EU-US Umbrella Agreement & Judicial Redress Act
EU-US Umbrella Agreement & Judicial Redress Act
The EU-US agreement, the so-called “Umbrella Agreement,” is a framework for transatlantic data transfer between the US and the EU. The proposed goal of the Agreement is to provide data protection safeguards for personal information transferred between the EU and the US.
- Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million: A federal court in Washington, DC has dismissed two lawsuits against the Office of Personnel Management over the data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the “troubling allegations” raised by OPM’s victims but ruled that “the fact that a person’s data was taken” is not “enough by itself to create standing to sue.” EPIC has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed comments last year with OPM recommending limits on data collection, has recommended updates to the federal Privacy Act, and has urged the Supreme Court to recognize a right to “informational privacy” and to ensure Privacy Act damages for non-economic harm. (Sep. 20, 2017)
- EPIC Tells Congress US-UK Surveillance Agreement Should be Made Public: EPIC has sent a statement to the House Judiciary Committee for a hearing on “Data Stored Abroad.” According to news reports, the United States and the United Kingdom are drafting a secret agreement for transnational access to personal data that would bypass legal and judicial safeguards. In November 2016, EPIC filed a FOIA Request for the draft US-UK agreement. The Justice Department recently informed EPIC that responsive documents had been located and would be referred to the State Department for additional processing. EPIC has long pursued public release of international agreements. In 2016, EPIC obtained the “Umbrella Agreement,” concerning the transfer of personal data from the EU to the US, after a successful Freedom of Information Act lawsuit. (Jun. 14, 2017)
On September 8, 2015 European and US officials announced that they have concluded an agreement on data protection for transatlantic criminal investigations. The EU Justice Commissioner stated, “Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic.” Despite the announcements, neither US officials nor their European counterparts made the text of the Agreement public.
Analysis of the Umbrella Agreement
The full text of the Agreement between the US and the EU on the Protection of Personal Information Relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offenses (Umbrella Agreement) was first made public by Statewatch. On September 14, 2015, the EU Parliament released the unofficial version of the agreement. EPIC pursues the public release of the document by US and EU agencies.
In-depth analysis of the Umbrella Agreement is here.
EPIC supports the establishment of a comprehensive legal framework to enable transborder data flows. EPIC previously urged that the United States begin the process of ratification of Council of Europe Convention 108.
The federal Privacy Act of 1974 places a duty upon federal agencies that maintain personal information to protect that data. This duty and concomitant responsibilities arise from the collection of personal data. Therefore, it does not matter what the data owner’s citizenship or origin is. EPIC has previously made recommendations regarding Privacy Act modernization.EPIC routinely provides comments to federal agencies regarding Privacy Act compliance, and we have provided amicus briefs to the U.S. Supreme Court in two Privacy Act cases, Doe v. Chao and FAA v. Cooper. EPIC has also written extensively on data protection concerns arising from the transfer of personal information between the European Union and the United States.
Judicial Redress Act of 2015
Significantly, the Umbrella Agreement requires amendment to the US Privacy Act of 1974 before it has legal effect. Congress has proposed this legislation in the Judicial Redress Act of 2015.
In a letter to the House Judiciary Committee, EPIC recommended changes to the Judicial Redress Act to provide meaningful protections for data collected on non-U.S. persons. The bill, also pending in the Senate, seeks to amend the federal Privacy Act. EPIC explained that the legislation under consideration fails to provide adequate protection to permit transborder data flows. EPIC also pointed to increasing public concern in the United States about failure to enforce the law. EPIC has previously recommended Congressional action to ensure adequate protections for all personal information collected by U.S. federal agencies. EPIC is also seeking public release of the text of the EU-US “Umbrella Agreement.”
- Douwe Korff, EU-US Umbrella Data Protection Agreement : Detailed analysis, FREE Group (October 14, 2015)
- EPIC Webpage on FOIA requests to obtain the text of the Umbrella Agreement, EPIC v DHS, DOJ and State Department (2015)
- EU-US Umbrella Agreement (Released by the EU Parliament, Sept. 14, 2015).
- Convention 108: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Council of Europe.
- Marc Rotenberg, On International Privacy: A Path Forward for the US and Europe, Harv. Int’l Rev. (June 2014)
- Francesca Bignami, The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens, Directorate General for Internal Policies, Policy Department C:Citizens’ Rights and Constitutional Affairs, Civil Liberties, Justice and Home Affairs (May 15, 2015)
- Peter Schaar, Leaky Umbrella, Europäische Akademie für Informationsfreiheit und Datencshutz (Sept. 18, 2015).
- Cat Zakrzewski, Tech Firms Support Bill Expanding Privacy Rights To Non-U.S. Citizens, TechCrunch (Sept. 16, 2015).
- Jennifer Baker, In EU-US data sharing we trust – but can we have that in writing, say MEPs, The Register (Sept 16, 2015).
- Mehboob Dossa et al., EU and U.S. Reach “Umbrella Agreement” on Data Transfers, JD Supra (Sept. 15, 2015).
- Jean De Ruyt & Monika Kuschewsky, EU – US Umbrella Agreement About to be Concluded: Towards a Transatlantic Approach to Data Protection?, National Law Review (Sept. 10, 2015).
- What the E.U.-U.S. Umbrella Agreement Does-And Does Not-Mean for Privacy, Access (Sept. 10,2015).
- Dustin Volz, u.s. and Europe Forge Data-Protection Dealfor Terrorism Cases, National Journal (Sept. 8, 2015)
- Heather Greenfield, CCIA Welcomes EU-US Data Transfer Agreement, Computer & Comm. Indus. Assoc. (Sept. 8, 2015).
- Cory Bennet, US, EU Ink Data-sharing Agreement on Investigations, The Hill (Sept. 8, 2015).