A Senate committee advanced a bill Thursday granting EU citizens privacy rights similar to those enjoyed by U.S. citizens — legislation EU privacy regulators have deemed a must-have to restoring tech company data flows from Europe to the U.S.
The Senate Judiciary Committee voted 19-1 to move the Judicial Redress Act to the Senate floor for consideration Thursday, days ahead of the end-of-January deadline EU regulators gave negotiators to set up a new data exchange agreement before they take action against U.S. companies for failing to uphold EU privacy standards.
Last October the European Court of Justice struck down the “Safe Harbor” agreement between the U.S. and the European Union that allowed Internet companies to exchange data across the Atlantic, citing concerns about American spy agencies surveilling Europeans’ data.
Under the original agreement inked in 2000, U.S. companies including Apple, Microsoft, Facebook and Google were permitted to self-certify they observed EU privacy standards when transferring data on E.U. citizens across the Atlantic.
According to the court’s ruling, the more than 4,000 U.S. and European tech companies exchanging such data can’t be trusted to self-certify they appropriately protect Europeans’ data — a result of mass U.S. surveillance programs revealed by former National Security Agency contractor Edward Snowden in 2013.
Snowden himself alleged the agreement was used to facilitate surveillance practices legalized in Section 702 of the FISA Amendments Act, which gives NSA the legal authority to tap the physical infrastructure of the Internet, like undersea fiber cables, to collect and surveil the content of communications in transit between borders.
The Judicial Redress Act gives EU citizens the right to correct flawed information in U.S. records that could subject them to surveillance or criminal charges, and gives EU citizens of countries designated by the U.S. attorney general the right to sue in U.S. courts if their data is abused. Americans are already afforded similar rights in Europe.
“It is vital that Congress pass this bill to provide assurances to our European allies that the United States respects data privacy,” Utah Republican Sen. Orrin Hatch, one of the bill’s sponsors, said in a statement. “I am pleased that the Judiciary Committee reported the bill this morning and encourage prompt passage by the full Senate.”
The bill is also viewed as a staple by EU negotiators to approve an umbrella agreement to facilitate greater cooperation and data-sharing between law enforcement agencies across the Atlantic in criminal and terrorism investigations.
In addition to the version already passed by the House last year, the committee voted unanimously to add an amendment proposed by Texas Republican and Majority Whip John Cornyn prohibiting the bill from infringing on U.S. national security efforts and requiring EU countries taking advantage of the bill’s protections to allow data transfers with the U.S.
“Sharing law enforcement information should be a common interest,” Cornyn said Thursday. “We shouldn’t have to bargain for it. Period.”
“U.S. companies should not have to endure regulatory threats in an attempt to change our policy or laws,” he continued. “This amendment lays down these important markers.”
U.S. Commerce Secretary Penny Pritzker pleaded the U.S.’s case at the World Economic Forum in Davos, Switzerland, last week, explaining the new methods Europeans have to seek remedy in the states. Commissioner Julie Brill of the Federal Trade Commission — the U.S.’s top data privacy regulator, and Bruno Gencarelli — the EU’s chief data protection regulator, joined each other for a panel discussion on the progress of the talks between the two sides in Brussels Wednesday.
“You can look at what the U.S. has been doing, and has had in place — in some cases for centuries — with respect to protections against government access to data,” Brill said. “These protections are strong, they do show that we are essentially equivalent” with the EU.
Some European companies doubt the bill will have much effect on the negotiations, and point to the recently passed Cybersecurity Information Sharing Act as proof the U.S. doesn’t respect the privacy of its own citizens, let alone of Europeans.
“The progress of The Judicial Redress Act is a welcome development, however, it is unlikely to have a huge impact on Safe Harbor negotiations,” Mike Weston, the CEO of London-based data science consultancy Profusion, said in a statement. “The U.S. made it clear with the Cybersecurity Information Sharing Act that its citizens can expect little protection of their personal information online. In contrast, the EU is taking steps to beef up privacy with new data protection legislation.”
“In short, the U.S. and EU are on diverging paths.”
Groups representing U.S. companies were more enthusiastic.
“Today’s vote helps restore transatlantic trust as it extends privacy rights to Europeans and enables better law enforcement cooperation,” president of the Computer and Communications Industry Association Ed Black said in a statement. “It will also support finalization of a new Safe Harbor framework that thousands of U.S. and EU companies use to transfer data.”
“The Senate Judiciary Committee should be commended for taking this step to restore Europeans’ trust in the U.S. post-Snowden.”