EU-US Umbrella Agreement
The EU-US agreement, the so-called "Umbrella Agreement," is a framework for transatlantic data transfer between the US and the EU. The proposed goal of the Agreement is to provide data protection safeguards for personal information transferred between the EU and the US.
- EPIC Tells Congress US-UK Surveillance Agreement Should be Made Public: EPIC has sent a statement to the House Judiciary Committee for a hearing on "Data Stored Abroad." According to news reports, the United States and the United Kingdom are drafting a secret agreement for transnational access to personal data that would bypass legal and judicial safeguards. In November 2016, EPIC filed a FOIA Request for the draft US-UK agreement. The Justice Department recently informed EPIC that responsive documents had been located and would be referred to the State Department for additional processing. EPIC has long pursued public release of international agreements. In 2016, EPIC obtained the "Umbrella Agreement," concerning the transfer of personal data from the EU to the US, after a successful Freedom of Information Act lawsuit. (Jun. 14, 2017)
- US Designates Countries Covered Under the Judicial Redress Act: During the final week in office, the Obama Department of Justice released the list of European countries covered under the Judicial Redress Act. The Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU "Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended substantial changes to the Judicial Redress Act, explaining in a letter to Congress that the bill still did not provide adequate protection to permit transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement. (Jan. 23, 2017) More top news »
On September 8, 2015 European and US officials announced that they have concluded an agreement on data protection for transatlantic criminal investigations. The EU Justice Commissioner stated, "Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic." Despite the announcements, neither US officials nor their European counterparts made the text of the Agreement public.
Analysis of the Umbrella Agreement
The full text of the Agreement between the US and the EU on the Protection of Personal Information Relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offenses (Umbrella Agreement) was first made public by Statewatch. On September 14, 2015, the EU Parliament released the unofficial version of the agreement. EPIC pursues the public release of the document by US and EU agencies.
In-depth analysis of the Umbrella Agreement is here.
EPIC supports the establishment of a comprehensive legal framework to enable transborder data flows. EPIC previously urged that the United States begin the process of ratification of Council of Europe Convention 108.
The federal Privacy Act of 1974 places a duty upon federal agencies that maintain personal information to protect that data. This duty and concomitant responsibilities arise from the collection of personal data. Therefore, it does not matter what the data owner's citizenship or origin is. EPIC has previously made recommendations regarding Privacy Act modernization.EPIC routinely provides comments to federal agencies regarding Privacy Act compliance, and we have provided amicus briefs to the U.S. Supreme Court in two Privacy Act cases, Doe v. Chao and FAA v. Cooper. EPIC has also written extensively on data protection concerns arising from the transfer of personal information between the European Union and the United States.
Judicial Redress Act of 2015
Significantly, the Umbrella Agreement requires amendment to the US Privacy Act of 1974 before it has legal effect. Congress has proposed this legislation in the Judicial Redress Act of 2015.
In a letter to the House Judiciary Committee, EPIC recommended changes to the Judicial Redress Act to provide meaningful protections for data collected on non-U.S. persons. The bill, also pending in the Senate, seeks to amend the federal Privacy Act. EPIC explained that the legislation under consideration fails to provide adequate protection to permit transborder data flows. EPIC also pointed to increasing public concern in the United States about failure to enforce the law. EPIC has previously recommended Congressional action to ensure adequate protections for all personal information collected by U.S. federal agencies. EPIC is also seeking public release of the text of the EU-US "Umbrella Agreement."
- Douwe Korff, EU-US Umbrella Data Protection Agreement : Detailed analysis, FREE Group (October 14, 2015)
- EPIC Webpage on FOIA requests to obtain the text of the Umbrella Agreement, EPIC v DHS, DOJ and State Department (2015)
- EU-US Umbrella Agreement (Released by the EU Parliament, Sept. 14, 2015).
- Convention 108: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Council of Europe.
- Marc Rotenberg, On International Privacy: A Path Forward for the US and Europe, Harv. Int’l Rev. (June 2014)
- Francesca Bignami, The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens, Directorate General for Internal Policies, Policy Department C:Citizens’ Rights and Constitutional Affairs, Civil Liberties, Justice and Home Affairs (May 15, 2015)
- Peter Schaar, Leaky Umbrella, Europäische Akademie für Informationsfreiheit und Datencshutz (Sept. 18, 2015).
- Cat Zakrzewski, Tech Firms Support Bill Expanding Privacy Rights To Non-U.S. Citizens, TechCrunch (Sept. 16, 2015).
- Jennifer Baker, In EU-US data sharing we trust - but can we have that in writing, say MEPs, The Register (Sept 16, 2015).
- Mehboob Dossa et al., EU and U.S. Reach “Umbrella Agreement” on Data Transfers, JD Supra (Sept. 15, 2015).
- Jean De Ruyt & Monika Kuschewsky, EU - US Umbrella Agreement About to be Concluded: Towards a Transatlantic Approach to Data Protection?, National Law Review (Sept. 10, 2015).
- What the E.U.-U.S. Umbrella Agreement Does-And Does Not-Mean for Privacy, Access (Sept. 10,2015).
- Dustin Volz, u.s. and Europe Forge Data-Protection Dealfor Terrorism Cases, National Journal (Sept. 8, 2015)
- Heather Greenfield, CCIA Welcomes EU-US Data Transfer Agreement, Computer & Comm. Indus. Assoc. (Sept. 8, 2015).
- Cory Bennet, US, EU Ink Data-sharing Agreement on Investigations, The Hill (Sept. 8, 2015).
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,