On January 25, 2017, President Trump issued an Executive Order limiting privacy protections for non-U.S. persons whose information has been collected by the federal government. The Order instructs federal agencies to “exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” The Order elicited quick reactions from the European Union regarding the potential impact on the Privacy Shield framework governing data transfers between the EU and U.S.
On January 26, Jan Philipp Albrecht, the EU Parliament’s rapporteur on data protection, stated that the Privacy Shield should be suspended because the Executive Order breaks the EU-U.S. Umbrella Agreement that created a comprehensive, high-level framework for EU-U.S. law enforcement cooperation. The EU Commission, however, released a statement explaining that the Privacy Shield does not rely on Privacy Act protections, and that the Privacy Shield and Umbrella Agreement focus on protecting data transferred to the U.S. (as opposed to data gathered in the U.S.). The statement further noted that the Privacy Act never provided protection to Europeans. The language of the Privacy Act limits its application to U.S. citizens and lawful permanent residents, although agency practice often results in Privacy Act disclosure and access provisions applying to non-U.S. persons.
Furthermore, the Umbrella Agreement may remain intact because the Judicial Redress Act (JRA), signed by President Obama in February 2016, extends certain Privacy Act remedies to citizens of designated countries. On January 17, 2017, the Justice Department designated the EU and most of its member states as countries covered by the JRA. These designations became effective February 1, 2017, the same day the Umbrella Agreement took effect. Because the Executive Order strips privacy protections “to the extent consistent with applicable law,” it may not affect protections and remedies offered by the JRA and thus may not affect privacy interests within the scope of the Umbrella Agreement.
Stakeholders should continue to monitor both the implementation of the Privacy Shield and the Trump Administration’s approach to data protection and existing agreements with the EU. An EU Commission delegate is scheduled to meet with the Trump Administration this spring and discuss the Administration’s commitment to the Privacy Shield. Future U.S. legislation or policy changes that affect privacy protections and remedies once data has entered the U.S. could impact the Privacy Shield, if the effects of those changes strip Europeans of protection “essentially equivalent” to what they receive under EU laws. This summer, the Privacy Shield will undergo its first annual joint review—an assessment of its implementation, operation and data access policies—conducted by the EU Commission, the U.S. Department of Commerce, and national intelligence experts from the U.S. and European Data Protection Authorities.
Even without further executive or legislative action, there remain at least two issues potentially affecting companies and non-U.S. citizens implicated by international data transfers. One is whether any regulations created as a result of this Executive Order remain consistent with the JRA and recognize that the Privacy Act remedies remain available to Europeans. If agency practices conflict with the JRA, Privacy Shield, or Umbrella Agreement, transatlantic data transfer agreements may come under attack. The EU Commission maintains its position that, if the U.S. does not maintain adequate protection for Europeans’ data, the Privacy Shield will be suspended.
Second, companies transferring data between the U.S. and a non-EU member country should consider how the Executive Order affects any agreements governing data transfers. For example, Canada and Mexico are not designated countries under the JRA, and their citizens lack Privacy Act data protections and remedies afforded to citizens of EU member countries.