On March 6th, 2017, President Donald Trump signed a new executive order on immigration that now excludes any mentions of the U.S. Privacy Act. The previous executive order, issued in January, instructed public agencies to limit privacy protections under the Privacy Act to only U.S. citizens, which caused some to question the validity of the recently negotiated EU-U.S. Privacy Shield.
Currently, over 1,700 companies rely on the Privacy Shield Framework, which allows them to transfer personal data from the EU into the U.S. Before the Privacy Shield Framework, companies relied on the Safe Harbor Framework to transfer personal data between the EU and U.S. However, in October 2015, in Maximillian Schrems v. Data Protection Commissioner, the EU Court of Justice found that Safe Harbor was invalid as it did not adequately protect EU personal data since U.S. public agencies (i.e. intelligence authorities) were processing EU personal data on a large-scale without providing privacy protections.
Since Trump’s January executive order specifically provided the U.S. Privacy Act would not apply to non-U.S. citizens, it appeared to expose EU personal data to such large-scale processing without privacy protections. Despite the assurances of EU and U.S. lawmakers and attorneys that the January executive order would not affect EU to U.S. transfers, many were still concerned that it could result in a non-renewal of the Privacy Shield Framework and impact transfers of personal data with other countries. At a time where Standard Contractual Clauses (“SCCs”) are being challenged in Ireland, the potential threat to the Privacy Shield Framework had many concerned about a valid legal mechanism for EU personal data transfers.
However, for the moment, the new executive order appears to be a positive sign in relation to the longevity of the Privacy Shield Framework. We will continue to update our blog with any relevant new developments on the White House or EU Commission’s response to the new executive order.