On 8 September 2015, the European Commission announced the successful completion of the negotiations with the US on a framework agreement ("Umbrella Agreement") that shall apply to the co-operation between law enforcement authorities. "Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic. It will in particular guarantee that all EU citizens have the right to enforce their data protection rights in US courts," said the competent EU Commissioner Věra Jourová. A prerequisite for signing the agreement, however, is that the US Congress approves the necessary legislative changes ("Judicial Redress Bill").
Although the Commission initially did not want to publish the agreement, the text has nevertheless found its way onto the Internet, enabling an assessment.
First the good news: The agreement contains, in fact, substantial concessions from the US side. It should be highlighted that the US shall even provide EU citizens with a right to seek judicial redress if they are of the opinion that their privacy rights have been violated in the context of processing information the respective US authorities have received from the EU. For years, the US government insisted on granting EU citizens only administrative redress. For Europe, such limited redress – ultimately depending on the goodwill of the US administration – would not have provided an adequate level of data protection.
Another positive aspect is that both sides have agreed to commit to the principles of proportionality, necessity and purpose limitation and that they have to determine the use and duration of storage of personal information in accordance with these principles. The concrete purposes of data processing and the retention periods have to be determined by the specific legal acts.
However, although the agreement improves the legal status of EU citizens whose data are transferred to the US, it would be a misperception to think that the agreement provides EU citizens with the same privacy rights as US persons. If this had been intended, the rights provided by the US Privacy Act of 1974 and other laws, currently limited to US citizens and residents, could have been extended to EU citizens. Instead, the agreement text contains complicated rules which do not ensure equality in the result. EU citizens first have to seek administrative redress. They may go to a US court only after administrative redress has definitely been exhausted. In addition, administrative and judicial redress are limited to those privacy rights explicitly specified in the agreement, such as the right to access and correction of personal information. The agreement will not grant EU citizens – unlike US citizens – further rights to challenge the lawfulness of the entire process of data processing before a US court.
Furthermore, it should be noted that the agreement shall apply only to judicial and police authorities, but not to authorities tasked with guaranteeing "national security". US intelligence agencies like the NSA and the CIA share personal data with law enforcement agencies, even if they have received this information from their European partners. The provisions of the umbrella agreement would not apply in these cases. Last but not least, the agreement does not cover data that US and European authorities collect on the basis of national laws, e.g. the Foreign Intelligence Surveillance Act (FISA) or similar European legislation.
Another limitation of the umbrella: While under European data protection law all personal data are protected regardless of the nationality of the persons concerned, the agreement is to apply only to data on EU citizens that have been transferred to the US by European authorities or companies based on bilateral or multilateral agreements. So data relating to citizens of third countries remain unprotected.
Finally, the agreement (Art. 21) falls short with regard to data protection oversight. It lacks an explicit commitment by both parties to ensure independent data protection supervision. While the European Union commits that the independent data protection authorities shall be competent to check the provisions, with respect to the United States the agreement refers to a variety of oversight institutions, some of them not independent, which are to exercise the supervision of data protection "cumulatively".
Given these shortcomings, to me the exultation over the agreement seems premature. The European legal bodies which need to approve the ratification of the agreement, in particular the European Parliament and the parliaments of the Member States, are called upon to thoroughly examine the agreement, in particular its compatibility with the provisions of the EU Charter of Fundamental Rights. Depending on the results of such an assessment, it might be necessary to renegotiate and caulk the umbrella.