Yesterday President Obama signed the Judicial Redress Act into law. European Union Commissioner for Justice Věra Jourová described the new law as, “a historic achievement [that] will ensure that all EU citizens have the right to enforce data protection rights in U.S. courts…. The entry into force of the Judicial Redress Act will pave the way for the signature of the EU-U.S. Data Protection Umbrella Agreement.”
Is the Judicial Redress Act really so historic? And will it actually “ensure that all EU citizens have the right to enforce data protection rights in U.S. courts”?
Europeans should not be fooled by statements such as those from Commissioner Jourová or her counterparts in other EU institutions. As we know from our own experience in court as US citizens, there are almost no real-world cases in which the Judicial Redress Act will provide any actual protection or enforceable legal rights to citizens or residents of the EU, or anywhere else.
The Judicial Redress Act gives some foreign citizens some of the rights that US citizens currently have, with respect to some of the uses and misuses by the US government of their personal information. But in no case will any foreigner have more rights under the Judicial Redress Act than US citizens have under the Privacy Act.
Serious scrutiny of the terms of the Privacy Act, and of the history of attempts by US citizens to use the Privacy Act to protect themselves against misuse of our personal information by the US government, has been largely absent from the debate about the Judicial Redress Act. But from our experience as parties to one of the key lawsuits attempting to assert Privacy Act claims by US citizens in relation to one of the most controversial categories of personal information being transferred from the EU to the US — passenger name records (PNRs) for international airline flights — we have learned an important lesson that Europeans need to know: the Privacy Act is so limited and riddled with exceptions that it is almost worthless. It is because the Privacy Act is useless, not because the US government follows fair personal information practices in its dragnet surveillance, that there are so few examples of successful litigation against the US government by US citizens under the Privacy Act.
All of the limitations and exceptions that always rendered the “protection” of the Privacy Act inadequate — even for US citizens — will continue to render the protection of the Judicial Redress Act inadequate for foreigners, in all of the same ways, and in additional ones.
Federal agencies can exempt themselves from almost all of the requirements of the Privacy Act with respect to “investigatory material compiled for law enforcement purposes,” a catch-all category that has been applied to records of dragnet surveillance and other information compiled and used for “pre-crime” profiling, even when the data subjects have never been accused or suspected of any crime. All an agency has to do to opt-out is to publish a notice in the Federal Register that a particular system of records has been declared exempt by the agency that maintains the records. An agency can wait to promulgate such a notice until after it receives a request for access to records, a request for an accounting of disclosures, or a request for correction of records.
What does this mean in practice, when the courts have been asked to apply the Privacy Act to sensitive PNR data pertaining to a US citizen? As we noted in 2012 at the conclusion of our Privacy Act litigation against the US government for the government’s copies of PNR data contained in the CBP Automated Targeting System (ATS):
Under the interpretation of the Privacy Act adopted by Judge Seeborg’s ruling in our case, additional Privacy Act exemptions could be promulgated at any time in the future, and applied even to requests that had already been made. Nobody can rely on any “rights” under the Privacy Act that could be retroactively revoked at any time. In addition, the new notices fail to give any additional detail about the data-mining or search-and-retrieval capabilities of the software (which Judge Seeborg ruled that CBP does not have to disclose, notwithstanding the specific requirement of the Privacy Act law that a SORN include the “practices of the agency regarding … retrievability” of records) or the algorithms used for processing data and making “targeting” decisions… (The use of secret algorithms makes it impossible for airlines or other travel companies subject to European Union jurisdiction, but which provide PNR or other data to CBP for ATS, to fulfill their duty under EU law to inform data subjects how their data is processed — a point we’ve made in complaints against airlines to European data protection authorities.)…
Individuals and governments abroad should also take due note of the US government’s claims in this case, and judge their collaboration with ATS accordingly. Individuals — even US citizens — have no right under US law to see what ATS records are being kept about them, and no right to know how or according to what algorithms data about themselves is mined, processed, or otherwise used. No records are kept of requests for access to records, and no logs are kept of who retrieves records.
The rules published by the DHS to exempt records in the Automated Targeting System (including copies of airline PNR data, “targeting rule sets”, and “risk assessment analyses”) from the requirements of the Privacy Act are typical of the exemptions that have been promulgated for numerous other systems of Federal records about individuals:
The Secretary of Homeland Security has exempted this system from the following provisions of the Privacy Act, subject to the limitations set forth in 5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3), and (4); (e)(1), (2), (3), (4)(G) through (I), (e)(5), and (8); (f); and (g) pursuant to 5 U.S.C. 552a(j)(2)…. These exemptions also apply to the extent that information in this system of records is recompiled or is created from information contained in other systems of records.
To understand what this means, one has to read the clauses of the Privacy Act referred to in the exemption rules. The contents of ATS, including PNR data, have been exempted by the DHS from each of the following requirements of the Privacy Act:
- The right of a data subject to access records about herself.
- The right of a data subject to receive, on request, an accounting of disclosures of her personal data to other agencies or third parties.
- The prohibition on maintaining records about individuals that are not relevant and necessary to accomplish a legal purpose of the agency.
- The requirement to maintain records which are used in making determinations about individuals “with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual.”
- The requirement to collect personal information “to the greatest extent practicable” directly from the data subject rather than from third parties.
- The requirement to notify data subjects of what information about them is being collected, and from whom it is being collected.
- The right of a data subject to dispute, amend, or correct records about herself.
- The right of a data subject to add a notice of disputed data in records about herself, and to have that notice included whenever the disputed portion of the record is disclosed to a third party.
It’s not just the DHS that has opted out of the Privacy Act, as Federal courts have held the law allows an agency to do. The NSA has similarly exempted its dragnet surveillance records from the Privacy Act, as other experts have noted:
The problem is that Europeans are likely to notice that the Privacy Act provides no meaningful redress to targets of NSA surveillance. Agencies can exempt themselves from the Privacy Act’s access and redress provisions on grounds of national security. 5 U.S.C. § 552a(k). The NSA has taken full advantage of this section. 32 C.F.R. § 322.7(a).
Once an agency has published a notice exempting a system of records from these requirements of the Privacy Act, it is completely legal (or at least, it is not a violation of the Privacy Act for which a US citizen or anyone else can sue the agency) for the agency to fill that database with secret information about individuals, collected from undisclosed third parties, that it knows is likely to be inaccurate, outdated, incomplete, and irrelevant to any lawful purpose. The agency can withhold all of this information from the data subject, and secretly disclose any or all of it to any other government agency or third party anywhere in the world. Any disclosure of exempt records that an agency chooses to make is “discretionary” and not subject to judicial review.
But wait, there’s more! For the reasons discussed above, the Privacy Act gives US citizens inadequate legal protection. But even with the Judicial Redress Act, Europeans and other foreigners will continue to have even less protection and fewer rights than US citizens. The Judicial Redress Act gives foreign citizens (even citizens of the most preferred foreign nations) fewer rights than US citizens, in important ways that most Europeans probably are not aware of.
First, even with respect to records that have not been exempted from the Privacy Act, the Judicial Redress Act gives foreign citizens the right to sue to enforce only some, but not all, of the rights that US citizens can sue to enforce under the Privacy Act. Specifically, foreign citizens can bring lawsuits in US courts only for violations of “section 552a(g)(1)(D) of title 5, United States Code” or “subparagraphs (A) and (B) of section 552a(g)(1) of title 5, United States Code” but not under any of the other provisions of the Privacy Act. These sections cover refusal by a Federal agency to comply with a subject access request or request for amendment of a record, but notably exclude lawsuits by foreigners for violations of subparagraph (C), which allows a US citizen to sue an agency that “fails to maintain any record concerning any individual with such accuracy, relevance, timeliness, and completeness as is necessary to assure fairness in any determination relating to … the individual that may be made on the basis of such record, and consequently a determination is made which is adverse to the individual.”
The very deliberate exclusion of this subparagraph (C) of this section of the Privacy Act from the causes of action allowed by the Judicial Redress Act, while including subparagraphs (A), (B), and (D), appears to have been deliberately crafted to preclude challenges by foreigners to the use of unreliable and irrelevant third-party data in “garbage in, garbage out” pre-crime profiling, risk assessments, and similar algorithmic processing and scoring systems.
Second, records are “covered” by the Judicial Redress Act only if they have been transferred:
(A) by a public authority of, or private entity within, a … covered country; and
(B) to a designated Federal agency or component for purposes of preventing, investigating, detecting, or prosecuting criminal offenses.
It might not be obvious at first glance, but this excludes two key categories of records: records maintained for purposes other than enforcement of criminal laws, and records transferred from the EU to the US government by way of commercial intermediaries in the US (or in third countries that are not covered by the Judicial Redress Act).
Records maintained by the US government for the enforcement of civil laws — such as the civil penalties for violations of aviation “security” orders — are thus exempt from the Judicial Redress Act, as are all records maintained for other purposes, or for no defined or particularized purpose at all. Records maintained for criminal law enforcement purposes can be (and almost always have been) exempted from the Privacy Act, and records for all other purposes are exempt from the Judicial Redress Act. The result, undoubtedly intentional, is that hardly any records will fall through the cracks between the exemptions in these two laws, and provide a basis for a lawsuit by a foreign citizen. The Judicial Redress Act is a carefully constructed paper tiger.
Even if the Privacy Act, the Judicial Redress Act, or both were amended to remove some or all of these exemptions (which is highly unlikely, to say the least), the limitation of the Judicial Redress Act to records transferred directly from an entity in the EU to the US government would leave a huge loophole, of exactly the sort the US has exploited in the past to intercept information about financial transfers between European banks from servers of SWIFT in the US, information about electronic communications between other countries from intermediaries in the US through which messages were routed, and information about PNR data collected by European airlines, travel agents, and tour operators and stored with computerized reservation systems in the US.
As we have pointed out in our previous testimony to the European Parliament, most transfers of PNR data from the EU to the US government are indirect, and occur by way of CRSs/GDSs and/or other commercial intermediaries in the US. These indirect but routine transfers already evade the EU-US “agreement” on direct PNR transfers, and now also evade the Judicial Redress Act, due to its limitation to direct transfers from the EU to the US government.
The Privacy Act provides inadequate data protection for US citizens, and the Judicial Redress Act would provide even more inadequate protection for non-US citizens. Neither of these laws provides any basis for a finding that anyone’s rights are adequately protected in the US, for approval of the proposed Safe Harbor 1.1 Privacy Shield, or for approval of the proposed EU-US “umbrella agreement” on data transfers.