EU-US Data Protection “Umbrella Agreement” Finalised

A new EU-US data protection “Umbrella Agreement” has been finalized which, once in force, will implement a high-level data protection framework to cover the transfer of personal data from the EU to US authorities for the purposes of law enforcement. Although this new agreement relates only to the transfer of information for law enforcement purposes, those issues have been particularly sensitive post-Snowden. Accordingly, the finalization of this agreement may alleviate a particular point of contention and suggest that the overall discussions on the EU-US Safe Harbor are more likely to result in the continuation of that broader agreement.

The Umbrella Agreement will not, however, come into force until the US Judicial Redress Bill has become law in the US. That measure would grant EU citizens the right to seek judicial redress in US courts under the US Privacy Act where their data has been processed unlawfully or incorrectly by US law enforcement. It aims to address a potential concern of EU officials with a perceived, more generalized lack of access to US courts for EU citizens, although the issue is actually limited to the provisions of the US Privacy Act, which applies only to governmental entities. According to the European Commission, the adoption of the Bill will allow for the conclusion of the Umbrella Agreement.

The Umbrella Agreement, once concluded, will impose the following safeguards:

  • Clear limitations on data use (i.e. for the prevention, investigation, detection and prosecution of criminal offences);
  • Any onward transfer beyond the EU or the US will require the consent of the Data Protection Authority from the country where the personal data originated;
  • Personal data must not be kept for longer than is necessary;
  • In certain circumstances individuals will have a right of access to their personal data and to correction where the personal data is inaccurate;
  • Mandatory notification of security breaches to the applicable Data Protection Authority and where appropriate the individual; and
  • EU citizens will have the right to seek judicial redress before US courts under the US Privacy Act where US law enforcement have processed their personal data unlawfully or incorrectly.