U.S.-EU Reach Agreement on Common Personal Data Protection Principles
October 28, 2009
The joint statement adopted at the October 28, 2009, United States-European Union Justice and Home Affairs Ministerial acknowledged the completion of the High Level Contact Group’s (HLCG) common principles to protect personal data. The common principles, consolidated into one document based on the HLCG’s May 2008 and October 2009 reports, are below.
The United States looks forward to the negotiation of a binding international EU-U.S. agreement embodying the principles, which would serve as a solid basis for our law enforcement authorities for even further enhanced cooperation, while ensuring the availability of full protection for our citizens.
Below is the text of the common principles on privacy and personal data protection:
Principles on Privacy and Personal Data Protection for Law Enforcement Purposes for which common language has been developed (common principles)
The European Union would apply these principles for 'law enforcement purposes' meaning use for the prevention, detection, investigation, or prosecution of any criminal offense.
The United States would apply these principles for 'law enforcement purpose,' meaning use for the prevention, detection, suppression, investigation, or prosecution of any criminal offense or violation of law related to border enforcement, public security, and national security, as well as for non-criminal judicial or administrative proceedings related directly to such offenses or violations.
Purpose Specification/Purpose Limitation
Personal information [should/shall] be processed for specific legitimate law enforcement purposes in accordance with the law and subsequently processed only insofar as this is not incompatible with the law enforcement purpose of the original collection of the personal information.
Personal information should be maintained with such accuracy, relevance, timeliness and completeness as is necessary for lawful processing.
Relevant and Necessary/Proportionality
Personal information may only be processed to the extent it is relevant, necessary and appropriate to accomplish a law enforcement purpose laid down by law.
Personal information must be protected by all appropriate technical, security and organizational procedures and measures to guard against such risks as loss; corruption; misuse; unauthorized access, alteration, disclosure or destruction; or any other risks to the security, confidentiality or integrity of the information. Only authorized individuals with an identified purpose may have access to personal information.
Special Categories of Personal Information
Personal information revealing racial or ethnic origins, political opinions or religious or philosophical beliefs, or trade union membership, as well as personal information concerning health or sexual life or other categories defined under domestic law may not be processed unless domestic law provides appropriate safeguards.
Public entities processing personal information [shall/should] be accountable for complying with domestic law and rules on the protection of personal information.
Independent and Effective Oversight
A system of independent and effective data protection supervision [shall/should] exist in the form of a public supervisory authority with effective powers of intervention and enforcement. These responsibilities may be carried out by a specialized public data protection authority or by more than one supervisory public authority to meet the particular circumstances of different legal systems.
Individual Access and Rectification
[An/every] individual [should/shall] be provided with access to and the means to seek rectification and/or expungement of his or her personal information. In appropriate cases, an individual may object to processing of personal information related to him or her.
Transparency and Notice
An individual [should/shall] be informed, as required by law, with general and individual notice at least as to the purpose of processing of personal information concerning him or her and who will be processing that information, under what rules or laws, the types of third parties to whom information is disclosed as well as other information insofar as is necessary to ensure fairness including rights and remedies available to the individual.
Recognizing that both the US and EU provide multiple mechanisms for administrative and judicial redress, wherever an individual’s privacy has been infringed or data protection rules have been violated with respect to that individual, that individual [should/shall] have, before an impartial competent authority, independent court or tribunal, an effective remedy and/or appropriate and effective sanctions.
Automated Individual Decisions
Decisions producing significant adverse actions concerning the relevant interests of the individual may not be based solely on the automated processing of personal information without human involvement unless provided for by domestic law and with appropriate safeguards in place, including the possibility to obtain human intervention.
Restrictions on onward transfers to third countries
Where personal information is transmitted or made available by a competent authority of the sending country or by private parties in accordance with the domestic law of the sending country to a competent authority of the receiving country, the competent authority of the receiving country may only authorise or carry out an onward transfer of this information to a competent authority of a third country if permitted under its domestic law and in accordance with existing applicable international agreements and international arrangements between the sending and receiving country. In the absence of such international agreements and international arrangements, such transfers should moreover support legitimate public interests consisting of: national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences, breaches of ethics of regulated professions, or the protection of the data subject. In all cases transfers should be fully consistent with these common principles, especially the limitation/purpose specification.
Issues pertinent to the transatlantic relationship
On private entities’ obligations, any adverse impact on private entities resulting from data transfers, including those impacts deriving from diverging legal and regulatory requirements, should be avoided to the greatest extent possible.
On preventing undue impact on relations with third countries, when the European Union or the United States has international agreements or arrangements for information sharing with third countries, each should use its best endeavors to avoid putting those third countries in a difficult position because of differences relating to data privacy, including legal and regulatory requirements.
On specific agreements relating to information exchanges and privacy and personal data protection, when the European Union and the United States agree that a clear legal necessity arises in particular due to a serious conflict of laws substantiated by one party, the processing of personal information in specific areas should be made subject to specific conditions and should include the necessary safeguards for the protection of privacy and personal data and individual liberties through the negotiation of an information sharing agreement. Such rules may offer individuals a wider measure of protection.
On issues related to the institutional framework of the EU and the U.S., the European Union and the United States intend to consult each other as necessary to discuss and if possible resolve matters arising from divergent legal and regulatory requirements.
On equivalent and reciprocal application of data privacy law, the European Union and the United States should use best efforts to ensure respect for the requirements, taken as a whole as opposed to singular examples, that each asks the other to observe.