February 27, 2020

Judicial Redress Act Would Extend Privacy Act Remedies to Citizens of Designated Foreign Nations

The pending legislation would authorize the US Department of Justice to designate foreign countries to allow the citizens of such countries to bring civil actions against certain US agencies to access, amend, or redress unlawful disclosures of personal information transferred for law enforcement purposes.

“In our complex digital world, privacy and security are not competing values,” said US Representative Jim Sensenbrenner (R-Wis.), a sponsor of the Judicial Redress Act of 2015 (Act), in a statement last October.[1] “They are weaved together inseparably, and today’s policymakers must craft legal frameworks that support both.”

The proposed Act, which was placed on the US Senate’s Legislative Calendar on February 1, attempts to do just that. The Act would give natural citizens of European nations and other designated countries procedural privacy protections similar to those available to US citizens under the Privacy Act of 1974 for personal information transferred to the United States through international law enforcement channels. The Act would permit citizens of designated countries to request corrections of inaccurate personal data held by certain US agencies, verify that personal data has not been improperly disclosed, and seek civil judicial remedies for improper use of personal data.

The Act, which has bipartisan support in the US Congress and is expected to be signed by President Obama, was a critical component of the negotiations that recently resulted in a new “safe harbor” agreement (the EU-US Privacy Shield) between the European Union and the United States. The Act addresses one of the key criticisms in the European Court of Justice’s (ECJ’s) decision in Maximillian Schrems v. Data Protection Commissioner that invalidated the prior Safe Harbor program.[2] Additionally, the Act’s passage will serve as a prerequisite to the finalization of the EU-US Data Protection and Privacy Agreement.

The Act has been hailed as a “positive step forward in restoring [the United States’] international reputation and rebuilding trust” after several highly publicized leaks of classified information in connection with US surveillance activities.[3]

Key Provisions of the Act

The Act (H.R. 1428, as amended by the US Senate Judiciary Committee on January 28, 2016) allows any citizen of a “designated” country to bring a civil action and obtain civil remedies in the same manner, to the same extent, and subject to the same limitations, as a US citizen. A civil action under the Act can be brought only against (1) a US agency that intentionally or willfully violates the conditions for disclosing an individual’s records without the individual’s consent, (2) a “designated” US agency that refuses an individual’s request to amend his or her records, or (3) a “designated” US agency that refuses to permit an individual to review records pertaining to him or her.

The Act authorizes the US Department of Justice (DOJ) to designate both the foreign countries and the US agencies to which the Act applies, and such designations are exempt from judicial and administrative review.

The DOJ (with the concurrence of the US Department of State, US Department of the Treasury, and US Department of Homeland Security) may designate a country only if

  • either (a) the country has an agreement with the United States that includes appropriate privacy protections for information shared for purposes of preventing, investigating, detecting, or prosecuting crimes, or (b) the DOJ has determined that the country has effectively shared information with the United States for purposes of preventing, investigating, detecting, or prosecuting crimes and has appropriate privacy protections for that information;

  • the designated country permits the transfer of personal data for commercial purposes between the country and the US; and

  • the DOJ has certified that the designated country’s policies regarding the transfer of personal data for commercial purposes do not materially impede US national security interests.

A country’s designation may be revoked if the country ceases to meet these requirements or impedes a private entity or person’s transfer of information to the United States for purposes of reporting or preventing crimes.

The DOJ cannot designate a US agency “without the concurrence of the head of the relevant agency.” An agency may be designated only if

  • the DOJ determines that the information exchanged by the agency was pursuant to an agreement between a foreign country and the United States that includes appropriate privacy protections for information shared for purposes of preventing, investigating, detecting, or prosecuting crimes; or

  • the DOJ determines that designating the agency is in US law enforcement interests.

The Act’s remedies are exclusive, and the US District Court for the District of Columbia has exclusive jurisdiction over claims arising under the Act.

Importance of the Act

This bipartisan legislation is important for at least three reasons. First, the Act was critical to the negotiations that recently resulted in the EU-US Privacy Shield agreement for data transfers. The Act’s supporters believe that it will help to assuage the concerns of the ECJ, which struck down the previous Safe Harbor program in part because the United States did not provide legal recourse to foreign individuals whose data was not properly protected. The EU-US Privacy Shield agreement is essential to many US businesses, especially technology companies, that rely on the international flow of data. The Act, therefore, would help promote what US Representative Goodlatte (R-VA) called “a healthy environment for US companies that do business overseas.”[4]

Second, the Act is essential to finalizing the EU-US Data Protection and Privacy Agreement (Umbrella Agreement) that establishes a data protection framework for EU and US law enforcement cooperation. The Umbrella Agreement covers personal data exchanged between the European Union and the United States for the purpose of preventing, investigating, and prosecuting crimes, including terrorism. The Umbrella Agreement commits both the European Union and the United States to provide citizens of the other with a civil remedy for the country’s failure to adequately protect personal data. The European Union already gives US citizens such a remedy. Because the United States does not, finalization of the Umbrella Agreement is contingent upon the passage of the Act. The Act is, therefore, vital to the continued sharing of information with the European Union for law enforcement purposes.

Finally, supporters of the legislation believe that its passage will be crucial to repairing global trust in the United States. Following several widely publicized and unauthorized disclosures of classified US intelligence information, European officials have expressed concerns about US intelligence collection and the need for greater privacy protection for information from the European Union. Because this legislation addresses a key concern raised by the ECJ, it is a significant step toward convincing the European bodies that must approve the proposed EU-US Privacy Shield agreement that the United States is serious about protecting EU citizens’ personal data.[5]

[1] 161 Cong. Rec. H6987 (daily ed. Oct. 20, 2015) (statement of Rep. Sensenbrenner).

[2] See our October 2015 LawFlash “ECJ Rules EU-US Safe Harbor Programme Is Invalid.”

[3] 161 Cong. Rec. H6987 (daily ed. Oct. 20, 2015) (statement of Rep. Sensenbrenner).

[4] 161 Cong. Rec. H6986 (daily ed. Oct. 20, 2015) (statement of Rep. Goodlatte).

[5] See our Feb. 3, 2016 LawFlash “EU-US Privacy Shield to Replace Safe Harbor.”

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Mark Krotoski, Litigation attorney, Morgan Lewis

Mark L. Krotoski represents and advises clients on antitrust cartel investigations; cybersecurity and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations. With nearly 20 years of experience as a federal prosecutor and a leader in the US Department of Justice (DOJ), Mark provides clients with a unique blend of litigation and investigative experience. He has tried 20 cases to verdict and successfully argued appeals before the US Court of Appeals for the Ninth and Sixth Circuits.

W. Reece Hirsch, Morgan Lewis, Regulatory Attorney

W. Reece Hirsch counsels clients on healthcare regulatory and transactional matters and co-heads the firm’s privacy and cybersecurity practice. Representing healthcare organizations such as hospitals, health plans, insurers, physician organizations, healthcare information technology companies, and pharmaceutical and biotech companies, Reece advises clients on issues such as privacy, fraud and abuse, and self-referral issues. This includes healthcare-specific data privacy and security matters, such as compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act.

Matthew Howse, Employment law attorney, Morgan Lewis

As practice group leader for Morgan Lewis’s labor and employment practice in London, Matthew Howse represents clients in the financial services, media, legal, and insurance industries in High Court and employment tribunal litigation. His experience includes employment law as well as privacy and cybersecurity law. In addition to litigating both contentious and noncontentious issues, Matthew provides strategic employment law advice and counsels clients on the employment law aspects of transactions.

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...

Pulina Whitaker, Morgan Lewis, labor and employment lawyer

Pulina Whitaker’s practice encompasses both labor and employment matters as well as data privacy and cybersecurity. She manages employment and data privacy issues in sales and acquisitions, commercial outsourcings, and restructurings. Pulina provides day-to-day advisory support for multinationals on all employment issues, including the UK’s Modern Slavery Act and gender pay reporting requirements. She also advises on the full spectrum of data privacy issues, including preparing for the General Data Protection Regulation. Pulina has deep experience managing international...