EU, US sign ‘Umbrella Agreement’ on data protection

Věra Jourová, Ard van der Steur and Loretta Lynch [European Commission]

The European Union and the United States on Thursday (2 June) signed a deal to protect personal data transferred across the Atlantic in a bid to fight crime and terrorism.

The so-called umbrella agreement signed in the Dutch city of Amsterdam follows five years of talks hobbled by European concerns about revelations of large-scale US snooping.

“It will improve cooperation between US and European law enforcement authorities when combatting serious crime and terrorism,” Dutch Justice Minister Ard van der Steur said at a signing ceremony during the six-month Dutch presidency of the EU.

“It will advance the full respect for fundamental rights whenever personal data is being transferred between us,” he said at the ceremony with US Attorney General Loretta Lynch.

The European Parliament must still give its consent to the agreement, which was signed after the United States adopted in February a prerequisite law granting EU citizens the right to judicial redress in the US.

An EU statement said the umbrella agreement covers all personal information shared between EU member states and US law enforcement authorities in a bid to prevent, investigate, detect and prosecute criminal offences, including terrorism.

The deal will not only facilitate law enforcement cooperation but guarantee the legality of data transfers, it added.

Safeguards include setting clear limits on data use and requiring agencies to seek consent before data is transferred, it said.

The talks had been bedevilled by concerns in Europe after intelligence leaker Edward Snowden in 2013 released evidence of a massive network of US spy operations on friend and foe alike, including on EU countries.

Separately in February, the EU and US struck a tentative deal on strengthening a 2001 agreement meant to ensure US companies like Google and Facebook respect EU norms on commercial use of personal data.

But the European Parliament called last month on Brussels to remove “deficiencies” from the deal designed to replace the earlier “Safe Harbour” agreement, which Europe’s top court cancelled on the basis of the Snowden revelations.

The European Commission agreed on terms for the 'Umbrella Agreement' with the US government on 8 September 2015. The agreement includes data protection measures for data transfers for law enforcement purposes, including terrorism.

The Commission made the Umbrella Agreement conditional on the US Congress' passing of the Judicial Redress Act, which will give EU citizens the right to challenge how their data is used in US courts. The Judicial Redress Act was passed by the US Senate in February 2016.

The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US - provided the companies guaranteed the data's security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens' data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.

Since the ECJ decision, EU and US negotiators have sped up their talks to strike a new data transfer agreement. European data protection authorities from the 28 EU member states met after the ECJ decision, and asked the Commission to come up with a new deal by the end of January 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.
