The so-called "Umbrella Agreement" which was signed-off by the European Parliament, December 1, was designed to allow EU and US law enforcement agencies to share personal data (passenger information, names, addresses, criminal records and other data) for the purpose of the "prevention, detection, investigation and prosecution of criminal offences, including terrorism".
However, the Liberals and Democrats (ALDE) group in the European Parliament has raised question marks about the compatibility of the EU-US data protection agreement with EU treaties, expressing worries about the "small print".
The group said that the loose phrasing of the agreement could lead to EU citizens' data being compromised without further legal safeguards on the part of the US which was "already doubtful" under Barack Obama's administration, but which "with the upcoming Trump administration it seems practically impossible".
The deal — which has been mooted since 2009 — was finally agreed by MEPs, under the proviso that it would "provide safeguards and guarantees of lawfulness for data transfers, thereby strengthening fundamental rights, facilitating EU-US law enforcement cooperation and restoring trust".
"We were the first ones to call for a data protection agreement with the US, as the flow of personal data was growing. A set of standards was clearly needed and this agreement represents significant progress in that sense. However, although this new framework certainly strengthens data protection safeguards, legal concerns persist in the "small print" of the Umbrella Agreement," said Sophie in ‘t Veld, ALDE shadow rapporteur for the umbrella agreement and ALDE spokesperson for data protection.
Under the agreement, EU citizens' data should only be used for the "purpose of preventing, investigating, detecting or prosecuting criminal offences" and may not be processed "beyond compatible purposes" — for mass surveillance, for instance.
"For the Umbrella Agreement to be valid, the US needs to ensure that certain databases, such as those holding passenger data or bank data [known as 'Swift' data], are no longer exempt from the Privacy Act," Sophie in ‘t Veld said, having already noted the apparent propensity of US and UK authorities to eavesdrop wherever they need.
(Twitter: "US and UK services spied on calls on board Air France flights #snowden"
"For this to be fulfilled under the Obama administration was already doubtful; with the upcoming Trump administration it seems practically impossible. This is even more important because, once the agreement enters into force, the US are deemed to have fulfilled the 'appropriate safeguards' for data transfers required by the recently adopted EU Data Protection Directive for law enforcement."