What the E.U.-U.S. Umbrella Agreement does — and does not — mean for privacy

Update, 9/15/2015: The full text of the E.U.-U.S. Umbrella Agreement has now been released [PDF].

Negotiators from the United States and the European Union recently reached a preliminary deal on the so-called Umbrella Agreement, a transatlantic deal that sets standards for protecting personal data when it is transferred for law enforcement purposes. However, one key hurdle remains before the agreement will be signed off: the U.S. must grant a right to remedy for E.U. citizens who suffer privacy violations (a right that already exists in the E.U. for U.S. citizens in similar circumstances). It remains to be seen whether the U.S. will follow through on providing that protection, and whether it will be meaningful enough to meet E.U. standards.

What is the Umbrella Agreement?

The Umbrella Agreement seeks to ensure robust protection for data transferred between the E.U. and the U.S. in the context of police and judicial co-operation in criminal and terrorist matters (note: this does not include transfers for other purposes, such as transfers for consumer purposes). The agreement aims to establish common standards for protecting privacy rights. The text, which has not yet been made public, sets rules for:

  • retention periods,
  • onward transfer to third states,
  • right to access and rectification, and
  • notification in case of data breach.

Robust protection of data is the objective of the Umbrella Agreement. However, since the text is not yet available for analysis, we can’t be sure yet whether the rules will meet that objective.

Will the Umbrella Agreement include a judicial redress mechanism for non-U.S. citizens?

The Umbrella Agreement does not grant E.U. citizens the right to remedy for privacy violations. However, adoption of the Umbrella Agreement is contingent on the U.S. Congress passing legislation that grants E.U. citizens this right, specifically the Judicial Redress Act of 2015, which was introduced by U.S. congressman James Sensenbrenner. This bill would give discretion to the U.S. Attorney General, with the concurrence of other administrative bodies in the U.S., to designate countries or organizations whose citizens may pursue civil remedies once certain conditions have been met by that country.

The Judicial Redress Act would grant a limited right to remedy to non-U.S. citizens in cases when their personal information has been misused under certain sections of the U.S. Privacy Act of 1974. This does not, however, protect people from misuse of data collected by federal agencies or in federal programs that have been made exempt from these protections. Nor would it allow them to initiate legal claims against companies for privacy breaches that take place in the U.S.

Further limitations exist. For instance, data collected under the E.U. Passenger Name Records (“PNR”) agreement would not be subject to the Judicial Redress Act. Therefore, E.U. citizens would not be able to seek redress if the information collected under the E.U.-U.S. PNR agreement is misused. This inability to seek redress for the misuse of data was established by amendments to the U.S. Privacy Act in 2007, shortly after the conclusion of the initial E.U.-U.S. PNR agreement.

When will the U.S. Congress pass the Judicial Redress bill?

It’s not likely that the Judicial Redress Act will be debated in the U.S. Congress before the end of this year, particularly since several other high-priority items are competing for time on the agenda (such as the Iran nuclear deal and the debt ceiling increase).

Currently, the quickest route for passage would be through attachment as an amendment to the infamous Cybersecurity Information Sharing Act (CISA). U.S. Senator Chris Murphy is sponsoring the amendment, along with Senator Orrin Hatch. However, many civil society groups and privacy experts are vehemently opposed to CISA, which gives private companies legal immunity for sharing sensitive personal information with federal agencies. CISA would increase the amount of users’ private information that could be sent to government agencies, without providing adequate protection for privacy or other human rights. Given the considerable opposition to CISA, the U.S. Congress may turn to alternative legislative vehicles for strengthening online security.

What should the U.S. Congress do?

There are broad exemptions in the U.S. Privacy Act that have long been exploited by federal agencies to limit remedies for U.S. citizens. These exemptions could also make it so that the Judicial Redress Act will be inadequate to appease the E.U. Congress should substantively narrow these exemptions and hold federal agencies accountable to the global public. Additionally, this important issue should not be coupled with a harmful surveillance bill like CISA. To do so means that any potential benefits of passing the Judicial Redress Act would be trumped by the greater loss to privacy that CISA represents.

Stay tuned for more updates on the Umbrella Agreement and in-depth analysis of the text when it becomes available.

Photo credit: Hartwig HKD