On Wednesday, February 24, President Obama signed the Judicial Redress Act into law. “What it does in the simplest terms is makes sure that everybody’s data is protected in the strongest possible way with our privacy laws—not only American citizens, but also foreign citizens,” President Obama said at signing. “We take our privacy seriously. And along with our commitment to innovation, that’s one of the reasons that global companies and entrepreneurs want to do business here.” According to EU Commissioner Věra Jourová, “The signature of the Judicial Redress Act by President Obama is a historic achievement in our efforts to restore trust in transatlantic data flows . . . . It will strengthen privacy, while ensuring legal certainty for transatlantic data exchanges between police and criminal justice authorities. This is crucial to keep Europeans safe through efficient and robust cooperation between the EU and the U.S. in the fight against crime and terrorism.”
To obtain the benefit of Privacy Act redress, the Act requires the Attorney General to designate applicable foreign countries, partly conditioned on EU member states allowing and not unduly impeding transfers of data to the US for commercial, national security and law enforcement purposes. Under the Judicial Redress Act, once the DOJ has made designations, citizens of those designated countries will have access to US federal courts to bring certain claims under the Privacy Act against the US government for violations of data protection rights. The new law was a partial solution to criticism of US surveillance practices in the wake of the Snowden leaks and, ultimately, the Schrems decision invalidating the EU-US Safe Harbor program. Now, if a designated government agency willfully or intentionally discloses information or violates other Privacy Act rights with respect to citizens of those countries, and those foreign citizens are adversely affected, they will have procedural rights to bring civil claims in US federal courts that parallel the rights provided to US citizens under the Privacy Act.
Passage of the Judicial Redress Act was a required condition before the enactment of the EU-U.S. Umbrella Agreement facilitating the exchange of personal data for law enforcement and anti-terrorism purposes. The Umbrella Agreement establishes a framework for EU-US law enforcement cooperation, covering all personal data, such as names, addresses, and criminal records, which the EU and US may exchange in the process of monitoring, preventing, inspecting, and prosecuting crimes, including terrorism. The Umbrella Agreement limits the use, transfer, retention, and access of personal data by law enforcement, and ensures that authorities and, in certain cases, affected individuals are notified in the case of a data breach. The passage of the Judicial Redress Act will also be another factor supporting the agreement on a new transatlantic data transfer solution, the EU-U.S. Privacy Shield, announced on February 2 to replace the invalidated Safe Harbor framework. The Privacy Shield includes an ombudsperson who would provide broader redress mechanisms than those available under the Judicial Redress Act, such as for collection of information by intelligence agencies (though this mechanism would not necessarily involve financial recovery).