Earlier this week the Judicial Redress Bill was passed by the US Senate. The Bill approved by the Senate contained an amendment to the version that was previously backed by the US House of Representatives. The House subsequently approved the amended Bill and put it before president Barack Obama to sign into law.
"This Bill would allow foreign citizens in European countries to sue the United States for unlawful disclosure of personal information - under the terms of the Privacy Act - obtained in connection with international law enforcement efforts," according to a summary of the Bill published on the Gov Track website. "Under current law, only US citizens and legal residents can bring claims against the federal government for unauthorised disclosure of their personal information."
The Bill will also give EU citizens rights to require US federal agencies to give them access to their data and correct inaccurate records they hold about them.
The passage of the Bill has been seen as a pivotal component of reforms aimed at strengthening privacy protections given to people in the EU when their personal data is transferred to the US.
In September last year EU and US officials agreed a new 'umbrella agreement' on data protection which sets out a range of privacy "protections" to data that is exchanged between law enforcement agencies in the EU and US. That agreement does not of itself provide a lawful authority for the transfer of the data to the US from the EU but would underpin such data transfers.
However, at the time the umbrella agreement was announced, EU justice commissioner Věra Jourová confirmed that the deal would not come into effect until the Judicial Redress Bill was adopted by US law makers.
In a ruling last October, the Court of Justice of the EU (CJEU) invalidated a framework that EU and US officials had agreed in 2000 to allow organisations to transfer personal data from the EU to the US in line with EU data protection law requirements. In its ruling the CJEU referenced concerns about the access US authorities have to the personal data transferred from the EU and the lack of rights to judicial redress EU citizens have in the US when their data is mishandled.
Last week the European Commission and counterparts in the US outlined a replacement for the 'safe harbour' framework that the CJEU had invalidated. In its statement the Commission said that EU citizens would gain rights to redress in the US if they feel "their data has been misused" under the EU-US Privacy Shield arrangement.
However, following that announcement Isabelle Falque-Pierrotin, chair of the Article 29 Working Party, a body of European data protection authorities, said that she does not think the Judicial Redress Bill will address concerns the CJEU had raised in its ruling in relation to EU citizen's redress. That is because the Bill would not apply to cases concerning access to data for national security purposes, she said.