Today MEP Sophie in 't Veld received an answer from Commissioner Jourová to her letter about the inconsistencies in Commission explanation on Privacy Shield and Umbrella Agreement. In the letter In 't Veld addressed the refusal of the US authorities to repeal the exemptions to the US Privacy Act. This repeal is necessary to make sure that the US obligations under the Umbrella Agreement are sufficiently enacted to guarantee the protections and rights that Europeans should enjoy regarding the transfer of their personal data for the purpose of law enforcement and the fight against terrorism.
In its answers to the questions posed in the LIBE committee in March 2016, which can be found below, the Commission clearly mentioned before that the exemptions to the Privacy Act must be repealed for the Umbrella Agreement to be effectively implemented and enacted in the US. However, in its answer to In 't Veld received today, the Commission deems that the exemptions do not need to be lifted anymore.
Questions from the LIBE Committee answered by the Commission in March 2016:
4. Does the Umbrella Agreement/the US Judicial Redress Act provide or grant effective judicial redress for individuals in the context of agreements like EU-US PNR and TFTP? How this would be implemented in light of the existing exemptions to the US Privacy Act?
As already explained with regard to Question no. II.3, Article 3(1) and the fourth recital of the preamble to the Umbrella Agreement clarify that "the obligations established by Article 19 of this Agreement on judicial redress" would apply to the PNR/TFTP Agreements. This is a significant achievement, given that in these agreements the EU and the U.S. had already agreed that the safeguards therein provide an adequate level of protection.
This also means that, once the Umbrella Agreement enters into force, the U.S. would be bound, in order to implement it, to remove from their legal system all exemptions which would go against the obligations of the Agreement.
For example, to our knowledge, PNR data (of both U.S. and non-U.S. citizens) are currently partly exempted from the US Privacy Act. This exemption was introduced by agency rules of the Department of Homeland Security (DHS) based on Section 552a (j)(2) of the US Privacy Act (authorising agencies to exempt certain "records"). Consequently, the DHS also has the power to abrogate this exemption (without the need for any legislative action by the U.S. Congress) and it will be obliged to do so under the Umbrella Agreement. Failure to do so will stand for a failure to give effect to the provision requiring the implementation of the Umbrella Agreement and will make it impossible for the U.S. to rely on the presumption laid down in Article 5(3) thereof.
6. Can the Commission confirm that compliance with the Umbrella Agreement necessarily requires:
i. a reversal of the decision on a partial exemption for PNR data from certain Privacy Act provisions, introduced by the DHS based on section 552a (j)(2) of the Privacy Act, which grants agencies under certain conditions the possibility to adopt rules partially exempting a "system of records" from requirements of the Privacy Act?
Yes. As it was explained above in answer to Question no. II-4, the obligations under Article 19 of the Umbrella Agreement are formulated in an unconditional manner and are confirmed, specifically with regard to PNR data, by the fourth recital of the Preamble. This excludes the possibility of maintaining exemptions such as the DHS exemption based on Section 552a (j)(2) of the US Privacy Act.