Skip to main content
SpringerLink
Log in

The EU–US Data Privacy and Counterterrorism Agreements: What Lessons for Transatlantic Institutionalisation?

  • Chapter
  • First Online:
Institutionalisation beyond the Nation State

Part of the book series: Studies in European Economic Law and Regulation ((SEELR,volume 10))

  • 583 Accesses

Abstract

This chapter explores the forms of governance that the EU–US PNR, TFTP, Privacy Shield and Umbrella Agreement have established in the transatlantic data space by looking at the relevant rules, procedures and institutions. It concludes that transatlantic institutionalisation in the sphere of data protection is weak and has not achieved a locus of legitimation as these agreements have been mainly negotiated by the executive serving national security interests and contain a complex set of fragmented, uncertain rules that in their substance have weakened fundamental rights’ protection. This chapter advocates that potential solutions for the current inadequate transatlantic data privacy framework could be searched at the domestic level through the emergence of new actors, such as private individuals and independent authorities that can act as watchdogs for the protection of data privacy rights beyond the EU borders.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 109.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Jourová (2017).

  2. 2.

    Greenleaf (2012), p. 68.

  3. 3.

    Schwartz (2013).

  4. 4.

    Papakonstantinou and de Hert (2009), pp. 885, 892.

  5. 5.

    Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Safe Harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under Doc No C(2000) 2441).

  6. 6.

    Schwartz (2013), pp. 1982–1983.

  7. 7.

    Ibid.

  8. 8.

    Fahey (2017).

  9. 9.

    Schwartz (2013), p. 1967.

  10. 10.

    See inter alia Reidenberg (1999), p. 1315; Cole and Fabbrini (2016), p. 220; Tzanou (2017b).

  11. 11.

    Boehm (2012).

  12. 12.

    Tzanou (2017b).

  13. 13.

    Tzanou (2015), p. 87.

  14. 14.

    Fahey (2017).

  15. 15.

    Ibid.

  16. 16.

    Meyer and Rowan (1977), pp. 340, 363; Sanders (2008), p. 40.

  17. 17.

    Stone-Sweet et al. (2001), p. 1.

  18. 18.

    Petrov (2010).

  19. 19.

    Case C-362/13 Maximillian Schrems v Data Protection Commissioner, 6 October 2015, unreported.

  20. 20.

    Article 7 EUCFR.

  21. 21.

    See Fuster (2014); Tzanou (2013), p. 88; Tzanou (2017b).

  22. 22.

    Directive 95/46/EC [1995] OJ L 281/31.

  23. 23.

    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1.

  24. 24.

    GDPR, art 5.

  25. 25.

    GDPR, art 4 (7).

  26. 26.

    Tzanou (2011), p. 273; Tzanou (2014), p. 24.

  27. 27.

    GDPR, art 68.

  28. 28.

    Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L201 of 31.07.2002, p. 37; Regulation (EC) 45/2001/EC of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8/1 of 12.1.2001; Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, L 119/89 of 4.5.2016.

  29. 29.

    GDPR, art 45.

  30. 30.

    Schrems (Case C-362/13 Maximillian Schrems v Data Protection Commissioner, 6 October 2015, unreported), para 73.

  31. 31.

    Tzanou (2017a), pp. 1, 4; Kuner (2015), p. 235; Taylor (2015), p. 246.

  32. 32.

    Shaffer (2000), pp. 1, 22.

  33. 33.

    Brenner (2008), pp. 225, 230.

  34. 34.

    Schmerber v. California, 384 U.S 757 (1966). It should be noted, however, that the Fourth Amendment has not been interpreted to afford a ‘comprehensive right to personal data protection’. See Bignami (2015), p. 8.

  35. 35.

    Katz v. United States, 389 U.S 347 (1967).

  36. 36.

    Ibid.

  37. 37.

    United States v. Verdugo-Urquidez, 494 U.S. 1092 (1990).

  38. 38.

    Shaffer (2000).

  39. 39.

    Schwartz (2013) 1974.

  40. 40.

    Ibid, 1977.

  41. 41.

    Ibid.

  42. 42.

    Ibid, 1979–1980; Article 29 Working Party, Opinion 1/99 Concerning the Level of Data Protection in the United States and the Ongoing Discussion Between the European Commission and the United States Government, 26 January 1999.

  43. 43.

    Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441).

  44. 44.

    Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU, Brussels, 27.11.2013, COM(2013) 847 final.

  45. 45.

    These data fields include: name, address, e-mail, contact telephone numbers, passport information, date of reservation, date of travel, travel itinerary, all forms of payment information, billing address, frequent flyer information, travel agency and travel agent, travel status of passenger (such as confirmations and check-in status), ticketing field information (including ticket number, one way tickets and Automated Ticket Fare Quote), date of issuance, seat number, seat information, general remarks, no show history, baggage information, go show information, OSI (Other Service-related Information) and SSI/SSR (Special Service Information/Special Service Requests).

  46. 46.

    Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the Passenger Name Record of air passengers transferred to the United States Bureau of Customs and Border Protection, OJ 2004 L 235/11.

  47. 47.

    Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the United States of America on the processing and transfer of PNR data by Air Carriers to the United States Department of Homeland Security, Bureau of Customs and Border Protection, OJ 2004 L 183/83 and corrigendum at OJ 2005 L 255/168.

  48. 48.

    Joined Cases C-317/04 and C-318/04 European Parliament v Council and Commission (PNR) [2006] ECR I-4721.

  49. 49.

    Council Decision 2006/729/CFSP/JHA of 16 October 2006 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of passenger name record (PNR) data by air carriers to the United States Department of Homeland Security, OJ L 298/27 of 27 October 2006.

  50. 50.

    Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), OJ L 204/16 of 4 August 2007.

  51. 51.

    Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security (2012 PNR Agreement) OJ L 215/5, 11/08/2012.

  52. 52.

    Processing of EU originating Personal Data by United States Treasury Department for Counter Terrorism Purposes—‘SWIFT’ (2007/C 166/09) Terrorist Finance Tracking Program—Representations of the United States Department of the Treasury, [2007] OJ C166/18.

  53. 53.

    Council Decision 2010/16/CFSP/JHA of 30 November 2009 on the signing, on behalf of the European Union, of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Programme, [2010] OJ L8/9. The Agreement was deemed to apply provisionally from 1 February 2010 and expire the latest on 31 October 2010.

  54. 54.

    European Parliament legislative resolution of 11 February 2010 on the proposal for a Council decision on the conclusion of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Programme (05305/1/2010 REV 1—C7-0004/2010—2009/0190(NLE)) P7_TA(2010)0029.

  55. 55.

    Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Programme, [2010] OJ L195/5.

  56. 56.

    Fahey (2017).

  57. 57.

    Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, Brussels, 12.7.2016, C(2016) 4176 final.

  58. 58.

    Commission Implementing Decision, recital 88.

  59. 59.

    Commission Proposal for a Council Decision on the signing, on behalf of the European Union of an Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences, COM(2016) 238 final, 29.4.2016.

  60. 60.

    The legal basis of the Umbrella Agreement is Article 16 TFEU, in conjunction with Article 218 (5) TFEU.

  61. 61.

    S 2(d)(1) Judicial Redress Act 2015.

  62. 62.

    Koops (2010), pp. 973, 987.

  63. 63.

    See also Schulhofer (2016), pp. 238, 255.

  64. 64.

    Ibid.

  65. 65.

    Tzanou (2015), p. 98.

  66. 66.

    Opinion 1/15 Request for an opinion submitted by the European Parliament, pending.

  67. 67.

    Report from the Commission to the European Parliament and the Council, On the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program, Brussels, 19.1.2017, COM(2017) 31 final.

  68. 68.

    Ibid.

  69. 69.

    Argomaniz (2009), pp. 119, 126–127.

  70. 70.

    Tzanou (2015), p. 97.

  71. 71.

    Tzanou (2017a), pp. 17–18.

  72. 72.

    Tzanou (2015), p. 98.

  73. 73.

    Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, [2016] OJ L119/132.

  74. 74.

    Communication from the Commission to the European Parliament and the Council, A European terrorist finance tracking system: available options’, Brussels, 13.7.2011, COM(2011) 429 final.

  75. 75.

    Tzanou (2017b), p. 150.

  76. 76.

    Ibid. See also Korff (2015); EDPS, Opinion 1/2016, Preliminary Opinion on the agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offences, 12 February 2016.

  77. 77.

    Tzanou (2017b), pp. 147–148.

  78. 78.

    Communication from the Commission to the European Parliament and the Council, ‘Transatlantic Data Flows: Restoring Trust through Strong Safeguards’, COM(2016) 117 final, 29.2.2016, 12–13.

  79. 79.

    Tzanou (2017b), p. 169.

  80. 80.

    See above.

  81. 81.

    Tzanou (2017a), p. 19.

  82. 82.

    Schrems (Case C-362/13 Maximillian Schrems v Data Protection Commissioner, 6 October 2015, unreported), para 94.

  83. 83.

    Ibid, para 95.

  84. 84.

    Tzanou (2017a), p. 10.

  85. 85.

    Fahey (2017).

  86. 86.

    S.J.Res.34—A joint resolution providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Federal Communications Commission relating to ‘Protecting the Privacy of Customers of Broadband and Other Telecommunications Services’, 15th Congress (2017–2018), Public Law No: 115-22.

  87. 87.

    Executive Order: Enhancing Public Safety in the Interior of the United States, January 25, 2017 <https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united> accessed 26 May 2017.

  88. 88.

    Nielsen (2017).

  89. 89.

    Emphasis added.

References

  • Argomaniz J (2009) When the EU is the “Norm-Taker”: The passenger name records agreement and the EU’s internalization of US border security norms. J Eur Integrat 31:119, 126–127

    Article  Google Scholar 

  • Bignami F (2015) The US legal system on data protection in the field of law enforcement. Safeguards, rights and remedies for EU citizens. Study for the LIBE Committee, PE 519.215, © European Union, Brussels, p 8

    Google Scholar 

  • Boehm F (2012) Information sharing and data protection in the area of freedom, security and justice: towards harmonised data protection principles for information exchange at EU-level. Springer

    Google Scholar 

  • Brenner S (2008) Constitutional rights and new technologies in the United States. In: Leenes R, Koops BJ, De Hert P (eds) Constitutional rights and new technologies: a comparative study. TMC Asser Press, Distributed by Cambridge University Press, pp 225, 230

    Google Scholar 

  • Cole D, Fabbrini F (2016) Bridging the transatlantic divide? The United States, the European Union, and the protection of privacy across borders. I•CON 14(1):220

    Google Scholar 

  • Fahey E (2017) Introduction: institutionalisation beyond the nation state: new paradigms? Transatlantic relations:- data privacy and trade law. In: Fahey E (ed) Institutionalisation beyond the nation state: transatlantic relations:- data privacy and trade law. Springer

    Google Scholar 

  • Fuster GG (2014) The emergence of personal data protection as a fundamental right of the EU. Springer, Cham

    Book  Google Scholar 

  • Greenleaf G (2012) The influence of European data privacy standards outside Europe: implications for globalization of Convention 108. Int Data Priv Law 2(2):68

    Article  Google Scholar 

  • Jourová V (2017) Commissioner for justice, consumers and gender equality ‘EU-U.S. data flows and data protection: opportunities and challenges in the digital era’. Speech at the Center for Strategic and International Studies, Washington, 31 March 2017 <http://europa.eu/rapid/press-release_SPEECH-17-826_en.htm>. Accessed 26 May 2017

  • Koops B-J (2010) Law, technology, and shifting power relations. Berkeley Technol Law J 25:973, 987

    Google Scholar 

  • Korff D (2015) Note on the EU – US Umbrella Data Protection Agreement. Fundamental Rights European Experts Group (FREE), 14 October 2015 <www.statewatch.org/news/2015/oct/eu-usa-umbrella-freegroup-Korff-Note.pdf>. Accessed 26 May 2017

  • Kuner C (2015) Extraterritoriality and regulation of international data transfers in EU data protection law. Int Data Priv Law 5:235

    Article  Google Scholar 

  • Meyer J, Rowan B (1977) Institutionalized organizations: formal structure as myth and ceremony. Am J Sociol 83(2):340, 363

    Article  Google Scholar 

  • Nielsen N (2017) Trump’s anti-privacy order stirs EU angst. Euobserver, 27 January 2017 <https://euobserver.com/justice/136699>. Accessed 26 May 2017

  • Papakonstantinou V, de Hert P (2009) The PNR agreement and transatlantic anti-terrorism co-operation: no firm human rights framework on either side of the Atlantic. Common Market Law Rev 46:885, 892

    Google Scholar 

  • Petrov P (2010) Early institutionalisation of the ESDP governance arrangements: insights from the operations Concordia and Artemis. In: Vanhoonacker S, Dijkstra H, Maurer H (eds) Understanding the role of bureaucracy in the European security and defence policy. European Integration Online Papers

    Google Scholar 

  • Reidenberg J (1999) Resolving conflicting international data privacy rules in cyberspace. Stanford Law Rev 52:1315

    Article  Google Scholar 

  • Sanders E (2008) Historical institutionalism. In: Binder S, Rhodes RAW, Rockman B (eds) The Oxford handbook of political institutions. OUP, p 40

    Google Scholar 

  • Schulhofer S (2016) An international right to privacy? Be careful what you wish for. I•CON 14(1):238, 255

    Article  Google Scholar 

  • Schwartz P (2013) The EU-U.S. privacy collision: a turn to institutions and procedures. Harv Law Rev 1966, 1967

    Google Scholar 

  • Shaffer G (2000) Globalization and social protection: the impact of EU and international rules in the ratcheting up of U.S. data privacy standards. Yale J Int Law 25:1, 22

    Google Scholar 

  • Stone-Sweet A, Sandholtz W, Filgstein N (2001) The institutionalisation of European space. In: Stone-Sweet A et al (eds) The institutionalisation of Europe. OUP, p 1

    Chapter  Google Scholar 

  • Taylor M (2015) The EU’s human right obligations in relation to its data protection laws with extraterritorial effect. Int Data Priv Law 5:246

    Article  Google Scholar 

  • Tzanou M (2011) Data protection in EU law: an analysis of the EU legal framework and the ECJ jurisprudence. In: Akrivopoulou C, Psygkas A (eds) Personal data privacy and protection in a surveillance era: technologies and practices. IGI Global, Hershey, p 273

    Chapter  Google Scholar 

  • Tzanou M (2013) Data protection as a fundamental right next to privacy? “Reconstructing” a not so new right. Int Data Priv Law 3(2):88

    Article  Google Scholar 

  • Tzanou M (2014) Data protection in EU law after Lisbon: challenges, developments, and limitations. In: Gupta M (ed) Handbook of research on emerging developments in data privacy. IGI Global, Hershey, p 24

    Google Scholar 

  • Tzanou M (2015) The war against terror and transatlantic information sharing: spillovers of privacy or spillovers of security? Utrecht J Int Eur Law 31(80):87

    Article  Google Scholar 

  • Tzanou M (2017a) European Union regulation of transatlantic data transfers and online surveillance. Hum Rights Law Rev [Advanced online access], pp 1, 4

    Google Scholar 

  • Tzanou M (2017b) The fundamental right to data protection: normative value in the context of counter-terrorism surveillance. Hart Publishing, Oxford

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Law, University of Keele, Staffordshire, UK

    Maria Tzanou

Authors
  1. Maria Tzanou
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Maria Tzanou .

Editor information

Editors and Affiliations

  1. Institute for the Study of European Law (ISEL), The City Law School, City University of London, London, United Kingdom

    Elaine Fahey

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Tzanou, M. (2018). The EU–US Data Privacy and Counterterrorism Agreements: What Lessons for Transatlantic Institutionalisation?. In: Fahey, E. (eds) Institutionalisation beyond the Nation State. Studies in European Economic Law and Regulation, vol 10. Springer, Cham. https://doi.org/10.1007/978-3-319-50221-2_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-50221-2_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-50220-5

  • Online ISBN: 978-3-319-50221-2

  • eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics

Search

Navigation