On January 25th 2017 US President Donald J. Trump adopted an Executive Order titled “Enhancing Public Safety in the Interior of the United States”.
The Executive Order mainly focuses on strengthening immigration enforcement. However, it also requires US federal administrative agencies to ensure that their privacy policies do not extend US Privacy Act protections to non-US persons. The Executive Order states that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” It is expected that this will allow the US federal government to more easily share information (including personal data) between agencies and to publicly release information about non-US persons.
Many are concerned that the Executive Order would affect the so-called EU-US Umbrella Agreement, the data protection framework for EU-US law enforcement cooperation, which entered into force on February 1st 2017. The Umbrella Agreement covers all personal data (e.g. names, addresses, criminal records) exchanged between the EU and the US for the purposes of prevention, detection, investigation and prosecution of criminal offences, including terrorism.
One of the goals of the Umbrella Agreement was to ensure that EU citizens have the same judicial redress rights as US citizens in case of privacy breaches. Therefore, the EU made signing of the Umbrella Agreement conditional upon the US extending to EU citizens the protections of the US Privacy Act regarding access, amendment and disclosure. The US therefore passed the Judicial Redress Act to extend those protections to citizens of so-called “covered countries”. On January 17th 2017, the US Attorney General designated the EU and its Member States (except Denmark and the UK) as “covered countries” (effective as from February 1st 2017). The adoption of the Judicial Redress Act was considered by many observers as a key element in the negotiation of the EU-US Privacy Shield. This major privacy arrangement entered into force on July 12th 2016 following the invalidation of the former EU-US Safe Harbor program by decision of the Court of Justice of the European Union and provides a regulatory framework for personal data flows from the EU to the US for business purposes.
Although the Privacy Shield and the Umbrella Agreement each have a different object and purpose, it is fair to say that the EU approval of the Privacy Shield was to some extent influenced by the conclusion of the Umbrella Agreement (and the related extension of the Privacy Act protections to EU citizens following the adoption of the Judicial Redress Act).
The Executive Order provides that federal administrative agencies must ensure that their privacy policies do not extend US Privacy Act protections to non-US persons “to the extent consistent with applicable law”. Our interpretation is that the Judicial Redress Act constitutes applicable law and that, therefore, the Executive Order is unlikely to remove the judicial review rights extended to EU citizens following the Umbrella Agreement. Furthermore, the Privacy Shield does not rely on the privacy protections afforded by the US Privacy Act, as was confirmed in a statement made by an EU Commission spokesperson that has been reported by the press.
Watch out for the following legal and political developments that are expected to further shape the debate:
The first annual review of the Privacy Shield, which is to be performed jointly by the EU Commission and the US Department of Commerce in 2017.
A meeting between Věra Jourová, EU Commissioner for Justice, and representatives of the Trump administration (Attorney General Jeff Sessions and US Secretary of Commerce Wilbur Ross).
The opinion of the Advocate General of the EU Court of Justice on the ongoing legal challenges to strike down the Privacy Shield, which is likely to be delivered in 2017.