On February 24, 2016, President Obama signed the Judicial Redress Act of 2015, and the United States took a major step toward formalizing the EU-U.S. Privacy Shield.
Negotiators for the United States and European Union Commission recently announced the EU-U.S. Privacy Shield, which is the new data transfer framework replacing the Safe Harbor Program. The new framework has not yet been formalized, but in signing the Judicial Redress Act, President Obama and the United States took a major step toward doing so.
A main focus of the EU-U.S. Privacy Shield is protecting the privacy rights of EU citizens and providing some avenue for legal redress against the United States. The Judicial Redress Act accomplishes legal redress by allowing citizens of certain foreign countries to sue the federal government under very specific circumstances for alleged privacy violations. Importantly, the Act does not relate to or otherwise allow for such lawsuits against U.S. companies, businesses or entities. It applies only to the federal government.
The overarching purpose of the Act is to give citizens of certain foreign countries similar rights to those enjoyed by U.S. citizens under the 1970's Privacy Act. A U.S. citizen's ability to access or correct data maintained by the federal government comes from the Privacy Act. It is no secret the federal government collects data on virtually everyone. The IRS, for example, has wage and tax information, and if you have ever applied for a passport, the State Department has your photograph. In the '60s and early '70s, the federal government freely shared this data with private third-parties, such as insurance companies, advertisers and banks. For obvious reasons, the public opposed this practice, and Congress eventually passed the Privacy Act. The Privacy Act forbids certain federal agencies from disclosing an individual's data to anyone, including other federal agencies. Of course, there are exceptions to this prohibition; with the law enforcement exception being the most well-known.
The Privacy Act (like other federal laws, such as the Freedom of Information Act) allows U.S. citizens to request their data from a federal agency. To facilitate this, the Act requires a federal agency to publically identify and name any recordkeeping system storing an individual's data. The Privacy Act further allows U.S. citizens to sue the federal government if a federal agency: (i) unlawfully discloses their data; (ii) refuses to amend or correct their data; or (iii) collects data specifically excluded from the Act (such as data "describing how an individual exercises rights guaranteed by the First Amendment").
The Privacy Act applies only to U.S. citizens (and permanent U.S. residents). The Judicial Redress Act changes this, and when signed into law, citizens of certain foreign countries will enjoy similar rights to those enjoyed by U.S. citizens under the Privacy Act. This is key to finalizing the EU-U.S. Privacy Shield. Also key to finalizing the EU-U.S. Privacy Shield is legal redress. Under the Judicial Redress Act, citizens of certain foreign countries can sue the federal government for: (i) unlawfully disclosing their data; and/or (ii) refusing to amend or correct their data. Notably, such lawsuits are subject to the same restrictions as those brought by U.S. citizens under the Privacy Act. Nothing in the Judicial Redress Act allows or otherwise empowers a foreign citizen to sue a U.S. company, business or entity.
President Obama's signing of the Judicial Redress Act takes the U.S. and EU one important step closer to finalizing the EU-U.S. Privacy Shield. Once finalized, routine data exchanges between the U.S. and EU will hopefully return to normal. For more information on precautions and other steps your company should take in the meantime, please contact the author of this alert, Zachary Busey, or any members of the Firm's Privacy and Information Security Team.