The Judicial Redress Act – A Step Closer Toward the Privacy Shield?
On February 24, 2016, President Obama signed the Judicial Redress Act (the Act) into law, which may be a step closer toward the implementation of the EU-US Privacy Shield.
As previously reported in our alert, “European Commission Announces Forthcoming EU-US Privacy Shield Agreement,” the Privacy Shield is intended to replace the now-defunct Safe Harbor rules for transatlantic transfers of data from the European Union to the United States. Although exact details regarding the framework of the Privacy Shield have not yet been disclosed, it is understood to incorporate three key elements: (1) stronger obligations on US companies to protect and secure personal information collected from EU citizens, (2) assurances from the US that “clear safeguards and transparency obligations” will be in place to mitigate the US government’s ability to access transferred personal information of EU citizens, and (3) recourse for EU citizens should they believe that their personal information has been improperly disclosed. The Judicial Redress Act addresses the third element.
The Act allows foreign citizens in “covered countries” to sue the United States, under the terms of the Privacy Act, for unlawful disclosure of personal information transferred from a foreign country. Previously, only US citizens and legal residents could bring claims against the federal government for unauthorized disclosure of their personal information. The right to redress is subject to the same restrictions US citizens face under the Privacy Act, including broad exemptions for national security.
Under the new law, citizens of “covered countries” may bring a civil action against federal agencies that intentionally or willfully violate conditions for disclosing records without the consent of the individual to whom the record pertains. The legislation also provides the opportunity to sue federal agencies designated by the Department of Justice (DOJ), with the concurrence of the agency, that refuse an individual’s request to review or amend his or her records.
The legislation features the expanded definition of “covered country” added by the US Senate. Under the Act, the DOJ, with concurrence of the Department of State, the Department of the Treasury, and the Department of Homeland Security, may designate countries or organizations whose citizens may pursue such civil remedies if the person’s country or organization:
- Has appropriate privacy protections for sharing information with the United States, as provided for in an agreement with the United States or as determined by DOJ;
- Permits the transfer of personal data for commercial purposes between its territory and the United States; and
- Has DOJ-certified data transfer policies that do not impede U.S. national security interests.
A country's designation as a “covered country” may be revoked.
WHERE DO WE GO FROM HERE?
The Judicial Redress Act will be seen by some as a critical step toward implementation and approval of the EU-US Privacy Shield. One day after its passage, Commissioner Věra Jourová of the European Commission said in a statement that she welcomed the enactment of the Judicial Redress Act and praised the Act as a “historic achievement.” She also noted that the Act “will pave the way for the signature of the EU-US Data Protection Umbrella Agreement.”
The Judicial Redress Act undoubtedly is a positive development for the future of the EU-US Privacy Shield. Other developments, such as the Federal Trade Commission’s signal that it would “robustly enforce” the Privacy Shield, also are noteworthy. However, critical details about the Privacy Shield still need to be disclosed. In particular, the Article 29 Working Party has requested complete disclosure of its framework before providing full judgment. A challenge of the Privacy Shield before the European Court of Justice, the same court that struck down the Safe Harbor, also is foreseeable.
White and Williams LLP will continue to monitor developments on the EU-US Privacy Shield and provide updates as more information becomes available. For questions, please contact Joshua Mooney (email@example.com; 215.864.6345), Laura Schmidt (firstname.lastname@example.org; 215.864.6333) or another member of our Cyber Law and Data Protection Group.