September 27, 2022

Volume XII, Number 270


September 26, 2022

Subscribe to Latest Legal News and Analysis

The Judicial Redress Act of 2015 Becomes Law

Passage of the Act facilitates two data-sharing agreements between the European Union and United States that will improve transatlantic business, privacy, and security.

On February 24, the Judicial Redress Act of 2015 (the Act) was enacted into law.[1] Congressman Jim Sensenbrenner (R-WI), who introduced the legislation in the US House of Representatives, summarized that the Act’s passage “shows America's commitment to rebuilding trust between allies and demonstrates our nation's willingness to act in good faith with our European allies to secure open lines of communication between law enforcement agencies. This is a significant achievement for our country, our allies, and for the safety and security of the United States.”[2]

The Act, which had strong bipartisan support in the US Congress, extends to natural citizens of designated foreign countries the principal benefits of the Privacy Act of 1974 to citizens from designated countries,[3] which are already available to Americans.[4] These benefits include the ability to access, amend, or sue for the improper disclosure of personal information shared with US law enforcement for purposes of preventing, investigating, or prosecuting crimes. A number of other countries, including those in the European Union, already extend such protections to US citizens.

During congressional debate, three primary benefits were noted from the legislation. As House Judiciary Committee Chairman Bob Goodlatte (R-VA) highlighted, “the Judicial Redress Act is critical [1] to reestablishing a trusting relationship between the European Union and the United States, [2] to ensuring continued strong law enforcement cooperation between the United States and Europe, and [3] to preserving the ability of American companies to do business internationally.”[5]

Key Provisions

The Act allows citizens of a “designated” country to bring a civil action and obtain civil remedies in the same manner, to the same extent, and subject to the same limitations as a US citizen. A civil action under the Act can be brought only against (1) a US agency that intentionally or willfully violates the conditions for disclosing an individual’s records without the individual’s consent, (2) a “designated” US agency that refuses an individual’s request to amend his or her records, or (3) a “designated” US agency that refuses to permit an individual to review records that pertain to him or her.

The Act authorizes the US Department of Justice (DOJ) to designate both the foreign countries and the US agencies to which the Act applies. The DOJ’s designations are exempt from judicial and administrative review.

The DOJ (with the concurrence of the US Department of State, the US Department of the Treasury, and the US Department of Homeland Security) may designate a country only if

  • the country either

    • has an agreement with the United States that includes appropriate privacy protections for information shared for purposes of preventing, investigating, detecting, or prosecuting crimes or 

    • the DOJ has determined that the country has effectively shared information with the United States for purposes of preventing, investigating, detecting, or prosecuting crimes and has appropriate privacy protections for that information;

  • the country permits the transfer of personal data for commercial purposes between the country and the United States; and

  • the DOJ has certified that the country’s policies regarding the transfer of personal data for commercial purposes do not materially impede US national security interests.

A country’s designation may be revoked if the country ceases to meet these requirements or impedes a private entity or person’s transfer of information to the United States for purposes of reporting or preventing crimes.

The DOJ cannot designate a US agency “without the concurrence of the head of the relevant agency.” An agency may be designated only if (1) the DOJ determines that the information exchanged by the agency was pursuant to an agreement between a foreign country and the United States that includes appropriate privacy protections for information shared for purposes of preventing, investigating, detecting, or prosecuting crimes or (2) the DOJ determines that designating the agency is in the United States’ law enforcement interests.

The Act’s remedies are exclusive, and the US District Court for the District of Columbia has exclusive jurisdiction over claims that arise under the Act.


The Act’s passage is crucially important to restoring trust and facilitating commerce between the United States and its allies, continued cooperation between US and foreign law enforcement, and implementation of two data-sharing agreements between the European Union and United States that will improve transatlantic business, privacy, and national security.

In signing the law, US President Barack Obama said, "[w]e take our privacy seriously. And along with our commitment to innovation, that's one of the reasons that global companies and entrepreneurs want to do business here." European Commissioner Věra Jourová praised the Act a "historic achievement in our efforts to restore trust in transatlantic data flows."[6]

The two data-sharing agreements between the European Union and United States work in two ways. First, the Act is a requirement for the Data Protection and Privacy Agreement (the Umbrella Agreement) between the European Union and United States, which establishes a data protection framework for the countries’ law enforcement cooperation and covers personal data exchanged between the European Union and United States for the purpose of preventing, investigating, and prosecuting crimes, including terrorism. The Umbrella Agreement commits the countries to provide citizens of the other with a civil remedy for the country’s failure to adequately protect personal data. The European Union already gave US citizens such a remedy, and the Act ensures that EU citizens have the same rights.

Second, the Act shows good faith during the finalization of the proposed new EU-US Privacy Shield, details of which were released on February 29, 2016, by the European Commission. The Privacy Shield is of paramount importance to US companies that rely on data transfers with the European Union. The Act’s passage demonstrates that the United States is serious about protecting EU citizens’ privacy.

[1] See Pub. Law No. 114-126; see also Remarks by the President at the Signing of the Judicial Redress Act Bill (Feb. 24, 2016).

[2] Press Releases and Statements, Rep. Sensenbrenner Statement on the Judicial Redress Act Becoming Law (Feb. 24, 2016).

[3] 5 U.S.C. § 552a. For an explanation of the rights available under the Privacy Act of 1974, see US Department of Justice Overview Of The Privacy Act of 1974 (2015 Edition).

[4] For an earlier summary of the legislation following Senate Judiciary Committee consideration, see our LawFlash Judicial Redress Act Would Extend Privacy Act Remedies to Citizens of Designated Foreign Nations (Feb. 8, 2016). For the legislative history of the statute, see House Comm. on Gov’t Operations and Senate Comm. on Gov’t Operations, 94th Cong., 2d Sess., Legislative History of the Privacy Act of 1974 – S. 3418 (Pub. L. No. 93-579) Source Book on Privacy (1976).

[5] 161 Cong. Rec. H6986 (daily ed. Oct. 20, 2015).

[6] Statement by Commissioner Věra Jourová on the signature of the Judicial Redress Act by President Obama (Feb. 24, 2016).

Copyright © 2022 by Morgan, Lewis & Bockius LLP. All Rights Reserved.National Law Review, Volume VI, Number 63

About this Author

Mark Krotoski, Litigation attorney, Morgan Lewis

Mark L. Krotoski represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice (DOJ), Mark provides clients with a unique blend of litigation and investigative experience. He has tried 20 cases to verdict and successfully argued appeals before the US Court of Appeals for the Ninth and Sixth Circuits.

W. Reece Hirsch, Morgan Lewis, Regulatory Attorney

W. Reece Hirsch counsels clients on healthcare regulatory and transactional matters and co-heads the firm’s privacy and cybersecurity practice. Representing healthcare organizations such as hospitals, health plans, insurers, physician organizations, healthcare information technology companies, and pharmaceutical and biotech companies, Reece advises clients on issues such as privacy, fraud and abuse, and self-referral issues. This includes healthcare-specific data privacy and security matters, such as compliance with the Health Insurance Portability and Accountability Act...

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Pulina Whitaker, Morgan Lewis, labor and employment lawyer

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...

Matthew Howse, Employment law attorney, Morgan Lewis

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

44 (0)20 3201 5670