Movement in U.S.-EU Data Transfer Agreements

The United States (U.S.) and European Union (EU) have reached a deal to allow the sharing of personal data for law enforcement purposes while protecting the data, under a so-called "umbrella agreement." The deal was four years in the making and is now in its final form. The umbrella agreement will bind U.S. and EU government authorities to maintain the security of the personal data of each other's citizens when that data is used for law enforcement or national security purposes. The agreement will also hold the respective governments accountable for data misuse, through access, rectification, maintenance, and retention requirements. Notably, the agreement offers onward transfer rights for law enforcement authorities pursuant to the prior consent of the original law enforcement authority. An apparently final version of the agreement that has been posted publicly also outlines breach notification requirements based on a "significant risk of damage" and the "likelihood and scale of damage to individuals and to the integrity of the [law enforcement authority]'s program." The umbrella agreement also requires authorities to refrain from retaining data for longer than necessary or appropriate. In general and despite its outline of specific requirements, the umbrella agreement leaves the door open for the U.S. and EU to conclude clarifying agreements.

Nonetheless, a hurdle remains for the U.S. before the parties formally sign and conclude the umbrella agreement. The Commission has made it clear that the U.S. Congress must act to enshrine the right to judicial redress in the U.S. for European Union citizens before the completed agreement is formally signed. Such a bill on judicial redress was introduced in Congress in March 2015; yet current passage of the bill is daunting as Congress returns from recess to a full docket of pressing issues. Once the judicial redress bill passes Congress, the European Parliament must ratify the umbrella agreement so that the European Council can formally adopt it.

The right to judicial redress and parameters around data sharing for law enforcement purposes have been the sticking points in the revision of the separate U.S.-EU Safe Harbor (Safe Harbor) agreement. The Safe Harbor agreement is said to be close to finalization as the U.S. Department of Commerce and European Commission wrap up their negotiations. Safe Harbor currently allows over 4,400 companies to transfer personal data for commercial purposes from Europe to the U.S. in compliance with the 1995 European data protection directive, and both sides of the Atlantic have said that its survival is important for business continuity and transatlantic trade.

An eagerly anticipated European Court of Justice (ECJ) case about Safe Harbor, which has been moving parallel to the Safe Harbor renegotiation, is also one step closer to finalization. Yves Bot, advocate general of Europe's highest court, has announced that he will provide his opinion on September 23 in Europe v. Facebook. The case was brought by Max Schrems, an Austrian law student who argued that Safe Harbor gave the U.S. National Security Agency (NSA) authority to gain access to the Facebook data of European citizens; a claim refuted by the Irish data protection commissioner to whom the complaint was originally made. The advocate general's opinion will act as guidance for the ECJ, and is not legal authority in and of itself.

Watch for news on all fronts in the coming weeks as Crowell & Moring continues to follow the high stakes U.S.-EU data transfer negotiations.