On Wednesday, February 10, 2016, the US took a step towards assuaging privacy concerns regarding transatlantic data transfers when the House passed a bill granting European citizens recourse to US Courts to protect treatment of their personal data. Now heading to President Obama for signature, the Judicial Redress Act would give European citizens the right to pursue legal action against certain US agencies in American courts if their personal data has been mishandled when used by the US in criminal and terror investigations. As the EU and US work out a framework to replace Safe Harbour in light of concerns over the treatment of Europeans’ personal data, the JRA may help restore trust in American data privacy protections.
The JRA is part of the EU-US Data Protection and Privacy Agreement (Umbrella Agreement), whereby the EU and US committed to provide both parties’ citizens with civil remedies for a failure to protect personal data exchanged for the purpose of preventing, detecting, investigating and prosecuting crimes. The Umbrella Agreement covers all personal data, including names, addresses and criminal records. It will be formally concluded only after the JRA has been adopted.
If approved by President Obama, the bill would allow citizens of “designated” EU countries to bring civil actions against US agencies that violate the US Privacy Act by unlawful treatment of personal information. Under the JRA, a citizen can bring a civil action against a US agency that improperly discloses an individual’s records without their consent. Additionally, an action can be brought by a EU citizen against a “designated” US agency that refuses an individual’s request to amend inaccurate personal data or review their records. The US Department of Justice (DOJ) designates which European countries the JRA applies to as well as which US agencies are covered.
Only “designated” European countries are covered by the JRA
A European country can be designated as covered under the JRA if it fulfills certain requirements. A country that has an agreement with the US involving privacy protections for information shared for crime prevention, investigation, detection or prosecution is covered by the JRA. Otherwise, the DOJ can designate a country if it determines that: (1) the country has effectively shared information with the United States for crime prevention, investigation, detection or prosecution with appropriate privacy protections; (2) the country permits personal data transfer to be transferred across the Atlantic for commercial purposes; and (3) the DOJ certified that the country’s policies on personal data transfers for commercial purposes do not materially impede American national security interests. The DOJ can revoke a designation if the country does not meet these requirements or if the country impedes information transfer to the United States for crime prevention or reporting purposes.
The requirement that the foreign country’s policies regarding transfers of personal data for commercial purposes do not materially impede US national security interests was an amendment to the original bill. While unanimously approved, the amendment may be seen as a back-door allowance for the US to continue security services data use.
The DOJ retains authority to determine which US agencies are subject to the JRA
The bill limits which US agencies can be subject to the JRA. US agencies cannot be designated as falling under the purview of the JRA without the agreement of the head of the agency. There are two cases under which an agency can be subject to the JRA. Firstly, an agency can be designated if the DOJ determines information exchanged by the agency was pursuant to an agreement between the European country and the US which includes privacy protections for information shared for crime prevention, investigation, detection or prosecution. Otherwise, a US agency can be designated if the DOJ determines that it is within the US law enforcement interests to do so.
The authority of the DOJ to determine which agencies are subject to the JRA may be worrisome for the EU to the extent that it potentially limits the reach of the JRA. This will depend on how broadly or narrowly the DOJ interprets the scope of US law enforcement interests.
A step towards restoring trust in transatlantic data transfers?
In light of EU concerns over American treatment of European citizens’ personal data, the JRA represents a step forward by the US government. The JRA is a welcome development after Max Schrems’ case against the Irish data-protection authority and Edward Snowden’s allegations about US companies’ disclosure of personal data as part of a US National Security Agency program
Following the European Court of Justice (ECJ)’s striking down of the Safe Harbour framework in Schrems, the Article 29 Working Party, European College of Commissioners and an EU committee will review the EU-US Privacy Shield replacement framework. It is yet to be determined whether it meets the standards mandated by Schrems. While not expressly identified as a prerequisite for the Privacy Shield, the JRA addresses critical privacy rights that the ECJ said were required in any replacement of Safe Harbour: A key criticism of Safe Harbour was the fact that European citizens had no method to address misuse of their data in the US. At the same time, it remains to be seen whether a regime that requires the US agencies’ consent to be bound satisfies European standards.
Although the JRA’s passage may demonstrate an American commitment to respecting the personal privacy of European Citizens, the Privacy Shield remains subject to scrutiny by the ECJ and lacks clear legal status or enforceability. While the JRA represents progress in privacy protections for EU-US data transfers, one important question will be whether the limits on the scope of the JRA described above are compatible with the European requirements for independent oversight and effective individual recourse. We will have to wait and see whether the EU and US will be able to convert the Privacy Shield into an effective, enforceable agreement that strikes a balance between security requirements, commercial utility and personal data protections.