President Barack Obama signed the Judicial Redress Act on Wednesday, February 24, 2016, which will eventually enable European Union citizens to seek remedies for alleged privacy violations by the federal government in U.S. courts. The Act gives the U.S. Department of Justice (DOJ) authority to designate countries or international organizations that (1) have appropriate privacy protections for sharing information with the U.S., (2) permit the sharing of personal data for commercial purposes with the U.S., and (3) have DOJ-certified data transfer policies that do not impede U.S. national security interests. EU citizens (and citizens of other countries/organizations designated in the future by DOJ) will be able to seek remedies under the Privacy Act against certain U.S. agencies for the mishandling of personal information in criminal or terror investigations, including for the improper disclosure of their data. Potential remedies include injunctive relief and monetary damages.
The passage of this Act is a key element of the recently announced EU–U.S. Privacy Shield (more here), the successor agreement to the U.S.–EU Safe Harbor Agreement. (The Act’s passage also allows negotiations to move forward on the “umbrella agreement”—the Data Protection and Privacy Agreement (DPPA)—concerning the privacy of personal information exchanged for law enforcement purposes.) Safe Harbor, which dates from the Clinton Administration in 2000, was an agreement to allow the transfer of data from the EU (where privacy is a fundamental right) to the U.S. (a country that does not have a legal privacy regime deemed “adequate” under EU law to protect privacy) so long as businesses agreed to abide by European privacy practices and requirements. The Safe Harbor, however, from the outset, was attacked by some, and in the intervening years a number of things combined to cast the Safe Harbor in doubt. The sheer increase in the volume of data transfers by commercial entities is a global phenomenon, but the perception that “big data” was increasingly concentrated in the hands of American businesses—from retailers and news organizations to social media—led to a growing distrust about data protection practices. (Some U.S. businesses believe there is a competitive side to the privacy focus as the EU seeks to work on the Digital Single Market.) Some data protection authorities (notably in Germany) began taking aim at the Safe Harbor, preferring contractual instruments, binding corporate rules, or simply local processing. Then came Edward Snowden’s revelations of widespread data surveillance by U.S. government agencies, sometimes by tapping into the data that was transferred to the U.S.
Finally, in summer 2016, the tipping point for the Safe Harbor came when the European Court of Justice (ECJ) concluded that Member State’s data protection authorities (DPAs) could not be restrained by a European Commission decision recognizing the U.S.–EU Safe Harbor Agreement from exercising their own independent judgment about protecting their citizens’ privacy rights (see related post here). Since then, data transfers under the Safe Harbor have been in purgatory, waiting for a resolution by governments to allow them to send data across the Atlantic without encumbrance.
The Privacy Shield is meant to be that resolution. It still must be approved by a variety of EU bodies before being finalized, and was predicated on a number of concessions by the U.S. government, including giving EU citizens the right to sue in U.S. courts. The Judicial Redress Act fulfills that American promise, going part of the way to reassure EU citizens who heard, in the wake of the Snowden revelations, that Americans did not have to worry about surveillance because it was only being done to foreigners. It remains to be seen whether all of the United States’ promises as part of the Privacy Shield negotiations will be enough to convince individual countries in the EU to approve the new pact and allow this additional tool to be used to satisfy adequacy requirements to support data transfers.