Exemptions to the US Privacy Act and their impact on the legality of transatlantic transfer of personal data
Dear Commissioner Jourova,
During the last structured dialogue within the Committee on Civil Liberties, Justice and Home Affairs, you have announced that, following the designation by the U.S. Attorney General of “covered countries” and “designated Federal agencies or components” in accordance with the Judicial Redress Act of 2015, the EU-US Umbrella Agreement on data protection will be entering into force on 1st February 2017.
I have however pointed out during our exchange of views that, while the Judicial Redress Act will allow an extension of certain remedies available under the Privacy Act to nationals of the European Union, a major caveat remains when it comes to access to judicial redress for EU nationals and this puts in question the effective enactment by the U.S. of their obligations as per the EU-US Umbrella Agreement.
The US Privacy Act allows federal agencies to exempt systems of records from most of the duties of the Privacy Act; one of the most commonly used exemptions refers to systems of records involving law enforcement. As already confirmed by your services, databases containing PNR data and similar law enforcement databases are currently exempted from the US Privacy Act, meaning that de facto judicial redress would not be granted to EU citizens when it comes to data transferred under the EU-US PNR Agreement or the EU-US TFTP Agreement, which the EU-US Umbrella is supposed to complement. The decision by the U.S. authorities to lift these existing exemptions to the Privacy Act is therefore an essential precondition for the U.S. to effectively enact their obligations as per Article 19 of the EU-US Umbrella Agreement (Judicial Redress).
Given the imminence of the entry into force of this Agreement, I would therefore be grateful if I could receive a detailed answer regarding your discussion with the new US Administration in order to ensure that the existing exemptions to the US Privacy Act, for those US databases which may process personal data of EU individuals and receive personal information pursuant to the EU-US Umbrella Agreement, are lifted without any delay. Should this not be the case, I would be interested to know the reasons whereby they are exempted and which consecutive measures the European Commission is intending to take with regard to this material breach of the Agreement.
In addition, you are certainly aware that President Trump signed on 25th January 2017 a new Executive Order on "Enhancing Public Safety in the Interior of the United States", which in its section 14 about the Privacy Act states that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” Such a decision not only undermines further the compliance with the terms of the EU-US Umbrella Agreement, but also contradicts some of the “written assurance” provided by the U.S. Authorities under the Privacy Shield.
As Guardian of the Treaties and responsible for the application of EU law, it is the duty of the European Commission to ensure that its decision and the obligations derived from international agreements it has concluded are fully implemented, enacted and respected. It is therefore urgent that the Commission provides clear answers with regards to the exemptions to the US Privacy Act and their impact on the legality of transatlantic transfer of personal data.
Sophie in ‘t Veld