Overview of the Privacy Act: 2020 Edition
Judicial Redress Act
In 2016, the Congress enacted and the President signed the Judicial Redress Act of 2015. 5 U.S.C. § 552a note (2018). Section 2 of the Judicial Redress Act extends the right to pursue certain civil remedies under the Privacy Act to citizens of designated foreign countries or regional economic organizations. It provides in pertinent part:
“(a) CIVIL ACTION; CIVIL REMEDIES. – With respect to covered records, a covered person may bring a civil action against an agency and obtain civil remedies, in the same manner, to the same extent, and subject to the same limitations, including exemptions and exceptions, as an individual may bring and obtain with respect to records under –
(1) section 552a(g)(1)(D) of title 5, United States Code, but only with respect to disclosures intentionally or willfully made in violation of section 552a(b) of such title; and
(2) subparagraphs (A) and (B) of section 552a(g)(1) of title 5, United States Code, but such an action may only be brought against a designated Federal agency or component.
(b) EXCLUSIVE REMEDIES. – The remedies set forth in subsection (a) are the exclusive remedies available to a covered person under this section.
(c) APPLICATION OF THE PRIVACY ACT WITH RESPECT TO A COVERED PERSON. – For purposes of a civil action described in subsection (a), a covered person shall have the same rights, and be subject to the same limitations, including exemptions and exceptions, as an individual has and is subject to under section 552a of title 5, United States Code, when pursuing the civil remedies described in paragraphs (1) and (2) of subsection (a).” Section 2 of the Judicial Redress Act of 2015, 5 U.S.C. § 552a note (2018).
A. Extension of Privacy Act Remedies to Citizens of Designated Countries
Comment:
The Judicial Redress Act extends the right to pursue certain civil remedies under the Privacy Act to citizens of designated foreign countries or regional economic organizations.
The Judicial Redress Act extends certain rights of judicial redress established under the Privacy Act to citizens of designated foreign countries or regional economic organizations, in the same manner, to the same extent, and subject to the same limitations, including exemptions and exceptions, as an individual may bring and obtain with respect to: (1) intentional or willful unlawful disclosures of a covered record under subsection (g)(1)(D); and (2) improper refusal by a designated Federal agency or component to grant a covered person access to or amendment of a covered record under subsection (g)(1)(A) & (B). For more information on judicial redress rights under the Privacy Act, see “Civil Remedies” subsections below: “5 U.S.C. § 552a(g)(1)(A) - Amendment Lawsuits,” “5 U.S.C. § 552a(g)(1)(B) - Access Lawsuits,” “5 U.S.C. § 552a(g)(1)(C) - Damages Lawsuits for Failure to Assure Fairness in Agency Determination,” “5 U.S.C. § 552a(g)(1)(D) - Damages Lawsuits for Failure to Comply with Other Privacy Act Provisions.”
As described in the House Committee Report on the Judicial Redress Act, the Act was primarily enacted to complement an anticipated agreement between the United States and the European Union (“EU”) harmonizing legal protections of personal information shared between the United States and EU member states for the prevention, investigation, detection, and prosecution of criminal offenses:
For many years, the European Union and many of its member states have complained to U.S. officials about the fact that the Privacy Act of 1974 only applies to U.S. citizens and lawful permanent residents, and not to foreign citizens. Although other U.S. laws provide any person with judicial remedies for specified types of privacy violations, the absence of a broader right of action with respect to privacy violations by the Federal Government has remained a point of friction with the European Union. Complaints have accelerated as it has become possible, due to digitalization of the economy, and indeed necessary for public security reasons, for U.S. and EU law enforcement agencies to exchange increasing quantities of information. In contrast to the Privacy Act, U.S. citizens have rights under EU and member state data protection laws to challenge adverse decisions by European government agencies in court.
. . .
[T]he United States has been in the process of negotiating a Data Protection and Privacy Agreement (DPPA, often referred to as the “umbrella agreement”) with the European Union, in order to address the EU desire for clear standards governing the privacy of personal information exchanged for law enforcement purposes. The United States entered into these negotiations in order to ensure that robust information sharing with Europe for law enforcement purposes will continue. During the course of the negotiations, the European Commission and Parliament have both made it clear that there will be no agreement without the enactment of a U.S. law that enables EU citizens to sue the U.S. government for major privacy violations.
H.R. Rep. No. 114-294, at 2-3 (2015) (Judicial Redress Act).
The District Court for the District of Columbia has exclusive jurisdiction over claims arising under the Judicial Redress Act.
Unlike the Privacy Act’s jurisdictional provisions for its civil remedies, the United States District Court for the District of Columbia has exclusive jurisdiction over any claim arising under the Judicial Redress Act. § 2(g). Currently, the D.C. District Court has not substantively interpreted the provisions in the Judicial Redress Act. As a result, the text of the Act, its legislative history, and the Attorney General’s designations serve as the best source material for interpreting the Judicial Redress Act.
The Judicial Redress Act applies to citizens of “covered countries,” so designated by the Attorney General.
The Judicial Redress Act affords “covered persons” – defined as natural persons (other than an “individual” as defined under the Privacy Act) who are citizens of a covered country – with civil remedies as provided for in the Act. § 2(h)(3). A “covered country” is a country or regional economic integration organization, or member country of such organization, that has been designated by the Attorney General, with the concurrence of the Secretary of State, the Secretary of the Treasury, and the Secretary of Homeland Security, to have met certain protections outlined in Section 2(d)(1) of the Judicial Redress Act. Id. § 2(h)(5).
Civil remedies under the Judicial Redress Act are limited to claims involving “covered records.”
The Judicial Redress Act’s civil remedies are limited to a “covered record,” id. § 2(a), which, for a covered person, has the same meaning as a “record” under the Privacy Act (see subsection for “5 U.S.C. 552a(a)(4) - Record” in “Definitions” below ), once the covered record is transferred – (A) by a public authority of, or private entity within, a country or regional economic organization, or member country of such organization, which at the time the record is transferred is a covered country; and (B) to “a designated Federal agency or component” for purposes of preventing, investigating, detecting, or prosecuting criminal offenses. Id. § 2(h)(4). A covered person’s right to access or amend a covered record is limited to only those covered records maintained by a designated Federal agency or component. See id. § 2(a).
The Attorney General is responsible for designating Federal agencies and components for purposes of the Judicial Redress Act.
The Attorney General determines that an agency or component of an agency is a “designated Federal agency or component” if: (1) the information exchanged by such agency, or component thereof, with a covered country is within the scope of an agreement with the United States that provides for appropriate privacy protections for information shared for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses; or (2) designating such agency, or component thereof, is in the law enforcement interests of the United States. Id. § 2(e), (h)(5).
B. Attorney General Designations Related to the U.S.-EU Data Protection and Privacy Agreement
Comment:
The Data Protection and Privacy Agreement between the United States and the European Union, and its Member States, provides privacy protections for information shared to prevent, investigate, detect, or prosecute criminal offenses.
As referenced in the House Committee Report, the U.S. Government’s efforts to enact the Judicial Redress Act were, in part, a response to negotiations of an Executive Agreement between the United States and the EU relating to privacy protections for personal information transferred between the U.S., the EU, and the EU Member States for the prevention, detection, investigation, or prosecution of criminal offenses – commonly known as the “Data Protection and Privacy Agreement” (“DPPA”) or the “Umbrella Agreement.” See Agreement on the Protection of Personal Information Relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offenses, U.S.-EU, June 2, 2016, 17 U.S.T. 201, https://www.justice.gov/us-eu_dppa.
The DPPA went into force on February 1, 2017, and established a set of protections that the United States and the EU must apply to personal information exchanged for the purpose of preventing, detecting, investigating, or prosecuting criminal offenses. The DPPA establishes an obligation for the United States and the EU to provide, in their respective domestic laws, specific judicial redress rights to each other’s citizens. Id. at Art. 19. The Judicial Redress Act is implementing legislation for Article 19 of the DPPA.
1. Covered Countries under the DPPA
Following the approval of the DPPA, the Attorney General designated 26 countries and one regional economic integration organization as “covered countries.”
On January 17, 2017, the Attorney General designated 26 countries and one regional economic integration organization as “covered countries” to be effective on February 1, 2017 – the date of entry into force of the DPPA. See Attorney General Order No. 3824-2017, “Judicial Redress Act of 2015; Attorney General Designations,” 82 Fed. Reg. 7860 (Jan. 23, 2017). On February 12, 2019, following notification from the European Commission, the Attorney General designated the United Kingdom as a “covered country,” effective April 1, 2018. See Attorney General Order No. 4381–2019, “Judicial Redress Act of 2015; Attorney General Designations,” 84 Fed. Reg. 3493 (Feb. 12, 2019). Overall, the Attorney General has designated the following regional economic integration organization and countries as “covered counties” for purposes of the DPPA:
- European Union;
- Austria;
- Belgium;
- Bulgaria;
- Croatia;
- Republic of Cyprus;
- Czech Republic;
- Estonia;
- Finland;
- France;
- Germany;
- Greece;
- Hungary;
- Ireland;
- Italy;
- Latvia;
- Lithuania;
- Luxembourg;
- Malta;
- Netherlands;
- Poland;
- Portugal;
- Romania;
- Slovakia;
- Slovenia;
- Spain;
- Sweden;
- United Kingdom.
2. Designated Federal Agency or Component under the DPPA
Following the approval of the DPPA, the Attorney General identified “designated Federal agencies or components.”
On January 17, 2017, the Attorney General designated four Federal agencies and nine Federal agency components as “designated Federal agencies or components,” to be effective on February 1, 2017. See Attorney General Order No. 3824-2017, “Judicial Redress Act of 2015; Attorney General Designations,” 82 Fed. Reg. 7860 (Jan. 23, 2017). The following Federal agencies and all of their respective components are “designated federal agencies”:
- United States Department of Justice;
- United States Department of Homeland Security;
- United States Securities and Exchange Commission;
- United States Commodity Futures Trading Commission.
In addition, the Attorney General designated the following agency components as “designated Federal . . . components”:
- Bureau of Diplomatic Security, United States Department of State;
- Office of the Inspector General, United States Department of State;
- Alcohol and Tobacco Tax and Trade Bureau, United States Department of the Treasury;
- Financial Crimes Enforcement Network, United States Department of the Treasury;
- Internal Revenue Service, Division of Criminal Investigation, United States Department of the Treasury;
- Office of Foreign Assets Control, United States Department of the Treasury;
- Office of the Inspector General, United States Department of the Treasury;
- Office of the Treasury Inspector General for Tax Administration, United States Department of the Treasury;
- Special Inspector General for the Troubled Asset Relief Program, United States Department of the Treasury.
Tracking the provisions of the Privacy Act itself, the Overview analyzes each section of the Act in turn, and provides reference to and legal analysis of court decisions interpreting the Act’s provisions.
Next Section: Definitions