Transatlantic framework for data protection : additional safeguard or threat for EU citizens personal data ?
“For the first time ever, the EU citizens will be able to know, by looking at one single set of rules, which minimum rights and protection they are entitled to, with regards to data share with the US in the law enforcement sector”. These are the words of P. Michou, chief negotiator in charge of the negotiation process of the so called EU-US “Umbrella Agreement”, who gave a public overview on the lately finalized transatlantic data protection framework in the field of law enforcement cooperation. The speech, delivered during the last meeting of the LIBE committee of the European Parliament, has met a warm welcome by the MEPs. Great congratulations have been expressed by all the political groups, for the work done by the negotiating team of the Commission that, from its side, has thanked the LIBE committee for its strong support and pressures. As Mrs. Michou said, they “helped us to be stronger in our negotiations”. Negotiations that were dealt with a partner that is far from being an easy one. The words of Michou, however, have not completely reassured all the MEPs, who have called for a legal opinion on the text of the agreement to be delivered by the legal department of the European Parliament. Legal certainties about the potential benefits or detrimental effects that this agreement could have on the existing EU data protection rules, as well as on past and future agreements, have been asked by the majority of the deputies, as a necessary precondition for the vote.
An EU-US agreement in the field of protection of personal data was already called by the European Parliament in the year 2009. At that time, in a resolution on the state of transatlantic relation, the Parliament underlined the necessity of a “proper legal framework, ensuring adequate protection of civil liberties, including the right to privacy”, to be agreed on the base of a binding international agreement. The Commission then, on the invitation of the European Council, proposed a draft mandate for starting the negotiations with the United States, on a high standard system of data protection. The final mandate, being adopted by the Council in December 2010, opened the negotiation procedure among the two partners, that formally started on March 2011.
The negotiations have been though, mainly because of a great cultural difference existing among the two partners in terms of data protection, but after four years of work, the agreement has been initialed in Luxembourg, last September 8th. The final text, that can be signed only with the authorization of the Council and the consent of the Parliament, represents a huge step forward: “if we look back to some years ago, it was clear that some of the issues that have been now achieved in the text, couldn’t even have been theoretically possible”, Jan Philippe Albrecht (Greens/EFA) said, by opening the debate after Mrs. Michou speech.
The european Commissioner for Justice, Consumers and Gender Equality, Věra Juorová, by declaring full satisfaction for the conclusion of the discussions, affirmed: “robust cooperation between the EU and the US to fight crime and terrorism is crucial to keep Europeans safe. But all exchanges of personal data, such as criminal records, names or address, need to be governed by strong data protection rules. This is what the Umbrella Agreement will ensure.”
Terrorism or organized crime are phenomena that definitely constitute serious threats to security. However, leaving aside the narrow concept of security, as many theories and authors consider nowadays, a threat to security can be identified as any threat to the “cherished values” of our society: thus also to those values such as the right of privacy and the data protection.
The issue concerns how security and law enforcement are able to positively and constructively interact with new technology, but also to clash with it.
On one side, the information and data sharing is now a fundamental and crucial aspect of policy and judicial inter-state cooperation, since major threats and criminal phenomena have assumed a transnational connotation. On the other side however, it is necessary to ensure the protection and the fair and limited treatment of information, that is transferred as part of the transatlantic cooperation in criminal matters, in order to avoid abuses and the setting up of mass surveillance systems.
The two transatlantic partner, have already settled a substantial framework of data transfer rules. In 2010 they signed an agreement on the processing and transfer of financial messaging data from the EU to the US, for the purposes of the Terrorist Finance Tracking Program (TFTP); while in 2012 they concluded a bilateral agreement for the exchange of PNR (Passenger Name Records) data.
“Data protection is a fundamental right of particular importance in the digital age. In addition to swiftly finalizing the legislative work on common data protection rules within the European Union, we also need to uphold this right in our external relations.” This principle was included by Jean-Claude Juncker in the political priorities of the European Commission agenda, presented in July 2014.
A look inside the “Umbrella Agreement”
The Umbrella Agreement constitutes a proper and wide framework of protection for all the data exchanges among EU and US, in the field of criminal law enforcement. As the Commission made it clear during its exposition, the agreement “does not regulate or authorize any data transfer, but exclusively focuses on safeguards and rights of individuals”.
The agreement, whose text has not been published yet, mainly aims at increasing the level of data protection: the collection and processing of all data will remain subject to national and EU protection rules, and only their proper transfer will occur on the base of the safeguard measures provided by the “Umbrella”.
Mrs. Michou has spoken about a backward looking added value of the agreement, that once adopted, will complement any existing legal bases, such as the agreements on data transfer among the EU and the US, by adding protection and safeguard provisions where they’re missing. According to the Commission opinion, “most of the existing agreement lack these safeguards” actually. The text, will also have a forward looking added value, since it will constitute an important legal precedent and a guarantee for future rulings, that shall not fall below the high standards of protection settled by the “Umbrella”.
The comprehensive nature of the text provides specific measures about all the EU core data protection rules and principles: limitations on data use, onward transfer, retention period, safeguards on the processing of sensitive data, right to access and rectification, information in case of data security breaches, judicial redress and enforceability of rights.
The text settles clear limitation on the time and the scope for the retention of data, that “may be used only for the purpose of preventing, investigating, detecting or prosecuting criminal offences, including terrorism, in the framework of police cooperation and judicial cooperation in criminal matters”, and for no “longer than necessary or appropriate”. “The decision on what is an acceptable duration must take into account the impact on people’s rights and interests”.
Clear limitations have been put in place also with regards to onward transfer of data to third countries or international organizations, that is possible only under the prior consent of the competent authority of the country that originally transferred the data.
The last point to be settled during the discussions has been the language issue. According to the US negotiators the translation and authentication of the final agreement in all the 24 official languages of the EU would be too burdensome in terms of both time and resources. Moreover, multiple versions could easily arise legal interpretation disputes and conflicts. Therefore, the final solution envisages the signature of the agreement only in english, since it has been the language in which the negotiation process has been conducted. Hereafter, it will be possible to authenticate it in all the other official languages, by exchanging diplomatic notes with the US. In case of conflict or divergence among different versions, however, the english version will prevail. In line with the Commission view, this has been an important achievement, since “for the nature and the scope of the agreement, which primarily concerns individual rights and it is going to be essentially implemented by national authorities”. Thus, the latter, as well as all the EU citizens, must join the right to access the text in their own languages.
Mutual trust to be restored
The necessity to set up a stricter set of rules for data protection has particularly strengthened in the light of E. Snowden revelations about the NSA digital surveillance of US allies in 2013. This induced the European Parliament to adopt a resolution calling for the suspension of the EU-US agreement on the exchange of bank transfer data, that was stored on the servers of the Belgian electronic money transfer cooperative Swift. “The revelations about NSA interception of SWIFT data make a mockery of the EU’s agreement with the US, through which the bank data of European citizens is delivered to the US anti-terror system (TFTP)”, Albrecht declared after the approval of the resolution in October 2013.
The abuse of new technology, aimed at settle real mass surveillance programs, not only constitutes an unlawful practice, but also compromises the good and authorized use of advanced instruments to improve cooperation in security and law enforcement field. Thus, clear and high levels of guarantee for the respect of the rule of law are indispensable requisites.
“In view of recent mass surveillance revelations…The U.S. must also guarantee that all EU citizens have the right to enforce data protection rights in U.S. courts, whether or not they reside on U.S. soil. This will be essential for restoring trust in transatlantic relations”, called the President of the European Commission in July 2014.
The Judicial Redress Bill
One of the key element of the “Umbrella Agreement”, laying at the core attention of european authorities and civil society, concerns the american Judicial Redress Bill, aimed at extending the protection of the American Privacy Act of 1974 to EU citizens. This provision, that once approved will allow the Attorney General to extend judicial redress to foreign country’s residents, has constituted a very controversial aspect all along the negotiation talks.
At present, American citizens (non-resident in the EU) are able to redress EU courts, in case their data are unlawfully processed on the european soil. The situation in this field is totally unbalanced, since the American Privacy Act does not provide any kind of similar protection for those who are not “a citizen of the United States or an alien lawfully admitted for permanent residence”: EU citizens (non-resident in the US) therefore, do not enjoy the right of judicial redress in the US, as the americans actually do in Europe.
The Judicial Redress Bill has been introduced in the US Congress in June 2015 by Senator Orrin Hatch and Senator Chris Murphy, who affirmed: “Our closest allies have raised legitimate concerns about the rights and protections of their own citizens in the United States for privacy violations. In support of the critical, collaborative relationships, it is in the United States’ best interest to grant our closest friends abroad limited privacy protections similar to those they provide to us.”
The Bill, as it has been underlined many times by the Commission during the debate in the LIBE committee, enjoys a bipartisan support within the Congress and a broad endorsement from various stakeholders. On June 25th, 17 trade associations and organisation, including Google, Yahoo and Microsoft, together with the Majority and the Minority leaders of the US Senate, jointly signed a letter to urge the Senator leaders to support the Bill. The White House, the U.S. Department of Justice and the U.S. federal law enforcement agencies gave a green light as well.
In line with this evidence, the Commission is confident that the Congress will soon pass the Bill, that constitutes an imperative pre-condition for any further steps towards the signature of the agreement: “without this, the Umbrella Agreement would not make any sense and it would not be approved by this house” has remarked Jan Philippe Albrecht (Greens/EFA) during the meeting.
The finalization of the agreement exercises now further pressure on the Congress. Nonetheless, Mrs. Michou has exhorted the deputies to use their personal contacts in the Congress to insist on the approval of the Bill.
Legal opinion and other issues raised by the MEPs
The finalization of the agreement triggers further considerations to be made, since a reform of the data protection legal framework is currently being discussed in trialogue talks, among the Parliament, the Council and the Commission and is supposed to be adopted by the end of the year (trialogue talks are supposed to be on the agenda of the Justice and Home Affairs Council of October 9th).
According to Mrs. Michou’s words, some of the agreed article even “anticipate certain element of the reform, that are not present in the current EU data protection acquis”.
However, Jan Philippe Albrecht (Greens), rapporteur of the European Parliament for the EU-US agreement, not only highlighted the importance of the American Bill approval, but also fixed another pre-condition for the vote of the Parliament on the “Umbrella”. “This agreement should not compromise the legislation on data protection that we have in place in the EU”, the deputy said, asking for the legal department of the European Parliament to deliver an opinion on it. “If those two conditions [the approval of the Judicial Redress Bill and the positive legal opinion] are met, then we can look at this agreement as an opportunity to start building a transatlantic binding data protection standards, not only in the law enforcement sector, but starting from that, also in the private sector”, positively stated the deputy by concluding his remarks.
The request has been sent to the chair of the committee, with full endorsement of the other political groups, except from the EPP.
“If I look at the text, the protections it offers are of much lower level than the once actually provided by the EU data protection legislation, that we’re currently discussing … I want to be absolutely sure before we vote, that there is no risk that this agreement will ever override the data protection directive”, firmly stated Sophie in’ t Veld (ALDE).
On the contrary, Monika Hohlmeier (EPP) fully entrusted the work conducted by the Commission during the negotiations. The deputy, by anticipating the words of Mrs. Michou, affirmed “I do trust the Commission for the check on all the legal aspects about the agreement”. The chief negotiator, indeed, underlined the meticulous scrutiny that was carried out by the negotiating team, even under the legal aspect of the agreement.
Cornelia Ernst (GUE/NGL) and Marju Lauristin (S&D) have openly supported the opinion of the rapporteur and raised further issues on the agreement. The socialist deputy said: “We have to have a very peaceful mind to vote for that … Still I confess that I might not be peaceful: what can we tell to non-Europeans living in the EU?” Many others MEPs have shared the question about the rules that will apply to non-EU citizens, since the text of the agreement explicitly refers to the “citizens of the EU”.
The EPP remarked that the EU is not entitled to rule for the citizens of other States, who remain subject to their national law. The Commission on its side, clarified that some concessions had to be made during the negotiations, therefore: “apart from the right to redress, all safeguards of the agreement will apply to everyone”.
The chief negotiator Michou and the rapporteur Albrecht, during the meeting inevitably made reference to the Safe Harbour Agreement on data transfer for commercial purposes, that allows american companies as Google, Facebook and Apple to bring back home European personal data.
In 2014, the Commission started the negotiations with the US on this issue, in order to review and update the principles of the system. Mrs. Michou concluded her speech by saying that the negotiations team is working very hard and closely with the US and she underlined that the process is being dealt in the light of high standards of data protection and strong guarantees. Moreover, next September 23th, the European Court of justice is supposed to state its conclusions on ‘Schrems case, that directly concerns the legal accountability of Safe Harbour system.
To know more
-. TRADE AGREEMENTS AND DATA FLOWS: SAFEGUARDING THE EU DATA PROTECTION STANDARDS http://europe-liberte-securite-justice.org/2015/07/30/trade-agreements-and-data-flows-safeguarding-the-eu-data-protection-standards/
-. MAX SCHREMS N’EST PLUS SEUL :CINQ AUTORITÉS NATIONALES ENQUÊTENT SUR FACEBOOK ! http://europe-liberte-securite-justice.org/2015/04/20/max-schrems-nest-plus-seul-cinq-autorites-nationales-enquetent-sur-facebook/
-. European Parliament resolution of 26 March 2009 on the state of transatlantic relationsin the aftermath of the US elections (2008/2199(INI)) (EN) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+P6-TA-2009-0193+0+DOC+PDF+V0//EN (FR) http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P6-TA-2009-0193+0+DOC+XML+V0//FR
-. LIBE committee meeting 15/09/2015: EU-US agreement on the protection of personal data when transferred and processed for law enforcement purposes (EU-US « umbrella agreement”) http://www.europarl.europa.eu/ep-live/en/committees/video?event=20150915-1500-COMMITTEE-LIBE
-. Statement by EU Commissioner Věra Jourová on the finalisation of the EU-US negotiations on the data protection « Umbrella Agreement” http://europa.eu/rapid/press-release_STATEMENT-15-5610_en.htm
-. Transfer of Air Passenger Name Record (PNR) and Data and Terrorist Finance Tracking Programme (TFTP) http://ec.europa.eu/justice/data-protection/international-transfers/pnr-tftp/pnr-and-tftp_en.htm
-. Jean-Claude Juncker, A New Start for Europe: My Agenda for Jobs, Growth, Fairness and Democratic Change (EN) http://ec.europa.eu/priorities/docs/pg_en.pdf#page=9 (FR) http://ec.europa.eu/priorities/docs/pg_fr.pdf#page=9
-. The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens http://www.europarl.europa.eu/RegData/etudes/STUD/2015/519215/IPOL_STU(2015)519215_EN.pdf
-. Murphy, Hatch introduce Judicial Redress Act of 2015 http://www.murphy.senate.gov/newsroom/press-releases/murphy-hatch-introduce-judicial-redress-act-of-2015
-. Broad support lining up behind Murphy-Hatch Judicial Redress Act of 2015 http://www.murphy.senate.gov/newsroom/press-releases/broad-support-lining-up-behind-murphy-hatch-judicial-redress-act-of-2015
-. NSA/SWIFT scandal. EU’s data agreement with US must be suspended says EP http://www.greens-efa.eu/nsaswift-scandal-10789.html
-. Suspension of the SWIFT agreement as a result of NSA surveillance (EN) http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2013-0449&language=EN (FR) http://www.europarl.europa.eu/sides/getDoc.do?type=TA&reference=P7-TA-2013-0449&language=FR
-. Max Schrems Vs. Facebook: Activist Takes Aim at U.S.-EU Safe Harbor http://blogs.wsj.com/digits/2014/11/20/max-schrems-vs-facebook-activist-takes-aim-at-u-s-eu-safe-harbor/
-. Commission decisions on the adequacy of the protection of personal data in third countries http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
Transfer of Air Passenger Name Record (PNR) Data and Terrorist Finance Tracking Programme (TFTP) http://ec.europa.eu/justice/data-protection/international-transfers/pnr-tftp/pnr-and-tftp_en.htm