US to Europe: You can sue us if our agencies misuse your personal data
New bill could restore trust for both US and Europe around cross-border data transfers.
The US is on the verge of granting Europeans more legal rights in the US over personal information sent by EU law enforcement to assist US criminal and terror investigations.
The Judicial Redress Act, passed by the US Senate on Wednesday, will let Europeans bring civil actions in the US if agencies there intentionally violate the US Privacy Act when handling personal data, such as making unauthorized disclosures.
The bill, which still needs approval from President Obama, will also enable Europeans to sue if an agency refuses them the opportunity to review or amend incorrect records.
The legislation forms part of the US-EU Umbrella Agreement, aimed at offering Europeans equivalent rights to US citizens and supporting data transfers to combat crime and terrorism.
"I am pleased the full Senate has passed this legislation, which demonstrates that the United States respects cross-border data privacy," Orrin Hatch, Republican Senator for Utah and one of the bill's co-sponsors, said.
"It will complete an important agreement with the EU and thereby improve the ability of law enforcement to fight crime and terrorism."
The act isn't a requirement of the new Privacy Shield agreement for transatlantic commercial data transfers. However, it is seen as a key element in restoring trust on both sides, following Europe's top court's decision in October to strike down Safe Harbor, the framework US firms have relied on for legal data transfers to the US.
"I welcome the US Senate vote [on the Judicial Redress Act]," EU Commissioner Věra Jourová said. "Another key step to restore trust in transatlantic data flows."
"Passage of this bill is a sign to our allies that the US is committed to providing reciprocal rights for their citizens. We hope this becomes a turning point in rebuilding trust post-Snowden," Computer & Communications Industry Association privacy counsel Bijan Madhani said.
The EU and US announced Privacy Shield two weeks ago. The finalised text must be reviewed and approved by European data-protection authorities in the WP29 group, which has given the EC until the end of February to hand over all documents.
The group will assess whether the agreement is consistent with the ruling against Safe Harbor.
Jourová said this week that the text should be ready in the second half of this month.
The pressure to find a new agreement was illustrated this week after France's data protection authority, CNIL, gave Facebook three months to stop relying on Safe Harbor or else face the threat of fines.
While EC and US officials celebrated Privacy Shield as a workable replacement to Safe Harbor, others in Europe are less confident.
Jan Philipp Albrecht, Green home affairs and data protection spokesperson, said Privacy Shield amounted to a "reheated serving of the pre-existing Safe Harbour decision".