Congress wants to allow Europeans to sue US over spying. What's next?

On Thursday, the House Judiciary Committee approved a bill aimed at assuaging European doubts about government surveillance. But questions linger about how effective it may be.

More than two years after former National Security Agency contractor Edward Snowden revealed the extent of the US government’s massive surveillance program, concerns about data privacy continue to echo internationally.

On Thursday, Congress advanced a bill which would allow European citizens to sue the US government if their data is misused in an international law enforcement investigation. The proposal is one of several cybersecurity bills currently in progress in the US and in Europe.

Known as the Judicial Redress Act, it’s intended to address imbalances in how the US and international governments share data in criminal investigations, including terrorism cases. It’s part of a larger “umbrella agreement” between the US and the European Union to further define how the two sides share information. Currently, US citizens can sue in European courts over the misuse of their data, but the US does not have similar protections.

The House Judiciary Committee’s stamp of approval came during during a Thursday mark-up session, with lawmakers emphasizing that it would be a key effort in restoring trust between the US and Europe, where officials have expressed outrage over the extent of the US government surveillance in the region.

“If we fail to pass the Judicial Redress Act, we will undermine several important international agreements, harm our businesses operating in Europe and severely limit the sharing of law enforcement information,” Rep. James Sensenbrenner (R) of Wisconsin, who introduced the bill in March, said during the meeting.

But the bill’s impact is somewhat limited, observers and privacy groups say.

“I don’t think the Judicial Redress Act does much, to be honest,” says Jim Kinsella, a former Microsoft executive who now runs a European cloud data storage company called Zettabox. “I don’t think it’s going to bring together the European Union and the US in terms of their approaches to data privacy.”

Mr. Kinsella says he feels upcoming European legislation called the General Data Protection Regulation (GDPR), provides a more robust approach to protecting citizens’ data, most notably by requiring that all companies that store data in Europe follow European laws.

The GDPR will also allow European countries to get more involved in cloud data storage, where American companies like Amazon, Google and China’s Alibaba have increasingly dominated the industry, he says.

The Judicial Redress Act focuses more narrowly on correcting the imbalance between European and American privacy law. It allows European citizens to sue the government for “intentional and willful” privacy violations, including the refusal to provide access to a particular record.

However, only data used by certain “designated agencies” picked by the Justice Department is covered, the Electronic Privacy Information Center (EPIC) said in a statement sent to the Judiciary Committee. If a federal agency is removed from this group by the Attorney General, it isn’t subject to review by a judge, EPIC notes. The group argues Congress should allow European citizens to sue every federal agency.

“To the extent that federal agencies maintain personal information on non-US persons, EPIC recommends that the Judicial Redress Act grant all such persons the same right of judicial redress currently available to US persons,” EPIC says.

Congress’ actions comes amid an ongoing battle between the Justice Department and technology companies like Apple and Microsoft over the release of data that it says is needed in ongoing criminal investigations.

The Microsoft case, which involves a Hotmail email account stored on a server in Dublin, Ireland, has attracted widespread attention, with the tech giant arguing that the government only provided a warrant valid in the US in order to obtain access to the account.

In contrast to the bitterly contested legal battle, which is currently before a federal court in Manhattan, both sides have supported the Judicial Redress Act, saying it will provide further guidelines on international data sharing.

Kinsella, the technology entrepreneur now based in Europe, isn’t convinced.

Compared to Europe’s more comprehensive data regulation, he says, the US approach to ensuring data is shared responsibly is “very reactive.”

Congress is also considering several other data privacy bills, including a cybersecurity bill backed by Homeland Security officials which has stalled in the Senate and an update to the the 1986 Electronic Communications Privacy Act in the House, which would require officials to obtain a warrant for US citizens’ emails.

Because there are so many pending data privacy regulations in the US and Europe, Kinsella says, while the Judicial Redress Act will likely pass, its impact on government surveillance may be muted.

“I think, definitely, the Judicial Redress Act will essentially spawn suits against the government,” by Europeans worried about how their data is used. But, he adds, “the US government is going to have presumption of duty on its side, and it’s going to be an exceptionally rare judge, especially at the appellate level, who will let this case win.”