In an uncharacteristically swift move, the United States Congress passed the Judicial Redress Act (“Act”) on 20 October 2015. The Act proposes to extend safeguards implemented under the Privacy Act 1974, and, if brought into force, would allow non-U.S. citizens to bring civil actions against United States agencies in certain circumstances. To become law, the Act must now be passed by the Senate and signed by the president.
Scope of the right
At first glance, the Act appears to create a significant new right for non-U.S. citizens to bring actions against United States agencies and to obtain civil remedies arising out of the use of personal information. However, on closer reading, important distinctions emerge between the right created by the Act and the rights granted to United States citizens under the Privacy Act of 1974. The key limitations of the right created by the Act are that:
- Actions may only be brought by natural persons residing in a “covered country”. A country or regional economic integration organization (for example, the European Union) may only become “covered” by designation of the attorney general, with the concurrence of the secretary of state, the secretary of the treasury and the secretary of homeland security. One of two things must occur for the designation to be made: (i) the country or regional organization concerned must have entered into an agreement with the United States that provides for appropriate privacy protections for information shared for the purposes of preventing, investigating, detecting or prosecuting criminal offenses; or (ii) the attorney general must determine that the country has effectively shared information with the United States for the above purposes.
- There are two legal grounds on which an action can be brought, but the categories of agencies against which these actions can be brought differ. The first action may be brought against “agencies”, such as the FBI or NSA, only where an agency has “intentionally or wilfully disclosed” an individual’s personal information to a person or agency without that individual’s consent. This prohibition on disclosure is, however, subject to several exceptions, including where disclosure is to another agency “for criminal law enforcement activity where the activity is authorised by law”. The second action may be brought where an agency fails to amend a record or refuses to provide access to a record, and may only be brought against a “designated Federal agency or component”. Such designated federal agencies are determined by the U.S. attorney general with the concurrence of the head of the relevant agency or the agency to which the component belongs.
- The legal bases set out above can be relied on when an action arises in respect of a “covered record”. This term includes several types of information, in particular that related to education, financial transactions, criminal history, etc. However, a record will only qualify as a “covered record” where it has been transferred by a public authority of or private entity within a country which is a “covered country” as outlined above, and is transferred to an agency for the purposes of preventing, investigating, detecting or prosecuting criminal offenses.
How will the Act impact on relations with the European Union?
A key element in the Court of Justice of the European Union’s reasoning in Maximillian Schrems v Data Protection Commissioner (C-362-14) was that once data were transferred to the United States and in the possession of intelligence agencies, data subjects in the EU would have no administrative or judicial means of redress, “enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.”
On the face of it, the Act does appear in some way to address the concerns raised by the CJEU. As outlined above, however, the two causes of action available under the Act are exercisable against different classes of United States agencies, creating a patchwork of legal remedies. Further, there are significant hurdles to overcome and thresholds to meet before an individual could bring an action, and redress is available only in limited circumstance and for narrow classes of data.
There are also practical barriers to individuals exercising their rights. The first is that, given the inherently secretive nature of intelligence services, it is doubtful whether individuals will know that their data is held, and they will therefore be unaware that they have the potential to exercise their rights. Secondly, the rights granted by the Act may only be enforced by individuals with sufficient resources to bring an action in the United States.
Given the limited scope of personal information that falls within the Act, it appears that the rights are premised on countries, regional economic integration organizations, or private entities first transferring data of individuals to the United States in contravention of their own laws. Further, it is unclear whether the Act will apply to data provided by private entities which are based outside of the United States, but which have offices inside the country. It seems doubtful, however, that intelligence services will cease making requests to United States entities for data held by them both within the country and abroad.
In the EU, the fallout from the CJEU’s decision continues to develop. On 20 October, the Irish High Court requested that Ireland’s office of the data protection commissioner investigate whether Facebook Inc. improperly shared personal data with the United States National Security Agency. This development was not surprising, given the CJEU’s ruling.
While the Act has been passed quickly by the United States Congress, it appears to be largely form over substance. It remains to be seen whether the law will have any effect on the on-going negotiations regarding the U.S.-EU Umbrella Agreement or “Safe Harbor 2.0”.