The data protection 'umbrella' agreement was announced by the European Commission last September, although it will not apply until EU law makers ratify it.
The Commission said at the time that the agreement set out a range of privacy "protections" for when data is transferred for law enforcement purposes. The agreement does not of itself provide a lawful authority for the transfer of the data to the US from the EU but would instead apply data privacy safeguards to information that is transferred.
However, the European Data Protection Supervisor (EDPS) has now said that he thinks the umbrella agreement should not apply to "bulk transfers of sensitive data".
"The EDPS is concerned that [the agreement] opens the possibility of having bulk transfers of sensitive data, as it allows an agreement concluded between the US and the EU or a member state to provide for the possibility of a 'transfer of personal information other than in relation to specific cases, investigations or prosecutions'," Giovanni Buttarelli said in a newly issued opinion (21-page / 874KB PDF).
"Although [the agreement] requires taking into account the nature of the information, it leaves to each specific agreement the determination of categories of data to be exchanged. In this context, the EDPS would recall his previous opinions on the use of Passenger Name Records (PNR), in which he advocated the complete exclusion of sensitive data in the context of bulk transfers. For instance, the EDPS had specifically questioned the processing of sensitive data by the Department of Homeland Security, recommending that the agreement at issue specify that air carriers should not transfer sensitive data to the Department. Therefore, the EDPS recommends that bulk transfers of sensitive data be excluded from the scope of the agreement," he said.
At the time the umbrella agreement was announced, EU justice commissioner Věra Jourová confirmed that the deal would not come into effect until the Judicial Redress Bill was adopted by US law makers. That Bill would give EU citizens new rights of redress if their data is misused by US authorities. Last week the Judicial Redress Bill was passed by US Congress. US president Barack Obama has still to sign the Bill into US law.
Earlier this month Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, a body of European data protection authorities, said that she does not think the Judicial Redress Bill will address concerns raised in a ruling by the Court of Justice of the EU (CJEU) in October last year. In that ruling the CJEU invalidated a previous decision of the Commission. The Commission's decision was that adequate data protection applied to personal data when it was transferred to the US from the EU in line with 'safe harbour' principles. A new deal to facilitate EU-US data transfers, the EU-US Privacy Shield, has been announced to replace the previous safe harbour framework.
The CJEU, in invalidating the EU-US safe harbour framework, referenced concerns in relation to the lack of redress EU citizens could obtain in the US if their data was misused. Falque-Pierrotin said, though, that she does not think the Judicial Redress Bill will address those concerns because the Bill would not apply to cases concerning access to data for national security purposes.