EU-US agreement on personal data protection related to crime

11.11.16: Following calls by the European Parliament, on 3 December 2010, the Council adopted a decision authorising the Commission to open negotiations on an Agreement between the European Union and the United States of America on the protection of personal data when transferred and processed for the purpose of preventing investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters. The agreement has been named the “Umbrella Agreement“.

On 28 March 2011, the Commission opened negotiations with the U.S. Department of Justice. Over the course of the negotiations, the Parliament was regularly informed issued a series of working documents to facilitate discussions in the LIBE Committee.

The text of the agreement was initialled on 8 September 2015. Following the adoption by the U.S. Congress of the Judicial Redress Act on 24 February 2016, on 18 July 2016, the Council decided to request the European Parliament to give its consent to the conclusion of the Agreement, and submitted the request to the Parliament on 12 September 2016.

The “Umbrella Agreement” does not provide for a legal basis for transfers of personal data. This legal basis for data transfers is to be found in existing EU-US agreements or bilateral agreements between the Member States and the US or national laws providing for personal data exchanges.

Major elements of the Umbrella Agreement

The Agreement contains provisions setting out the basic data protection principles, namely:

  • Purpose and use limitations of personal data transferred. Personal information shall be processed for specified purposes authorised by the legal basis for the transfer. Further processing by other or the same law enforcement, regulatory or administrative authorities is allowed provided it is not incompatible with the initial purpose of the transfer. The transferring authority may impose additional conditions to the transfer and the subsequent processing to the extent that the applicable legal framework allows for it.
  • Personal information shall be maintained with such accuracy, relevance, timeliness and completeness as is necessary and appropriate for the lawful processing. Moreover, the processing shall be subject to specific retention periods to ensure that personal data is not processed longer than necessary.
  • As regards the processing of personal data other than in relation to specific cases, investigations or prosecutions (bulk), the Umbrella Agreement provides that any specific agreement allowing the “bulk transfer” of personal data will have to further specify the standards and conditions under which this processing in bulk may take place, in particular, as regards the processing of sensitive data, onward transfers and data retention periods. Such bulk data transfer, in particular those of sensitive data, might raise questions of compatibility with EU data protection framework as interpreted by the Court of Justice.
  • One of the main novelties of the Umbrella Agreement is that it will allow the citizens of each Party to be able to seek judicial redress for the i) denial of access, ii) denial of rectification or iii) unlawful disclosure by the authorities of the other Party. These rights are exercised pursuant to the law of the State where they are invoked.
  • The Umbrella Agreement shall be subject to periodic joint reviews, the first one will take place no later than three years from the entry into force of the Umbrella Agreement and thereafter on a regular basis, and the composition of the respective delegations shall include representatives of both data protection authorities and law enforcement authorities. The findings of the joint reviews will be made public.

To see the elements of the agreement in more detail click here.