Passage of the Act facilitates two data-sharing agreements between the European Union and United States that will improve transatlantic business, privacy, and security.

On February 24, the Judicial Redress Act of 2015 (the Act) was enacted into law.[1] Congressman Jim Sensenbrenner (R-WI), who introduced the legislation in the US House of Representatives, summarized that the Act’s passage “shows America's commitment to rebuilding trust between allies and demonstrates our nation's willingness to act in good faith with our European allies to secure open lines of communication between law enforcement agencies. This is a significant achievement for our country, our allies, and for the safety and security of the United States.”[2]

The Act, which had strong bipartisan support in the US Congress, extends to natural citizens of designated foreign countries the principal benefits of the Privacy Act of 1974 to citizens from designated countries,[3] which are already available to Americans.[4] These benefits include the ability to access, amend, or sue for the improper disclosure of personal information shared with US law enforcement for purposes of preventing, investigating, or prosecuting crimes. A number of other countries, including those in the European Union, already extend such protections to US citizens.

During congressional debate, three primary benefits were noted from the legislation. As House Judiciary Committee Chairman Bob Goodlatte (R-VA) highlighted, “the Judicial Redress Act is critical [1] to reestablishing a trusting relationship between the European Union and the United States, [2] to ensuring continued strong law enforcement cooperation between the United States and Europe, and [3] to preserving the ability of American companies to do business internationally.”[5]

KEY PROVISIONS

The Act allows citizens of a “designated” country to bring a civil action and obtain civil remedies in the same manner, to the same extent, and subject to the same limitations as a US citizen. A civil action under the Act can be brought only against (1) a US agency that intentionally or willfully violates the conditions for disclosing an individual’s records without the individual’s consent, (2) a “designated” US agency that refuses an individual’s request to amend his or her records, or (3) a “designated” US agency that refuses to permit an individual to review records that pertain to him or her.

The Act authorizes the US Department of Justice (DOJ) to designate both the foreign countries and the US agencies to which the Act applies. The DOJ’s designations are exempt from judicial and administrative review.

The DOJ (with the concurrence of the US Department of State, the US Department of the Treasury, and the US Department of Homeland Security) may designate a country only if

  • the country either
    • has an agreement with the United States that includes appropriate privacy protections for information shared for purposes of preventing, investigating, detecting, or prosecuting crimes or 
    • the DOJ has determined that the country has effectively shared information with the United States for purposes of preventing, investigating, detecting, or prosecuting crimes and has appropriate privacy protections for that information;
  • the country permits the transfer of personal data for commercial purposes between the country and the United States; and
  • the DOJ has certified that the country’s policies regarding the transfer of personal data for commercial purposes do not materially impede US national security interests.

A country’s designation may be revoked if the country ceases to meet these requirements or impedes a private entity or person’s transfer of information to the United States for purposes of reporting or preventing crimes.

The DOJ cannot designate a US agency “without the concurrence of the head of the relevant agency.” An agency may be designated only if (1) the DOJ determines that the information exchanged by the agency was pursuant to an agreement between a foreign country and the United States that includes appropriate privacy protections for information shared for purposes of preventing, investigating, detecting, or prosecuting crimes or (2) the DOJ determines that designating the agency is in the United States’ law enforcement interests.

The Act’s remedies are exclusive, and the US District Court for the District of Columbia has exclusive jurisdiction over claims that arise under the Act.

IMPACT

The Act’s passage is crucially important to restoring trust and facilitating commerce between the United States and its allies, continued cooperation between US and foreign law enforcement, and implementation of two data-sharing agreements between the European Union and United States that will improve transatlantic business, privacy, and national security.

In signing the law, US President Barack Obama said, "[w]e take our privacy seriously. And along with our commitment to innovation, that's one of the reasons that global companies and entrepreneurs want to do business here." European Commissioner Věra Jourová praised the Act a "historic achievement in our efforts to restore trust in transatlantic data flows."[6]

The two data-sharing agreements between the European Union and United States work in two ways. First, the Act is a requirement for the Data Protection and Privacy Agreement (the Umbrella Agreement) between the European Union and United States, which establishes a data protection framework for the countries’ law enforcement cooperation and covers personal data exchanged between the European Union and United States for the purpose of preventing, investigating, and prosecuting crimes, including terrorism. The Umbrella Agreement commits the countries to provide citizens of the other with a civil remedy for the country’s failure to adequately protect personal data. The European Union already gave US citizens such a remedy, and the Act ensures that EU citizens have the same rights.

Second, the Act shows good faith during the finalization of the proposed new EU-US Privacy Shield, details of which were released on February 29, 2016, by the European Commission. The Privacy Shield is of paramount importance to US companies that rely on data transfers with the European Union. The Act’s passage demonstrates that the United States is serious about protecting EU citizens’ privacy.