On December 2, 2016, the European Parliament voted to approve the EU-U.S. Umbrella Agreement, a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S. As we previously explained, negotiations on this Agreement have been underway for quite some time, with the European Parliament first calling for it back in March 2009.
According to the European Commission’s fact sheet, the Agreement “puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation.” Specifically, the Umbrella Agreement includes the following protections:
-
Data Use Limitations
-
Onward Transfer Requirements
-
Publicly Available Retention Periods
-
Access and Rectification Rights
-
Data Breach Notification
-
Judicial Redress and Enforceability
Judicial redress for EU citizens in U.S. courts was a particularly important point for EU negotiators, and adoption of the Agreement explicitly depended on U.S. passage of the Judicial Redress Act, which we previously covered and was enacted into law in February 2016.
EU officials were quite bullish on the vote to approve the Agreement. The European Commission’s press release called it a “historic” and “unique” agreement that “guarantees a high level of protection to EU citizens’ personal data transferred to judicial and police authorities across the Atlantic.” And Jan Philipp Albrecht, a Member of the European Parliament who led the examination of the Agreement and the rapporteur for the stringent General Data Protection Regulation, stated that the Agreement would ensure “high, binding standards and strong rights for citizens on both sides of the Atlantic” and would “rais[e] data protection with the USA to a new level.”
Now that the European Parliament has voted to approve the Umbrella Agreement, it will enter into force once both the EU and U.S. complete the necessary internal procedures. On the EU side, the European Council must adopt a decision authorizing signature of the Agreement. On the U.S. side, the Attorney General (with the concurrence of the Secretary of State, Secretary of the Treasury, and Secretary of Homeland Security) must designate the EU as a “covered country” under the Judicial Redress Act.
Finalization of the Agreement is complicated, however, by the potentially conflicting priorities of the incoming Trump Administration with regard to the protections called for by the Umbrella Agreement. Specifically, there is uncertainty about how the new administration will approach the scope of U.S. surveillance activities and whether, for instance, it will share the Obama Administration’s commitments in PPD-28 to account for individuals’ legitimate privacy interests “regardless of their nationality or wherever they might reside” in conducting U.S. surveillance activities.