EU-USA general agreement on data protection and the exchange of personal data
There are currently seven EU-US agreements covering justice and home affairs issues: 1. Europol (exchange of data); 2. Extradition; 3. Mutual assistance; 4. PNR (passenger name record); 5. SWIFT (all financial transactions, commercial and personal); 6. Container Security Initiative (CSI); 7. Eurojust.
Getting agreement on many of them has proved controversial, attracting adverse media coverage, and time-consuming (involving the European Parliament and the European Court of Justice) so now the EU and the USA want to conclude a long-term general agreement covering all future exchanges of personal data concerning any criminal offence however minor.
The Commission's Explanatory Memorandum and Mandate sent to the Council are below. The Decision agreed by the Council of the European Union in December 2010 is not available.
The European Data Protection Supervisor (EDPS), among others, is concerned that any agreement with the USA in advance of the EU's comprehensive review of data protection - which has only just been launched and is expected to take up to two years to complete - will undermine and influence the review.
The process underway is that the European Commission negotiates with the US side, in secret, based on the mandate in the Council Decision (not public). Agreement is reached and parliaments and people are presented with the end result - the European Parliament will seek to take a view and call for changes if necessary.
The proposals are not limited to law enforcement agencies exchanging personal data and intelligence on terrorism and serious organised crime but cover all crime, however minor.
EU-USA "Umbrella Agreement" of the exchange of personal data for purposes of law enforcement - agreed
Enhanced data protection rights for EU citizens in law enforcement cooperation : EU and US sign "Umbrella agreement" (Press release, pdf):
"On 2 June 2016, the European Union and the United States of America signed the so-called "Umbrella agreement" which puts in place a comprehensive high-level data protection framework for criminal law enforcement cooperation...
"Next step: After the signature and before the agreement can be finally concluded, the European Parliament will need to give its consent."
The "Umbrella Agreement" on the exchange of personal data - its Scope (Art 1): covers:
"The purpose of this Agreement is to ensure a high level of protection of personal information and enhance cooperation between the United States and the European Union and its Member States, in relation to the prevention, investigation, detection or prosecution of criminal offenses, including terrorism."
Note: the Scope covers all crimes however, minor.
- Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offenses (Full-text, pdf) - Draft Council Decision - Adoption (pdf) - Council Decision (pdf)
The Agreement expressly excludes the security and intelligence agencies.
And: Marc Rotenberg President, EPIC Adjunct Professor, Georgetown Law Hearing: ""The Judicial Redress Act does not provide adequate protection to permit data transfers and it does not address the many provisions in the Privacy Act that need to be updated."
- Council of the European Union: Joint EU-U.S. press statement following the EU-U.S. Justice and Home Affairs Ministerial meeting of 2 June 2016 (pdf)
- European Commission: Joint EU-U.S. press statement following the EU-U.S. Justice and Home Affairs Ministerial meeting (pdf)
30.4.16: "ANOTHER DODGY DEAL": EU-USA: DATA PROTECTION: "UMBRELLA AGREEMENT": Proposal for a COUNCIL DECISION on the signing, on behalf of the European Union, of an Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offenses (pdf) and Annex (pdf)
And see: Marc Rotenberg President, EPIC Adjunct Professor, Georgetown Law Hearing: ""The Judicial Redress Act does not provide adequate protection to permit data transfers and it does not address the many provisions in the Privacy Act that need to be updated."
EU-USA: EPIC Intervenes in Privacy Case before European Court of Human Rights (link)
Today EPIC filed a brief in a case before the European Court of Human Rights. The case involves a challenge brought by 10 human rights organizations arguing that surveillance by British and U.S. intelligence organizations violated their fundamental rights. In its brief, EPIC explained that the NSA's "technological capacities" enable "wide scale surveillance" and that U.S. statutes do not restrict surveillance of non-U.S. persons abroad. "The NSA collects personal data from around the world and transfer that data without adequate legal protections." EPIC routinely files amicus briefs in federal and state cases that raise novel privacy issues. This is EPIC's first brief for the Court of Human Rights in Strasbourg. [emphasis added]
EU-USA Data protection: EPIC: 'Judicial Redress Act' Provides Little Redress
"The Judicial Redress Act of 2015, which amends the Privacy Act of 1974, has been passed by Congress and moved on to the President for signature. The Act fails to extend Privacy Act protections to non-US citizens, and as adopted coerces EU countries to transfer data to the US.."
EU-USA: While President Obama signs the Judicial Redress act, are the European Commission and the Parliament sharing the same Umbrella? (EASFJ, link):
"The European Commission is dealing with challenges on another EU-U.S. data sharing deal: the Parliament legal service and MEPs argued that the so-called Umbrella Agreement, which will be brought into being with the signature of the Judicial Redress Act, does not comply with EU law."
European Parliament: Follow-up to the European Parliament resolution of 12 March 2014 on the electronic mass surveillance of EU citizens (Text adopted, pdf) and Mass surveillance: EU citizens' rights still in danger, says Parliament (Press release, pdf):
"Too little has been done to safeguard citizens' fundamental rights following revelations of electronic mass surveillance, say MEPs in a resolution voted on Thursday. They urge the EU Commission to ensure that all data transfers to the US are subject to an "effective level of protection" and ask EU member states to grant protection to Edward Snowden, as a "human rights defender". Parliament also raises concerns about surveillance laws in several EU countries.
This resolution, approved by 342 votes to 274, with 29 abstention"
Europe Is Spying on You (nytimes.com, link): article on the threats of surveillance law just published by the Council of Europe Commissioner for Human Rights, Nils Muiznieks, in the New York Times: "When Edward Snowden disclosed details of Americas huge surveillance program two years ago, many in Europe thought that the response would be increased transparency and stronger oversight of security services. European countries, however, are moving in the opposite direction. Instead of more public scrutiny, we are getting more snooping."
EU-USA "UMBRELLA" AGREEMENT: Study: Fundamental Rights European Experts Group (FREE): prepared by Douwe Korff
- NOTE on the EU-US Umbrella Data Protection Agreement (pdf)
"We believe the following aspects of the Umbrella Agreement violate, or are likely to lead to violations of, the Treaties and the EU Charter of Fundamental Rights:
The Umbrella Agreement appears to allow the sharing of data sent by EU law enforcement agencies to US law enforcement agencies with US national security agencies (including the FBI and the US NSA) for use in the latters mass surveillance and data mining operations; as well as the onward transfer of such data to third parties, including national security agencies of yet other (third) countries, which the Agreement says may not be subjected to generic data protection conditions
The Agreement should therefore, in our view, cannot be approved by the European Parliament in its present form
- ANNEX: ARTICLE-BY-ARTICLE ANALYSIS of the EU-US Umbrella Data Protection Agreement: [TEXT OF THE AGREEMENT IN BOLD; COMMENTS ARE IN ORDINARY TYPE] (pdf)
- Data flow: Chart 1 (pdf) and Data flow Chart 2 (pdf)
- Letter from Commissioner: announcing "deal" (pdf)
- EU-USA Umbrella Agreement: Full-text (pdf)
EU-USA: DATA PROTECTION: European Data Protection Supervisor (EDPS): EDPS: Enforcing EU data protection law essential for rebuilding trust between EU-US (Press release, pdf) and Opinion (pdf):
"Peter Hustinx, EDPS, said: "The rights of EU citizens to the protection of their privacy and personal information are enshrined in EU law. The mass surveillance of EU citizens by US and other intelligence agencies disregards these rights. As well as supporting a privacy act in the USA, Europe must insist on the strict enforcement of existing EU legislation, promote international privacy standards and swiftly adopt the reform of the EU data protection Regulation. A concerted effort to restore trust is required. " who also comments:
"It is... essential that progress is made quickly to thwart the attempts serving political and economic interests to restrict the fundamental rights to privacy and data protection."
EU-USA: DATA PROTECTION "UMBRELLA" AGREEMENT: European Parliament Press release: Civil liberties MEPs make case for data protection during Washington visit (pdf):
"A delegation from the civil liberties committee visited Washington DC last week to find out the latest information on issues such as data protection and legislation on surveillance activities from their American counterparts. The MEPs also provided updates on the EU's data protection reform and on counter-terrorism initiatives, including the passenger name records (PNR) proposal"
See also:Close your Facebook account is you do not want to be spied on: EU-US data pact skewered in court hearing (euobserver, link) Extraordinary statement by Commission lawyer in Court of European Justice (CJEU):
"A lawyer for the European Commission told an EU judge on Tuesday (24 March) he should close his Facebook page if he wants to stop the US snooping on him, in what amounts to an admission that Safe Harbour, an EU-US data protection pact, doesnt work.
You might consider closing your Facebook account, if you have one, European Commission attorney Bernhard Schima told attorney-general Yves Bot at the European Court of Justice in Luxembourg."
29.4.16: EU-USA: DATA PROTECTION: "UMBRELLA AGREEMENT": Proposal for a COUNCIL DECISION on the signing, on behalf of the European Union, of an Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offenses (pdf) and Annex (pdf)
20.2.12: EU-USA:DATA PROTECTION AGREEMENT: PROTECTING THE RIGHTS OF EU CITIZENS? Council of the European Union: EU-US data protection negotiations during 2011 (pdf):
"the US side has a mandate for an Executive agreement that does not change existing US law, nor create any new rights"
"The US has rejected the idea to apply the agreement also to data transferred from private parties in the EU to private parties in the US and subsequently processed for law enforcement purposes by US competent authorities."
"a non-discrimination clause, i.e. the application of data protection principles to all data subjects regardless of nationality and place of residence, was discussed. The US is cautious on this as it is linked to the personal scope of protection under the Privacy Act, which is limited to US citizens and permanent residents."
"The US side however acknowledged that no judicial redress is available to non-US individuals who seek correction of their data without having suffered harm. Further discussion is needed."
"data retention, the US side appears to oppose a general obligation enshrined in this agreement to define appropriate retention periods whenever data sharing is agreed (specific agreements, unilateral condition by sending authority), arguing that such limits should be determined by the recipient party's domestic law."
"On purpose limitation (and further use of data), the US envisages to specify the purpose of data processing and further use in the "umbrella" agreement itself and to conceive it widely. This would result that in principle all data could be used for prevention, detection, suppression, investigation or prosecution of criminal offences, protection of public security, for directly related non-criminal and administrative proceedings, or for any other purpose if prior consent is given by the sending authority."
EU-USA DATA PROTECTION AGREEMENT: Commission press release: EU-US Negotiations on an agreement to protect
personal information exchanged in the context of fighting crime and terrorism (pdf).
Commission mandate: a) Commission mandate: a) Explanatory Memorandum and proposed Recommendation (COM 252-10): Proposal for a Council Recommendation to authorise the opening of negotiations for an agreement between the European Union and the United States of America on protection of personal data when transferred and processed for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters
b) Mandate: Negotiating Directives (pdf)
Council of the European Union
The Council and the Commission see the agreement being based on the work of the Report by the High Level Contact Group (HLCG) on information sharing and privacy and personal data protection (EU doc no: 15851/09, pdf).
European Data Protection Supervisor (EDPS): Opinion on the High Level Working Group: Final Report (November 2008, pdf)
In HLCG Report the "Scope" is set out in Section 1:
"The European Union would apply these principles for "law enforcement purposes", meaning use for the prevention, detection, investigation or prosecution of any criminal offence." and: "The United States would apply these principles for 'law enforcement purposes', meaning for the prevention, detection, suppression, investigation, or prosecution of any criminal offence or violation of law related to border enforcement, public security, and national security, as well as for non-criminal judicial or administrative proceedings related directly to such offences or violations." (emphasis added)
and see: EU-US High Level Contact Group on data protection and data sharing (HLCG) (EU doc no: 14574/09, pdf)
European Parliament's Civil Liberties Committee to Council: Letter (24.11.10, pdf)
European Parliament Resolution, 11 November 2010 (pdf)
European Parliament: Hearing Data Protection in a transatlantic perspective: Future EU-US data protection agreement in the framework of police and judicial cooperation in criminal matters (Brussels, 25/10/2010) (pdf)
European Parliament: Working document no 1 (pdf) and Working document no 2 (pdf): Public Hearing: Data Protection in a transatlantic perspective, 25 October 2010 (link)
European Data Protection Supervisor and Article 29 Working Party on data protection
- Article 29 Working Party on data protection: EU-USA Agreement: Data protection authorities call for strict general privacy agreement with United States (Press release, pdf) and Opinion: EU-US General Agreement (November 2010, pdf):
"the Working Party is however concerned about the possible outcome of the negotiations. It therefore urges the Commission, the Council and the European Parliament to ensure a strict and far reaching negotiating mandate, to obtain a high level of data protection. Coherence is needed in light of current developments, including the review of the EU data protection legal framework and the proposed negotiations with the US on a new PNR agreement."
- European Data Protection Supervisor (EDPS): Opinion on the High Level Working Group: Final Report (November 2008, pdf)
EU-USA: European Commission: Memorandum of Understanding between the European Commission and the United States Department of Health and Human Services on Cooperation Surrounding Health Related Information and Communication Technologies (pdf)
See also: Statewatch Observatory on the exchange of data on passengers (PNR) with USA
Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch Journal
© Statewatch ISSN 1756-851X. Personal usage as private individuals/"fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law