Executive Summary
The U.S. Judicial Redress Act has been signed into law by President Obama. The move marks an important step in data transfer relations between the EU and the United States, gives the green light to the EU-U.S. law enforcement data Umbrella Agreement and helps to underpin the Privacy Shield.
With all the talk of defunct “harbors”, “umbrellas” and “shields” these days, one might imagine EU-U.S. data exchanges to be more of an unruly deluge than an essential channel for transatlantic trade. What is clear, however, is that President Obama’s signing of the U.S. Judicial Redress Act (“JRA”) into law on 24 February will have a significant impact on future data-sharing arrangements between the EU and the United States, a topic which has dominated privacy headlines over the past months.
The passing of the JRA is highly significant: for the first time European citizens will be entitled to bring actions against the U.S. government if their personal data are misused. But at a more fundamental level, the JRA is important because it was the final step needed for the conclusion of the so-called “Umbrella Agreement” on EU-U.S. law enforcement data sharing. The Umbrella Agreement does not itself provide a legal basis for data transfers to the United States – transfers must still be made in accordance with the existing data protection framework.
Background
Negotiations over the Umbrella Agreement (the “UA”) started in 2009. The UA will govern all personal data (for example, names, addresses, criminal records) exchanged between the EU and the United States for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. In doing so, the UA will provide safeguards and guarantees of lawfulness for data transfers, strengthening fundamental rights, facilitating EU-U.S. law enforcement cooperation and going some way toward restoring trust. The UA will significantly improve the standard of privacy protection above the present, fragmented and non-harmonised environment for transatlantic data sharing between criminal law enforcement authorities.
As a result of the JRA, EU citizens will benefit from equal treatment: for the first time they will have the same judicial redress rights as U.S. citizens in case of privacy breaches. EU President Juncker stated: “The United States must [...] guarantee that all EU citizens have the right to enforce data protection rights in U.S. courts… Removing such discrimination will be essential for restoring trust in transatlantic relations.” As noted above, the primary role of the UA is to establish a high-level framework for facilitating EU and U.S. cooperation for the transfer and processing of personal data in the context of police and criminal judicial proceedings.
To this end, a bill extending the judicial redress provisions in the U.S. Privacy Act 1974 (the “Bill”) was put before U.S. Congress in March 2011. The progress of the Bill was difficult. This meant that the UA was “on ice” for some time because – as EU Justice Commissioner Věra Jourová confirmed – the Umbrella Agreement would not be permitted to come into effect until and unless EU citizens were given the same privacy rights as U.S. citizens – a long-standing demand of the EU.
President Obama’s signing of the JRA on 24 February 2016 was a step of major importance and will lead to the formal signing of the UA. (The JRA will come into force 90 days after presidential signing.)
EU-U.S. Privacy Shield
Although it was not a formal prerequisite, the JRA was also considered to be an important step towards finalising the EU-U.S. Privacy Shield, which replaces the invalidated Safe Harbor agreement. Indeed, the EU released its draft adequacy decision on the Privacy Shield on 29 February 2016, and this specifically references the JRA. Individuals’ rights of redress played an important role in the downfall of Safe Harbor last year. The European Commission’s failure (in its original adequacy decision of 2000 on Safe Harbor) to take into account whether Safe Harbor provided individuals an opportunity to pursue legal remedies was one of the reasons for the invalidity finding by the CJEU last October (Maximillian Schrems v Data Protection Commissioner, Case C-362/14, 6 October 2015).
Reactions
EU Justice Minister Jourová has welcomed the JRA, commenting that it “restores trust in transatlantic data flows”. The Act has also been praised by a U.S. Congressman for showing a “commitment to rebuilding trust between allies and demonstrates our nation’s willingness to act in good faith with our European allies to secure open lines of communication between law enforcement agencies”.
What next?
The entry into force of the JRA paves the way to the formal signing of the Umbrella Agreement. The EU Commission will put forward a proposal to representatives of each European Member State to authorise its signing. Approval from the European Parliament is also required.
The Umbrella Agreement and the Privacy Shield are both important data transfer frameworks. The EU Commission notes in its Communication “their success depends in large part on effective enforcement and the respect of the rights accorded to individuals” as well as “continual assessment of their functioning [which] requires a shift in mind set from a static to a more dynamic process”.
In this climate of significant EU data protection reform, it looks clear that organisations are facing (1) more, effective, enforcement, (2) continual assessment and generally (3) a more dynamic regulatory environment.