U.S. President Donald Trump’s executive order titled ‘Enhancing Public Safety in the Interior of the United States’ appears to threaten the future of the EU/US Privacy Shield, but that may not be the case.
Privacy Shield is the agreement that allows US organizations to store personal data of EU citizens on servers in the US. Without it, US companies trading with Europe will almost certainly and automatically be in breach of the General Data Protection Regulation (GDPR).
Section 14 of the executive order states: “Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Privacy Shield does not directly rely on the US Privacy Act, but rather on the Judicial Redress Act which extends benefits of the Privacy Act to Europeans and gives them access to US courts. The executive order phrase, ‘to the extent consistent with applicable law’, consequently provides some wiggle room but remains ambiguous. If ‘applicable law’ implies that European PII is still protected, then all might still be well.
The European Commission seems to be optimistic. In a statement, it says, “The US Privacy Act has never offered data protection rights to Europeans… [We] are following closely any changes in the U.S. that might have an effect on Europeans’ data protection rights.”
But other European politicians are more concerned. Sophie in ‘t Veld, an MEP, has written to the Commission saying, “It is therefore urgent that the Commission provides clear answers with regards to the exemptions to the US Privacy Act and their impact on the legality of transatlantic transfer of personal data.”
Jan Philipp Albrecht, the European Parliament’s rapporteur for the GDPR, is more forthright, tweeting, “If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement.”
The stakes are high. If Privacy Shield is revoked, then any US organization using it to allow the transfer of European PII to the US will immediately be contravening European law. In the most extreme interpretation, this would mean that Facebook, Google, Microsoft and a host of other commercial enterprises (around 1500 in total) would have to cease European operations or risk GDPR fines.
“The Privacy Shield agreement,” wrote the WSJ this morning, “which replaced the Safe Harbor data-sharing pact that was struck down in October 2015 by Europe’s top court, may no longer apply since the executive order was signed on Monday.”
“Moreover,” writes Michael Geist, “the order will raise major concerns in the European Union, creating the possibility of restrictions on data transfers as it seemingly kills the Privacy Shield compromise.”
It is more than possible, however, that many people are making a rapid emotional judgment on the executive order rather than a considered legal judgment.
Dr. Brian Bandey, a Doctor of Law specializing in Computer Law and the International application of Intellectual Property Law, suggests that Section 14 needs to be considered in the context of the full executive order. Executive orders are specifically designed to aid the management of existing legislation. The first paragraph of this order specifies that it is designed “to ensure that our Nation’s immigration laws are faithfully executed.”
Dr. Bandey also points out that Section 1 of the order specifies, “The purpose of this order is to direct executive departments and agencies (agencies) to employ all lawful means to enforce the immigration laws of the United States.”
He also notes that Section 18 repeats the ‘applicable law’ condition. Section 18(b) states, “This order shall be implemented consistent with applicable law and subject to the availability of appropriations.”
“I suspect strongly,” Dr. Bandey told SecurityWeek, “that it can be argued that the Executive Order is a creature of Immigration Law and is directed to illegal (and other) aliens present in the US.” If he is correct, and if it is interpreted within US law to be so, then Section 14 has nothing to do with European personal information stored within the US under Privacy Shield. But he added, “I also strongly suspect that nobody, right now, really knows one way or the other.”