Five things you should know about the EU-US Umbrella Agreement

Earlier this month, negotiators from the United States and the European Union reached a preliminary deal on the so-called Umbrella Agreement. The Umbrella agreement is a transatlantic deal that sets standards for protecting personal data when it is transferred for law enforcement purposes. Notably, these rules do not apply to the transfer of commercial or employee data by companies like Google, Apple, Facebook, or Verizon. These companies must abide by a separate set of rules, the data sharing agreement called the Safe Harbour principles (see our recent press release on the Safe Harbour).

The text of the Umbrella Agreement has not yet been officially released, and we are only able to comment on it thanks to our friends at Statewatch, who published the text in full (EPIC has requested the formal release of the agreement under the US Freedom of Information Act).

Even though the agreement hasn’t been released, lawmakers have already been praising its scope and promoting it as a way to restore consumer trust. We have looked into five key pieces of the 14-page agreement aimed at establishing common standards for protecting privacy rights. Here is what you should know:

1.) The rules for data security are vague and leave room for broad discretion

The rules set to ensure the security of data transferred and stored are vague and leave room for broad discretion. There is no clear requirement that security protocols be subject to audits or review in order to ensure that the information is properly protected. Notably, the cooperation procedures between data protection agencies are limited to where cooperation is feasible and to cases of “significant doubts”.

Additionally, the text does not provide any guidance on proper ways to safeguard data, while at the same time allowing for retention mandates that could undermine security. Also undefined is what would constitute a triggering event for data breach notification. The agreement requires notification when there is a “significant risk of damage” without providing guidance on what constitutes “damage”. For the most part governments have tied damage to financial harm, although Access has advocated for a standard that recognizes the significant non-financial harms that could be suffered when personal information is compromised.

Perhaps most troubling is the possibility that the rules would not be binding beyond the initial transfer, meaning data could be further transferred within the receiving governments’ bureaucracies without other agencies having to follow the same rules.

2.) Personal data could be shared with another country

After authorisation from a data protection agency, personal data could be shared outside the EU and the United States. To transfer personal data from a US citizen outside the EU, prior authorisation from the US is necessary, and vice versa.

Importantly, the agreement prohibits refusing to transfer data to a third country on the basis that the country has an insufficient level of data protection. Data could therefore be shared with countries where no measures for data security and judicial remedy are in place, putting individual privacy at risk.

3.) Data could be retained so long as it’s “necessary and appropriate” — an untested standard

A data retention mandate is the requirement that personal information is stored for a preordained period of time to be used at a later date — for instance, during an investigation. As Access has previously explained, data retention mandates violate human rights, are ineffective, and create additional attack surfaces for bad actors. Despite long-recognized international law that requires that all measures that interfere with the right to privacy be necessary and proportionate, the Umbrella Agreement requires only that the EU and the US adopt data retention rules that are “necessary and appropriate”. This untested, unfamiliar standard opens the door for a wide range of interpretations and abuses.

The lack of legal certainty in this agreement is a characteristic shared with the EU-US Passenger Name Record agreement. Under this agreement, the passenger data of all transatlantic passengers could be retained for up to 15 years — a length of time that is hard to conceive of as proportionate in light of EU case law. As the rules established by the Umbrella Agreement will apply to the EU-US PNR agreement, it appears that the 15-year retention period will remain unquestioned.

4.) The agreement does not provide a right to remedy for EU citizens

The Umbrella Agreement does not grant EU citizens a right to remedy for privacy violations — a right that already exists for US citizens in the EU. However, adoption of the Umbrella Agreement is contingent on the US Congress passing legislation that grants EU citizens this right, specifically the Judicial Redress Act of 2015, which was introduced by US congressman James Sensenbrenner. The bill passed out of the House Judiciary Committee last week by voice vote and is expected to pass the full chamber. The timing of passage remains uncertain, given the long list of items on the US Senate’s congressional agenda.

The Judicial Redress Act would grant a limited right for non-US citizens to pursue civil remedies in cases when their personal information has been misused under certain sections of the US Privacy Act of 1974. This does not, however, protect people from misuse of data collected by federal agencies or in federal programs that have been made exempt from these protections. Nor would it allow them to initiate legal claims against companies for privacy breaches that take place in the US.

To enable individuals to exercise this limited right to remedy, the Umbrella Agreement establishes rules for transparency and access to information. This access could, however, be limited at the discretion of the authorities and would not be free of charge. Further limitations exist. See our previous post on the Umbrella Agreement for more information on the right to remedy.

5.) The agreement foresees oversight mechanisms

The agreement foresees the establishment of a large number of oversight mechanisms in the EU via its member states and data protection authorities, and, in the US, via government accountability offices, privacy boards, chief privacy officers, and state executives. These bodies will be able to carry out independent reviews on their own initiative and to receive complaints from individuals. While these mechanisms are already extensive, a cooperation mechanism between bodies could have been provided, especially for cross-border cases.

What’s next?

The agreed text of the Umbrella Agreement will have to be ratified by the European Parliament. The vote will not take place until the US Congress passes the Judicial Redress Act, which could take a few months.

Access urges lawmakers to take into account the above highlighted shortcomings of this agreement and learn from past mistakes. Clarity and legal certainty should be brought to the text. This could be done through a comprehensive legal review of the agreement before considering ratification.

Photo credit: Hartwig HKD