A Congressional bill which would give citizens of European Union (EU) countries certain U.S. privacy rights was withheld from a scheduled vote by the Senate Judiciary Committee on Thursday.
Specifically, the Judicial Redress Act allows EU citizens to file a civil lawsuit against “U.S. government agencies” for privacy violations regarding “unlawful disclosures of records transferred from a foreign country to the United States”.
The enactment of the bill is necessary for the U.S. to start negotiating a revised version of the “Safe Harbor” framework agreement, which was struck down by the EU’s Court of Justice in October 2015 because U.S. law didn’t satisfy the EU’s privacy protection standards.
The transfer of personal data by U.S. technology companies from their European customers back to the States has been a concern for EU officials since Edward Snowden exposed the National Security Agency’s mass surveillance programs in 2013.
Currently, 4,400 U.S.-based tech companies are able to transfer European data back to servers in the U.S. as a result of the Safe Harbor principles agreed to in 2000.
A tech lobbying firm in Washington, D.C., which represents the likes of Microsoft and Apple, sent a letter to President Obama and European Commission President Jean-Claude Juncker this week arguing that the consequences of failing to renegotiate the prior agreement would be “enormous”.
The EU has set a deadline of the end of January for a deal, and EU privacy regulators could begin enforcing European consumer protection laws, which are stricter than those in the U.S., as soon as February if no agreement is reached.
The seven principles of the 2000 Safe Harbor framework are the following:
- Notice – “An organization must inform individuals about the purposes for which it collects and uses information about them”.
- Choice – “An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected”.
- Onward Transfer – “Where an organization wishes to transfer information to a third party that is acting as an agent . . . it may do so if it first either ascertains that the third party subscribes to the Principles”.
- Security – “Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.”
- Data integrity – “An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.”
- Access – “Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate”.
- Enforcement – “Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed.”
[Reuters] [The Hill] [eur-lex.europa.eu]