News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | The Judicial Redress Act: A Path To Nowhere Related reading: Tech Firms Support Judicial Redress Act

rss_feed

Congress is presently deliberating enactment of the Judicial Redress Act (JRA), intended to soothe European Union (EU) concerns about the absence of redress for EU member state citizens whose privacy rights may be violated by the U.S. government in general, and by NSA surveillance in particular. But the JRA is deficient for this purpose because it would provide Europeans with no more than the rights presently available to US citizens under the Privacy Act, whereas for the conduct that most concerns the EU—collection of surveillance information—the Privacy Act provides minimal if any rights to U.S. citizens. 

Why this matters

The EU views the JRA as a crucial ingredient of two works in progress. The first is successor to the Safe Harbor arrangement. Under Safe Harbor, personal data was lawfully exported from the EU to thousands of U.S. importers who certified to the Safe Harbor Principles. Safe Harbor was a major lawful conduit for personal data from the EU, with its restrictive data export laws, to the US. But EU approval for the Safe Harbor arrangement was invalidated on October 6 by the EU’s highest court. That development required EU data exporters and their US importers to scurry around seeking an alternative legal means for transfer of the data—at least unless and until a successor to Safe Harbor is agreed between the U.S. and the EU. 

The basis for invalidation of Safe Harbor was the EU court’s belief that U.S. law was not “adequate,” in particular, because Europeans lacked a right of redress in the U.S. for violations of their data protection rights by National Security Agency (NSA) surveillance. According to the court, this lack of redress violated the data protection provisions of the Charter of Fundamental Rights of the EU, a document having constitutional status, thereby requiring invalidation of Safe Harbor. The EU and the U.S. are presently negotiating an agreement that, if concluded, will replace the Safe Harbor arrangement. But the EU has indicated that such an arrangement cannot be concluded absent a right of redress for Europeans whose data protection rights are violated in the U.S., especially in connection with NSA surveillance.

The second work in progress for which the JRA is perceived as necessary is the “Umbrella Agreement” between the U.S. and the EU, intended to cover the transfer of information between their respective law enforcement agencies. The U.S. and the EU recently initialed the Umbrella Agreement. But before it can be executed and become effective, Europeans must be afforded a right of redress under U.S. law for violations of their privacy rights.

Thus, a significant EU concern and demand in relation to both the Safe Harbor successor and the Umbrella Agreement, and a sine qua non for their conclusion, is redress for Europeans in relation to U.S. national security surveillance. The proposed vehicle for satisfying this demand is the JRA, which would give Europeans the right to bring civil actions for certain violations of the Privacy Act. But whatever the rights that may be afforded by the JRA in connection with traditional law enforcement, in its present form the JRA would not provide Europeans with effective redress as to NSA surveillance—which is precisely the conduct that has caused most of the recent EU concern about a need for redress.

The JRA

The JRA has not yet been enacted; H.R. 1428 was passed by the House on October 20, and S.1600 is in committee. Accordingly, the content of this legislation may change before any enactment. In its present form, the JRA permits the Attorney General to designate “covered countries,” which would presumably include the 28 EU member states. For certain violations of the Privacy Act, citizens of covered countries would be permitted to bring civil actions against U.S. federal agencies and obtain civil remedies “in the same manner and to the same extent and subject to the same limitations, including exemptions and exceptions,” as U.S. citizens.

The Privacy Act

The Privacy Act of 1974 (5 USC §552a) is the primary US statute imposing privacy obligations on the federal government. That statute requires federal departments and agencies to comply with certain privacy obligations regarding the personal information of “U.S. persons” (US citizens and lawful permanent aliens), including a duty to provide them with a right to access information about themselves, to correct incorrect information and to restrict disclosure. Many in the EU seem to believe that if Europeans have rights similar to those afforded U.S. citizens under the Privacy Act, concern about the perceived inadequacy of U.S. privacy law may be abated.

As presently drafted, the JRA would give Europeans at best the same rights that U.S. citizens have under the Privacy Act (and perhaps not that). But in concentrating on providing equal rights, rather than providing specific enumerated rights, the JRA is chasing a mirage, because the rights of US citizens under the Privacy Act, especially in connection with information relating to national security, are minimal. Thus, in pursuing enactment of the JRA, as presently drafted, as a panacea for obtaining rights of redress, the EU has taken its eye off the ball. There are several reasons why the draft JRA will not provide the data protection rights the EU wants for Europeans.

No right to restrict collection under the Privacy Act

The aspect of NSA surveillance that most troubles the EU is the massive nature of NSA collection. It is difficult to see how affording Privacy Act rights to Europeans would give them rights to restrict collection, as the Privacy Act focuses on rights regarding access to one’s own information, and rectification and disclosure of same—but not collection.

The Privacy Act exemption

By its terms, the JRA would not give Europeans Privacy Act rights greater than those of U.S. citizens. But the Privacy Act permits any agency head to exempt that agency’s records from many of the Privacy Act’s requirements, including any requirement to provide the data subject with a right of access or a right of correction, if any of seven enumerated exemptions applies. And the very first of these exemptions is for “matters that are  ... (A) specifically authorized under criteria established by Executive order to be kept secret in the interest of national defense or foreign policy and (B) are in fact properly classified pursuant to such Executive order.” NSA surveillance fits nicely into that exemption. 

Thus, so long as the head of the NSA invokes the right to the exemption, the Privacy Act provides U.S. citizens with no right of access to or correction of information relating to NSA surveillance. That precludes the acquisition of any such rights by Europeans under the JRA. And just to make sure, the JRA contains another pertinent restriction: “Nothing in this section shall be construed to … require the disclosure of classified information.”  In giving Europeans the same rights to privacy vis-à-vis NSA surveillance as U.S. citizens have, the U.S. would be giving away the sleeves out of its vest—if any such rights exist, they are quite narrow.

Insufficient Privacy Act sanctions

Available remedies for violation of the Privacy Act are not as potent as many in the EU may believe. There are three potential remedies for a Privacy Act violation: a civil action, a criminal action and a disciplinary proceeding against an offending federal employee (this last remedy is not set forth in the Privacy Act itself). A civil action may result in an order directing the agency to comply with the statute, and that is a positive event—if there were a provision important to the EU that was not within the national security exemption noted above. And in any event, damages in such a civil action are available only for intentional or willful conduct, and then only if plaintiff can show actual damages. Thus, even if there were a violation of an important provision, it would be difficult to recover damages. 

The criminal remedy is not expressly made available to Europeans by the JRA, which states that the civil remedy provided is the exclusive remedy for a non-U.S. person. And even if a criminal action were available for a violation involving the information of a non-U.S. person, the Privacy Act provides that a criminal action is available only against a federal employee who willfully (i) discloses information whose disclosure she or he knows is prohibited, (ii) maintains a system of records without giving the required notice or (iii) and knowingly requests a record under false pretenses. This provision has a rather narrow ambit and, again, willfulness may be quite problematic to show in such circumstances. Moreover, it may be quite difficult to induce a prosecutor to bring such a criminal action—prosecutors seem to be busy enough bringing actions for conduct directed at US citizens, thank you—and, even if the employee were convicted, it would not make the data subject whole. Likewise, a data subject’s chances of getting the government to bring a disciplinary action against an offending agency employee (even if such were permitted in the case of information of a non-U.S. person) is hardly a sure-fire event and, even a successful disciplinary action would not make the data subject whole.

The JRA loophole

By its terms, the JRA applies only to a “designated Federal agency or component.” The Attorney General makes the designations, but is not authorized to do so “without the concurrence of the head of the relevant agency.” So unless the head of NSA concurs, NSA will not be a designated agency, and the JRA will not apply to it. Likewise with regard to any other US intelligence agency.

The conclusion of a critical commercial data transfer arrangement (the Safe Harbor successor) and an important law enforcement data transfer agreement (the Umbrella Agreement) will depend on the establishment of adequate redress rights for Europeans under the Privacy Act. But whatever rights the JRA, as presently composed, would provide in connection with standard law enforcement information, it would not give the EU what it seeks regarding U.S. government collection and processing of surveillance information.  To satisfy its concerns about NSA surveillance, what the EU actually needs are rights significantly superior to those that US citizens have under the Privacy Act. 

And that may be a tough sell.

photo credit: Berlaymont via photopin (license)

Author
Headshot David Bender IAPP Member Contributor
Tags
Europe
U.S.
2 Comments

If you want to comment on this post, you need to login.

  • comment John Kropf • Dec 17, 2015 
    David,
Useful insights and well written.
  • comment Stuart Ritchie • Dec 17, 2015 
    Interesting and thoughtful discussion. I can appreciate the political difficulties in giving EU citizens greater rights than US citizens against the US government, failing which it can achieve nothing. But in a way even that misses the point, as the EU (Schrems aside) actually seems more concerned about private remedy, as demonstrated (just the most spectacular example) by the recent judicial creation of a new English international privacy tort against a US company. Even under Safe Harbor the FTC as a public regulator (through no fault of its own) provided absolutely no comfort to EU citizens in private remedy. Ironies abound, and not merely because most private EU privacy law came from the USA via the FIPPS authored by the FTC, prophets without honor in their own country...
Related Stories
Tech Firms Support Judicial Redress Act
U.S. technology companies “are lining up” to support the Judicial Redress Act, Tech Crunch reports. The House bill “would allow non-U.S. citizens to seek records U.S. agencies have collected and pursue legal action when such records are disclosed,” the report states, noting it would apply to citizen...
Read More queue Save This
House Committee Approves Judicial Redress Act
Inching a step closer toward a major law enforcement agreement with the European Union, the U.S. House Judiciary Committee approved a bill that would give European citizens a right to sue in U.S. courts if their personal data is misused, The Hill reports. A major component of the EU-U.S. Umbrella Ag...
Read More queue Save This
Related Stories
Tags
Europe
U.S.
Recent Comments