January 23, 2018

January 22, 2018

Subscribe to Latest Legal News and Analysis

Obama Signs Judicial Redress Act—Will It Move EU–U.S. Privacy Shield Forward?

President Barack Obama signed the Judicial Redress Act on Wednesday, February 24, 2016, which will eventually enable European Union citizens to seek remedies for alleged privacy violations by the federal government in U.S. courts.  The Act gives the U.S. Department of Justice (DOJ) authority to designate countries or international organizations that (1) have appropriate privacy protections for sharing information with the U.S., (2) permit the sharing of personal data for commercial purposes with the U.S., and (3) have DOJ-certified data transfer policies that do not impede U.S. national security interests. EU citizens (and citizens of other countries/organizations designated in the future by DOJ) will be able to seek remedies under the Privacy Act against certain U.S. agencies for the mishandling of personal information in criminal or terror investigations, including for the improper disclosure of their data. Potential remedies include injunctive relief and monetary damages.

The passage of this Act is a key element of the recently announced EU–U.S. Privacy Shield (more here), the successor agreement to the U.S.–EU Safe Harbor Agreement. (The Act’s passage also allows negotiations to move forward on the “umbrella agreement”—the Data Protection and Privacy Agreement (DPPA)—concerning the privacy of personal information exchanged for law enforcement purposes.) Safe Harbor, which dates from the Clinton Administration in 2000, was an agreement to allow the transfer of data from the EU (where privacy is a fundamental right) to the U.S. (a country that does not have a legal privacy regime deemed “adequate” under EU law to protect privacy) so long as businesses agreed to abide by European privacy practices and requirements. The Safe Harbor, however, from the outset, was attacked by some, and in the intervening years a number of things combined to cast the Safe Harbor in doubt. The sheer increase in the volume of data transfers by commercial entities is a global phenomenon, but the perception that “big data” was increasingly concentrated in the hands of American businesses—from retailers and news organizations to social media—led to a growing distrust about data protection practices. (Some U.S. businesses believe there is a competitive side to the privacy focus as the EU seeks to work on the Digital Single Market.) Some data protection authorities (notably in Germany) began taking aim at the Safe Harbor, preferring contractual instruments, binding corporate rules, or simply local processing. Then came Edward Snowden’s revelations of widespread data surveillance by U.S. government agencies, sometimes by tapping into the data that was transferred to the U.S.

Finally, in summer 2016, the tipping point for the Safe Harbor came when the European Court of Justice (ECJ) concluded that Member State’s data protection authorities (DPAs) could not be restrained by a European Commission decision recognizing the U.S.–EU Safe Harbor Agreement from exercising their own independent judgment about protecting their citizens’ privacy rights (see related post here). Since then, data transfers under the Safe Harbor have been in purgatory, waiting for a resolution by governments to allow them to send data across the Atlantic without encumbrance.

The Privacy Shield is meant to be that resolution. It still must be approved by a variety of EU bodies before being finalized, and was predicated on a number of concessions by the U.S. government, including giving EU citizens the right to sue in U.S. courts. The Judicial Redress Act fulfills that American promise, going part of the way to reassure EU citizens who heard, in the wake of the Snowden revelations, that Americans did not have to worry about surveillance because it was only being done to foreigners. It remains to be seen whether all of the United States’ promises as part of the Privacy Shield negotiations will be enough to convince individual countries in the EU to approve the new pact and allow this additional tool to be used to satisfy adequacy requirements to support data transfers.

© 2018 Keller and Heckman LLP


About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer

Tracy Marshall joined Keller and Heckman in 2002. She assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions. 

Nathan Cardon, Keller Heckman, product safety attorney, labor lawyer, consumer protection law, cybersecurity matters

Nathan Cardon joined Keller and Heckman in 2013.  Mr. Cardon practices in the areas of product safety, privacy, and advertising.

In his product safety practice, Mr. Cardon counsels clients on risk management and product safety strategies, as well as on compliance with Consumer Product Safety Commission (CPSC) requirements, including new requirements under the Consumer Product Safety Improvement Act of 2008 (CPSIA). 

In the privacy and advertising practice, Mr. Cardon is involved in a wide variety of privacy, data...