Congress is presently deliberating enactment of the Judicial Redress Act (JRA), intended to soothe European Union (EU) concerns about the absence of redress for EU member state citizens whose privacy rights may be violated by the U.S. government in general, and by NSA surveillance in particular. But the JRA is deficient for this purpose because it would provide Europeans with no more than the rights presently available to US citizens under the Privacy Act, whereas for the conduct that most concerns the EU—collection of surveillance information—the Privacy Act provides minimal if any rights to U.S. citizens.
Why this matters
The EU views the JRA as a crucial ingredient of two works in progress. The first is successor to the Safe Harbor arrangement. Under Safe Harbor, personal data was lawfully exported from the EU to thousands of U.S. importers who certified to the Safe Harbor Principles. Safe Harbor was a major lawful conduit for personal data from the EU, with its restrictive data export laws, to the US. But EU approval for the Safe Harbor arrangement was invalidated on October 6 by the EU’s highest court. That development required EU data exporters and their US importers to scurry around seeking an alternative legal means for transfer of the data—at least unless and until a successor to Safe Harbor is agreed between the U.S. and the EU.
The basis for invalidation of Safe Harbor was the EU court’s belief that U.S. law was not “adequate,” in particular, because Europeans lacked a right of redress in the U.S. for violations of their data protection rights by National Security Agency (NSA) surveillance. According to the court, this lack of redress violated the data protection provisions of the Charter of Fundamental Rights of the EU, a document having constitutional status, thereby requiring invalidation of Safe Harbor. The EU and the U.S. are presently negotiating an agreement that, if concluded, will replace the Safe Harbor arrangement. But the EU has indicated that such an arrangement cannot be concluded absent a right of redress for Europeans whose data protection rights are violated in the U.S., especially in connection with NSA surveillance.
The second work in progress for which the JRA is perceived as necessary is the “Umbrella Agreement” between the U.S. and the EU, intended to cover the transfer of information between their respective law enforcement agencies. The U.S. and the EU recently initialed the Umbrella Agreement. But before it can be executed and become effective, Europeans must be afforded a right of redress under U.S. law for violations of their privacy rights.
Thus, a significant EU concern and demand in relation to both the Safe Harbor successor and the Umbrella Agreement, and a sine qua non for their conclusion, is redress for Europeans in relation to U.S. national security surveillance. The proposed vehicle for satisfying this demand is the JRA, which would give Europeans the right to bring civil actions for certain violations of the Privacy Act. But whatever the rights that may be afforded by the JRA in connection with traditional law enforcement, in its present form the JRA would not provide Europeans with effective redress as to NSA surveillance—which is precisely the conduct that has caused most of the recent EU concern about a need for redress.
The JRA has not yet been enacted; H.R. 1428 was passed by the House on October 20, and S.1600 is in committee. Accordingly, the content of this legislation may change before any enactment. In its present form, the JRA permits the Attorney General to designate “covered countries,” which would presumably include the 28 EU member states. For certain violations of the Privacy Act, citizens of covered countries would be permitted to bring civil actions against U.S. federal agencies and obtain civil remedies “in the same manner and to the same extent and subject to the same limitations, including exemptions and exceptions,” as U.S. citizens.
The Privacy Act
The Privacy Act of 1974 (5 USC §552a) is the primary US statute imposing privacy obligations on the federal government. That statute requires federal departments and agencies to comply with certain privacy obligations regarding the personal information of “U.S. persons” (US citizens and lawful permanent aliens), including a duty to provide them with a right to access information about themselves, to correct incorrect information and to restrict disclosure. Many in the EU seem to believe that if Europeans have rights similar to those afforded U.S. citizens under the Privacy Act, concern about the perceived inadequacy of U.S. privacy law may be abated.
As presently drafted, the JRA would give Europeans at best the same rights that U.S. citizens have under the Privacy Act (and perhaps not that). But in concentrating on providing equal rights, rather than providing specific enumerated rights, the JRA is chasing a mirage, because the rights of US citizens under the Privacy Act, especially in connection with information relating to national security, are minimal. Thus, in pursuing enactment of the JRA, as presently drafted, as a panacea for obtaining rights of redress, the EU has taken its eye off the ball. There are several reasons why the draft JRA will not provide the data protection rights the EU wants for Europeans.
No right to restrict collection under the Privacy Act
The aspect of NSA surveillance that most troubles the EU is the massive nature of NSA collection. It is difficult to see how affording Privacy Act rights to Europeans would give them rights to restrict collection, as the Privacy Act focuses on rights regarding access to one’s own information, and rectification and disclosure of same—but not collection.
The Privacy Act exemption
By its terms, the JRA would not give Europeans Privacy Act rights greater than those of U.S. citizens. But the Privacy Act permits any agency head to exempt that agency’s records from many of the Privacy Act’s requirements, including any requirement to provide the data subject with a right of access or a right of correction, if any of seven enumerated exemptions applies. And the very first of these exemptions is for “matters that are ... (A) specifically authorized under criteria established by Executive order to be kept secret in the interest of national defense or foreign policy and (B) are in fact properly classified pursuant to such Executive order.” NSA surveillance fits nicely into that exemption.
Thus, so long as the head of the NSA invokes the right to the exemption, the Privacy Act provides U.S. citizens with no right of access to or correction of information relating to NSA surveillance. That precludes the acquisition of any such rights by Europeans under the JRA. And just to make sure, the JRA contains another pertinent restriction: “Nothing in this section shall be construed to … require the disclosure of classified information.” In giving Europeans the same rights to privacy vis-à-vis NSA surveillance as U.S. citizens have, the U.S. would be giving away the sleeves out of its vest—if any such rights exist, they are quite narrow.
Insufficient Privacy Act sanctions
Available remedies for violation of the Privacy Act are not as potent as many in the EU may believe. There are three potential remedies for a Privacy Act violation: a civil action, a criminal action and a disciplinary proceeding against an offending federal employee (this last remedy is not set forth in the Privacy Act itself). A civil action may result in an order directing the agency to comply with the statute, and that is a positive event—if there were a provision important to the EU that was not within the national security exemption noted above. And in any event, damages in such a civil action are available only for intentional or willful conduct, and then only if plaintiff can show actual damages. Thus, even if there were a violation of an important provision, it would be difficult to recover damages.
The criminal remedy is not expressly made available to Europeans by the JRA, which states that the civil remedy provided is the exclusive remedy for a non-U.S. person. And even if a criminal action were available for a violation involving the information of a non-U.S. person, the Privacy Act provides that a criminal action is available only against a federal employee who willfully (i) discloses information whose disclosure she or he knows is prohibited, (ii) maintains a system of records without giving the required notice or (iii) and knowingly requests a record under false pretenses. This provision has a rather narrow ambit and, again, willfulness may be quite problematic to show in such circumstances. Moreover, it may be quite difficult to induce a prosecutor to bring such a criminal action—prosecutors seem to be busy enough bringing actions for conduct directed at US citizens, thank you—and, even if the employee were convicted, it would not make the data subject whole. Likewise, a data subject’s chances of getting the government to bring a disciplinary action against an offending agency employee (even if such were permitted in the case of information of a non-U.S. person) is hardly a sure-fire event and, even a successful disciplinary action would not make the data subject whole.
The JRA loophole
By its terms, the JRA applies only to a “designated Federal agency or component.” The Attorney General makes the designations, but is not authorized to do so “without the concurrence of the head of the relevant agency.” So unless the head of NSA concurs, NSA will not be a designated agency, and the JRA will not apply to it. Likewise with regard to any other US intelligence agency.
The conclusion of a critical commercial data transfer arrangement (the Safe Harbor successor) and an important law enforcement data transfer agreement (the Umbrella Agreement) will depend on the establishment of adequate redress rights for Europeans under the Privacy Act. But whatever rights the JRA, as presently composed, would provide in connection with standard law enforcement information, it would not give the EU what it seeks regarding U.S. government collection and processing of surveillance information. To satisfy its concerns about NSA surveillance, what the EU actually needs are rights significantly superior to those that US citizens have under the Privacy Act.
And that may be a tough sell.
If you want to comment on this post, you need to login.