After four years negotiation, the EU and the US have announced an umbrella agreement on a framework to protect personal data that is legitimately transferred between law enforcement agencies.
The European Commission, which negotiated for the EU, believes the framework will “re-build trust in EU-US data flows” by providing high-level protection for personal data used by EU and US law enforcement agencies and a strong structure for future rule making.
The framework will cover all personal data (such as names, addresses and criminal records) exchanged for the purposes of the prevention, detection, investigation and prosecution of crime, including terrorism.
It will create clear, harmonised rules controlling the transfer and use of such data between agencies based on the following protections:
Limitations – data can only be used for the stated crime prevention purposes;
Equal treatment – EU citizens will have the same rights as US citizens to redress from US courts for privacy breaches;
Onward transfer – the onward transmission of data outside the EU or the US will require prior consent of the enforcement agency that originally supplied the data;
Retention periods and access – the data should be kept no longer than necessary or appropriate and the actual retention periods must be published;
Access and rectification – individuals will have the right to access their data – subject to certain conditions – and to require rectification if it is incorrect;
Notification of breach – there will be obligations to notify privacy breaches to the originating enforcement agency and in some cases the data subject.
The Umbrella Agreement will be signed once the US Congress has approved the Judicial Redress Bill giving EU citizens equal access to US courts for breaches of their privacy rights.