In the letter below, MEP Sophie in 't Veld urges the Commission to fulfil its duty and ensure effective implementation of the Privacy Shield and Umbrella Agreement. Currently, as a result of President Trump's Executive Order and the refusal to repeal the exemptions to the Privacy Act, the US obligations under the Privacy Shield and Umbrella Agreement are not sufficiently enacted to guarantee the protections and rights that Europeans should enjoy as per the EU Charter of Fundamental Rights.
Brussels, 30 March 2017
Dear President Juncker,
Dear Commissioner Jourová,
Thank you for your letters of 31 January 2017 (Ref. Ares(2017)532581) and 17 March 2017 (Ref. Ares (2017)1441735) concerning measures taken by the U.S. administration and their influence on data protection guarantees for EU citizens under the EU-US Privacy Shield and the EU-US Umbrella Agreement.
In the letters, you state that the Commission considers that President Trump’s Executive Order on “Enhancing Public Safety in the Interior of the United States” of 25 January 2017, and in particular its Section 14 on the exclusion of foreign citizens from the protections of the Privacy Act regarding personally identifiable information, does not affect the data protection guarantees available to Europeans under the EU-US Privacy Shield and the EU-US Umbrella Agreement.
As established by the CJEU Schrems judgment, in order to respect the fundamental right to effective judicial protections (article 47 of the EU Charter of Fundamental Rights), any legislation needs to provide a possibility for an individual to “pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data”. The decision by the Commission that the level of protection for personal data transferred from the EU to the US is adequate under the EU-US Privacy Shield relies on U.S. written assurances that judicial redress mechanisms exist for individuals in cases in which data was accessed by the U.S. authorities. In light of your interpretation of Section 14 of the Executive Order, does the Commission consider the US written assurances related to the EU-US Privacy Shield as part of the “applicable law” under the US judicial order? Can the Commission guarantee that the exclusion by US agencies of “persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information” will not affect the right to effective judicial protection and other data protection guarantees available to Europeans under the EU-US Privacy Shield?
Moreover, the Umbrella Agreement requires, as per its article 19, that the US provide the ability to citizens to seek administrative redress in cases where access to or amendment of their personal data was denied. In your answer to us, you state that the adoption of the Judicial Redress Act by the U.S. Congress enables individual redress, and that the Executive Order only obliges agencies to exclude non-US persons from the protections of the U.S. Privacy Act “to the extent consistent with applicable law”. Therefore, the protections under the Umbrella Agreement would not be affected by President Trump’s Executive Order. However, the Judicial Redress Act does not fully guarantee that the Executive Order does not have an impact on privacy protections of EU citizens. The fact that the Judicial Redress Act has been adopted does not give the same protection to EU citizens that was provided by the Privacy Act. The Judicial Redress Act does not allow EU citizens to address improper dissemination of their data that is accidental or inadvertent, since it only extends the right to EU citizens to start a court procedure against the US government if their records were “wilfully and intentionally” disseminated without consent.
While you state that the Judicial Redress Act sufficiently guarantees that law enforcement databases containing data of EU citizens cannot be exempted from the benefit of judicial redress rights, as the Privacy Act currently allows, the Commission has clearly mentioned before that the exemptions to the Privacy Act must be repealed for the Umbrella Agreement to be effectively implemented and enacted in the US. According to the written answers given by the Commission to the questions posed during the LIBE committee meeting of 9 March 2016 (Ares(2017)1713145), the Department of Homeland Security will be “obliged” to abrogate the exemption of PNR data from the Privacy Act. The answer mentioned that “failure to do so will stand for a failure to give effect to the provision requiring the implementation of the Umbrella Agreement and will make it impossible for the U.S. to rely on the presumption laid down in Article 5(3).” In the same written answers, the Commission explicitly says that the obligations under Article 18 of the Umbrella Agreement are “formulated in an unconditional manner”, which excludes “the possibility of maintaining exemptions” such as the exemption under which PNR data falls (Section 552a (j)(2) of the US Privacy Act).
Has the Commission changed opinion and now does not consider that these exemptions to the Privacy Act need to be lifted? To date, does the Commission consider the current legal framework applicable in the US as compliant with the obligations and commitments set out in the Umbrella Agreement and Privacy Shield?
In my view, as a result of the Executive Order and the refusal to repeal the exemptions to the Privacy Act, the US obligations under the Privacy Shield and Umbrella Agreement are not sufficiently enacted to guarantee the protections and rights that Europeans should enjoy as per the EU Charter of Fundamental Rights. I urge the Commission to fulfill its duty and ensure that these international agreements affecting the protection of Europeans’ personal data are effectively implemented.
Sophie in 't Veld