Governance & Risk Management , Privacy
Trump Executive Order May Shatter 'Privacy Shield' Pact
What Would Be the Impact If US-EU Agreement Gets Voided?European officials are asking the United States if the EU-U.S. deal for sharing individuals' personal information among businesses - dubbed the Privacy Shield - should be considered null and void as a result of an executive order issued by President Donald Trump.
See Also: Using the Netskope HIPAA Mapping Guide
The EU-U.S. Umbrella Agreement on Data Protection - aka the Privacy Shield - is a voluntary, self-certification agreement issued by the European Commission after a previous and similar arrangement, called Safe Harbor, was struck down by the European Court of Justice in October 2015.
The Privacy Shield is due to take effect on Feb. 1.
Since taking office on Jan. 20, President Trump has signed a number of executive orders - legally binding orders that federal agencies and officials must follow. Historically, many presidents have employed these orders to bypass Congress. Trump's initial orders have focused, for example, on blocking any costs to the government related to the Affordable Care Act as well as ordering "the immediate construction of a physical wall on the southern border" of the United States.
But Trump's Jan. 25 executive order titled "Enhancing Public Safety in the Interior of the United States" could undercut the Privacy Shield.
Section 14 of the order instructs federal agencies to "ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."
The Privacy Act, passed in 1974, establishes a code of fair information practices that governs the collection, maintenance, use and dissemination of information about individuals that is maintained in systems of records by federal agencies, according to the U.S. Department of Justice.
Negotiations during President Obama's tenure resulted in the United States promising that the protections afforded by the Privacy Act would also be applied to Europeans. That arrangement was crucial for getting the Privacy Shield in place.
US Businesses Rely on Privacy Shield
Whether the agreement stands is a concern for U.S. businesses because the Privacy Shield gives them a legal way to gather Europeans' personally identifiable information and transfer it to servers in the United States without running afoul of EU data protection and privacy laws.
Under the terms of the EU's new General Data Protection Regulation, which is now in effect - but not due to be enforced until May 2018 - organizations anywhere in the world that violate Europe's privacy regulations can be fined up to 4 percent of their global annual revenue for violating the regulation.
The previous EU-U.S. data sharing arrangement, known as the Safe Harbor, was thrown out thanks to a case launched by Austrian privacy campaigner Max Schrems, who pointed to documents leaked by former National Security Agency contractor Edward Snowden that suggested Europeans' private information was being shared with U.S. intelligence agencies, thus violating Europeans' right to privacy.
Europe Demands Clarity
Already, European politicians have demanded that the EU clarify what the impact of Trump's executive order will be.
Sophia Helena in 't Veld, a Dutch member of the European Parliament, has written to the EU's Justice Commissioner, Vĕra Jourová, seeking immediate answers in relation to "your discussion with the new U.S. administration in order to ensure that the existing exemptions to the U.S. Privacy Act, for those U.S. databases which may process personal data of EU individuals and receive personal information pursuant to the EU-U.S. Umbrella Agreement, are lifted without any delay."
If Trump's executive order does not get revised, and Europeans are henceforth exempted from the protections of the U.S. Privacy Act, "I would be interested to know the reasons whereby they are exempted and which consecutive measures the European Commission is intending to take with regard to this material breach of the agreement," she writes.
Jan Philipp Albrecht, a member of the EU Parliament, says that if Trump's executive order means that the Privacy Act will now only apply to U.S. citizens and lawful residents of the United States, then Europe should immediately "suspend Privacy Shield and sanction the U.S." for breaking its agreement.
If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement. #CPDP2017 https://t.co/0TBAnIWydq
— Jan Philipp Albrecht (@JanAlbrecht) January 26, 2017
Nuala O'Connor, president and CEO of the nonprofit Center for Democracy and Technology, previously served as the Department of Homeland Security's first chief privacy officer. While there, she implemented new rules that allowed anyone - U.S. citizen or otherwise - to see whatever information that DHS held on them.
O'Connor says the executive order overturns those efforts and may also upend the "fragile Privacy Shield" agreement and warns that the result could be "profoundly bad for American business."
O'Connor adds: "At a time when the international dialogue on privacy, data and technology expansion is fraught, this is a clear shot across the bow of our trading partners and allies, stating that the United States will not adhere to even the most moderate and conventional human rights norms in the data privacy space."
Attorney General's Move Could Exempt EU
On the other hand, section 14 of the executive order says that it will apply "to the extent consistent with applicable law." And Adam Klein, a senior fellow at the Center for a New American Security, a think tank, and Carrie Cordero, a professor of law at Georgetown University Law Center, write in a blog for Lawfare that there's an applicable law that would seem to exempt Privacy Shield from the executive order.
"Our preliminary analysis is that the order does not actually deny Privacy Act protections to Europeans," Klein and Cordero write, noting that the Judicial Redress Act of 2015 gives citizens of "covered countries' designated by the Attorney General" the right to file suit, as specified under the Privacy Act.
"On Jan. 17, 2017, in a little-noticed move, the Attorney General designated 26 countries and the European Union as a whole. That designation takes effect on Feb. 1, 2017, when the Umbrella Agreement enters into force," they write.
The Judicial Redress Act applies the Privacy Act to "covered countries."
— Adam Klein (@adam_i_klein) January 26, 2017
EU is "covered country" effective Feb 1: https://t.co/kdhkVzJdmh.
Updated Jan. 30, 2017, with analysis from Klein and Cordero.