EU-USA general agreement on data protection and the exchange of personal data
There are currently seven EU-US agreements covering justice and home affairs issues: 1. Europol (exchange of data); 2. Extradition; 3. Mutual assistance; 4. PNR (passenger name record); 5. SWIFT (all financial transactions, commercial and personal); 6. Container Security Initiative (CSI); 7. Eurojust.
Getting agreement on many of them has proved controversial, attracting adverse media coverage, and time-consuming (involving the European Parliament and the European Court of Justice) so now the EU and the USA want to conclude a long-term general agreement covering all future exchanges of personal data concerning any criminal offence however minor.
The Commission's Explanatory Memorandum and Mandate sent to the Council are below. The Decision agreed by the Council of the European Union in December 2010 is not available.
The European Data Protection Supervisor (EDPS), among others, is concerned that any agreement with the USA in advance of the EU's comprehensive review of data protection - which has only just been launched and is expected to take up to two years to complete - will undermine and influence the review.
The process underway is that the European Commission negotiates with the US side, in secret, based on the mandate in the Council Decision (not public). Agreement is reached and parliaments and people are presented with the end result - the European Parliament will seek to take a view and call for changes if necessary.
The proposals are not limited to law enforcement agencies exchanging personal data and intelligence on terrorism and serious organised crime but cover all crime, however minor.
20.2.12: EU-USA:DATA PROTECTION AGREEMENT: PROTECTING THE RIGHTS OF EU CITIZENS? Council of the European Union: EU-US data protection negotiations during 2011 (pdf):
"the US side has a mandate for an Executive agreement that does not change existing US law, nor create any new rights"
"The US has rejected the idea to apply the agreement also to data transferred from private parties in the EU to private parties in the US and subsequently processed for law enforcement purposes by US competent authorities."
"a non-discrimination clause, i.e. the application of data protection principles to all data subjects regardless of nationality and place of residence, was discussed. The US is cautious on this as it is linked to the personal scope of protection under the Privacy Act, which is limited to US citizens and permanent residents."
"The US side however acknowledged that no judicial redress is available to non-US individuals who seek correction of their data without having suffered harm. Further discussion is needed."
"data retention, the US side appears to oppose a general obligation enshrined in this agreement to define appropriate retention periods whenever data sharing is agreed (specific agreements, unilateral condition by sending authority), arguing that such limits should be determined by the recipient party's domestic law."
"On purpose limitation (and further use of data), the US envisages to specify the purpose of data processing and further use in the "umbrella" agreement itself and to conceive it widely. This would result that in principle all data could be used for prevention, detection, suppression, investigation or prosecution of criminal offences, protection of public security, for directly related non-criminal and administrative proceedings, or for any other purpose if prior consent is given by the sending authority."
EU-USA DATA PROTECTION AGREEMENT: Commission press release: EU-US Negotiations on an agreement to protect
personal information exchanged in the context of fighting crime and terrorism (pdf).
Commission mandate: a) Commission mandate: a) Explanatory Memorandum and proposed Recommendation (COM 252-10): Proposal for a Council Recommendation to authorise the opening of negotiations for an agreement between the European Union and the United States of America on protection of personal data when transferred and processed for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters
b) Mandate: Negotiating Directives (pdf)
Council of the European Union
The Council and the Commission see the agreement being based on the work of the Report by the High Level Contact Group (HLCG) on information sharing and privacy and personal data protection (EU doc no: 15851/09, pdf).
European Data Protection Supervisor (EDPS): Opinion on the High Level Working Group: Final Report (November 2008, pdf)
In HLCG Report the "Scope" is set out in Section 1:
"The European Union would apply these principles for "law enforcement purposes", meaning use for the prevention, detection, investigation or prosecution of any criminal offence." and: "The United States would apply these principles for 'law enforcement purposes', meaning for the prevention, detection, suppression, investigation, or prosecution of any criminal offence or violation of law related to border enforcement, public security, and national security, as well as for non-criminal judicial or administrative proceedings related directly to such offences or violations." (emphasis added)
and see: EU-US High Level Contact Group on data protection and data sharing (HLCG) (EU doc no: 14574/09, pdf)
European Parliament's Civil Liberties Committee to Council: Letter (24.11.10, pdf)
European Parliament Resolution, 11 November 2010 (pdf)
European Parliament: Hearing Data Protection in a transatlantic perspective: Future EU-US data protection agreement in the framework of police and judicial cooperation in criminal matters (Brussels, 25/10/2010) (pdf)
European Parliament: Working document no 1 (pdf) and Working document no 2 (pdf): Public Hearing: Data Protection in a transatlantic perspective, 25 October 2010 (link)
European Data Protection Supervisor and Article 29 Working Party on data protection
- Article 29 Working Party on data protection: EU-USA Agreement: Data protection authorities call for strict general privacy agreement with United States (Press release, pdf) and Opinion: EU-US General Agreement (November 2010, pdf):
"the Working Party is however concerned about the possible outcome of the negotiations. It therefore urges the Commission, the Council and the European Parliament to ensure a strict and far reaching negotiating mandate, to obtain a high level of data protection. Coherence is needed in light of current developments, including the review of the EU data protection legal framework and the proposed negotiations with the US on a new PNR agreement."
- European Data Protection Supervisor (EDPS): Opinion on the High Level Working Group: Final Report (November 2008, pdf)
EU-USA: European Commission: Memorandum of Understanding between the European Commission and the United States Department of Health and Human Services on Cooperation Surrounding Health Related Information and Communication Technologies (pdf)
See also: Statewatch Observatory on the exchange of data on passengers (PNR) with USA
Statewatch News online | Join Statewatch news e-mail list | Download a free sample issue of Statewatch Journal
© Statewatch ISSN 1756-851X. Personal usage as private individuals/"fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law