On Feb. 24, President Barack Obama signed the Judicial Redress Act of 2015. The new law extends to non-U.S. citizens and non-legal permanent residents the ability to sue the federal government under the Privacy Act of 1974 for unlawful disclosure of their personal information, as well as the right to access and correct government records about themselves.

Since 1974, the Privacy Act, 5 U.S.C. § 552a, has allowed citizens and legal permanent residents (collectively, U.S. persons) to bring claims against the federal government for damages suffered as a result of the unlawful disclosure of personal information that the government has collected and maintains about them, and has given them the right to request access to, or correction of, their governmental records.[1] The Privacy Act did not extend these rights of “judicial redress” to non-U.S. persons, however.[2]

Europeans felt this discrepancy most acutely. In their view, Americans have had rights with respect to their personal information under EU law, as well as, theoretically at least, access to judicial redress in European courts to enforce those rights. EU officials therefore insisted that European citizens be given the same rights as U.S. persons under the Privacy Act.

Passage of the Judicial Redress Act was important enough to have gained rare bipartisan support in an otherwise gridlocked Washington. Congress was motivated because failure to amend the legal distinction between U.S. persons and non-U.S. persons could have had serious repercussions on EU countries’ willingness to share information with American businesses, law enforcement, and intelligence agencies — including those engaged in antiterrorism efforts.

The Judicial Redress Act and the Privacy Act are subject to many exceptions, some of which will preclude European citizens’ access to their personal information in some circumstances. Yet despite its many limitations, the Judicial Redress Act may be sufficient to achieve the foreign policy goals it was meant to address.

The relevance of the act to the Umbrella Agreement and Privacy Shield

The stakes surrounding enactment of the Judicial Redress Act have been particularly high in recent years. The unauthorized revelations in June 2013 about U.S. intelligence agencies’ bulk collection of information strengthened the EU’s calls to amend the Privacy Act. Indeed, the European Parliament and EU Commission made the extension of judicial redress to Europeans a condition for ratification of a long-awaited Data Protection and Privacy Agreement (Umbrella Agreement) that will govern the protection of personal information exchanged between law enforcement agencies on each side of the Atlantic.

This pressure increased in late 2015, when the European Court of Justice invalidated the U.S.-EU Safe Harbor Agreement, which had allowed companies to transfer the personal data of EU citizens from the EU to the U.S. for commercial purposes. The ECJ invalidated the Safe Harbor Agreement, in part, because the U.S. did not provide judicial redress to Europeans, even though data transfers under the Safe Harbor were only commercial in nature and therefore were unrelated to the government’s collection and use of personal information.

After the ECJ’s decision, the U.S. and EU administrations worked hard to finalize the Safe Harbor’s replacement, the so-called Privacy Shield, since it was critical to the commercial and security interests of all parties. Nonetheless, judicial redress under the Privacy Act for European citizens remained a sticking point. EU Commissioner Vera Jourova highlighted the Judicial Redress Act in her statements first announcing the Privacy Shield in early February 2016, and the conflation of the Umbrella Agreement and the Privacy Shield was prevalent in the EU Commission’s Feb. 29 press release, in particular in the draft adequacy decision. The EU is claiming political victory in light of the passage of the Judicial Redress Act.

Limitations and exemptions in the act

As might be expected in the current domestic political climate, the Judicial Redress Act is not a complete extension of the Privacy Act to non-citizens. It contains a number of limitations and exceptions that could make the legislation unacceptable to the EU.

First, the act only applies to citizens of countries that have been designated by the attorney general and other cabinet members. To qualify for such designation, a country (1) must either have privacy agreements with the U.S. covering the sharing of law enforcement information (like the Umbrella Agreement), or share such information under adequate privacy safeguards without an agreement; and (2) must allow the transfer of personal data for commercial purposes with the U.S. Moreover, the attorney general must certify that the country’s data sharing policies do not “materially impede” the national security interests of the U.S. Even then, such designation is left up to the discretion of the attorney general and other cabinet officials, and can be removed for any future failure to meet the above criteria. The designation also can be rescinded if the attorney general determines that the country “impedes the transfer of [law enforcement] information ... by a private entity or person.”

Second, not every federal agency is covered, only those that share law enforcement data under an agreement like the Umbrella Agreement. In fact, the head of any agency essentially can opt out of participating in the act. Furthermore, the attorney general must actively certify that any agency’s participation is in the national security interests of the U.S.

Third, only information shared with the U.S. government by a public or private entity in another country for law enforcement purposes is covered. Information collected by U.S. agencies themselves is not covered, nor is information shared for purposes such as intelligence gathering, visa applications, or other non-law enforcement motives.

Fourth, the Judicial Redress Act provides only a civil remedy for intentional or willful disclosures, whereas the Privacy Act grants the ability to sue even for inadvertent privacy failures that have an “adverse effect on an individual,” and also provides for criminal fines.

Finally, and most importantly, the Privacy Act itself has broad exemptions that reduce the ability of individuals to seek redress in certain law enforcement and national security situations. The Judicial Redress Act does not reduce or address those exemptions.

Implications of the act on the Umbrella Agreement and the Privacy Shield

Despite the limitations listed above, the EU Commission has indicated that passage of the Judicial Redress Act meets the outstanding criteria for adoption of the Umbrella Agreement, and therefore the Umbrella Agreement is cleared for ratification. While the EU Commissioners seem to be satisfied, at least for now, it remains to be seen whether the European Parliament will agree and ratify the Umbrella Agreement. And although the Privacy Shield is not directly related to the Judicial Redress Act, the frequent references to the Judicial Redress Act in the recent Privacy Shield communiqué demonstrate its political importance to the EU. Now that judicial redress could be a reality for EU residents, will the act as passed be sufficient to meet the redress goals EU politicians first set out?

[1] Since 2009, the Department of Homeland Security has applied a “Mixed Systems Policy,” allowing non-U.S. persons all administrative rights to access, correction and redress under the Privacy Act. Under Presidential Policy Directive 28, other federal agencies were instructed to implement their own mixed systems policies. Given that these are administrative functions, no judicial redress could be provided without amendments to the Privacy Act.

[2] The Privacy Act does not offer U.S. persons unfettered rights to disclosure, access, and correction of their records, however. Indeed, the Privacy Act does not require the government to disclose certain records, such as those associated with ongoing law enforcement investigations. (See, e.g., 5 U.S.C. § 552a(b)(3) and 5 U.S.C. § 552a(b)(7).)
