The US and EU are one step closer to entering into a new data transfer agreement. On Wednesday President Barack Obama signed into law the Judicial Redress Act, giving citizens of certain allied countries, including EU countries, recourse in US courts to protect their personal data.
The Act allows foreign citizens to take legal action against some US government agencies if the agency misuses their personal information. The Act would give European citizens procedural privacy protections similar to those available to US citizens under the Privacy Act of 1974 for personal information transferred to the US through international law enforcement channels. Under the Act, a foreign citizen can bring a civil action against an agency that improperly discloses an individual’s personal information without consent. A foreign citizen can also request to review his or her records and to amend inaccurate personal data held by certain US agencies.
The signing of the Act attempts to restore European trust in US privacy laws. EU concerns over US treatment of European citizens’ personal data came to a head last October when the European Court of Justice struck down the US-EU Safe Harbor framework. Ever since, the US and EU have been feverishly negotiating a new data agreement to replace the Safe Harbor framework. Nearly 5,000 US businesses relied on the Safe Harbor mechanism to collect and transfer data of EU residents into the US. In the months that followed the ruling, uncertainty has prevailed, with businesses concerned that individual EU countries would levy enforcement actions against US companies.
A few weeks ago US and EU officials announced the creation of the “EU-US Privacy Shield” as an alternative to the invalidated Safe Harbor framework. The Privacy Shield is not yet a formal agreement, and the European Commission has not confirmed that the Privacy Shield complies with EU data protection law.
The Act is the latest step in the path to restore data transfer relations between the US and EU. Passage of the Act is a stated requirement of the EU-US Data Protection Umbrella Agreement, which will put in place a framework for EU-US law enforcement cooperation. The Act also addresses several key privacy rights that the EU has criticized the US for not adequately protecting in the past, which may help alleviate the concerns that led to the Safe Harbor’s invalidation in the first place and increase the likelihood of the success of the Privacy Shield.
While the passage of the Act is an important step in restoring European trust and showing US commitment to respecting the privacy of European citizens, there are still a number of big hurdles ahead. US businesses conducting transatlantic data transfers are still operating in an unstable legal framework. Womble Carlyle will keep you apprised of all developments relating to the negotiations between the EU and US for a new data transfer regime.
To learn more about the announcement of the Privacy Shield and the invalidation of the Safe Harbor, please see our earlier Client Alerts: US Safe Harbor Not Safe from EU Court Ruling (October 2015) and US and EU Reach a Deal to Save Safe Harbor (February 2016).