BRANDON BERG, Class of 2021 (Submitted while a student at Maine Law)
We are still feeling the ripple effects from the European Court of Justice’s Schrems II decision. Among other things, the decision ripped apart the E.U.-U.S. Privacy Shield with particular exception to the data subject’s inability to seek redress from a court or tribunal. With the goal of U.S. adequacy in mind, the question becomes, how do we move forward? With several privacy bills currently being debated in Congress, one important question must be addressed: do these bills address the judicial remedy concerns cited in Schrems II?
By way of background, an adequacy decision can be made if a country, jurisdiction, or part of a jurisdiction provides an adequate level of protection essentially equivalent to that ensured within the European Union. Under Article 79 of the GDPR, European data subjects have a right to judicial redress against controllers or processors. Under Article 47 of the Charter of Fundamental Rights of the European Union, European citizens have a right to an effective remedy in a tribunal established by law and fair trial for any EU rights and freedoms that are violated. The Privacy Shield was, in theory, a program that provided an essentially equivalent protection but fell short of providing the judicial redress required by the GDPR and the Charter. Instead, it provided an ombudsperson and mandatory arbitration as a means of resolving disputes between data subjects and organizations.
Primarily by citing Article 47, and without addressing the arbitration remedy, the Schrems II Court steeped much of its concern with the adequacy of Privacy Shield around the role of this ombudsperson. The Court found that the ombudsperson did not constitute a tribunal for the purposes of Article 47 giving the Court one of its legal basis to strike down the Privacy Shield as a whole.
What provides an essentially equivalent level of protection by way of judicial redress?
To understand what the United States can do to achieve and maintain an adequacy decision, one can look to other countries that have successfully done so. Such countries and their privacy laws may provide effective guidance as to what a U.S. law should have to achieve sufficient judicial redress. Two of these countries, Argentina and Canada, are noteworthy in comparison to the United States.
Argentina’s privacy law, the Personal Data Protection Act, provides for “habeas data remedy.” This remedy allows any individual whose rights and freedoms have been violated to bring a lawsuit in an appropriate court for the matter to be remedied.
Similarly, Canada’s Personal Information Protection and Electronic Documents Act, allows for data subjects to file a complaint with the Privacy Commissioner, who may choose to file a complaint with a court. Alternatively, if the Commissioner decides not to take action, the data subject may file their own complaint with a court.
Notably, both of these countries are federal systems with autonomous sub-divisions whose all-encompassing privacy laws create the judicial redress necessary for data subjects to litigate a violation of their rights within the system. As it exists, most of the United States’ sectoral laws do not allow for an individual to bring a complaint for judicial redress. Instead, only the regulators can bring actions against companies for privacy rights violations. Unlike Canada’s law, the data subject is stuck with the decision of the regulator—the data subject cannot bring an action if the regulator chooses not to. This “private right of action” in the U.S. exists only in limited circumstances depending on the applicable sectoral law. There is no general private right of action. Under the Privacy Shield, a private right of action was non-existent.
How does current proposed legislation stack up?
There are several bills currently making their way through Congress, the vast majority of which do not include a private right of action. However, three specifically do. All three bills introduced in the previous Congress, the Consumer Online Privacy Rights Act (S.2968), the Online Privacy Act of 2019 (H.R. 4978) and the Privacy Bill of Rights Act (S. 1214), allow for the individual alleging a violation of the respective act to bring an action in “any court of competent jurisdiction.”
This language greatly resembles that of Argentina’s law and, to a degree, Canada’s as well. Whether including such language in an all-encompassing privacy law would satisfy the European Court of Justice is still an open question, but for two reasons it certainly wouldn’t hurt.
First, the underlying principles of the Charter and GDPR are individual empowerment and control over one’s personal information. Where under the previous E.U., U.S. Privacy Shield landscape enforcement was dependent on a third party, namely the government, to determine whether the individual’s rights had been violated, including language that allows the individual to bring actions on their own behalf eliminating a barrier to relief.
Second, the proposed language in these bills mimics the functional reality created by the Charter and GDPR. In essence, European data subjects that have been aggrieved can expect similarity in terms of their options when seeking relief from a judge: find a lawyer, file a case, and await a decision.
Conclusion
No doubt there are certain issues that must be addressed on the road to U.S. adequacy. Addressing the private right of action in the context of national security, surveillance, and a court’s jurisdiction is chief among them. These issues aside, the private right of action in a judicial setting is an essential component to international data transfers and will create additional trust between the United States and other jurisdictions, if such a mechanism were to be included in any future privacy legislation. It should be noted that, as more countries pass legislation based on the GDPR, more countries will require similar protections for their citizens. Not having a private right of action may leave the United States in a perpetual state of limbo, where the legal transfer mechanisms that we have come to rely upon will always be subject to another country’s determinations that what we have is not enough. We should not give another country a reason to doubt the protections afforded to data subjects, especially when it comes to being able to seek judicial remedies in the United States.
