Does Trump Executive Order Threaten EU/US Business? Probably Not.

U.S. President Donald Trump’s executive order titled ‘Enhancing Public Safety in the Interior of the United States’ appears to threaten the future of the EU/US Privacy Shield, but that may not be the case.

Privacy Shield is the agreement that allows US organizations to store personal data of EU citizens on servers in the US. Without it, US companies trading with Europe will almost certainly and automatically be in breach of the General Data Protection Regulation (GDPR).

Sec 14 of the executive order states “Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

Privacy Shield does not directly rely on the US Privacy Act, but rather on the Judicial Redress Act which extends benefits of the Privacy Act to Europeans and gives them access to US courts. The executive order phrase, ‘to the extent consistent with applicable law’, consequently provides some wiggle room but remains ambiguous. If ‘applicable law’ implies that European PII is still protected, then all might still be well.

The European Commission seems to be optimistic. In a statement, it says, “The US Privacy Act has never offered data protection rights to Europeans… [We] are following closely any changes in the U.S. that might have an effect on European’s data protection rights.”

But other European politicians are more concerned. Sophie in ‘t Veld, an MEP, has written to the Commission saying, “It is therefore urgent that the Commission provides clear answers with regards to the exemptions to the US Privacy Act and their impact on the legality of transatlantic transfer of personal data.”

Jan Philipp Albrecht, the European Parliament’s rapporteur for the GDPR, is more forthright, tweeting, “If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement.”

The stakes are high. If Privacy Shield is revoked, then any US organization using it to allow the removal of European PII to the US will immediately be contravening European law. In the most extreme interpretation, this would mean that Facebook, Google, Microsoft and a host of commercial enterprises, around 1500, would have to cease European operations or risk GDPR fines.

“The Privacy Shield agreement,” wrote the WSJ this morning, “which replaced the Safe Harbor data-sharing pact that was struck down in October 2015 by Europe’s top court, may no longer apply since the executive order was signed on Monday.”

“Moreover,” writes Michael Geist, “the order will raise major concerns in the European Union, creating the possibility of restrictions on data transfers as it seemingly kills the Privacy Shield compromise.”

It is more than possible, however, that many people are making a rapid emotional judgment on the executive order rather than a considered legal judgment.

Dr. Brian Bandey, a Doctor of Law specializing in Computer Law and the International application of Intellectual Property Law, suggests that Section 14 needs to be considered in the context of the full executive order. Executive orders are specifically designed to aid the management of existing legislation. The first paragraph of this order specifies that it is designed “to ensure that our Nation’s immigration laws are faithfully executed.”

Dr. Bandey also points out that Section 1 of the order specifies, “The purpose of this order is to direct executive departments and agencies (agencies) to employ all lawful means to enforce the immigration laws of the United States.” 

He also notes that Section 18 repeats the ‘applicable law’ condition. Sec. 18 (b) states, “This order shall be implemented consistent with applicable law and subject to the availability of appropriations.”

“I suspect strongly,” Dr. Bandey told SecurityWeek, “that it can be argued that the Executive Order is a creature of Immigration Law and is directed to illegal (and other) aliens present in the US.” If he is correct, and if it is interpreted within US law to be so, then Section 14 has nothing to do with European personal information stored within the US under Privacy Shield. But he added, “I also strongly suspect that nobody, right now, really knows one way or the other.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
