Trump order stripping privacy rights for non-US citizens raises concern about EU data transfers

26 January 2017. By Amy Miller and Mike Swift. 

An executive order signed by President Donald Trump Wednesday directing all federal agencies to strip the privacy rights of non-US citizens has raised concerns about the future of the EU-US Privacy Shield data-transfer agreement.

While European Commission officials have said the six-month-old Privacy Shield won't be affected by the order, it prompted a terse response on Twitter from a leading voice on privacy among European lawmakers.

The 1974 US Privacy Act establishes information practices to govern the collection, use, and dissemination of personally identifiable information about individuals maintained by federal agencies.

Section 14 of "Enhancing Public Safety in the Interior of the United States," signed by Trump and aimed at enhancing domestic enforcement of US immigration laws, provides that "agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

The EU-US Privacy Shield agreement replaces a previous mechanism struck down in 2015 by Europe's highest court because it failed to safeguard EU citizens' personal information. A new agreement was adopted in July 2016 after intense negotiations between the commission and the US government.

The latest agreement is clearer on the role and independence of a new US supervisor, who will oversee how US intelligence authorities comply with the mechanism. It's also more explicit on companies' obligation to erase personal information that no longer serves the purpose for which it was collected.

After Trump signed the order, Jan Philipp Albercht, the European Parliament's rapporteur on data protection regulations, posted on Twitter than the Privacy Shield should be "immediately" suspended and the US sanctioned for breaking the agreement.

But European Commission officials have since said the order's impact on the agreement would be minimal, pointing out that the US Privacy Act has never offered data protection rights to Europeans. Instead, as part of the EU-US agreement, US lawmakers adopted the Judicial Redress Act, which gives Europeans access to US courts, officials said.

"The specific [US government] commitments in the Privacy Shield are not linked to the Privacy Act," Bruno Gencarelli, head of the data protection unit at the European Commission, said at a conference in Brussels.*

Gencarelli added that European Commissioner Vera Jourova "will be extremely vigilant on any evolution that would impact the legal environment on which we have the Privacy Shield."

Nevertheless, Trump's executive order could cause turbulence for the fledgling data-transfer agreement, said Mauricio Paez, a lawyer whose practice centers on Privacy Shield issues.

"This step I think will raise some concerns and result in a dialogue between the US and jurisdictions" in Europe that tend to have stricter privacy restrictions, Paez told MLex Thursday.

Trump's step could strengthen the arguments of those in Europe who argue the Privacy Shield doesn't provide enough protections.

"The intent of the executive order really is to facilitate investigations by law enforcement related to public safety," Paez said. "Privacy Shield tries to strike a balance between legitimate national security concerns and individual privacy. The executive order definitely means there will be an ongoing discussion about whether that is the right balance."

* "Computers, Privacy and Data Protection 2017;" Brussels; Jan. 25-27, 2017.

—With reporting from Vesela Gladicheva in Brussels.

Receive MLex Editor's Picks in Your Inbox

Complete this form to receive emails from MLex with selected highlights from our global coverage of regulatory risk and opportunity, as well as upcoming events, special reports and exclusive interviews.