The Privacy Act is a privacy act.
The FPA applies only to agencies of the US Federal Government. It governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.
It prohibits the disclosure of information from a system of records controlled by the federal agency absent the written consent of the subject individual, unless the disclosure is pursuant to one of 12 statutory exceptions. Until recently, it only applied to lawful residents of the US.
However, it was amended by the Judicial Redress Act, which allows citizens of ‘covered countries’ as determined by the Attorney General, with the concurrence of the Secretary of State, the Secretary of the Treasury, and the Secretary of Homeland Security, to sue in a federal court for willful disclosures of personally identifiable information by a federal agency.
According to the European Commission, “The EU-US Umbrella Agreement entered into force on 1 February 2017. To finalize this agreement, the US Congress adopted a new law, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.”
But since the FPA is limited to the US government, and since it does not preclude §702 of the FISA, it does not stop either the US National Security Agency (NSA) or private companies from obtaining, disclosing, or transferring personally identifiable information that is expressly prohibited by the GDPR.
Penalties and enforcement
Covered persons, who include lawful residents of the US and citizens of certain foreign countries designated by the US Secretary of State, may sue in a US federal district court for actual damages or $1,000 (whichever is greater), attorney fees, and court costs. The court may also require the federal agency to amend or correct any information on file concerning the covered person.
All US federal agencies must:
- Not disclose any record that is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains
- Allow any individual to gain access to their record or to any information pertaining to them that is contained in the system, and permit them and, upon their request, a person of their own choosing to accompany them, to review the record and have a copy made of all or any portion thereof
- Maintain any record concerning any individual with accuracy, relevance, timeliness, and completeness
- Assure fairness in any determination relating to the qualifications, character, rights, or opportunities of, or benefits to, the individual