An Executive Order signed by U.S. President Donald Trump in his first few days in office could jeopardize a six-month-old data transfer framework that enables EU citizens’ personal data to flow to the U.S. for processing — with the promise of ‘essentially equivalent’ privacy protection once it gets there.
Close to 1,500 companies have signed up to the framework so far, which only got up and running in August, following a multi-year negotiation process.
MEP Jan Philipp Albrecht, the European Parliament’s rapporteur on data protection regulation, tweeted earlier today suggesting that Trump’s presidential order, signed yesterday, might invalidate Privacy Shield.
Section 14 of the Executive Order signed by Trump — ostensibly aimed at enhancing domestic enforcement of U.S. immigration laws — reads:
Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
Earlier this month European Commissioner Vera Jourova said she would be traveling to the U.S. this spring to meet with the Trump administration to assess its commitment to the EU-US Privacy Shield.
The data transfer framework is also be due for its first annual review this summer.
Talks to agree the Privacy Shield stepped up urgently in October 2015 after the prior Safe Harbor arrangement was struck down by Europe’s top court, following a legal challenge related to U.S. Government mass surveillance programs. That self-certification regime had been operational for fifteen years.
The question now is whether the replacement EU-US data flow mechanism is about to come unstuck far more quickly — helped on its way by the Trump administration’s privacy-related policy choices.
According to Albrecht’s analysis, there could also be ramifications for another EU-US umbrella agreement, which covers data-sharing between law enforcement agencies in the two regions — with the MEP suggesting sanctioning the administration for making this executive order.
At the time of writing the MEP could not be reached for comment.
It’s not clear at this point exactly how damaging the policy change might be to the continued functioning of Privacy Shield — that depends on how important the extensibility of the U.S. Privacy Act to non-U.S. citizens was during the EU Privacy Shield negotiations, and whether another relevant piece of U.S. legislation (the Judicial Redress Act) is also affected by Trump’s executive order.
But the order on “Enhancing Public Safety in the Interior of the United States” certainly looks likely to deepen concerns about the legal robustness of the EU-US data transfer mechanism, given it’s explicitly seeking to strip away privacy protections from non-U.S. citizens. Aka the opposite of what the European Commission was intent on achieving during negotiations.
A spokeswoman for the Commission told TechCrunch it does not have a statement on the implications of Trump’s executive order at present — but did confirm: “We’re looking at it at the moment.” Update: The spokeswoman has now sent us a statement in which the EC asserts that Privacy Shield “does not rely on the protections under the U.S. Privacy Act”.
On the Umbrella Agreement the spokeswoman said this relies on the Judicial Redress Act which she said “extends the benefits of the U.S. Privacy Act to Europeans and gives them access to U.S. courts”.
“We will continue to monitor the implementation of both instruments and are following closely any changes in the U.S. that might have an effect on European’s data protection rights,” she added.
The Commission does look to have fired a warning shot across the U.S. administration’s bows at a privacy conference taking place in Brussels this week, by reiterating that if adequate protection for EU citizen’s personal data under U.S. law can no longer be guaranteed then the framework would indeed have to be suspended.
Any suspension of Privacy Shield would mean a return to legal uncertainty for the 1,500+ businesses currently processing EU data in the U.S. via this authorization framework — which includes the likes of Facebook, Twitter, Google and Microsoft. (You can find a full list of sign-ups here.)
A key sticking point in the lengthy EU-US Privacy Shield negotiations was the need for the arrangement to ensure essential equivalence of privacy protections for European citizens’ data in the U.S. — so there really can be little doubt that a presidential order seeking to strip privacy protections from Europeans (regardless of the stated intent) will be viewed very dimly by EU officials.
Compare and contrast Trump’s order with a policy directive signed by President Obama at the start of 2014 — which imposed limits on U.S. agencies’ use of signals intelligence collected in bulk with the stated aim of protecting “the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside” [emphasis mine].
Obama’s extension of privacy protections to non-U.S. citizens was lauded as a very positive step by EU officials during the Privacy Shield negotiations. So it’s hard not to conclude the trajectory of the new U.S. administration vis-a-vis privacy and foreigners does not bode well for easy data flows between the two regions.
Earlier this month, as the inauguration of President Trump loomed, the Commission was already signalling public concern about the U.S.’ response to questions it sent following the Yahoo email scanning scandal — after news broke last fall the company had built a custom scanning tool at the behest of U.S. intelligence agencies to enable real-time keyword scanning of the incoming email of all Yahoo users.
On that issue Jourova complained the U.S. response had been tardy and lacking in detail. “This is not how we understand good, quick and full exchange of information,” she told Reuters in an interview earlier this month.
Critics of Privacy Shield –– including the lawyer who brought the original challenge against Safe Harbor — have consistently argued the arrangement contains the same fundamental flaws as its invalidated predecessor, given ongoing U.S. government agency surveillance programs accessing European citizens’ data.
And even before President Trump’s signing-in the Privacy Shield had attracted its first legal challenge. (Which might well find fresh fuel for its fight in Trump’s executive order.)
But the European Commission has previously rejected these structural criticisms of the framework — professing itself satisfied with “assurances” secured from the Obama administration that any access to personal data for law enforcement or national security would be “limited to what is necessary and proportionate”, and arguing the mechanism strengthens privacy protections via new components such as an ombudsperson to handle complaints, and an annual review of how Privacy Shield is operating.
However the arrival of Trump could really put the cat among the Commission’s pigeons.
Its overarching aim for Privacy Shield has been to grease the wheels of digital commerce by providing a streamlined mechanism for authorizing EU-US personal data transfers, while achieving an adequate level of compliance with European privacy law. But the new U.S. administration’s priorities on immigration and on business suggest Trump’s America is intent on pulling in a very different direction.
Other data transfer mechanisms for enabling the processing of EU personal data in the U.S. do exist but are generally more complex for businesses to comply with. And their legality has also been called into question.