Commission fails to answer Written Parliamentary Questions on US surveillance law authorising the collection of EU citizens' digital communications >
EU Commission will scrutinise French TES biometrics database of 60 million citizens following questions by D66 MEP >
Privacy Platform - “Track or Treat!" Behavioural targeting and online privacy >
While international trade agreements like the ones with Canada (CETA) and the U.S. (TTIP), trigger massive protests and dominate the news headlines, another international agreement is being passed very quietly and unobserved, below the radar. The so called "Umbrella Agreement" between the EU and US on the protection of personal data in the context of law enforcement, has not attracted any attention. It is set to be fast-tracked through the European Parliament by rapporteur Jan Albrecht (Greens/DE). However, the Umbrella Agreement is anything but uncontroversial. It will potentially serve as a blanket approval for data transfers to the US for law enforcement purposes. If the agreement is implemented, the US are "deemed to comply" with EU data protection legislation, and no further authorisation is required.
European standards and democratic process undercut
Although the Umbrella Agreement does indeed offer new and useful safeguards and rights, it is far from clear if it meet the standards required by EU law and case law. WP 29, the European platform of national data protection authorities, calls for further clarification of a range of issues, for example the definition of "personal data". Moreover, as an international agreement, the Umbrella Agreement takes precedence over EU secondary law, implying that an agreement that has been negotiated behind closed doors by civil servants, might undercut the new Data Protection Directive, which in contrast has been adopted in an open, democratic parliamentary process.
Why the rush?
Already a decade ago, as the flow of personal data to the US was growing, we considered there was a need for a set of standards, to be laid down in a transatlantic framework for the protection of personal data. For several years there were informal talks between the EU and the US, and an official negotiating mandate was adopted in 2010. As the process has lasted already so many years, it is unclear why it has to be rushed through Parliament in less than four weeks time. The more so, as within the next few months the EU Court of Justice will issue an opinion on the EU-Canada PNR agreement, which is expectedly very relevant for other agreements involving the transfer and processing of personal data for law enforcement purposes.
Conditions deliberately ignored
In addition, the Umbrella Agreement is made conditional on the right to judicial redress for EU citizens. This has been addressed in the US Judicial Redress Act. Although that is undeniably progress, the right is limited to EU citizens, and excludes millions of non-citizens living in the EU. That is contrary to the EU Charter of Fundamental Rights.
But there is one more problem: the Judicial Redress Act will only be considered valid for the purpose of the Umbrella Agreement, if the exemptions from the Privacy Act for PNR data and similar programmes are lifted. In other words: the Umbrella Agreement can not enter into force until the US administration decides that the Privacy Act also covers PNR data transferred from Europe to the US. That will happen when pigs fly. I.e. never. However, the Commission apparently wishes to push ahead regardless, with an agreement which by its own standards is not valid. The Commission replied that if citizens don't like it, they can go to court. (not exactly in line with the "better lawmaking" agenda of the Commission)
The right of judicial redress is granted only to citizens of designated countries, and may be repealed unilaterally by the US. A country is designated if it permits data transfers to the US for commercial purposes and if its data protection legislation does not impede US national security interests. This transfer is done in many cases on the basis of Privacy Shield, which is fiercely contested by the EP rapporteur. But if Privacy Shield falls, a key condition for the Umbrella Agreement ceases to be fulfilled.
The rapporteur has proposed to address some of the concerns by appending a declaration of the European Commission in an annex to the Umbrella Agreement. But that does not alter the legal contents of the agreement in any way, it is just a cosmetic solution. It does not mend the holes in the umbrella.
These are just a few of the problematic aspects of the Umbrella Agreement. Several experts have expressed their concern, but Commission just charges ahead and rapporteur Albrecht recommends support of the agreement, with so many questions left unanswered.
Umbrella protecting us from the rain? Or our fundamental rights washed away through a sieve?