EU-US agreement on personal data protection
Decision (EU) 2016/920 on the signing of the Agreement between the US and the EU on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences
EU-US agreement on standards of protection when personal data are transferred between EU-US law enforcement authorities
WHAT IS THE AIM OF THE DECISION AND THE AGREEMENT?
The decision authorised the signature (on 2 June 2016) of the agreement between the United States of America (US) and the European Union (EU) on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences (the so-called ‘Umbrella Agreement’). The agreement will enter into force only after the parties have notified each other that their respective internal procedures for entry into force have been completed (which, on the EU side, requires that the Council adopts a decision to conclude the agreement following consent by the European Parliament).
The agreement aims to ensure that personal data is protected to a high standard when being transferred by law enforcement authorities (police and criminal justice authorities). It also aims to foster law enforcement cooperation between the EU and the EU countries, on the one hand, and the US on the other.
It provides greater legal certainty and strengthens the rights of the individuals concerned by the transfer of their data.
The agreement is 1 of 3 key actions set out in a 2016 Communication designed to restore trust in data flows between the EU and the US.
The agreement complements rules regarding personal data protection in existing EU/EU country-US agreements, and in national laws, that authorise the exchange of information for law enforcement purposes. It establishes a common data protection framework which will also apply to future agreements and national laws in this field.
The agreement covers all personal data (including names, addresses, criminal records) exchanged between the EU and the US for the purpose of the prevention, detection, investigation and prosecution of criminal offences, including terrorism.
The agreement provides a number of protections for personal data when they are exchanged between police and criminal justice authorities including:
clear limitations on data use — personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences.
restrictions on onward transfer — any onward transfer to a non-US, non-EU country or international organisation must be approved by the competent authority of the country which had originally transferred personal data.
retention periods — personal data may not be retained for longer than necessary or appropriate. These retention periods must be published or otherwise made publicly available.
right to access personal data and to rectification — any individual is entitled to access their personal data, subject to certain conditions, and can request the data be corrected if inaccurate.
notification in the case of data security breaches — a mechanism will be put in place so as to ensure that the competent authority and, where appropriate, the data subject* is notified of any data security breach.
judicial redress and enforceability of rights — EU citizens will be granted an additional right to seek judicial redress before US courts if US authorities deny access or rectification, or unlawfully disclose their personal data. In addition, any EU data subject can rely on the already existing judicial redress rights in the US.
FROM WHEN DO THE DECISION AND THE AGREEMENT APPLY?
The decision has applied since 20 May 2016. The agreement was signed by the EU and US on 2 June 2016.
For more information, see:
* KEY TERMS
Data subject: the person to whom personal data relate.
Council Decision (EU) 2016/920 of 20 May 2016 on the signing, on behalf of the European Union, of the Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences (OJ L 154, 11.6.2016, pp. 1-2)
Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences (OJ L 336, 10.12.2016, pp. 3-13)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89-131)
last update 23.01.2017