Last Wednesday, President Trump signed an immigration-related Executive Order (EO) titled “Enhancing Public Safety in the Interior of the United States” that, among other things, removed the ability of federal agencies to extend protections under the Privacy Act to anyone other than U.S. citizens or legal permanent residents. Some initial observers have suggested that this means that the U.S. government is pulling back from its commitments to provide privacy protections to EU citizens, thus putting in peril the EU-U.S. Privacy Shield Framework. Upon closer examination, however, the EO does not impact any of the U.S. commitments under the Privacy Shield, nor does it revoke protections for EU citizens under the Privacy Act provided pursuant to the Judicial Redress Act.
The EO primarily concerns the President’s enforcement of immigration laws. Relevant here, Section 14 of the EO states:
Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
With respect to the EO’s impact (or non-impact) on Privacy Shield, there are two key components of Section 14 of the EO: (1) its status as an executive order that can only take effect “consistent with applicable law,” in this case the Judicial Redress Act, and (2) the fact that it relates to the federal Privacy Act, which does not impact any U.S. commitments under the Privacy Shield agreement.
Under U.S. Constitutional law, the President cannot enact Executive Orders to overturn statutes duly enacted by Congress. Section 14 of the EO acknowledges this, stating that the EO can only be enforced “to the extent consistent with applicable law.” Therefore, while the EO permits the President to direct U.S. federal agencies to refrain from offering Privacy Act protections to citizens of foreign countries, it cannot (and does not) revoke coverage from jurisdictions already designated as covered under the Judicial Redress Act or countries that could receive such designation in the future from the Department of Justice pursuant to the Judicial Redress Act.
But even if coverage under the Privacy Act were affected by this EO—which it is not—it would not impact any explicit commitments made by the U.S. under Privacy Shield. This is for a simple reason: the Privacy Shield Framework and the European Commission’s official Adequacy Decision approving Privacy Shield did not rely on the Privacy Act’s protections.
Moreover, the Privacy Act addresses the right to obtain redress with respect to government databases, whereas Privacy Shield addresses privacy rights with respect to private company databases. The EO will not affect EU citizens’ right to redress against Privacy Shield organizations through their independent recourse mechanisms, as well as through binding arbitration. Privacy Shield also provides for an EU-U.S. Ombudsperson to facilitate EU requests related to national security access to data transmitted from the EU to the United States. The Ombudsperson mechanism is untouched by the EO. And the other commitments by the U.S. Government that were relied upon by the European Commission in approving Privacy Shield – such as limitations on signals intelligence under Presidential Policy Directive 28, executive and judicial branch oversight of collection programs, and transparency measures related to government access requests – are also untouched by the EO.
The bottom line: EU citizen rights under both Privacy Shield and the Privacy Act are not directly affected by this EO. However, going forward, it will be important to pay attention to European officials’ reaction to the EO. It will also be important to watch how the EO may impact the Attorney General’s designations of countries covered under the Judicial Redress Act or countries that could receive such designation in the future.