President Trump sent the global business community scrambling for clarity after he signed an Executive Order (the “Order”) concerning data privacy protections for non-United States citizens. The Order, entitled “Enhancing Public Safety in the Interior of the United States,” appears to align with Trump’s declaration that America comes first, and signals that, in some cases, information or data linked to or originating from non-United States citizens may receive limited, if any, privacy protections.
While the Order initially appeared to threaten the newly formed EU-US Privacy Shield Framework (“Privacy Shield”) and the EU-US Umbrella Agreement (“Umbrella Agreement”) – both of which focus on guaranteeing that data transferred between the United States and Europe are protected by strict levels of security – a closer look suggests that the Executive Order may not, in fact, affect the Privacy Shield or Umbrella Agreement at all.
Impact of the Executive Order
The Order, signed on January 25, 2017, essentially directs all federal organizations to limit the protections afforded under the U.S. Privacy Act of 1974 (“Privacy Act”) to citizens of the United States. While it is true that the Privacy Act, by its very terms, limits data protection to citizens and lawful permanent residents, certain federal agencies – including the Department of Homeland Security, the Department of Health and Human Services, and the Department of Justice – expanded those protections to include visitors and non-resident aliens in some situations. The Executive Order directs these federal agencies to rescind such expanded protections. The Order will therefore affect non-United States citizens who happen to have personal data stored in certain searchable records managed by governmental agencies.
What This Means for the Privacy Shield
While initial reports appeared to indicate that the Order may be on a collision course with the Privacy Shield and Umbrella Agreement, a closer look suggests that this is not necessarily the case. The nature and basis of the Privacy Shield as a separate and distinct regime from the Privacy Act, as well as the Executive Order’s express preservation of the Judicial Redress Act (see below), both suggest instead that the force of the Privacy Shield and Umbrella Agreement would remain intact.
The Privacy Shield developed from a series of negotiations and agreements independent of the Privacy Act and is applicable only to participating companies that have voluntarily committed to comply with the framework’s requirements. Despite this distinction, skeptics remain concerned about the indirect impact the Order may have on the Privacy Shield. On its face, the Executive Order appears to take a bite out of the legs of the Umbrella Agreement, which addresses data sharing between European and American law enforcement agencies. It would follow, then, that if the Umbrella Agreement were to take such a foundational blow, the Privacy Shield could also be vulnerable to such threats. There are two factors, however, indicating that the intended applications of the Umbrella Agreement and Privacy Shield are preserved rather than reduced by the Order.
The Judicial Redress Act, passed by Congress in 2015, officially extends Privacy Act protections to citizens of foreign countries designated by the Attorney General. Designations for countries in the European Union went into effect at the end of 2015. These protections cannot be revoked by Executive Order, but rather require action by the Attorney General. At this time no such actions have been taken. Rather, the Order merely directs the federal agencies listed above to rescind the expanded protections such agencies may have heretofore implemented.
President Trump’s Executive Order also contains a specific carve-out for existing legislation. Federal agencies must comply with the Order “to the extent consistent with applicable law.” While this may appear to be a throwaway clause, it has tremendous impact when considering the necessary implications of the Judicial Redress Act.
President Trump’s Executive Order thus appears to have a more limited scope than initially believed. As a result, the Privacy Shield and Umbrella Agreement, as well as the extended protections afforded by the Judicial Redress Act, seem to be safe from the waves the Order created amongst commentators.
Privacy Shield Likely Safe, Continued Monitoring Suggested
In addition to the Order’s carve-out for existing law and the fact that the Privacy Shield does not depend on the Privacy Act for protection, some have also noted that Trump, as an international businessman, would be unlikely to severely hinder existing transcontinental agreements that are meant to facilitate business between private corporations. Additionally, President Trump’s platform has consistently been touted as “pro-business,” so it would be peculiar for his administration to dismantle data transfer agreements championed by some of the most powerful companies in the world, including Apple, Google, and Microsoft.
Thus, while it appears as though the Executive Order does not derail the progress made by the Privacy Shield and Umbrella Agreement, companies conducting business with international clients should nonetheless stay abreast of the changes made to data privacy laws between the U.S. and international entities under the new administration.