ORIGINAL PUBLISHED ON EU-LOGOS
by Elena Dal Monte
The European Commission is dealing with challenges on another EU-U.S. data sharing deal: the Parliament legal service and MEPs argued that the so-called Umbrella Agreement, which will be brought into being with the signature of the Judicial Redress Act, does not comply with EU law.
On November 2015 the legal service of the European Parliament received a request from Mr. Claude Moraes, Chair of the committee of Civil Liberties, Justice and Home Affairs (LIBE), regarding the “Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation detection and prosecution of criminal offences” also known as the “ EU-U.S. umbrella Agreement”. This accord would put in place a data protection framework for personal data transferred for the purpose of prevention, detection, investigation, and prosecution of criminal offenses, including terrorism. The European Commission agreed on terms for the ‘Umbrella Agreement’ with the U.S. government on 8 September 2015.
The Commission made the Umbrella Agreement conditional on the U.S. Congress’ passing of the Judicial Redress Act, which will give EU citizens the right to challenge how their data is used in the U.S. courts. The Judicial Redress Act was passed by the U.S. Senate in February 2016.
At a meeting on 15 February, the MEPs of the committee of Civil Liberties, Justice and Home Affairs of the EP and the Legal Service of the European Parliament presented their opinion on the relationship between the Umbrella agreement and Union law, both as regards its compatibility with primary and secondary European law.
To give his advice the Legal Service was supposed to answer three questions regarding the umbrella agreement, first about the legal nature of the accord and its relation with secondary EU legislation, second whether it could be considered as an adequacy decision, and third regarding the legal status of person who are not EU citizens and whether they are entitled to protection.
Concerning the first question the Legal Service answered that the agreement once properly concluded will be an international accord within the meaning of the Treaty on the Functioning of the European Union (TFEU), so it will have primacy over secondary legislation such as on the future data protection package. However, it is important to specify, that international agreements cannot have primacy over secondary EU law if they are in any way incompatible with the Charter of Fundamental Rights.
Regarding the second matter, on whether the agreement will constitute an adequacy decision or not, Dominique Moore, the rapporteur of the Legal Service, stated that the agreement does not represent a classic form of adequacy decision, that it falls outside the scope of secondary legislation and that, being its effects already clear, they do not require further adequacy decision. He also explained, on a further comment, that the European Court of Justice has limited jurisdiction over international agreements, while enjoys full powers in the review and eventual annulment or declaration of invalidity of a Commission position.
On the third question Mr. Moore stated that under EU law and in particular under both article 8 of the charter and article 16 of the TFEU “everyone has the right to the protection of personal data”. Thus, under EU primary law , the right to protection of personal data is granted to everyone and it is not restricted on the basis of residence or citizenship or any other criteria. The situation under the EU-U.S. umbrella agreement, would instead be different. Specifically, as for regards agreement itself, it is important to note that Article 19, labeled « Judicial Redress », provides that certain limited rights of judicial redress shall be made available, subject to certain conditions, only to « any of a Party »
Accordingly, the EU-U.S. Umbrella agreement does not provide that the U.S. will afford rights of judicial redress to natural persons, falling within the scope of EU law, other than EU citizens. This then opens a significant « gap » in the protection of the personal data of individuals covered by EU law which applies to « everyone », when compared with the limited obligations imposed on the U.S. by the EU-U.S. Umbrella agreement .That is why in the opinion of the Legal Service, the proposed agreement would not be compatible with the charter.
Then Mr. Francisco J. Morillo, Deputy Director- General in the DG JUST, took the floor during the LIBE meeting and explained that, in the opinion of the Commission, the agreement will constitute a major success for EU. The agreement establishes indeed a framework that will apply to every transfer in the law enforcement sector made on the basis of future or existing accords or national law.
In addition, it will improve the situation of all EU data subjects except for judicial address avenues, regardless of the nationality or place of residence of the data subject. Furthermore he explained that the Umbrella agreement is an improvement compared to the present situation. The judicial redress act will allow EU citizens to benefit from redress: refusal to grant access to personal data, change data and disclosure to data. The effectiveness will be the core issue. The judicial redress act extends avenues to EU citizens. Nevertheless, this is not the only route of judicial redress.
However Mr. Morillo also specified that the agreement does not grant adequacy to the U.S. and he added it was never the intention of the Commission to make an adequacy finding. Article 5.3 of the draft version of the Umbrella Agreement does not provide a blanket authorization but a presumption of compliance. Paragraph 2 of article 5 clarifies that. The presumption operates on a case by case basis. It is an instrument to complement our legal basis for transfer. It is very different from an adequacy decision, he concluded.
Afterwards Mr. Giovanni Buttarelli, European Data Protection Supervisor (EDPS) took the floor, and welcomed the efforts of the European Commission to reach, for the first time, a general agreement with the U.S. Nevertheless he emphasized that the crucial challenge was to ensure full compatibility of the agreement with the EU Treaties and the Charter of Fundamental Rights, and in particular with Articles 7, 8 and 47 of the Charter and Article 16 TFEU. Thus he suggested three essential improvements in order to guarantee the compliance of the accord with the Charter and with Article 16 of the Treaty.
First of all, he said that all the safeguards should apply to all individuals in the EU, not only to EU nationals, because there are specific provisions in the Agreement that regard all individuals – such as the rights to access, rectification and administrative redress. But there are two essential provisions that appear to be limited to citizens of the two parties to the Agreement: namely, the general non-discrimination obligation in Article 4 and the right to judicial redress in Article 19. Mr. Buttarelli added that on these points the EDPS could not afford any ambiguity.
Secondly, Mr. Buttarelli stated that the second EDPS recommendation was to ensure that judicial redress provisions were effective – again within the meaning of the Charter.
Finally, the third EDPS recommendation dealt with transfers of sensitive data. As Buttarelli underlined “I am afraid that Article 13(2) of the Agreement seems to open the possibility of bulk transfers of sensitive data: it refers to the possibility of transfers of personal information « other than in relation to specific cases ». Such transfers would not necessarily mean transfers in bulk, but this possibility cannot be excluded”.
Afterwards many MEP’s casted serious doubts on the transatlantic agreement. Indeed, several MEP’s denounced the agreement for not safeguarding the rights of all EU residents, and contested Mr. Morillo assertion that the text would not lead to an adequacy decision.
Thus, how to reach an agreement on the accord is still not clear.
However, in the meanwhile, on Wednesday 24 February, the American President, Barack Obama signed the Judicial Redress Act, which was adopted by the American Senate in early February and on the occasion of the signing, Justice Commissioner Věra Jourová said:
“I welcome the signature of the Judicial Redress Act by President Obama today. This new law is a historic achievement in our efforts to restore trust in transatlantic data flows. The Judicial Redress Act will ensure that all EU citizens have the right to enforce data protection rights in U.S. courts, as called for in President Juncker’s political guidelines. U.S. citizens already enjoy this right in Europe. The entry into force of the Judicial Redress Act will pave the way for the signature of the EU-U.S. Data Protection Umbrella Agreement. This agreement will guarantee a high level of protection of all personal data, regardless of nationality, when transferred across the Atlantic for law enforcement purposes. It will strengthen privacy, while ensuring legal certainty for transatlantic data exchanges between police and criminal justice authorities. This is crucial to keep Europeans safe through efficient and robust cooperation between the EU and the U.S. in the fight against crime and terrorism. The signature of the Judicial Redress Act by President Obama is a historic achievement in our efforts to restore trust in transatlantic data flows, paving the way to the signature of the EU-U.S. Data Protection Umbrella Agreement.”
Elena Dal Monte
For Further Information:
Committee on Civil Liberties, Justice and Home Affairs – meeting 15/02/2016 (PM)
European Commission – Statement
Speech of Giovanni Buttarelli on the EU-U.S. Umbrella Agreement given at Civil Liberties, Justice and Home Affairs Committee (LIBE)
Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences