An Executive Order signed by U.S. President Donald Trump in his first few days in office could jeopardize a six-month-old data transfer framework that enables EU citizens’ personal data to flow to the U.S. for processing — with the promise of ‘essentially equivalent’ privacy protection once it gets there.
Close to 1,500 companies have signed up to the framework so far, which only got up and running in August, following a multi-year negotiation process.
MEP Jan Philipp Albrecht, the European Parliament’s rapporteur on data protection regulation, tweeted earlier today suggesting that Trump’s presidential order, signed yesterday, might invalidate Privacy Shield.
Section 14 of the Executive Order signed by Trump — ostensibly aimed at enhancing domestic enforcement of U.S. immigration laws — reads:
Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
Earlier this month European Commissioner Vera Jourova said she would be traveling to the U.S. this spring to meet with the Trump administration to assess its commitment to the EU-US Privacy Shield.
The data transfer framework is also be due for its first annual review this summer.
Talks to agree the Privacy Shield stepped up urgently in October 2015 after the prior Safe Harbor arrangement was struck down by Europe’s top court, following a legal challenge related to U.S. Government mass surveillance programs. That self-certification regime had been operational for fifteen years.
The question now is whether the replacement EU-US data flow mechanism is about to come unstuck far more quickly — helped on its way by the Trump administration’s privacy-related policy choices.
According to Albrecht’s analysis, there could also be ramifications for another EU-US umbrella agreement, which covers data-sharing between law enforcement agencies in the two regions — with the MEP suggesting sanctioning the administration for making this executive order.
At the time of writing the MEP could not be reached for comment.
It’s not clear at this point exactly how damaging the policy change might be to the continued functioning of Privacy Shield — that depends on how important the extensibility of the U.S. Privacy Act to non-U.S. citizens was during the EU Privacy Shield negotiations, and whether another relevant piece of U.S. legislation (the Judicial Redress Act) is also affected by Trump’s executive order.
But the order on “Enhancing Public Safety in the Interior of the United States” certainly looks likely to deepen concerns about the legal robustness of the EU-US data transfer mechanism, given it’s explicitly seeking to strip away privacy protections from non-U.S. citizens. Aka the opposite of what the European Commission was intent on achieving during negotiations.
A spokeswoman for the Commission told TechCrunch it does not have a statement on the implications of Trump’s executive order at present — but did confirm: “We’re looking at it at the moment.” Update: The spokeswoman has now sent us a statement in which the EC asserts that Privacy Shield “does not rely on the protections under the U.S. Privacy Act”.
On the Umbrella Agreement the spokeswoman said this relies on the Judicial Redress Act which she said “extends the benefits of the U.S. Privacy Act to Europeans and gives them access to U.S. courts”.
“We will continue to monitor the implementation of both instruments and are following closely any changes in the U.S. that might have an effect on European’s data protection rights,” she added.
The Commission does look to have fired a warning shot across the U.S. administration’s bows at a privacy conference taking place in Brussels this week, by reiterating that if adequate protection for EU citizen’s personal data under U.S. law can no longer be guaranteed then the framework would indeed have to be suspended.