Choose Site


Tech & Sourcing @ Morgan Lewis


The European Commission recently issued a press release that the United States and European Union have finalized and initialed a data protection umbrella agreement to provide minimum privacy protections for personal data transferred between the parties for law enforcement purposes.

The agreement covers all personal data (for example names, addresses, criminal records) exchanged between the EU and the US for the purpose of prevention, detection, investigation, and prosecution of criminal offences, including terrorism. The agreement will provide certain protections to ensure that personal data is protected when exchanged between police and criminal justice authorities of the US and EU. However, the agreement does not apply to personal data shared with national security agencies. These include clear limitations on data use, set retention periods, prohibition on the onward transfer of the data without the prior consent of the competent authority of the country which had originally transferred personal data, individuals’ right to access the data and correct the data (subject to certain conditions), and notification of data security breaches. The agreement does not, of itself, authorize the data transfers.

The agreement also provides that EU citizens will have the right to seek judicial redress before US courts where US authorities deny access or rectification, or unlawfully disclose their personal data. Currently, US citizens have the right to seek judicial redress in the EU if their data that is transferred for law enforcement purposes is misused by EU law enforcement authorities, but EU citizens do not have reciprocal rights in the US A judicial redress bill has been introduced in the US House of Representatives. US’s adoption of the bill would allow the US and EU to finalize the umbrella agreement.