The Judicial Redress Act of 2015, 5 U.S.C. § 552a note, extends certain rights of judicial redress established under the Privacy Act of 1974, 5 U.S.C. § 552a, to citizens of certain foreign countries or regional economic organizations. Specifically, the Judicial Redress Act enables a “covered person” to bring suit in the same manner, to the same extent, and subject to the same limitations, including exemptions and exceptions, as an “individual” (i.e., a U.S. citizen or permanent resident alien) may bring and obtain with respect to the: 1) intentional or willful unlawful disclosure of a covered record under 5 U.S.C. § 552a(g)(1)(D); and 2) improper refusal to grant access to or amendment of a covered record under 5 U.S.C. § 552a(g)(1)(A) & (B). Under the Judicial Redress Act, the access/amendment action may only be brought against a "designated Federal agency or component." Under the Judicial Redress Act, a "covered person" means a natural person (other than an "individual" as defined under the Privacy Act) who is a citizen of a covered country. Additionally, a "covered country" is a country or regional economic integration organization, or member country of such organization, that has been designated by the Attorney General to have met certain protections outlined in Section 2(d)(1) of the Judicial Redress Act. Before designating a covered country, the Attorney General must receive the concurrences of the Secretary of State, the Secretary of the Treasury, and the Secretary of Homeland Security.
Attorney General Designations Related to The U.S.-EU Data Protection and Privacy Agreement
On December 2, 2016, the European Union (the “EU”) undertook the final steps necessary under EU law to approve an executive agreement between the U.S. and the EU (the “Parties”) relating to privacy protections for personal information transferred between the U.S., the EU, and the EU Member States for the prevention, detection, investigation, or prosecution of criminal offenses. The Agreement, commonly known as the Data Protection and Privacy Agreement (the “DPPA”) or the “Umbrella Agreement,” establishes a set of protections that the Parties are to apply to personal information exchanged for the purpose of preventing, detecting, investigating, or prosecuting criminal offenses. Article 19 of the DPPA establishes an obligation for the Parties to provide, in their domestic law, specific judicial redress rights to each other’s citizens. The Judicial Redress Act is implementing legislation for Article 19 of the DPPA.
On January 17, 2017, the Attorney General designated 26 countries and one regional economic integration organization as “covered countr[ies],” and four Federal agencies and nine components of other Federal agencies as “designated Federal agenc[ies] or component[s],” to be effective on February 1, 2017, which is the date of entry into force of the DPPA. The Attorney General designations have been published in the Federal Register:
Under Article 27 of the U.S.-EU DPPA, the United Kingdom (the "UK") was excluded from the Agreement unless the European Commission (the “EC”) notified the U.S. that the Agreement applied to the UK. On March 9, 2018, the EC notified the U.S. that, as of April 1, 2018, the DPPA applied to the UK. On February 12, 2019, the Department of Justice designated the UK as a “covered country,” effective on April 1, 2018, the date the U.S.-EU DPPA became applicable to the UK. The Attorney General designation has been published in the Federal Register:
DPPA Article 14 Requirements
The DPPA imposes requirements on the federal government with respect to information shared with U.S. state and local authorities. Attached is a notification to U.S. state and local authorities of the safeguards in the DPPA.
The following regional economic integration organization and countries have each been designated by the Attorney General as a “covered country:”
- European Union;
- Republic of Cyprus;
- Czech Republic;
- Sweden; and
- United Kingdom.
With respect to three countries, Denmark, Ireland, and the UK, Article 27 of the DPPA excludes them from coverage unless the EC notifies the United States that Denmark, Ireland, or the UK has decided that the DPPA applies to its State. The EC has notified the United States that Ireland and the UK have agreed that the DPPA applies to it, and each country has been accordingly designated a “covered country.” With respect to Denmark, the Department of Justice intends to move promptly to designate it as a “covered country” upon receiving notice, in accordance with the provisions of Article 27 of the DPPA, that Denmark has decided that the DPPA applies to it.
Designated Federal Agencies and Components
The following Federal agencies, and all of their respective components, have each been designated by the Attorney General as a “designated Federal agency or component,” effective on February 1, 2017:
- United States Department of Justice;
- United States Department of Homeland Security;
- United States Securities and Exchange Commission; and
- United States Commodity Futures Trading Commission.
The following components of a Federal agency have each been designated by the Attorney General as a “designated Federal agency or component,” effective on February 1, 2017:
- Bureau of Diplomatic Security, United States Department of State;
- Office of the Inspector General, United States Department of State;
- Alcohol and Tobacco Tax and Trade Bureau, United States Department of the Treasury;
- Financial Crimes Enforcement Network, United States Department of the Treasury;
- Internal Revenue Service, Division of Criminal Investigation, United States Department of the Treasury;
- Office of Foreign Assets Control, United States Department of the Treasury;
- Office of the Inspector General, United States Department of the Treasury;
- Office of the Treasury Inspector General for Tax Administration, United States Department of the Treasury; and
- Special Inspector General for the Troubled Asset Relief Program, United States Department of the Treasury.