The U.S. and E.U. are one step closer to entering into a new data transfer agreement. On Wednesday President Barack Obama signed into legislation the Judicial Redress Act, giving citizens of certain allied countries, including E.U. countries, recourse in U.S. courts to protect their personal data.
The Act allows foreign citizens to take legal action against some U.S. government agencies if the agency misuses their personal information. The Act would give European citizens procedural privacy protections similar to those available to U.S. citizens under the Privacy Act of 1974 for personal information transferred to the U.S. through international law enforcement channels. Under the Act, a foreign citizen can bring a civil action against an agency that improperly discloses an individual’s personal information without consent. A foreign citizen can also request to review his or her records and to amend inaccurate personal data held by certain U.S. agencies.
The signing of the Act attempts to restore European trust in U.S. privacy laws. E.U. concerns over U.S. treatment of European citizens’ personal data came to a head last October when the European Court of Justice struck down the U.S.-E.U. Safe Harbor framework. Ever since, the U.S. and E.U. have been feverishly negotiating a new data agreement to replace the Safe Harbor framework. Nearly 5,000 U.S. businesses relied on the Safe Harbor mechanism to collect and transfer data of E.U. residents into the U.S. In the months that followed the ruling, uncertainty has prevailed with businesses being concerned that individual E.U. countries would levy enforcement actions against U.S. companies.
A few weeks ago U.S. and E.U. officials announced the creation of the “E.U.-U.S. Privacy Shield” as an alternative to the invalidated Safe Harbor framework. The Privacy Shield is not yet a formal agreement, and the European Commission has not confirmed that the Privacy Shield complies with E.U. data protection law.
The Act is the latest step in the path to restore data transfer relations between the U.S. and E.U. Passage of the Act is a stated requirement of the E.U. – U.S. Data Protection Umbrella Agreement, which will put in place a framework for E.U.-U.S. law enforcement cooperation. The Act also addresses several key privacy rights that the E.U. has criticized the U.S. for not adequately protecting in the past, which may help alleviate the concerns that led to the Safe Harbor’s invalidation in the first place and increase the likelihood of the success of the Privacy Shield.
While the passage of the Act is an important step in restoring European trust and showing U.S. commitment to respecting the privacy of European citizens, there are still a number of big hurdles ahead. U.S. businesses conducting transatlantic data transfers are still operating in an unstable legal framework. Womble Carlyle will keep you apprised of all developments relating to the negotiations between the E.U. and U.S. for a new data transfer regime.
To learn more about the announcement of the Privacy Shield and the invalidation of the Safe Harbor, please see our earlier Client Alerts: US Safe Harbor Not Safe from EU Court Ruling (October 2015) and US and EU Reach a Deal to Save Safe Harbor (February 2016).