EU and U.S. Reach “Umbrella Agreement” on Data Transfers

The EU and U.S. reached an agreement on Tuesday (9 September) which will enable the two sides to exchange personal data during criminal and terrorism investigations.

The so-called “Umbrella Agreement” comes after four years of negotiations between the EU and U.S. and will protect personal data exchanged between police and judicial authorities in the course of investigations.

Concerns in the EU were raised following revelations in 2013 that the U.S. National Security Agency (NSA) conducted mass surveillance on EU citizens, was involved in industrial espionage, and spied on heads of state and ministers. The European Commission said this deal will help restore lost trust.

The Umbrella Agreement will allow the transfer of personal data between the EU and the U.S. “for the purpose of prevention, detection, investigation and prosecution of criminal offences,” providing it is not “processed beyond compatible purposes.” It also will put limits on the ability of the U.S., or an EU country, to pass the shared data to a third country.

Importantly, EU citizens will have the same rights as U.S. citizens to enforce their data protection rights before U.S. courts in cases where U.S. authorities deny access or rectification, or unlawfully disclose their personal data. U.S. citizens currently have data protection rights in the EU, so this is seen as a quid pro quo.

EU Justice Commissioner Vera Jourová said the agreement will guarantee a “high level of protection” for personal data exchanged between U.S. and EU investigators. “The finalization of the Umbrella Agreement negotiations is therefore an important step to strengthen the fundamental right to privacy effectively and to rebuild trust in EU-U.S. data flows,” she said in a statement.

Next steps

In the U.S., the Judicial Redress Bill, granting judicial redress rights to EU citizens, will have to be adopted before the Umbrella Agreement can be signed and formally concluded. Senator Chris Murphy, who is sponsoring the bill which was introduced by Representative Frank James Sensenbrenner Jr., has said that he is angling to attach the language to the Cybersecurity Information Sharing Act that is currently pending, or pass it as a standalone bill.

In the EU, the European Council, on the basis of a proposal by the European Commission, shall adopt a decision authorising the signing of the agreement. The decision concluding the agreement will be adopted by the European Council after consent of the European Parliament.

The Future of Safe Harbor?

The negotiations over the separate EU-U.S. Safe Harbor agreement, which covers corporate data transfers, have hit a road block. The concurrence on the judicial redress issue covered by the Umbrella Agreement should allow the parties to make progress on that point as part of the Safe Harbor negotiations.
Last year, the European Parliament voted to suspend the Safe Harbor agreement, which legitimizes the transfer of personal data outside the EU to the U.S. More than 5,000 U.S. companies have signed on to the Safe Harbor self-certification scheme, but a study in 2013 found that hundreds of companies had lied about belonging to the Safe Harbor arrangement.

Almost two years ago, the European Commission issued 13 recommendations to the U.S. to improve the scheme but, as yet, little has been done to improve it. The U.S. Department of Commerce is refusing to move on the agreement’s national security exceptions. The agreement is currently under review and on 9 September 2015, Ms. Jourová said that she is confident the work on Safe Harbor “will soon conclude.”