Agreement between The United States of America and The European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offenses (not yet binding under PIL)
The European Parliament, in a resolution on 26 March 2009, called for an EU-US agreement that ensures adequate protection of civil liberties and personal data protection. In December 2009, the European Council invited the Commission to propose a Recommendation "for the negotiation of a data protection and, where necessary, data sharing agreements for law enforcement purposes with the US." Negotiations officially begun on 29 March 2011.
The EU-US so-called "Umbrella Agreement" puts in place a data protection framework for EU-US law enforcement cooperation. The Agreement covers all personal data (for example names, addresses, criminal records) exchanged between the EU and the U.S. for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. The agreement will complement existing EU-US and MS–US agreements between law enforcement authorities. It will create clear harmonised data protection rules and set a high level of protection for future agreements in this field.
The Umbrella agreement will provide the following protections to make sure that everyone's data are protected when exchanged between police and criminal justice authorities:
- Clear limitations on data use – Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences, and may not be processed beyond compatible purposes.
- Onward transfer – Any onward transfer to a non-US, non-EU country or international organisation must be subject to the prior consent of the competent authority of the country which had originally transferred personal data.
- Retention periods - Individuals' personal data may not be retained for longer than necessary or appropriate. These retention periods will have to be published or otherwise made publicly available. The decision on what is an acceptable duration must take into account the impact on people's rights and interests.
- Right to access and rectification - Any individual will be entitled to access their personal data – subject to certain conditions, given the law enforcement context – and request it to be corrected if it is inaccurate.
- Information in case of data security breaches – A mechanism will be put in place so as to ensure notification of data security breaches to the competent authority and, where appropriate, the data subject.
- Judicial redress and enforceability of rights - EU citizens will have the right to seek judicial redress before US courts in case of the US authorities deny access or rectification, or unlawfully disclose their personal data. This provision of the Agreement depends on the adoption by U.S. Congress of the US Judicial Redress Bill will have been adopted.
Reference number: -
Issue date: 08-09-15
Official Journal: Not yet published in the Official Journal