Only last year the news was in a frenzy over the U.S.-EU Safe Harbor Framework being invalidated near the end of 2015, followed by a collective sigh of relief as the EU-U.S. Privacy Shield was implemented as a replacement by summer. That new agreement enabled US companies to transfer the personal data of citizens of the European Union member states to the United States while ensuring that those same companies will comply with Europe’s more stringent Data Protection Directive, and the soon to come into effect General Data Protection Regulation (GDPR).
But fast forwarding to January 25th, President Trump has just delivered an Executive Order on Enhancing Public Safety that includes some language regarding the US Privacy Act, which you can read here: https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united
The global corporate legal community has been in an uproar since, with many wondering whether the Order will invalidate the Privacy Shield. Notably the order explicitly includes the following clause:
Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
This language would seem to be in direct contrast to the Privacy Shield framework which ensures legal protection for American businesses sending and receiving data from EU member states. As privacy is a paramount right in the European Union, the European Commission (EC) immediately reacted and released a statement yesterday saying, “We are aware of the executive order on public safety. The US Privacy Act has never offered data protection rights to Europeans.” The EC went on to assure citizens of the EU that they will keep a watchful eye on this development and react appropriately as needed.
In its initial analysis, the EC highlighted its belief that the Privacy Shield, the EU-US Umbrella Agreement (which goes into effect Feb 1) along with the Judicial Redress Act (which does extend privacy protection to EU citizens) together provide adequate protection for EU citizens and that these really have nothing to do with the US Privacy Act, or any changes to it.
Worth mentioning is also a notice signed by Loretta E. Lynch, the outgoing US AG, just prior to the inauguration, that lists 26 countries + the EU as being covered countries that benefit from the extension of ‘certain Privacy Act remedies’.
A summary of this notice from the Federal Register reads:
In accordance with the Judicial Redress Act of 2015, relating to the extension of certain Privacy Act remedies to citizens of designated countries, notice is given that the Attorney General has designated 26 countries and 1 regional economic integration organization, as set forth below, as “covered countries.” Notice is also given that the United States anticipates designating additional EU member countries as soon as practicable. In addition, notice is given that the Attorney General has designated four Federal agencies and nine components of other Federal agencies, as set forth below, as “designated Federal agencies or components.”
The designations herein are effective on February 1, 2017, the date of entry into force of the U.S.-EU Data Protection and Privacy Agreement.
The EU’s official statement, plus the existence of the Umbrella agreement and recently the AG’s notice has altogether led many privacy experts world-wide to focus on the phrase, “agencies shall, to the extent consistent within applicable law, ensure that their privacy policies…”. In particular the phrase, “to the extent consistent with applicable law,” seems to offer hope that the current agreements will continue as mechanisms for protecting EU citizens’ privacy.
Another area for hope is that President Trump has consistently pledged to improve U.S. business and it seems unlikely that he would do anything to jeopardize trade in such an important global relationship. An environment in which US businesses cannot freely transfer data and operate across borders would have a significant negative impact on the US economy.
As of today, I am confident in believing business will continue as normal and that our current concern is simply a panicked reaction to what on the surface might seem to be horrible news for global businesses. The current laws and agreements noted above should in fact extend adequate protection and keep the global transfer of data possible, at least within the covered countries.
Trump could decide to invalidate the above agreements too, but so far he has not done so. If he does, it will be important to remember that the Privacy Shield is not the only means of transferring data safely across borders. Model Clauses and Binding Corporate Rules are other equally valid means often employed by American companies to safeguard the transfer of personal data from the EU to the US. Should the Privacy Shield be invalidated because of this Executive Order and changes to the Privacy Act, the only companies impacted with be the 1500 or so that have signed up to the Privacy Shield since last summer, and who rely solely on its protections for the transfer of data.
The EC is keeping a close watch on this issue, over the next few weeks and months. As will I and others who care deeply about this issue. We just need to keep paying attention to these developments and ensure that we are keeping data as safe as possible for EU citizens.
The timing of Trump’s Executive Order could not be better, as tomorrow, January 28th, just happens to be the annual Data Protection Day in the EU. Hahahahahaha!