Congress has taken a critical step in implementing its obligations under the recently announced EU-U.S. Privacy Shield through Wednesday night’s passage of the Judicial Redress Act in the House of Representatives. The Act passed by unanimous consent and is the latest step in a bipartisan effort to put in place a new data transfer framework with the EU following last October’s toppling of the 15-year old U.S.-EU Safe Harbor by the European Court of Justice. The ECJ’s holding sparked a prompt reaction from policy and business leaders on both sides of the Atlantic to implement a new data transfer framework, which was answered in the form of the EU-U.S. Privacy Shield announced in early February. One of the key elements of the Privacy Shield is the U.S. promise that EU citizens will be given avenues to redress misuse of personal data.
How does the Judicial Redress Act advance that obligation? Generally, the Act extends to citizens of designated countries certain protections already enjoyed by U.S. citizens under the Privacy Act of 1974. Under the Privacy Act, U.S. citizens and lawfully admitted aliens can obtain access to information maintained by government agencies regarding the individual, amend any incorrect information, and sue the agency for injunctive relief or civil damages where the individual has suffered injury stemming from a wrongful disclosure by the agency. Under the Judicial Redress Act, citizens of designated countries will enjoy some of the same protections and remedies that American citizens and residents have under the Privacy Act.
However, there are key distinctions in the Judicial Redress Act that may drastically reduce the scope of the rights afforded to EU citizens and undermine the very obligation that Congress is attempting to satisfy through the Act. Key among those differences is the conduct by a government agency that can form the basis of a citizen-suit. While U.S. citizens can sue for a range of conduct by government agencies under the Privacy Act, the Judicial Redress Act permits citizens of designated countries to sue only where a designated government agency has willfully or intentionally made a disclosure of information in violation of the Privacy Act, or where the agency refuses to comply with an individual’s request. Equally key is the limitation on the particular agencies that can be sued under the Judicial Redress Act. U.S. citizens can sue any government agency that maintains and misuses their data, but EU citizens are limited to law enforcement agencies specified by the Attorney General. This gives tremendous discretion to the Attorney General, and could potentially result in no agencies being designated. This would, of course, leave EU citizens with no additional avenues of redress and would utterly gut the obligation undertaken by the U.S. in the Privacy Shield.
The significance of the Act will depend heavily on the countries and agencies designated by the Executive in the months and years to come.