On February 24, 2016, President Obama signed into law the Judicial Redress Act, giving citizens of certain “covered countries” access to U.S. courts to protect their privacy and take legal action against U.S. government agencies if their personal data is unlawfully disclosed. The Act provides that the U.S. Secretary of State, the Treasury Secretary and the Secretary of Homeland Security will designate which countries and “regional economic integration organizations” (REIOs) will be “covered countries.” To be designated, however, the countries and REIOs must have either shared or agreed to share information with the U.S. for the purpose of “preventing, investigating, detecting or prosecuting” crimes, and must permit the transfer of personal data for commercial purposes to the U.S. in a manner that does not materially impede the national security interests of the U.S. The Judicial Redress Act is intended to rebuild trust among European and other allies following the highly publicized leaks by former National Security Agency contractor Edward Snowden in 2013 and is a step by the U.S. to meet the requirements of the recently negotiated agreement with the EU for the exchange of information with U.S. law enforcement agencies.
The Judicial Redress Act gives citizens of covered countries who are not lawful permanent residents of the U.S. privacy protections similar to those available to U.S. citizens under the Privacy Act of 1974, 5 U.S.C. § 552a. In particular, it allows covered foreign citizens to request their records and correct information held by a designated federal agency that the person believes is not accurate, relevant, timely or complete — mistakes that could subject innocent people to criminal charges or unnecessary surveillance. In addition, foreign citizens may bring a civil action in federal court against a U.S. agency that intentionally and unlawfully discloses their personal data. Supporters of the new law suggest that extending privacy protections to citizens of U.S. allies is a crucial element of the U.S. law enforcement strategy because it helps ensure that these nations will continue to share law enforcement data with the United States.
With two decades of experience as a practicing attorney, Karin McGinnis, CIPP US, has handled a wide variety of privacy and data security matters for her clients, with a special emphasis on privacy and data security issues in the workplace. Ms. McGinnis’ privacy and data security experience includes counseling and litigation regarding misappropriation of trade secrets, violation of the Computer Fraud and Abuse Act and state computer trespass laws, common law privacy torts, discovery challenges posed by the Stored Communications Act, privacy of consumer financial information under Gramm-Leach-Bliley, and confidentiality rights concerning mental health consumers. Ms. McGinnis also handles a wide variety of data breach matters for her clients, including those involving PCI-DSS compliance, and has worked with the USSS and the FBI in investigating potential cyber-crime. She has assisted clients with drafting and creating data breach procedures, mobile device policies and agreements, FACTA Red Flag policies and procedures, online privacy policies, international ethics hotlines, international data transfer agreements, vendor agreements, and employee data security training. Ms. McGinnis is co-chair of the firm’s Privacy and Data Security Group.