement has not been yet officially released by the institutions. This article is based on the text released by Statewatch.

[2]For a more complete list of the shortcomings of this text, even among the “advances” mentioned above, please see the analysis made by the European Fundamental Rights Experts Group.

Compte AEDH