The Snowden revelations of 2013 sparked tension between the European Union and the United States. European Union officials and Members of Parliament expressed shock and outrage at the surveillance programs that were unveiled. EU Member States, on the other hand, had less to say about the revelations, mainly because these countries run national security surveillance programs similar to those of the National Security Agency, and in close cooperation with that agency.
The European Commission set out its response to the revelations in November 2013 in the form of a set of recommendations for ‘Rebuilding Trust in EU-US Data Flows’. The EU institutions do not have competence to act on matters of national security, but they do have authority on data protection policy as it pertains to commercial entities and law enforcement.
The European Commission, confined by these constitutional limitations, responded to the revelations with two main initiatives. One was to request a revision of the EU-US Safe Harbor agreement that enables data transfer from the EU to the US by companies that have signed up to that arrangement. The Safe Harbor scheme may well be declared invalid shortly by the Court of Justice of the EU – details can be found here.
The Commission’s other main requirement – and the subject of this post – was the swift adoption of the ‘EU-US Umbrella Agreement’. The objective of the Commission in that Agreement is to put in place a high level of data protection when personal information is transferred between the US and an EU country for the purpose of investigating, detecting, or prosecuting a crime, including terrorism. It was recently initialed by EU and US negotiators, pending US Congress adoption of the Judicial Redress Act (JRA) (H.R. 1428). The text of the Umbrella Agreement has not been officially published, but has been made available by Statewatch.org.
The EU-US Umbrella Agreement
National security surveillance, and the public debate surrounding it, is the political context of the Umbrella Agreement and the JRA. But the first thing to note about these instruments is that, while national security was the impetus for them, neither will actually regulate national security surveillance, nor limit the access to personal data by intelligence agencies. Data transfers between authorities responsible for safeguarding national security are specifically excluded from the Umbrella Agreement.
The Umbrella Agreement puts in place a data protection framework for personal data transferred for the purpose of prevention, detection, investigation, and prosecution of criminal offenses, including terrorism. The agreement includes data governance requirements similar to those found in the Fair Information Practice Principles (FIPPs). Based on a preliminary analysis of the available text, the provisions seem reasonable, although there is certainly room for improvement. For example, the Umbrella Agreement’s provisions on access to information include a number of exceptions that could be narrowed down. On breach notification, the agreement contains a harm trigger, which ideally it should not. The Umbrella Agreement does not bar a country from circumventing its own privacy rules by receiving from another country information it could not collect directly under its own laws.
While improvements to the Umbrella Agreement could be made, putting in place a comprehensive set of data governance principles for law enforcement data is a step in the right direction and is likely to be an improvement on the current state of affairs. Once the Agreement is in place, mass transfers of personal information about financial transactions as well as Passenger Name Records of air travelers, will take place under a somewhat more privacy protective regime than was in place prior to the Umbrella Agreement. Additional transfers of personal information for criminal purposes will probably also be made under this regime.
The Judicial Redress Act
As mentioned, the Umbrella Agreement will only be formally concluded once the Judicial Redress Act is adopted. EU negotiators have insisted that privacy rights and remedies available to US persons should also be extended to EU citizens. This is the gap the JRA is intended to fill. The JRA (H.R. 1428) was approved by the House Judiciary Committee in September and is pending in the Senate as an amendment to the Cybersecurity Information Sharing Act, or CISA (S. 754).
To understand the Judicial Redress Act, one must first have a basic understanding of the Privacy Act of 1974. It sets forth certain data protection mandates that federal agencies must abide by, based on the FIPPs, when handling individuals’ data. Those mandates include: allowing individuals to access, review, and request correction of information an agency collects on them; limiting who can access someone’s data without their consent; and providing for civil and criminal penalties if an agency violates the Act. By its terms, the Privacy Act only applies to US citizens and permanent residents. The Privacy Act does not extend to much of the classified data collected by US intelligence agencies, meaning it is likely not the most effective tool for controlling the flow of personal information collected by US secret surveillance activities, or enabling a person to learn whether such surveillance has impacted them. While it covers sensitive personal information such as health, criminal, and financial information, it is also riddled with exceptions, and agencies apply it in ways that limit its effectiveness. As a result, even when it applies, Privacy Act protections are limited.
The JRA would extend certain, but not all, protections in the Privacy Act to records shared by EU and other designated countries with US law enforcement agencies for the purpose of investigating, detecting, or prosecuting criminal offenses, including records shared under the Umbrella Agreement. It affords persons who are the subject of those records – including citizens of EU Member States – access to civil remedies for certain violations of those protections, and access to court proceedings in which those remedies can be pursued. However, there are a number of exceptions, definitional limitations, loopholes, and other hurdles a citizen of an EU country must clear before he/she can actually seek redress under the law.
As a preliminary matter, the Act’s extension of Privacy Act protections would only apply to a country that either (1) has an agreement in place with the US outlining “appropriate” privacy protections for data shared for criminal cases (such as the Umbrella Agreement) or (2) “effectively shares” information with the US for the purpose of preventing, investigating, detecting, or prosecuting crimes. Such nations would be designated “covered countries” under the Act. The Attorney General could remove a nation from the list of covered countries if the country does not comply with an agreement like the Umbrella Agreement, is no longer “effectively” sharing data with the US, or “impedes the transfer of information…to the United States by private entity or person.” This means the US could remove a particular EU Member State from the list of covered countries (and deny that country’s citizens protections under H.R. 1428) even if the country complies with the Umbrella Agreement, but is determined to have impeded data transfers to the US through a company or individual actor. This gives the Department of Justice a stick it can wave at countries that are slow to respond to US law enforcement demands, or even those that appropriately decline to fulfill such demands in compliance with local law. A better approach would be to extend Privacy Act protections to all individuals, or to all citizens of countries that extend similar protections to US persons.
Second, H.R. 1428 does not extend Privacy Act protections to records pertaining to non-US persons that US agencies amass on their own, even if for the purpose of investigating and prosecuting crimes. It does not apply to records shared by designated countries for purposes other than law enforcement, including records shared for intelligence purposes. It does not apply to agencies that are not involved in law enforcement. Personal information maintained by non-law enforcement agencies typically subject to the Privacy Act, like the Department of Health and Human Services, would not fall within the scope of H.R. 1428. It also gives agency heads, and heads of agency components, discretion to exempt their agency or component from the Act.
Third, it does not provide citizens of EU countries with redress that is on par with that which US persons enjoy under the Privacy Act. US persons can obtain a civil remedy under the Privacy Act when an agency improperly fails to amend that person’s record in accordance with the person’s request or refuses to disclose an individual’s record to the individual when required to do so. The Judicial Redress Act extends such a remedy only to the limited class of records covered by the bill and permits only actions against the law enforcement agencies and components designated by the Attorney General. The Privacy Act also affords US persons a civil remedy when an agency fails to maintain a record “with such accuracy, relevance, timeliness, and completeness” as is necessary to ensure the person is treated fairly; the Judicial Redress Act does not provide any remedy in such a case. Finally, the Privacy Act imposes criminal fines of up to $5,000 on agency officials who willfully disclose individually identifiable information they know to be prohibited from disclosure; there are no criminal penalties for violations of H.R. 1428.
The Umbrella Agreement and the JRA can reasonably be described as limited, but not insignificant, improvements of the privacy rights of EU citizens. CDT has called for full extension of Privacy Act rights to non-US persons. The JRA does not achieve this goal, but is a step in the right direction. If adopted, it would be a rare instance in which the US Congress enacted legislation with the specific aim of enhancing privacy rights of non-US persons. Taken together, in their current form, the Umbrella Agreement and the JRA could be improved, but they do represent progress, if only limited progress.