After a five-year, arduous negotiation spanning two EU Commissions and several changes in negotiation teams, the EU and U.S. completed work on the data protection "Umbrella Agreement" regarding law enforcement data sharing. This agreement will put in place a comprehensive, high-level data protection framework for EU-U.S. law enforcement cooperation.
Both sides should be commended for the stamina and patience it took to complete the task. To those of us who lived through it, they might feel that this was perhaps as difficult as negotiating a Cold War strategic arms agreement between the U.S. and the former Soviet Union. This is a significant accomplishment and one that should succeed as a basis to strengthen information-sharing for law enforcement between the EU and the U.S.
The completion of the agreement, however, is only the end of the first step. The second step in the process is up to Congress and its consideration of the Judicial Redress Act (H.R. 1428)(Redress Bill) introduced by Rep. Jim Sensenbrenner (R-WI) The Redress Bill would authorize the Department of Justice to designate foreign countries whose citizens could bring civil actions in U.S. courts under the Privacy Act of 1974.
With the focus now on Congress and the Redress Bill, there are several questions worth considering.
- Are EU Privacy Rights Guaranteed in the U.S.?
Maybe the biggest misnomer in all the media coverage is that the Redress Bill will grant EU citizens Privacy Act rights*. Nowhere in the act is the EU mentioned by name. The Redress Bill is open to any "foreign country or regional economic integration organization, or member country of such organization, as a ‘covered country'" to apply. The applying country must be approved by the attorney general applying a two-part criteria** and with concurrence with the secretaries of state and homeland security. Further, implementing such an amendment to the Privacy Act would require the Department of Justice Office of Federal Programs to make adjustments to its existing practices.
- Are U.S. Privacy Rights Guaranteed in the EU?
EU policy-makers have said this will level the playing field, giving EU citizens the same rights that Americans enjoy in the U.S.. The U.S. side has been reminded that Americans can enforce their privacy rights against EU member states’ law enforcement authorities, but whether that is true has not been disclosed publicly to substantiate the claim. This may highlight one significant gap in the Redress Bill—that it lacks a reciprocity requirement. Should Congress consider amending the Redress Bill, it might consider adding third statutory criteria for applying countries: that the attorney general determine the covered country provides reciprocal privacy rights for U.S. citizens. Call it an adequacy determination.
- Who Is the Judicial Redress Act Constituency?
For the last seven years, the EU has lobbied Congress and the attorney general and various cabinet officers to provide its citizens with coverage under the Privacy Act without success. The Redress Bill now offers to do this, but, interestingly, none of the individuals that would benefit from the change are the constituents of any member of Congress. So why would a member of Congress pay attention let alone vote for such a bill? Possibly from a foreign policy viewpoint; internationally minded members of Congress believe that this will enhance U.S. credibility abroad. From a business standpoint, U.S. technology companies doing business in the EU, such as Google, Facebook and Microsoft as well as the U.S. Chamber of Commerce, Trans-Atlantic Business Council, Application Developers Alliance and other groups have urged bipartisan support for the bill. This makes for a truly global result: American businesses advocating for the right of non-Americans to file lawsuits against federal government agencies.
- Can Congress and Parliament Do a Two-Step Dance?
Let's assume Congress does its part and the Redress Bill is passed into law. This does not bring the agreement into force as has been widely reported. The umbrella agreement would have to be ratified by the EU Parliament before formal adoption by the EU Council, which represents the governments of the 28 EU member states. As with the U.S. Congress passage of the act, there is no guarantee the EU Parliament would ratify it. Further, how long it would take the EU Parliament to adopt it could take years, and even then, the outcome is uncertain: It might ratify the agreement or call on the European Commission to go back to the negotiating table with changes, or it might reject the agreement outright.
- Should You Be Careful What You Wish For?
For EU member states and other interested countries that believe this will provide their citizens with a satisfying remedy to file a Privacy Act case in U.S. federal court, this may be a rude awakening. The Privacy Act was enacted in the early 1970s in response to the U.S. government's adoption of large mainframe computers to administer databases of benefits programs to American citizens. The Privacy Act was focused on these domestic programs and had numerous exceptions for law enforcement and intelligence. In the 40-plus years since its inception, the Privacy Act has provided remedies to Americans in only a handful of cases.
One could almost wish for the passage of the Redress Bill as a tribute to the hard work of the negotiators as well as for their health and sanity. But if Congress doesn't pass the bill, what then? Perhaps by that time the negotiators will be well-rested.
The views expressed here are my own.
*Specifically, the bill would extend the coverage of the Privacy Act of 1974 to non-U.S. persons allowing such persons to bring a civil action against an agency and obtain civil remedies for certain disclosures made intentionally and willfully under the act.
**That the covered country has (1) entered into an agreement with the U.S. that provides for appropriate privacy protections for information shared for the purpose of preventing, investigating, detecting or prosecuting criminal offenses, and (2) has effectively shared information with the U.S. for the purpose of preventing, investigating, detectin, or prosecuting criminal offenses and has appropriate privacy protections for such shared information. H.R. 1428 at (d)(1).
photo credit: The Umbrella via photopin (license)