EU-USA: Transatlantic law enforcement data deal gets go-ahead from European Parliament



The European Parliament has voted strongly in favour of the EU-US 'Umbrella Agreement' that, in theory, provides for the protection of personal data exchanged for law enforcement purposes. Attempts by left and liberal MEPs to have the text rejected and to seek the European Court of Justice's opinion on its compatibility with the Charter of Fundamental Rights were rejected. The agreement is unlikely to provide what it promises.

The Council of the EU will move to adopt the final decision concluding the agreement after 481 MEPs voted in favour of the deal, 75 voted against and 88 abstained.

According to the European Commission's press release (pdf), the Umbrella Agreement "puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation."

The Agreement has a broad scope, concerning all crimes:

"The data transferred between EU and US law enforcement authorities can only be shared for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters. The agreement also clearly states that this data cannot be further processed for other incompatible purposes."

The Commission argues that the text:

"[W]ill provide safeguards and guarantees of lawfulness for data transfers, thereby strengthening fundamental rights, facilitating EU-US law enforcement cooperation and restoring trust."

The European Parliament's press release noted:

"The deal will ensure that citizens on both sides of the Atlantic will have the right to:

- be informed in the event of data security breaches,
- have inaccurate information corrected and
- judicial redress at court.

It also sets limits on onward transfers of data and retention periods."

However, the much-vaunted "judicial redress" is not quite what it seems - as US civil liberties group EPIC (link) has long pointed out:

"The Judicial Redress Act of 2015, enacted by Congress and now on to the President for signature, fails to extend Privacy Act protections to non-U.S. citizens."

MEPs from both the left (GUE/NGL) and liberal (ALDE) groups in the European Parliament had proposed amendments (pdf) to the text that, if approved, would have seen the Parliament reject the agreement as it stands.

The proposed left group amendment stated:

"The agreement does not meet the requirements of the Charter and EU law. The wording is ambiguous regarding core DP provisions and does not provide effective judicial redress as the Charter requires. Furthermore, the agreement will serve as a form of adequacy decision, creating a false legal presumption of compliance of the US with EU data protection standards. Finally we regret that the committee did not wait for the ECJ ruling on the EU-Canada PNR agreement."

A group of solicitors from US firm Jenner & Block explained in more detail in March 2016 (link) why the Judicial Redress Act "contains a number of limitations and exceptions that could make the legislation unacceptable to the EU" (emphasis added):

"First, the act only applies to citizens of countries that have been designated by the attorney general and other cabinet members. To qualify for such designation, a country must either have privacy agreements with the U.S. covering the sharing of law enforcement information (like the Umbrella Agreement), or share such information under adequate privacy safeguards without an agreement; and must allow the transfer of personal data for commercial purposes with the U.S. Moreover, the attorney general must certify that the country’s data sharing policies do not “materially impede” the national security interests of the U.S. Even then, such designation is left up to the discretion of the attorney general and other cabinet officials, and can be removed for any future failure to meet the above criteria. The designation also can be rescinded if the attorney general determines that the country “impedes the transfer of [law enforcement] information ... by a private entity or person.”

Second, not every federal agency is covered, only those that share law enforcement data under an agreement like the Umbrella Agreement. In fact, any head of an agency essentially can opt out of participating in the act. Furthermore, the attorney general actively must certify that any agency’s participation is in the national security interests of the U.S.

Third, only information shared with the U.S. government by a public or private entity in another country for law enforcement purposes is covered. Information collected by U.S. agencies themselves is not covered, nor is information shared for purposes such as intelligence gathering, visa applications, or other non-law enforcement motives.

Fourth, the Judicial Redress Act provides only a civil remedy for intentional or willful disclosures, whereas the Privacy Act grants the ability to sue even for inadvertent privacy failures that have an “adverse effect on an individual,” and also provides for criminal fines.

Finally, and most importantly, the Privacy Act itself has broad exemptions that reduce the ability of individuals to seek redress in certain law enforcement and national security situations. The Judicial Redress Act does not reduce or address those exemptions."

Nevertheless, the European Commission, in the press release issued following the EP's vote, maintained the line that:

"The "Umbrella Agreement" will introduce the equal treatment of EU citizens, as called for by President Juncker in his Political Guidelines."
