The European Commission is facing challenges on another EU-US data sharing deal: the Parliament legal service and MEPs argued the so-called Umbrella Agreement doesn’t comply with EU law.
A European Parliament legal advisor expressed doubts yesterday evening (15 February) about the Commission’s pending Umbrella Agreement on personal data transfers to the US for law enforcement purposes.
MEPs in the Civil Liberties, Justice and Home Affairs (LIBE) Committee also criticised the agreement, which has been awaiting a green light from the Commission and the US government since the two sides struck a deal last September.
The Commission is already under pressure for its EU-US Privacy Shield, a separate privacy agreement for transferring commercial data to the US. Critics have vowed to challenge that deal in the European Court of Justice, which knocked down its predecessor, the Safe Harbour agreement four months ago.
The Umbrella Agreement was set up to allow data to be transferred from the EU to the US government for law enforcement use.
Parliament legal advisor Dominique Moore told LIBE MEPs yesterday that there is “clearly a gap between what EU law requires” and the data protection guarantees offered by the Umbrella Agreement.
The executive has held off on rubber stamping the Umbrella Agreement until the Judicial Redress Act was passed by the US Congress. Judicial Redress, another piece of the Commission’s multi-pronged data transfer package with the US, would give EU citizens the right to challenge how their data is used in US courts. That deal was passed by the US Senate last week.
The criticism from the Parliament comes as a last-ditch warning before the Commission could sign off on the new data sharing agreement for law enforcement.
An opinion from the Parliament’s legal service called the Umbrella Agreement “not compatible with primary EU law and the respect for fundamental rights”, according to the version leaked yesterday by NGO Statewatch.
Moore told LIBE MEPs that the Umbrella Agreement would act as a kind of adequacy agreement with the US and could therefore override secondary EU legislation, including the new EU-wide data protection laws that were passed in December.
The agreement would break EU law by only guaranteeing citizens of member states the right to legal redress if US law enforcement agencies misuse their data, Moore argued.
Francisco J. Fonseca Morillo, Deputy-Director General of DG Justice, dismissed that claim. Morillo called the Judicial Redress Act an “unprecedented act by the US Congress” and said “to consider the extent of such an improvement as not the maximum and thus make the Umbrella Agreement illegal is difficult to understand”.
Officials clashed over the details of the Umbrella Agreement in an hour-long debate, with European Data Protection Supervisor Giovanni Buttarelli, rebuffing the European Commission’s argument that all EU residents could have judicial redress as too ambiguous.
“Everyone in the EU should have the right to judicial redress. Not only EU nationals,” Buttarelli told MEPs.
A Commission source told EurActiv the EU executive is not considering making changes to the Umbrella Agreement since it was initialed by EU and US lawmakers last year.
Several MEPs blasted the agreement for not safeguarding the right of all EU residents—including those who are not EU citizens—to challenge how their data is handled in the US.
“With the kind of candidates and the appointments of a new Supreme Court judge, I want 100% reassurance for the rights of my citizens,” said Dutch ALDE MEP Sophie in ‘t Veld (D66), referring to the US presidential campaign that is now underway.
German S&D MEP Birgit Sippel (SPD) said, “I’m not convinced that this text does not lead to a kind of adequacy ruling.”
The European Commission agreed on terms for the 'Umbrella Agreement' with the US government on 8 September 2015. The agreement includes data protection measures for data transfers for law enforcement purposes, including terrorism.
The Commission made the Umbrella Agreement conditional on the US Congress' passing of the Judicial Redress Act, which will give EU citizens the right to challenge how their data is used in US courts. The Judicial Redress Act was passed by the US Senate in February 2016.
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.
European Data Protection Supervisor: opinion on the Umbrella Agreement (February 2016)