U.S. may grant rights to EU citizens under Privacy Act

On June 25, U.S. Attorney General Eric Holder announced the Obama administration is seeking to extend to EU citizens several privacy protections in U.S. law, which today are only available to U.S. citizens and permanent residents. If the U.S. Congress follows through and passes legislation to this effect, Europeans will gain access to U.S. courts for certain privacy offences, for the first time.

First step for EU citizens’ rights


Holder’s announcement builds on a U.S. Department of Justice proposal in June to work with Congress to grant EU citizens the same rights to judicial redress as U.S. citizens enjoy under the Privacy Act of 1974. Currently, if a European user’s information was wrongly disclosed to a U.S. agency, or if a U.S. agency refused to correct errors in a record about them, he or she would have no recourse.

Since 2010, the EU and the U.S. have been negotiating an Umbrella Agreement on data transfers for criminal law enforcement. The conclusion of this agreement with a mechanism granting judicial redress for EU citizens was one of the seven objectives laid down in the European Parliament report on the impact of mass surveillance programmes on EU citizens’ fundamental rights. After four years of negotiations, Holder’s announcement might help close this deal, but significant work remains to ensure full protection of the rights of European users.

European authorities have welcomed Holder’s announcement, seeing it as “an important first step towards rebuilding trust in our transatlantic relations,” and are now waiting for this commitment to be swiftly implemented through legislation.

While Access welcomes the inclusion of a mechanism granting judicial redress for EU citizens in the U.S. in this future agreement, this reform will not end – or even bring transparency to – the wholesale violations of EU citizens’ rights by U.S. surveillance via its top secret intelligence programmes.

Privacy Act of 1974, and its discontents


Passed in 1974, the Privacy Act limits the collection, sharing, and disclosure of data by federal agencies in the U.S., and has several provisions allowing the inspection and correction of records by people whose data are held by federal agencies. The Act allows people to sue the government for civil and criminal remedies under several causes of action, including for unauthorised disclosure of personal data according to the rules in the Act.

Unfortunately, the Act is subject to numerous exceptions, including for subjects of current law enforcement investigations, and for “routine uses” – a very broad and overused category that includes any purpose compatible with the reason the data was originally collected. Most important to the present debate over the limits of government surveillance, though, is that the data collected by the National Security Agency, and other national security and anti-terror collection programs, is not subject to the Act. Thus, AG Holder’s announcement does not constitute the real reform of surveillance and collection of data on non-U.S. persons that the DOJ may wish to depict.


How it works – getting PNR and other data

Once a user makes a request to an agency under the Privacy Act, the agency must respond within ten business days, either by making the requested changes or explaining its denial. After an appeals process, individuals can take the agency to court if it continues to refuse the request. Civil or monetary damages are available to plaintiffs who prove “intentional or willful” disclosure or other violations of the Act, and to people wrongfully denied access to inspect or correct records held on them. Criminal penalties can be imposed on officials who knowingly and willfully disclose personal data, or on agencies that maintain systems of records without disclosing their existence.

In practice, EU citizens would be permitted to request information collected under data transfer agreements falling under the scope of the Umbrella Agreement for the prevention, investigation, detection, or prosecution of criminal offences. Among these agreements are the Terrorist Finance Tracking Program (TFTP) agreement, allowing access to the SWIFT transaction database and the transfer of bank data to U.S. authorities, and the EU-US Passenger Name Record (PNR) program, under which air passenger travel records are collected when flying to or from the U.S.

These agreements have recently come under the scrutiny of the European Parliament’s Inquiry into Mass Surveillance Programmes, as it was revealed that the data stored might have been used for purposes other than those for which they were originally collected. The report alleged, for instance, that TFTP data, intended to combat terrorism, had also been used for commercial purposes. In 2012, the Danish newspaper Berlingske similarly reported that the U.S. authorities used the TFTP database to seize money transferred by European companies buying Cuban cigars. The U.S. Treasury found the transaction to be in violation of the U.S. commercial embargo on Cuba, even though the deal took place between European countries and did not involve economic activities in the U.S.

Thus while it is encouraging that EU citizens might be able to seek redress in court for these alleged violations if this proposed legislation passes, comprehensive and meaningful review of existing transatlantic data transfer agreements is still needed.


Future reforms


Following this first step to improve the protection of EU citizens’ fundamental right to data protection in the U.S., further reform will be needed in other areas as this new right to judicial redress only applies to information collected for law enforcement purposes.

For instance, this redress would not apply to the Safe Harbour agreement, a data transfer accord between the EU and U.S. meant to facilitate business despite the vast differences in data protection frameworks. By signing up to this agreement, U.S. companies voluntarily adhere to a set of principles in order to demonstrate their compliance with EU data protection standards. This agreement has been the subject of much scrutiny, especially after the NSA disclosures, in particular the PRISM programme – an intelligence operation beyond the purview of the Privacy Act.

The EU and the U.S. are currently negotiating a full review of the Safe Harbour, and Access believes this agreement must be significantly strengthened; in its current form, it fails to ensure adequate protection for users’ personal data.

Next steps

Access is encouraged by Attorney General Eric Holder’s announcement as a first step in the right direction to restore trust in the transatlantic relationship and guarantee EU citizens’ rights in the U.S. However, more reform will be needed in the near future to ensure the security of data transferred to the U.S. and the ability of users to seek redress through existing agreements for all matters affecting privacy, including for commerce, law enforcement, and national security purposes.