President Obama signed the U.S. Judicial Redress Act (JRA) into law on 24 February 2016, giving European citizens the same right as U.S. citizens to bring actions against the U.S. government if their personal data are misused.
While the JRA is not a formal prerequisite to finalizing the EU-U.S. Privacy Shield transatlantic data-sharing framework, it’s considered to be a key step in this direction – which means it’s highly relevant for businesses with transatlantic data-sharing needs, such as many pharmaceutical and medical device companies.
The JRA signing is the final step needed for the conclusion of the “Umbrella Agreement” on EU-U.S. law enforcement data-sharing, which will govern all personal data exchanged between the EU and the United States for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. The agreement will also provide safeguards and guarantees of lawfulness for data transfers, strengthening fundamental rights and helping to restore trust.
The Umbrella Agreement itself does not provide a legal basis for data transfers to the United States. However, individuals’ rights of redress played an important role in the downfall of the Safe Harbor transatlantic data-sharing framework, the EU-U.S. Privacy Shield’s predecessor, last October in Maximillian Schrems v Data Protection Commissioner. Failure to ensure such rights could have set up the EU-U.S. Privacy Shield for a similar fate.
The JRA comes into force 90 days after its signing, and paves the way to the formal signing of the Umbrella Agreement. For more information, read our recent Client Alert, “Passage of the U.S. Redress Act Raises Confidence in Privacy Protection for Transatlantic Data Flows.”