AEDH

Umbrella Agreement: not enough protection for European residents

31 January 2017 – Context. In the European Union, investing and prosecuting crime is a legitimate policy objective according to the EDPS [1]. Recently this objective has been increasingly underlined because of the fight against terrorism which implies information sharing with third countries. Yet, the EU does not have a robust common framework in this field. This situation has become more and more unacceptable, especially since Snowden’s revelations[2] concerning mass surveillance, particularly concerning exchanges with US.

Thus, in 2009, the European Parliament adopted a resolution calling for an agreement with the US. This agreement, even if it is following the same logic, should not be confused with the “Privacy Shield”, which applies to the commercial environment. The Umbrella Agreement applies specifically to police and judicial cooperation for sharing data for the purpose of preventing and detecting criminal offenses and for the implementation of investigations and prosecutions (in this field). On the 1st of December, the Parliament has approved the agreement, on the 2nd December the Council adopted a decision authorizing the European Union to conclude this agreement, which puts it in the spotlight.

Necessity of compliance between international agreements binding EU with the European Charter of Human Rights. Even though there is progress -and/or good will- the Umbrella Agreement does not fully respect human rights. Article 216 paragraph 2 of the TFEU states that international agreements are binding for institutions and Member States. The CJEU has specified European Union law’s place in the European juridical order, which is “primacy over secondary Community legislation”.[5]

Sensibility of data needed in criminal matters: necessity of a high level of vigilance. Criminal matters are a specific framework with extensive issues. This field can have serious consequences, going beyond “simple” advertising targeting. Data sharing concerns more than privacy, it also concerns arbitrary arrests or inaccessibility to a fair trial.

The agreement states that it aims "to ensure a high level of protection of personal information”, which is certainly laudable but also leads to questions of compliance between objectives and provisions of the agreement. This compliance can be questioned by setting out what the agreement does not say.

Lack of a more general clause on the Human rights

The equality principle applies only to EU-US citizens: negation of the universality of  Human Rights. Following Article 3 of the Agreement the agreement shall apply “to (all) personal information transferred” between the parties in the criminal matters. As the EDPS deplores, this reference to “all personal information” seemingly indicates that all personal information benefit from the same degree of protection. Yet, article 4 indicates the contradicts this the principle inasmuch it merely indicates the duty to protect “personal information of its own nationals and the others Party’s national”. Article 19 follows the same logic because judicial redress should apply just to the citizens of the Parties. This means that refugees, undocumented migrants/persons, among other, are excluded from the scope of application of the agreement.

A discriminatory agreement. The Umbrella Agreement protects exclusively European citizens and not non-European ones, whose data is transferred by a European law enforcement authority to the US, and whose proceeding is indisputably discriminatory. 

In order to prevent this, it should have been clearly stated in the agreement that each Party would provide an equivalent protection for all persons whose data have been processed by the law enforcement authorities.

Indeed, data protection should be a right for everyone, going beyond any consideration of nationality.

Agreement does not comply with article 7- right to privacy-, 8 –right to data protection- and 47 – right to an effective judicial redress- from the European Charter of Human Rights which theoretically applies to « any person » in the European Union regardless of his nationality or his status, because the agreement excludes all persons who are not citizens of the Parties.

Beyond this fundamental problem, maybe the most important, this agreement raises other concerns.

Challenging conceptual differences and terminological problems

Existence of conceptual, terminological differences between US and EU are undisputable. The first, and for this case most relevant difference concerns the term “privacy”. Secondly, the agreement is not clear, which is never good news for the juridical security. The terminology differs in the US and EU regime.

Diverging principles of necessity and proportionality. The preamble states that Parties recognize principles of proportionality and necessity, as well as relevance and reasonableness “as implemented by the Parties in their respective legal frameworks”. Yet, conceptions of necessity principles are clearly diverging between the US and EU, in so far as reasonableness is not limited to the respect of “need to know”.

Regarding the definition of «processing of personal information». The definition in article 2-2 is clearly inspired by the 1995 Directive. Nevertheless, this definition is just partially underpinned. This seems disappointing, because the core of the problem is not entirely addressed in the agreement.

Massive transfers of sensitive data. The notion of sensitive data differs amongst the Parties. If article 13, paragraph 2, specifies that sensitive data is data revealing “ethnic origins, political opinions, religious beliefs.”, it still opens the possibility their transfers in” specific cases” whose definition is up to the Parties. On this subject, the EDPS points out that he would have wanted the exclusion of sensitive data notably from the PNR agreement.

Problems of the Agreements Application Scope:

General presumption of conformity. Article 5 paragraph 3 refers to the domestic application of the agreement. The article is based on the presumption of conformity between the agreement and domestic law, notably in the field of protection matters. This means that no authorization is needed for the implementation. Thus, excluding any control possibilities.  If data is processed in the field covered by the agreement, it is considered as consistent with national law. The existence of a general conformity clause reinforces the necessity for robust safeguards concerning data protection.

Competent authorities, sources and receivers of data. Article 2 paragraph 5 defines these authorities as “national law enforcement authority responsible for the prevention, investigation, detection or prosecution of criminal offenses, including terrorism”. As it is set out by the EDPS, it is clear that authorities responsible for the national security protection are subjects to the agreement. Moreover, regarding the definition of article 2, one can follow that public ministries are also subject to the agreement. In this way, it appears that the definition of the authorities’ is too wide and blurred.

Concerning the transfer itself, it will not exclusively take place between competent authorities. The agreement applies indeed to “personal information transferred between the Competent authorities of one Party and the Competent Authorities of the other Party, or otherwise transferred in accordance with an agreement concluded between the United States and the European Union or its Member States”.  In this way, by taking the most blatant example which is the case of the PNR, the agreement also applies to data transferred between competent authorities and private stakeholders, as airlines (companies). It should be noted that the general use of externalization regarding security, will pull in private security companies into the scope of the agreement. This intrusion of a private party in criminal matters can raise legitimate concerns.

Possibility of an effective legal remedy. The impossibility for European citizens to assert their rights– access, rectification, administrative and judicial remedy- concerning their personal data in the US delayed the signature of the Agreement. The Judicial Redress Act has been approved in order to end this impossibility for European citizens. As a matter of fact Article 5-2 considers the act in question as implementation’s condition of the Agreement. Nevertheless, it should be underlined that the Judicial Redress Act brings no change concerning the situation of the European citizens, deprived of any legal remedy.

Direct implementation/application. Once signed by the EU, the agreement will directly enter into force in the Member States.[12] The situation looks different in the US, however, because the definition of “direct application” itself differs. In the US an international agreement must first be enacted by the Congress (enforcement provisions).

National security harming personal data protection

Information Security (safety). Article 10 paragraph 2 point b allows omissions notification of security breaches, violations of data, when such notification may “endanger national security”. This potential danger is not specified. Beyond the lack of precision of the disposition, its result is also questionable. As asked by the EDPS: why is it not enough to allow the limitation or the delay of the notification? If there is no notification, it means there is no information so no possibility to assert rights, which is against the article 47 of the European Charter of Human Rights. Again, if national security is fundamental, and needs sometimes special dispositions –in this case, limitation or delay of the notification- it should not be used as a justification for the violation of right.

The Umbrella Agreement is a step forward, attempting to respond do the needs of transparency necessary for a democracy under the rule of law, as per the given objective of the agreement.  However, the lack of clarity in its definitions, its intentional omissions and the incertitude of its application, underlines its limits.  Finally, even if this agreement were impeccable, it would not solve the issue of the transfer of data to Third Countries, a non-regulated question, and cause of clear incertitude and prejudice to the rights of Europeans.[14]

 

Annexes :

-Opinion EDPS :

https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2016/16-02-12_EU-US_Umbrella_Agreement_EN.pdf

-Analysis of Free : https://free-group.eu/2015/10/14/eu-us-umbrella-data-protection-agreement-detailed-analysis-by-douwe-korff/

– Boehm’s report (on the difference between privacy in EU and US)  : http://www.uni-muenster.de/Jura.itm/hoeren/itm/wp-content/uploads/PNR-Study-FINAL-120313.pdf

-Bignami’s study (on the direct application in IS) :

http://www.europarl.europa.eu/RegData/etudes/STUD/2015/519215/IPOL_STU(2015)519215_EN.pdf

 



[1] Opinion n° 1/2016 EDPS, 12th February 2016 : Preliminary Opinion on the agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offences.

[2] The revelations of Snowden in 2013 has revealed, a.o, a massive surveillance led by the NSA.

[3] Jan Philip Albrecht, European MP, rapporteur for the « Umbrella Agreement » states that the agreement reachs « high standards of preotection ».

[4] ECJ, case C-308/06 Intertanko et autres, 3 juin 2008 (recital 5) : http://curia.europa.eu/juris/celex.jsf?celex=62006CJ0308&lang1=fr&type=TXT&ancre=

[5] EJC, C-402/05 Kadi/Council and Commission, 3 September 2008 (recital 42):

http://curia.europa.eu/juris/celex.jsf?celex=62005CJ0402&lang1=fr&type=TXT&ancre=

[6] Study of the Commission LIBE, «Etude Boehm»: « A comparison between US and EU Data Protection Legislation for Law Enforcement », F.Boehm, September 2015.

[7] Report of FREE by the jurist Douwee Korff, 14 October 2015.

[8] Directive 95/46/EC of European Parliament and Council, 24th October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data :

 http://eur-lex.europa.eu/legal-content/FR/ALL/?uri=uriserv%3Al14012

[9] Passenger Name Records Directive 2016/681, 27 avril 2016 :

http://eur-lex.europa.eu/eli/dir/2016/681/oj

[10] American Senate has adopted the « Judicial Redress Act » and the President Obama has signed it the 24th February 2016. It opens the possibility for European citizens to challenge to American court the use of their data : https://www.congress.gov/bill/114th-congress/house-bill/1428

[11] Art 276 TFEU – ECJ, Van Geend en Loos.

United State Supreme Court,  Meddelin/Texas 552 US (2008) : The Court states that direct application means automatic effect of  the treaty on the domestic law, the Court adds  “even if an international treaty may constitute an international commitment, it is not binding domestic law unless Congress has enacted statutes implementing it or unless the treaty itself is "self-executing”.

[13] Exemple: data are transferred from EU to US, US transfer these data to Saudi Arabia ; this transfer is not in the scope of the Agreement.

 

Compte AEDH