In the years since Edward Snowden claimed that U.S. intelligence agencies were tapping into Europeans’ personal data flowing to the United States through undersea cables, an icy distrust has prevailed between Washington and Brussels on the subject of privacy and security. Tensions reached a new high last fall, when the European Court of Justice (ECJ) invalidated the principal legal mechanism for trans-Atlantic data flows, the U.S.-EU Safe Harbor Framework on protecting personal information in the commercial context.
But, somewhat suddenly, there’s reason to think that the worst may be past. Last week the U.S. Congress quietly passed the Judicial Redress Act, a law that would grant foreign citizens protections that U.S. citizens enjoy under the 1974 Privacy Act. The legislation in turn clears the way for the United States and the European Union to sign a long-stalled agreement on protecting personal information in the law enforcement context. Enactment of the new legislation also comes immediately on the heels of a February 2nd announcement by the U.S. Commerce Department and the European Commission that they had come to terms on a successor to the Safe Harbor Framework, the “Privacy Shield.”
European privacy advocates, well-represented in the European Commission and Parliament, have long complained that the 1974 Privacy Act denied their citizens the right to sue in the United States if their personal information had been collected and misused by the U.S. Government. After all, they pointed out, foreign nationals benefited from such a right of judicial redress in EU member states. Since stamping out discrimination against European citizens, whether at home or abroad, is in the DNA of the EU institutions, the Commission set out with a purpose to correct this inequity in U.S. law.
They found a vehicle for their grievance in the long-running negotiations with the United States on a so-called “umbrella” agreement to protect personal data transferred in the law enforcement context. Commission negotiators demanded that the agreement grant Europeans a right of judicial redress in the United States if their personal data in the hands of U.S. law enforcement authorities were unlawfully disclosed, and the negotiators refused to sign until the necessary change in U.S. law was made.
The Department of Justice duly developed legislation to grant such a civil remedy to citizens of designated foreign jurisdictions. The House of Representatives passed it last year, but progress in the Senate was slow, especially after last fall’s ECJ decision on the Safe Harbor. Senators began to ask why the United States should be doing the EU a favor in the law enforcement data context when the EU had just done us the contrary in the commercial data setting. Commentators jumped in, including on Lawfare, to suggest that Congress condition the law’s benefits on a foreign jurisdiction permitting unimpeded commercial data flows to the United States and eschewing policies that impede U.S. national security interests.
The logjam finally broke in early February. Days after a successor to the U.S.-EU Safe Harbor Framework was announced, the Senate Judiciary Committee adopted amendments to the House-passed version of the Judicial Redress Act that would link foreign citizens’ access to U.S. courts for law enforcement-related privacy violations to the Attorney General first certifying that the foreign jurisdiction was cooperating with the United States on commercial data flows and on national security matters. The full Senate and House quickly adopted the amended measure, and sent it to the President, who is expected to sign it into law.
As difficult as the Judicial Redress Act proved politically to adopt, its significance needs to be kept in perspective. Foreign citizens would gain the same core rights to sue U.S. authorities as are permitted to Americans under the Privacy Act, but limited to the law enforcement context.
The political consequences are potentially larger, however. The United States and European Union now find themselves in a significantly better place on privacy issues than anyone could reasonably have expected just a short time ago: greater parallelism in judicial redress laws, the prospect of a signed law enforcement umbrella agreement, and improved chances for EU approval of the new commercial “Privacy Shield”.
Much could still go wrong, as often happens in this troubled corner of U.S.-EU relations: privacy advocates’ criticism of the umbrella agreement could complicate its approval by the European Parliament, and the ECJ could find the Privacy Shield not significantly better than its predecessor. But the February thaw should not be discounted: the United States and the European Union finally are making progress in building a stable and trustworthy structure for trans-Atlantic data flows. Accommodating the needs of privacy, law enforcement and commerce remains a complicated—but essential—proposition for Washington and Brussels, which makes this month’s developments all the more heartening.