U.S. President Donald Trump signed an Executive Order on January 25, 2017, “Enhancing Public Safety in the Interior of the United States,” that requires agencies “to the extent consistent with applicable law ... exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” While many have been quick to question whether the Executive Order will throw the Privacy Shield back into limbo, a carveout in the Executive Order, coupled with the statements the European Commission issued on Thursday, suggests that the status of the Privacy Shield remains unchanged by the Executive Order.
However, amid continued uncertainty about the validity of the Privacy Shield, companies must continue to assess the legality of the mechanisms they use to transfer personal data internationally. It should be noted that because the Executive Order specifically references the Privacy Act and not the Privacy Shield, it remains to be seen what impact this Executive Order will have on the privacy rights of citizens outside the EU and on the overall validity of the Privacy Shield.
The Privacy Shield is a revamped legal framework for transatlantic exchanges of personal data for commercial purposes between the EU and the United States; it replaced the Safe Harbor framework, which the European Court of Justice invalidated in October 2015. However, because this Executive Order deals with enhancing public safety in the interior of the United States, it appears clear that the protections afforded to the personally identifiable information of persons who are not U.S. citizens or lawful permanent residents have been removed.
After comments surfaced on social media from Jan Philipp Albrecht, the European Parliament’s rapporteur on data protection regulation, suggesting that the Executive Order would invalidate the Privacy Shield, a spokesperson for the European Commission issued a statement noting that “The US Privacy Act has never offered data protections rights to Europeans” and cited the EU-U.S. Privacy Shield and the EU-U.S. Umbrella Agreement as two additional instruments that ensure that EU citizens’ data is protected when transferred to the United States.
The EU-U.S. Umbrella Agreement, set to take effect on February 1, introduces the concept of equal judicial redress via the U.S. Judicial Redress Act (JRA). The JRA, signed into law in February 2016, extends the benefits of the U.S. Privacy Act to EU citizens and grants them access to U.S. courts for unlawful disclosures or transfers of personal data. In a notice signed by the outgoing attorney general three days before President Trump’s inauguration, the EU and 26 other countries (not including Canada or Mexico) were listed as receiving benefits from the “extension of certain Privacy Act remedies.” Therefore, since the JRA extends the protections of the Privacy Act to EU citizens, the “applicable law” carveout in the Executive Order suggests that the protections afforded in the Privacy Shield have not been removed by this Executive Order. Despite this carveout, news commentators report that Edward Snowden and other privacy activists and commentators are calling for the Privacy Shield to be invalidated because the Executive Order undermines the spirit of affording equal protection to the personal data of non-U.S. citizens.
The European Commission’s statement also concluded by noting that it is “following closely any changes in the United States that might have an effect on European’s data protections rights.” As it becomes increasingly important for companies to be able to move data freely around the world, and especially in light of the GDPR, set to take effect in May 2018, every organization must undertake a methodical and deliberate review of its cross-border data transfers to assess whether it is transferring data through proper legal mechanisms.