On Oct. 6, the European Court of Justice struck down a data sharing agreement between the European Union and the United States that has been crucial for cross-Atlantic tech business over the last 15 years. On Tuesday, House lawmakers took a major step towards building a new agreement by passing the Judicial Redress Act, H.R. 1428, on a voice vote.
The bill, sponsored by Rep. Jim Sensenbrenner (R-Wis.), would give foreign citizens of designated close American allies the power to sue U.S. federal agencies if they mishandle their personal information. Citizens of these designated countries would enjoy the same legal rights given to American citizens in the Privacy Act of 1974.
The House vote comes at a time when American tech companies are reeling from the European high court’s decision to end the data sharing agreement. Then, on Oct. 16, the court brought new urgency to the problem when it said a new data sharing agreement should be established by the end of January 2016.
The now-defunct “Safe Harbor” agreement allowed tech companies to transfer data between the U.S. and E.U. despite differing privacy regulations. Europe’s highest court invalidated the agreement because of a general lack of trust within the United States and throughout Europe about how the U.S. protects (or fails to protect) against citizen surveillance and privacy breaches.
People who are watching the international debate say that congressional action on the judicial redress bill shows that America has been listening to global criticisms. “The Judicial Redress Act is critical to reestablishing a trusting relationship between the European Union and the United States,” said House Judiciary Committee Chairman Bob Goodlatte (R-Va.), on the House floor Tuesday.
This symbolism could actually be more important than the bill’s contents, according to Jens-Henrik Jeppesen, director of European affairs at the Center for Democracy and Technology. “It has political significance which may be bigger than its actual practical substantive significance,” he said in an interview Tuesday.
“It is a significant step in the sense that this is something that the European Commission had attached a lot of importance to,” he added.
A foreign national of a country covered under the bill would be able to request access to personal records that American officials receive from private entities when investigating a crime against them. The individual could then fix any incorrect information in the records and get governmental redress if any of the information was obtained illegally.
The legislation aims to bridge a legal divide between the European Union and the United States regarding privacy rights and data collection. While Americans currently have this ability in Europe, the reverse is not the same in the U.S. Fixing this inconsistency has been a key component in the global conversation about privacy and data sharing.
“If we fail to pass this bill we will undermine several important international agreements, further harm our businesses operating in Europe and severely limit sharing of law enforcement information,” Sensenbrenner said during the floor debate Tuesday.
“The Judicial Redress act is significant because it specifically extends privacy rights to foreign citizens, which is an unusual thing,” Jeppesen said. “That has certainly been a theme in the global discussions following [Edward] Snowden, that non-U.S. persons also have privacy rights that are affected by the state’s activity.”
Berin Szoka, president of the think tank Tech Freedom, said passing the Judicial Redress Act is vital if the U.S. wants to bring credibility to the table when discussing a replacement for Safe Harbor. He said that a lack of redress rights for Europeans was one of the main reasons that the European court could not conclude that there are adequate privacy protections in the United States.
“The [judicial redress] bill won’t address that concern alone, since the scope of the Privacy Act is limited. But passing the bill is table stakes for the U.S.,” Szoka said in an email. “Without it, the State Department will have no credibility at the bargaining table in negotiating with the Europeans over a replacement for Safe Harbor.”
The European Court of Justice also specifically cited redress as a critical reason for its ruling that invalidated the “Safe Harbor” agreement. The ruling referenced federal agencies’ ability to access personal data from E.U. nations and transfer it to the U.S. and process it however they want. “The Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased,” the ruling said.
Pressure to pass the bill has come not just from Europe, but from American tech companies. In striking down the legal framework to transfer data to Europe, the European Court of Justice hurt American tech companies’ ability to do business with companies and citizens of the E.U.
A coalition of tech companies and organizations — including Google, Facebook, Microsoft, and Yahoo — wrote to House Speaker John Boehner (R-Ohio) and Minority Leader Nancy Pelosi (D-Calif.) last week urging action on the bill. The letter said the decision from Europe’s highest court “confirmed” the lack of trust between the U.S. and E.U., and it stated that the last two years has seen the trust between tech and U.S. government decline.
Mistrust in the U.S. government had already dealt a blow to business in Europe for tech companies, even before the court’s decision was released. But the aftermath is worrying for the companies. The recent decision leaves a legal void for data transferring, which is vital for any tech firm.
“Many of the 4,400 companies that relied solely upon the Safe Harbor agreement to transfer data from the E.U. to the United States face tremendous uncertainty regarding what bases exist to justify transatlantic flows of data,” the letter said.
Szoka said that while the invalidation of the Safe Harbor is hard on all businesses, it’s especially tough for smaller tech companies without the money to handle each inquiry from regulators when they aim to share data.
“Without a new agreement, U.S. companies will be at the mercy of each and every European Data Protection Authority, which can now decide how to regulate cross-border data flows. This burden will likely fall heaviest on U.S. tech startups, who can ill afford this risk,” Szoka said.
He added that without a streamlined legal framework allowing for data sharing, American tech companies could simply decide to ignore the European market altogether.
