The pending legislation would authorize the US Department of Justice to designate foreign countries to allow the citizens of such countries to bring civil actions against certain US agencies to access, amend, or redress unlawful disclosures of personal information transferred for law enforcement purposes.

“In our complex digital world, privacy and security are not competing values,” said US Representative Jim Sensenbrenner (R-Wis.), a sponsor of the Judicial Redress Act of 2015 (Act), in a statement last October.[1] “They are weaved together inseparably, and today’s policymakers must craft legal frameworks that support both.”

The proposed Act, which was placed on the US Senate’s Legislative Calendar on February 1, attempts to do just that. The Act would give natural citizens of European nations and other designated countries procedural privacy protections similar to those available to US citizens under the Privacy Act of 1974 for personal information transferred to the United States through international law enforcement channels. The Act would permit citizens of designated countries to request corrections of inaccurate personal data held by certain US agencies, verify that personal data has not been improperly disclosed, and seek civil judicial remedies for improper use of personal data.

The Act, which has bipartisan support in US Congress and is expected to be signed by President Obama, was a critical component of the negotiations that recently resulted in a new “safe harbor” agreement (the EU-US Privacy Shield) between the European Union and the United States. The Act addresses one of the key criticisms in the European Court of Justice’s (ECJ’s) decision in Maximillian Schrems v. Data Protection Commissioner that invalidated the prior Safe Harbor program.[2] Additionally, the Act’s passage will serve as a prerequisite to the finalization of the EU-US Data Protection and Privacy Agreement.

The Act has been hailed as a “positive step forward in restoring [the United States’] international reputation and rebuilding trust” after several highly publicized leaks of classified information in connection with US surveillance activities.[3]

Key Provisions of the Act

The Act (H.R. 1428, as amended by the US Senate Judiciary Committee on January 28, 2016), allows any citizen of a “designated” country to bring a civil action and obtain civil remedies in the same manner, to the same extent, and subject to the same limitations, as a US citizen. A civil action under the Act can be brought only against (1) a US agency that intentionally or willfully violates the conditions for disclosing an individual’s records without the individual’s consent, (2) a “designated” US agency that refuses an individual’s request to amend his or her records, or (3) a “designated” US agency that refuses to permit an individual to review records pertaining to him or her.

The Act authorizes the US Department of Justice (DOJ) to designate both the foreign countries and the US agencies to which the Act applies, and such designations are exempt from judicial and administrative review.

The DOJ (with the concurrence of the US Department of State, US Department of the Treasury, and US Department of Homeland Security) may designate a country only if

  • the country either (a) has an agreement with the United States that includes appropriate privacy protections for information shared for purposes of preventing, investigating, detecting, or prosecuting crimes, or (b) the DOJ has determined that the country has effectively shared information with the United States for purposes of preventing, investigating, detecting, or prosecuting crimes and has appropriate privacy protections for that information;
  • the designated country permits the transfer of personal data for commercial purposes between the country and the US; and
  • the DOJ has certified that the designated country’s policies regarding the transfer of personal data for commercial purposes do not materially impede US national security interests.

A country’s designation may be revoked if the country ceases to meet these requirements or impedes a private entity or person’s transfer of information to the United States for purposes of reporting or preventing crimes.

The DOJ cannot designate a US agency “without the concurrence of the head of the relevant agency.” An agency may be designated only if

  • the DOJ determines that the information exchanged by the agency was pursuant to an agreement between a foreign country and the United States that includes appropriate privacy protections for information shared for purposes of preventing, investigating, detecting, or prosecuting crimes; or
  • the DOJ determines that designating the agency is in US law enforcement interests.

The Act’s remedies are exclusive, and the US District Court for the District of Columbia has exclusive jurisdiction over claims arising under the Act.

Importance of the Act

This bipartisan legislation is important for at least three reasons. First, the Act was critical to the negotiations that recently resulted in the EU-US Privacy Shield agreement for data transfers. The Act’s supporters believe that it will help to assuage the concerns of the ECJ that struck down the previous Safe Harbor program, in part, because the United States did not provide legal recourse to foreign individuals whose data was not properly protected. The EU-US Privacy Shield agreement is essential to many US businesses—especially technology companies—that rely on the international flow of data. The Act, therefore, would help promote what US Representative Goodlatte (R-VA) called “a healthy environment for US companies that do business overseas.”[4]

Second, the Act is essential to finalizing the EU-US Data Protection and Privacy Agreement (Umbrella Agreement) that establishes a data protection framework for EU and US law enforcement cooperation. The Umbrella Agreement covers personal data exchanged between the European Union and the United States for the purpose of preventing, investigating, and prosecuting crimes, including terrorism. The Umbrella Agreement commits both the European Union and the United States to provide citizens of the other with a civil remedy for the country’s failure to adequately protect personal data. The European Union already gives US citizens such a remedy. Because the United States does not, finalization of the Umbrella Agreement is contingent upon the passage of the Act. The Act is, therefore, vital to the continued sharing of information with the European Union for law enforcement purposes.

Finally, supporters of the legislation believe that its passage will be crucial to repairing global trust in the United States. Following several widely publicized and unauthorized disclosures of classified US intelligence information, European officials have expressed concerns about US intelligence collection and the need for greater privacy protection for information from the European Union. Because this legislation addresses a key concern raised by the ECJ, it is a significant step toward convincing the European bodies that must approve the proposed EU-US Privacy Shield agreement that the United States is serious about protecting EU citizens’ personal data.[5]