Stephen M. Byers

For more than a year, the United States and the European Union have been engaged in negotiations over a data protection framework covering trans-Atlantic law enforcement cooperation. Last week, U.S. Attorney General Eric Holder and EU Vice-President Viviane Reding met in Washington to discuss that and other topics. Both expressed optimism in a joint press release issued after the meeting, but it remains to be seen whether the enormous gap between U.S. and EU notions of data privacy can be bridged through such an agreement.

In the EU, the privacy of one’s personal data is a fundamental civil right, whereas in the U.S. such privacy considerations are routinely subordinated in the context of law enforcement investigations and prosecutions. The EU’s stringent data protection rules have thus become a recurring sticking point in joint law enforcement efforts between the two governments because the U.S. has been unable to guarantee an “adequate” level of protection for data transfers as far as the EU is concerned.

In an effort to address those difficulties, in March 2012, the U.S. and EU officially commenced negotiations on a framework agreement regarding the protection of personal data exchanged by law enforcement authorities. While U.S. authorities hope that the EU will ultimately agree that U.S. data protection standards are adequate, there are some significant hurdles. These include European citizens’ right to judicial redress in U.S. courts, and retroactive application of the new framework agreement to prior U.S.-EU data sharing arrangements in specific contexts such as terrorism financing and airline passenger information.

At the same time, the EU is moving forward with a comprehensive reform of its domestic data protection rules, including both: (1) a new “Data Protection Regulation” setting out a general data protection regime that would directly apply in all EU member states without implementation at the national level being required, and (2) a new “Data Protection Directive” that would specifically govern how personal data is handled in criminal investigations, prosecutions and related judicial activities. Unlike the new Data Protection Regulation, the law-enforcement-focused Directive would require implementation at national level.

Negotiations over the U.S.-EU framework agreement are, of course, part of a much larger picture in another respect as well. Fundamental cultural differences have triggered clashes between strict EU data privacy protections and broad U.S. evidence-gathering procedures for decades. And while that disconnect has been difficult for U.S. law enforcement officials to navigate, they at least have the option of government-to-government dialogue and negotiation. The situation is even more difficult for private parties who are put in the untenable position of defying U.S. legal requirements for the preservation and production of data on the one hand, or violating EU member state law on the other, with potentially severe sanctions looming from both sides. That state of affairs may only get worse if and when the sweeping EU-wide Data Protection Regulation, mentioned above and described in our prior blog posts, is adopted.