What is the EU-US data protection "Umbrella Agreement"?
The EU-US data protection "Umbrella Agreement" puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The agreement covers all personal data (for example names, addresses, criminal records) exchanged between the EU and the US for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism.
The Umbrella Agreement will provide safeguards and guarantees of lawfulness for data transfers, thereby strengthening fundamental rights, facilitating EU-US law enforcement cooperation and restoring trust.
In particular, EU citizens will benefit from equal treatment: they will have the same judicial redress rights as US citizens in case of privacy breaches. This point was outlined by President Juncker in his Political Guidelines, when he stated: “The United States must [...] guarantee that all EU citizens have the right to enforce data protection rights in U.S. courts, whether or not they reside on U.S. soil. Removing such discrimination will be essential for restoring trust in transatlantic relations”.
How will the "Umbrella Agreement" make data transfers safer?
This agreement will complement existing EU-US and Member State – US agreements between law enforcement authorities. It will create clear harmonised data protection rules and set a high level of protection for future agreements in this field.
The "Umbrella Agreement" will provide the following protections to make sure that everyone's data are protected when exchanged between police and criminal justice authorities:
- Clear limitations on data use – Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences, and may not be processed beyond compatible purposes.
- Onward transfer – Any onward transfer to a non-US, non-EU country or international organisation must be subject to the prior consent of the competent authority of the country which had originally transferred personal data.
- Retention periods - Individuals' personal data may not be retained for longer than necessary or appropriate. These retention periods will have to be published or otherwise made publicly available. The decision on what is an acceptable duration must take into account the impact on people's rights and interests.
- Right to access and rectification - Any individual will be entitled to access their personal data – subject to certain conditions, given the law enforcement context – and will be able to request the data is corrected if it is inaccurate.
- Information in case of data security breaches – A mechanism will be put in place so as to ensure notification of data security breaches to the competent authority and, where appropriate, the data subject.
- Judicial redress and enforceability of rights - EU citizens will have the right to seek judicial redress before US courts in case of the US authorities deny access or rectification, or unlawfully disclose their personal data. This provision of the Agreement depends on the adoption by US Congress of the US Judicial Redress Bill.
For what purpose can data be transferred across the Atlantic under the "Umbrella Agreement"? (purpose limitation)
The data transferred between EU and US law enforcement authorities can only be shared for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters. The agreement also clearly states that this data cannot be further processed for other incompatible purposes.
What if the US decides to transfer data to a third country or international organisation, how will the "Umbrella Agreement" protect the data? (onward transfer)
The "Umbrella Agreement" introduces strong safeguards to protect EU citizens' data transferred across the Atlantic when US authorities need to transfer it to a third country. In case a US authority intends to further transfer data it has received from the EU to a third country/international organisation, it will have first to obtain the consent from the law enforcement authority in the EU which has originally transferred the data to the US.
What is judicial redress? What will the "Umbrella Agreement" change?
At the moment, if an EU citizens' data is transferred to US law enforcement authorities and if their data is incorrect or unlawfully processed, EU citizens – non-resident in the US- are unable to obtain redress in US courts (unlike US citizens, who could ask for redress in European courts). The "Umbrella Agreement" will introduce the equal treatment of EU citizens, as called for by President Juncker in his Political Guidelines.
The Judicial Redress Act which extends the core of the judicial redress provisions of the US Privacy Act of 1974 to EU citizens was signed by President Obama on 24 February 2016. It will give EU citizens the right to seek judicial redress before US courts in case US authorities have denied access or rectification, or unlawfully disclose their personal data.
How will the agreement work in practice?
Example: An EU citizen's name is identical to that of a suspect in a transatlantic criminal investigation. Their data has been transferred from the EU to the US and erroneously gets collected and included on a US "black list". This can lead to a series of adverse consequences from the refusal of an entry visa, to a possible arrest. The EU citizen should be able to have their name deleted by the authorities – if necessary by a judge – once the mistake is discovered. Europeans (and Americans) have those rights in the EU. Europeans should have them when their data is exchanged with the US too. The citizen who believes that their data is inaccurate can also authorise, where permitted under domestic law, an authority (for instance a Data Protection Authority) or another representative to seek correction or rectification on his or her behalf.
If correction or rectification is denied or restricted, the US authority processing the data should provide the individual or the data protection authority acting on their behalf with a response explaining the reasons for the denial or restriction of correction or rectification.
What are the next steps?
The "Umbrella Agreement" will enter into force once each party has completed the necessary internal procedures.
On the European Union side, this is the adoption of a decision by the Council on the conclusion of the agreement, following the European Parliament's consent vote. The US side now has to make the necessary designations under the Judicial Redress act.
When were the negotiations first launched?
The European Parliament, in a resolution on 26 March 2009, called for an EU-US agreement that ensures adequate protection of civil liberties and personal data protection. In December 2009, the European Council invited the Commission to propose a Recommendation "for the negotiation of a data protection and, where necessary, data sharing agreements for law enforcement purposes with the US."
In December 2010, EU Justice Ministers approved the start of talks between the European Union and the United States (see IP/10/1661). The negotiations began officially on 29 March 2011 (see MEMO/11/203).
The data protection "Umbrella Agreement" was initialled on 8 September 2015, following the finalisation of the negotiations.
As part of this agreement, President Obama signed the Judicial Redress Bill on 24 February 2016, following its adoption in the US Congress.
On 2 June 2016 EU-U.S. Justice and Home Affairs Ministers formerly signed the "Umbrella Agreement" at a ministerial meeting in Amsterdam.
For further information: