House Passes Judicial Redress Bill to Extend U.S. Privacy Rights to EU Citizens
On October 20, 2015, the U.S. House of Representatives passed the Judicial Redress Act (JRA) (H.R. 1428)—an important step in extending some privacy rights and remedies available to U.S. persons to EU citizens. The bill now moves to the U.S. Senate, where it currently is pending as an amendment to the Cybersecurity Information Sharing Act (CISA) (S. 754). If enacted, the JRA would give certain foreign nationals the right to sue some U.S. government agencies in U.S. courts in order to access, amend, or correct certain records the agencies may be keeping about them or to seek redress for the unlawful disclosure of those records. The legislation is a prerequisite for a data sharing “Umbrella Agreement” that U.S. and EU negotiators agreed to last month.
The Judicial Redress Act
By its terms, the JRA would allow citizens of “covered countries” to bring civil actions in the U.S. under the Privacy Act of 1974 (Privacy Act). The Privacy Act sets forth certain data protection mandates that federal agencies must abide by when handling individuals’ data. These requirements track those found in the Fair Information Practice Principles (FIPPs) and include: allowing individuals to access, review, and request correction of information an agency collects on them; limiting who can access someone’s data without their consent; and providing for civil and criminal penalties if an agency violates the Act.
Currently, the Privacy Act applies only to U.S. citizens and permanent residents. The JRA would extend certain, but not all, protections in the Privacy Act to data shared by “covered countries” with U.S. law enforcement agencies for the purpose of investigating, detecting, or prosecuting criminal offenses, including data shared under the Umbrella Agreement. In effect, it would afford certain foreign nationals access to civil remedies for violations of those protections and access to courts in which those remedies can be pursued.
A number of limitations and exceptions are built into the JRA. As a preliminary matter, the JRA does not extend to much of the classified data collected by U.S. intelligence agencies. In addition, the JRA does not cover data pertaining to non-U.S. persons that U.S. agencies collect on their own, even if for the purpose of investigating and prosecuting crimes. It also does not apply to data shared for purposes other than law enforcement (including records shared for intelligence purposes). Finally, it does not apply to agencies that are not involved in law enforcement.
Although the primary aim of the JRA is to extend privacy rights and remedies available to U.S. persons to EU citizens, the bill applies to “covered countries” that either (i) have an agreement in place with the U.S. outlining “appropriate” privacy protections for data shared for criminal cases—such as the Umbrella Agreement—or (ii) “effectively share” information with the U.S. for the purpose of preventing, investigating, detecting, or prosecuting crimes. As such, it is possible that the U.S. government could extend Privacy Act rights to citizens of non-EU countries in the future. Pursuant to the JRA, the Attorney General could remove a country from the list of “covered countries” if the country does not comply with the relevant data sharing agreement, stops sharing data with the U.S., or otherwise “impedes the transfer of information…to the United States by private entity or person.”
The EU-U.S. Umbrella Agreement
Adoption of the JRA in the U.S. is a prerequisite to the formal conclusion of the pending EU-U.S. Umbrella Agreement. The Umbrella Agreement is meant to be “a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation.” Representatives from the U.S. government and the European Commission agreed to a draft agreement on September 8, 2015. However, the agreement cannot go into effect until the JRA becomes law in the U.S.
The Umbrella Agreement covers all personal data, such as names, addresses, and criminal records, shared between the EU and U.S. law enforcement authorities for the purpose of preventing, detecting, investigating, and prosecuting criminal offenses. However, the Umbrella Agreement does not apply to personal data shared with national security agencies. For personal data that falls under its scope, the Umbrella Agreement sets forth a number of privacy protections. These include limitations on data use, data retention periods, prohibitions on further transfers of the data without the prior consent of the competent authority of the country which originally transferred the data, individuals’ right to access and correct the data, and notification of data breaches. The Umbrella Agreement also prohibits the use of the personal data for incompatible purposes.
The House’s action is an important step in restoring public confidence in transatlantic data flows, particularly after the recent invalidation of the EU-U.S. Safe Harbor by the EU Court of Justice. U.S. citizens already have the right to seek judicial redress in the EU if their data transferred for law enforcement purposes is misused by EU law enforcement authorities. EU citizens, however, currently do not have reciprocal rights in the U.S. The JRA addresses that gap and paves the way forward for implementation of the Umbrella Agreement. By addressing a significant concern of EU regulators, adoption of the JRA also could open the door for a Safe Harbor replacement.