The Umbrella Agreement just isn’t good enough to protect our rights

Update: Today the European Parliament has adopted the Umbrella Agreement which will now become binding and enter into force after its publication in the Official Journal. We deplore this adoption given the inherent flaws of the text and encourage the EU institutions to review the Agreement at the earliest possible opportunity.


Today, the Civil Liberties Committee of the European Parliament has approved the EU-US Umbrella Agreement, which ostensibly aims to protect the privacy of personal data that is transferred overseas for law enforcement purposes. There is relative consensus on the need for such an agreement, but the final text came under heavy fire from privacy experts because it fails to comply with EU law. The representatives of the European Parliament have nevertheless decided to vote for the flawed agreement, and it will now be presented for a final vote in the plenary in the next few weeks before being implemented. Once again, the EU has moved forward with a dysfunctional framework in an effort at political compromise with the US, instead of fully protecting Europeans’ fundamental rights.

Below we provide background on the negotiations for the agreement and analysis of the current state of play, including our reflections on the fate of EU-US data protection agreements in the wake of the recent US presidential elections.

Ten years of negotiations

Negotiations on a data protection agreement between the EU and the US started more than 10 years ago. Talks were completely stalled until the Snowden revelations re-established that there is a need for this kind of framework to protect users’ right to privacy when information is shared overseas. The agreement was completed in September of last year, with the condition that the US Congress pass the Judicial Redress Act (JRA), legislation to provide EU citizens with legal remedy in the US. Following passage of the JRA in the US, the Council of the European Union and the United States signed the agreement, and today, it was approved by the Civil Liberties Committee of the EU Parliament. Once the adoption is confirmed in plenary, the agreement will become binding and will enter into force after it is published in the Official Journal. From that point on, individuals will have access to the limited rights provided for under the agreement, with the exception of the right to remedy, which will require further steps (see below).

Right vehicles, wrong standards

Access Now has written extensively about the shortcomings of the Umbrella Agreement, in particular regarding the inclusion of untested legal standards and the lack of oversight.

Obtaining judicial redress for EU citizens was one of the key demands from the European Union in order to conclude negotiations on the Umbrella Agreement, which in itself does not grant EU citizens a right to remedy for privacy violations — a right that already exists for US citizens in the EU.

The Judicial Redress Act grants a very limited right to remedy to non-US citizens in cases when their personal information has been misused under certain sections of the US Privacy Act of 1974. This does not, however, protect people from misuse of data collected by federal agencies or in federal programs that have been made exempt from these protections. Nor would it allow them to initiate legal claims against companies for privacy breaches that take place in the US.

Further limitations exist. In fact, the agreement covers personal data transferred for purposes of prevention, investigation, detection, or prosecution of criminal offences, which includes data transferred under the EU-US Passenger Name Records (“PNR”) and Terrorist Finance Tracking Program (TFTP) agreements. However, PNR data are excluded from the scope of the Judicial Redress Act, which means that EU citizens would not be able to seek redress in case of abuse of these data. This inability to seek redress for the misuse of data was established by amendments to the US Privacy Act in 2007, shortly after the conclusion of the initial EU-US PNR agreement.

Finally, and perhaps most importantly, rights are universal and should not be limited based on nationality. Unfortunately, the United States only committed to uphold the rights of EU citizens under the agreement, leaving everyone who lives in the EU, but is not an EU citizen, without protection. It is unacceptable for the European Union to agree to lowering its standard of protection.

Trump election: What is the prospect for US compliance with its engagement?

The Judicial Redress Act gives discretion to the US Attorney General, together with other administrative bodies in the US, to designate countries or organisations whose citizens may pursue civil remedies once a country has met certain conditions. This means that, as of today, even the limited redress mechanism for EU citizens in the US is contingent on a written assurance rather than being an actual right to redress. And here is the problem: such a promise, by nature, is directly connected to the political will of the executive branch. Will President-elect Trump’s designated Attorney General keep a promise that was made under the Obama administration? Only time will tell, but the EU Commission must stand ready to suspend the agreement if the promise is not swiftly fulfilled.

How to play good hands badly

Edward Snowden presented the world with an opportunity to address the pressing issues of government surveillance, the role of private actors in the process, and how we perceive and protect privacy in a democratic society. In the EU-US context, this has led to legal challenges and negotiations such as the Privacy Shield and the Umbrella Agreement.

Even though those frameworks are very different in nature, a data transfer scheme on the one hand and a data protection agreement on the other, they both presented a unique chance for the EU to ensure and improve the protection of users’ rights. Unfortunately, it has turned out to be a lost opportunity. Both European and US negotiators mis-characterised the Privacy Shield and the Umbrella Agreement and overstated the level of protection these instruments provide for privacy and data protection.

In both cases, the EU insisted on the adoption of these frameworks regardless of the flaws, and despite violations reported by numerous experts, including the European Parliament’s own legal service, data protection authorities, academics, and NGOs. EU officials conceded fundamental rights despite the real legal leverage they had during the negotiations. The political compromises include the option to suspend the Umbrella Agreement, and in the case of Privacy Shield to suspend data flows. Access Now urges all stakeholders to use this option wisely to correct these errors and once again ensure that the level of data protection and privacy complies with human rights requirements.

We acknowledge that creating data protection measures for data transfer schemes is an important step in the right direction, but the current framework is simply not good enough. It does not meet the standards set by EU law. So far the EU has fallen short of fulfilling its role to protect EU citizens. Now, more than ever, it’s important for the EU to stay strong on all cross-border agreements and to uphold the integrity of its laws and policies.