On 20 October 2015, the U.S. House of Representatives unanimously passed the Judicial Redress Act (the "Act") which now awaits approval by the U.S. Senate. The Act is a critical piece in rebuilding the EU/U.S. data transfer puzzle, which broke into pieces last month when the European Union Court of Justice (the "CJEU") ruled the European Commission Safe Harbor decision invalid.
What Is the Act About?
Currently, individuals that are not U.S. citizens or permanent residents have no right to seek judicial redress in the U.S. under the Privacy Act of 1974 (the "Privacy Act"). The Act (if adopted) seeks to address this perceived gap in privacy protection by extending to certain foreign nationals certain privacy rights which U.S. citizens and permanent residents currently enjoy under the Privacy Act. In essence, the Act will confer upon citizens of designated countries certain rights to sue U.S. government agencies in U.S. courts in order to access, amend or correct certain records that U.S. agencies may be keeping about them or to seek redress for the unlawful disclosure of those records.
Once enacted, the Act would not automatically confer rights to EU citizens. Rather, the Attorney General would first need to designate the EU member states as "covered countries," which would likely follow the implementation of the so-called "Umbrella Agreement," which is detailed below.
How Is The Act Relevant To The Umbrella Agreement?
The passage of the Act has long been a prerequisite for concluding the Umbrella Agreement, which has been in negotiation for some time between the European Commission and the U.S. Government. The Umbrella Agreement is a framework intended to protect personal data shared between EU and U.S. law enforcement authorities for the purposes of preventing, detecting, investigating and prosecuting criminal offences. While negotiations are taking place behind closed doors, the Umbrella Agreement is expected to set out a number of privacy protections similar to the fair information practice principles for personal data shared between EU and U.S. law enforcement authorities. For example, it will likely include limitations for using, transferring and retaining such data as well as data breach notification obligations. The Act provides a mechanism for data subjects to enforce certain of those obligations.
How Is The Act Relevant to EU/U.S. Transfers in General?
The Act, in conjunction with the Umbrella Agreement, will also play an important role in the ongoing Safe Harbor 2.0 negotiations and EU/U.S. data transfers more generally. As noted above, last month, the CJEU invalidated the European Commission decision finding the original Safe Harbor Framework to be adequate. While not ruling specifically on the surveillance laws and data protections in place in the US (as that information was not in the record before the court), the CJEU ruled that, as a procedural matter, the European Commission did not incorporate sufficient data protections into the Safe Harbor decision on issues related to national security and other surveillance issues. In particular, the CJEU noted that the Safe Harbor decision does not guarantee that EU data subjects will have adequate rights of redress regarding their personal data in the context of government surveillance activities.
While the Act does not protect personal data transferred from the EU to the U.S. from access by U.S. intelligence authorities, it will provide EU data subjects the same rights under the Privacy Act as those afforded to US citizens and permanent residents. This would help address a key concern of the CJEU and is therefore an important step in advancing a legal solution for data transfers between the U.S. and EU.