EU-US Umbrella Agreement & Judicial Redress Act

• Background |
• EPIC's Interest |
• Resources |
• News

Summary

The EU-US agreement, the so-called "Umbrella Agreement," is a framework for transatlantic data transfer between the US and the EU. The proposed goal of the Agreement is to provide data protection safeguards for personal information transferred between the EU and the US.

Top News

• Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million: A federal court in Washington, DC has dismissed two lawsuits against the Office of Personnel Management over the data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the "troubling allegations" raised by OPM's victims but ruled that "the fact that a person's data was taken" is not "enough by itself to create standing to sue." EPIC has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed comments last year with OPM recommending limits on data collection, has recommended updates to the federal Privacy Act, and has urged the Supreme Court to recognize a right to "informational privacy" and to ensure Privacy Act damages for non-economic harm. (Sep. 20, 2017)
• EPIC Tells Congress US-UK Surveillance Agreement Should be Made Public: EPIC has sent a statement to the House Judiciary Committee for a hearing on "Data Stored Abroad." According to news reports, the United States and the United Kingdom are drafting a secret agreement for transnational access to personal data that would bypass legal and judicial safeguards. In November 2016, EPIC filed a FOIA Request for the draft US-UK agreement. The Justice Department recently informed EPIC that responsive documents had been located and would be referred to the State Department for additional processing. EPIC has long pursued public release of international agreements. In 2016, EPIC obtained the "Umbrella Agreement," concerning the transfer of personal data from the EU to the US, after a successful Freedom of Information Act lawsuit. (Jun. 14, 2017)
More top news »
US Designates Countries Covered Under the Judicial Redress Act » (Jan. 23, 2017)
During the final week in office, the Obama Department of Justice released the list of European countries covered under the Judicial Redress Act. The Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU "Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended substantial changes to the Judicial Redress Act, explaining in a letter to Congress that the bill still did not provide adequate protection to permit transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement.
New Study Shows Global Increase in Comprehensive Privacy Protections » (Nov. 29, 2016)
An updated study by David Banisar of the human rights organization Article 19 finds that over 100 countries now have data protection laws. Another 40 countries are considering new laws, and most countries have established a data protection authority to enforce privacy protections. Two EPIC publications - The Privacy Law Sourcebook 2016 and Privacy and Human Rights: An International Survey of Privacy Laws and Developments - provide an overview of privacy frameworks around the world and track emerging privacy challenges. EPIC has urged the US Congress to establish a federal privacy agency and to enact comprehensive privacy legislation.
EPIC Urges OMB to Strengthen Privacy Act Safeguards » (Nov. 7, 2016)
EPIC has submitted comments on Circular A-108, guidelines proposed by the Office of Management and Budget for federal agency compliance with the Privacy Act. EPIC warned that agencies frequently misuse exceptions to the Privacy Act to circumvent important safeguards required by law. EPIC urged the OMB to "strengthen its guidance on federal agency implementation of the Privacy Act" and to limit the 'routine use' exemption. EPIC regularly comments on privacy safeguards for federal databases and has urged Congress to modernize the Privacy Act.
"Judicial Redress Act" Provides Little Redress » (Feb. 12, 2016)
The Judicial Redress Act of 2015, enacted by Congress and now on to the President for signature, fails to extend Privacy Act protections to non-U.S. citizens. EPIC previously recommended changes to protect transborder data flows. The bill, as adopted, coerces European countries to transfer data to the US, even without adequate protection, or be denied legal rights. Congress adopted the narrow amendment to the Privacy Act without any changes to benefit U.S. citizens even after a data breach compromised 21.5 records maintained by the Office of Personnel Management. EPIC explained that the OPM breach made clear the need for updates to the federal privacy law.
Hackers Breach US Government Database, No Recourse for Non-Americans » (Feb. 9, 2016)
Less than a week after the European and US governments struck a deal for a framework to permit transborder data flows of personal data, hackers breached sensitive personal data at the US Department of Homeland Security. The DHS stores vast amounts of personal information on non-US persons, including detailed travel information. Under current law, non-US persons have no legal rights when federal agencies fail to safeguard their personal data. EPIC is seeking release of the so-called "Privacy Shield" and has launched a new campaign to promote Data Protection in the United States.
EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement » (Jan. 25, 2016)
After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's opposition to the agency's attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.
EPIC Urges Senate to Postpone Action on Judicial Redress Act » (Jan. 16, 2016)
Today EPIC urged the Senate Judiciary Committee to postpone action on the Judicial Redress Act until the Department of Justice releases a secret data transfer agreement on which the bill is based. The so-called Umbrella Agreement outlines data transfers between law enforcement agencies in Europe and the United States. EPIC has sued the DOJ for release of the document. EPIC also urged the Senate Committee to conduct a public hearing on Privacy Act modernization following the massive data breach at the office of Personnel and Management.EPIC previously wrote to the House Judiciary Committee to recommend updates to the Privacy Act.
EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit » (Jan. 6, 2016)
In its fight to obtain a copy of the EU-US Umbrella Agreement, EPIC asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC's complaint, the court entered default against the agency. The Agreement is central to pending legislation, which the Senate Judiciary Committee is set to debate this month yet the DOJ has not made the document available to the public or to Members of Congress.
Senate Postpones Action on Weak EU-US Privacy Measure » (Dec. 12, 2015)
The Senate Judiciary Committee has "held over" the Judicial Redress Act, industry-sponsored legislation regarding the transfer of personal data on Europeans to the United States. European legal experts have stated that the measure does not provide meaningful protections for the data of Europeans. Forty NGOS have recommended substantial changes to privacy law in the US and the EU to make possible the continuation of transborder data flows. EPIC has also recommended specific changes to the Judicial Redress Act. European data protection agencies are expected to begin enforcement actions against US companies after January 30, 2016. According to Govtrack, the Judicial Redress Act has a "1% chance of being enacted."
EPIC Sues for Release of Secret EU-US "Umbrella Agreement" » (Nov. 4, 2015)
EPIC has sued the Department of Justice to obtain a secret agreement between the United States and the European Union concerning the transfer of personal information. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret even as Congress was voting on provisions to implement the text. "The DOJ has withheld from the public the text of an Agreement that is central to legislation currently pending before Congress and critical to a related negotiation between the United States and the European Union that implicates the fundamental rights of Americans and Europeans" wrote EPIC in the FOIA lawsuit.
After FOI Request, EPIC Obtains Secret "Umbrella Agreement" from the EU Commission » (Oct. 23, 2015)
The EU Commission, in response to a freedom of information request, has released to EPIC the text of the EU-US data transfer agreement. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret. EPIC has filed multiple FOIA requests with US federal agencies and the European Commission to obtain public release of the document. The Agreement, alongside the Judicial Redress Act, is a key document in the aftermath of the European court decision striking down the Safe Harbor arrangement. Legal scholars who have reviewed the agreement have concluded it is deeply flawed. EPIC continues to pursue the public release of the Agreement from US federal agencies.
House Passes Faux Privacy Bill » (Oct. 21, 2015)
The House of Representatives has passed the Judicial Redress Act of 2015, which—contrary to its stated purpose—fails to extend Privacy Act protections to non-U.S. citizens. In a letter to Congress, EPIC explained that the bill does not provide adequate protection to permit transborder data flows and recommended changes to ensure protections for all personal information collected by U.S. federal agencies. Congress moved to advance the bill after announcement of the recently concluded but secret EU-US "Umbrella Agreement". EPIC submitted a Freedom of Information request for the Umbrella agreement, and recently filed an administrative appeal challenging the agency's denial of expedited processing.
European Data Protection Authorities Conclude Data Transfers under Safe Harbor Now Unlawful » (Oct. 17, 2015)
Following the landmark ruling that invalidated the Safe Harbor data transfer arrangement, the Article 29 Working Party, composed of privacy officials across Europe, issued a preliminary statement. They called for solutions "enabling data transfers to the territory of the United States that respect fundamental rights." They concluded that "transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful." Also, Standard Contractual Clauses and Binding Corporate Rules will not provide an adequate basis. EPIC, US and European consumer organizations have urged lawmakers in the United States to update US privacy law.
EPIC Expresses Support for Advocate General Opinion in Schrems Case » (Sep. 28, 2015)
In a statement issued today, EPIC supported a recent opinion of the Advocate General of the Court of Justice of the European Union which found that the Safe Harbor Arrangement was invalid. Safe Harbor has operated for several years as a substitute for the legal protections that would otherwise be required for the transfer of personal data across national borders. EPIC said that Safe Harbor has "given rise to significant concerns on both sides of the Atlantic about the adequacy of the privacy and security afforded personal information." Earlier today the US Mission issued a statement calling into question the opinion of the Advocate General. The Mission stated that the PRISM program, operating in conjunction with Safe Harbor and involving the mass surveillance of EU citizens, is "duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations."
EPIC celebrates International Right to Know Day » (Sep. 25, 2015)
On September 28, EPIC celebrates International Right to Know Day and government transparency. EPIC has pursued numerous FOIA cases and routinely made the information obtained available to Congress and the public. EPIC recently filed a FOIA request to obtain the secret US-EU data transfer agreement. For more information, see EPIC Open Government. @EPICprivacy #FOISuccess #IRTKD2015
EPIC Recommends Changes to Judicial Redress Act » (Sep. 16, 2015)
In a letter to the House Judiciary Committee, EPIC recommended changes to the Judicial Redress Act to provide meaningful protections for data collected on non-U.S. persons. The bill, also pending in the Senate, seeks to amend the federal Privacy Act. EPIC explained that the legislation under consideration fails to provide adequate protection to permit transborder data flows. EPIC also pointed to increasing public concern in the United States about failure to enforce the law. EPIC has previously recommended Congressional action to ensure adequate protections for all personal information collected by U.S. federal agencies. EPIC is also seeking public release of the text of the EU-US "Umbrella Agreement."
Congress Moves to Advance Judicial Redress Act as Secret Police Agreement is Leaked in Europe » (Sep. 15, 2015)
A Congressional committee will this week consider endorsement of the Judicial Redress Act, after announcement of the just concluded EU-US "Umbrella Agreement." EPIC filed expedited an FOIA requests to obtain the text of the secret agreement. The document was since made available by Statewatch. EPIC will pursue official release of the Agreement from US and EU authorities to the public. Regarding amendments to the Privacy Act, EPIC has made extensive recommendations for Privacy Act modernization, including specific changes to the damages provision that would correct a Supreme Court holding and address such problems as the OPM data breach.
EPIC Pursues Public Release of EU-US Agreement on Data Transfers » (Sep. 10, 2015)
EPIC has filed an expedited FOIA request to obtain a secret agreement between US and EU law enforcement agencies concerning the transfer of personal data. Citing legislation pending in Congress and NGO concern about the scope of the data protection safeguards, EPIC said "there is an urgency to inform the public" about the contents of the agreement. EPIC has pursued numerous FOIA cases and routinely made the information obtained available to Congress and the public. The agency has 10 days to respond to EPIC's request about the law enforcement "umbrella agreement."

Background

On September 8, 2015 European and US officials announced that they have concluded an agreement on data protection for transatlantic criminal investigations. The EU Justice Commissioner stated, "Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic." Despite the announcements, neither US officials nor their European counterparts made the text of the Agreement public.

Analysis of the Umbrella Agreement

The full text of the Agreement between the US and the EU on the Protection of Personal Information Relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offenses (Umbrella Agreement) was first made public by Statewatch. On September 14, 2015, the EU Parliament released the unofficial version of the agreement. EPIC pursues the public release of the document by US and EU agencies.

In-depth analysis of the Umbrella Agreement is here.

EPIC's Interest

EPIC supports the establishment of a comprehensive legal framework to enable transborder data flows. EPIC previously urged that the United States begin the process of ratification of Council of Europe Convention 108.

The federal Privacy Act of 1974 places a duty upon federal agencies that maintain personal information to protect that data. This duty and concomitant responsibilities arise from the collection of personal data. Therefore, it does not matter what the data owner's citizenship or origin is. EPIC has previously made recommendations regarding Privacy Act modernization.EPIC routinely provides comments to federal agencies regarding Privacy Act compliance, and we have provided amicus briefs to the U.S. Supreme Court in two Privacy Act cases, Doe v. Chao and FAA v. Cooper. EPIC has also written extensively on data protection concerns arising from the transfer of personal information between the European Union and the United States.

Judicial Redress Act of 2015

Significantly, the Umbrella Agreement requires amendment to the US Privacy Act of 1974 before it has legal effect. Congress has proposed this legislation in the Judicial Redress Act of 2015.

In a letter to the House Judiciary Committee, EPIC recommended changes to the Judicial Redress Act to provide meaningful protections for data collected on non-U.S. persons. The bill, also pending in the Senate, seeks to amend the federal Privacy Act. EPIC explained that the legislation under consideration fails to provide adequate protection to permit transborder data flows. EPIC also pointed to increasing public concern in the United States about failure to enforce the law. EPIC has previously recommended Congressional action to ensure adequate protections for all personal information collected by U.S. federal agencies. EPIC is also seeking public release of the text of the EU-US "Umbrella Agreement."

Resources

• Douwe Korff, EU-US Umbrella Data Protection Agreement : Detailed analysis, FREE Group (October 14, 2015)
• EPIC Webpage on FOIA requests to obtain the text of the Umbrella Agreement, EPIC v DHS, DOJ and State Department (2015)
• EU-US Umbrella Agreement (Released by the EU Parliament, Sept. 14, 2015).
• Convention 108: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Council of Europe.
• Marc Rotenberg, On International Privacy: A Path Forward for the US and Europe, Harv. Int’l Rev. (June 2014)
• Francesca Bignami, The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens, Directorate General for Internal Policies, Policy Department C:Citizens’ Rights and Constitutional Affairs, Civil Liberties, Justice and Home Affairs (May 15, 2015)

News

• Peter Schaar, Leaky Umbrella, Europäische Akademie für Informationsfreiheit und Datencshutz (Sept. 18, 2015).
• Cat Zakrzewski, Tech Firms Support Bill Expanding Privacy Rights To Non-U.S. Citizens, TechCrunch (Sept. 16, 2015).
• Jennifer Baker, In EU-US data sharing we trust - but can we have that in writing, say MEPs, The Register (Sept 16, 2015).
• Mehboob Dossa et al., EU and U.S. Reach “Umbrella Agreement” on Data Transfers, JD Supra (Sept. 15, 2015).
• Jean De Ruyt & Monika Kuschewsky, EU - US Umbrella Agreement About to be Concluded: Towards a Transatlantic Approach to Data Protection?, National Law Review (Sept. 10, 2015).
• What the E.U.-U.S. Umbrella Agreement Does-And Does Not-Mean for Privacy, Access (Sept. 10,2015).
• Dustin Volz, u.s. and Europe Forge Data-Protection Dealfor Terrorism Cases, National Journal (Sept. 8, 2015)
• Heather Greenfield, CCIA Welcomes EU-US Data Transfer Agreement, Computer & Comm. Indus. Assoc. (Sept. 8, 2015).
• Cory Bennet, US, EU Ink Data-sharing Agreement on Investigations, The Hill (Sept. 8, 2015).