Data protection and privacy officials and interest groups across the globe produced a flurry of activity on social media this week. Countless tweets, blogs and articles have responded to President Trump’s executive order directed at Enhancing Public Safety, signed during his first full week in office.
The new U.S. executive order
The order, which is chiefly aimed at immigration-related activity, also limits privacy protection under the United States Privacy Act of 1974 to U.S. citizens and permanent residents of the United States – at least to the extent permitted by law.
Section 14 of the Enhancing Public Safety order reads:
“Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
While initial concerns were raised about the potential negative impact that this order might have on the newly agreed-upon Privacy Shield – raising fears that non-Americans (and their personal data) would have their privacy protected less by American companies relying upon the Privacy Shield, and therefore the future of the Privacy Shield could be at risk – EU regulators responded quickly, putting most of these fears to rest.
In its response, the European Commission released a statement that provided clarity as to the limited impact that the order is likely to have on Europeans’ data protection rights.
First, the Commission pointed out that the EU-U.S. Privacy Shield places no reliance on the protections under the U.S. Privacy Act. The U.S. Privacy Act is only relevant to EU residents in instances when their data is sent directly to U.S. law enforcement bodies. The Privacy Act of 1974 governs the collection, use and disclosure of personal data by the United States government in its interactions with the government directly. It does not come into play in relation to business-to-business international transfers of data.
Secondly, the Commission pointed out that it is by way of other U.S. legislation (namely, the incoming EU-U.S. Umbrella Agreement and the U.S. Judicial Redress Act) that Europeans are granted the benefits of the U.S. Privacy Act and are provided access to U.S. courts.
It is also noted that one of the final acts of the outgoing U.S. attorney general was to sign a notice that extends U.S. Privacy Act remedies to 26 countries, in addition to the EU.
Privacy Shield unaffected
Despite the exclusionary language of the executive order, the order does not alter the applicability of the U.S. Privacy Act for EU citizens, nor does it have a direct legal impact on the adequacy of the Privacy Shield.
The intentions behind the order may raise concerns about the future of the Privacy Shield, which is not without its detractors on both sides of the pond. With a challenge brought before the European courts in 2016 by Digital Rights Ireland, the Privacy Shield has gotten off to a rough start in its first year of implementation.
Perhaps the most important signal of the order is the likelihood of substantial change in policy direction by the new administration on privacy and data protection matters. For example, whether the perceived goals of the order, limiting procedural and other substantive protections of U.S. law to citizens, might be extended to other laws providing significant data protection for financial institutions (GLBA), health care and insurance (HIPAA), and telecommunications (CPNI), or elsewhere remains unclear. Much of the initial outcry regarding the broader direct implications of the order could be attributed to a lack of widespread understanding of the Privacy Act of 1974 and its applicability. Nonetheless, the order itself, and the early actions of the new administration, will be watched carefully by technology and other businesses, as it remains clear that the actions of policymakers in Washington can have an immediate, and sometimes material, impact on businesses reliant on international data transfers and processing.
Despite these initial hiccups, though, the Privacy Shield remains fully intact.