The EU and US have agreed on a data protection framework for law enforcement cooperation. While the framework is praised for increased data protection, critics highlight the lack of a clear enforcement mechanism for EU citizens.
After over four years of negotiations, the European Union and the United States agreed on a framework data protection agreement on 8 September 2015 (Umbrella Agreement). The Umbrella Agreement covers all personal data exchanged between the European Union and the United States to prevent, detect, investigate, and prosecute criminal offenses, including terrorism. According to the Q&A’s posted on the EU Commission’s website, the Umbrella Agreement shall “provide safeguards and guarantees of lawfulness for data transfers.”
During the negotiations, the Umbrella Agreement was widely criticized throughout the EU because EU citizens could not file lawsuits in the United States to enforce their data protection rights. The U.S. Privacy Act allows only U.S. residents to obtain redress for data privacy and protection violations. As part of the Umbrella Agreement, the U.S. Congress introduced an amendment to the U.S. Privacy Act known as the “Judicial Redress Bill.” If adopted, the Judicial Redress Bill will permit an EU citizen to use U.S. courts to (for example) have his or her name deleted from U.S. blacklists if the name was mistakenly included.
Also Read:
In Germany, the first reactions by political commentators on the agreement are moderately optimistic and an important step to rebuild trust after the National Security Agency (NSA) spying revelations. More importantly, the Umbrella Agreement includes many of the same general data privacy and protection principles followed in Germany and other EU countries, including:
- Limitations on data use—Personal data may only be used to prevent, investigate, detect, or prosecute criminal offenses.
- Onward transfer—Any onward transfer to a non-U.S., non-EU country, or international organization requires the prior consent of the country’s competent data protection authority for the personal data that was originally transferred.
- Retention periods – Personal data may not be retained longer than necessary or appropriate. The decision on an acceptable duration must consider the impact on people’s rights and interests. Retention periods must be published or otherwise made publicly available.
- Right to access and rectification—Any individual is entitled to access their personal data—subject to certain conditions, given the law enforcement context—and to request corrections.
While the increased data protection and proposed Judicial Redress Bill are positive developments, some commentators in Germany criticize the Umbrella Agreement’s lack of a clear and easy process for EU citizens’ data protection enforcement in the United States. The critics claim that most individuals will not even know when and if their data protection rights are violated.
Also Read:
The U.S. Congress and the EU Parliament and Council still must ratify the Umbrella Agreement, the full text of which is not yet available, but we expect that the Umbrella Agreement will unite the European Union and the United States on an increased level of data protection. We will report on the Umbrella Agreement again once its full text is publicized.
