On January 25, 2017, President Trump issued an Executive Order titled “Enhancing Public Safety in the Interior of the United States.” Although, and somewhat ironically, the Order is primarily focused on the enforcement of immigration laws in the U.S., it could potentially expose Privacy Rights of EU citizens.
Section 14 declares that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
In short, No Privacy for Non Americans. The Order is explicitly seeking to strip non Americans of their Privacy Rights.
The Privacy Rights for US citizens and permanent US residents are unchanged. However, some have described this Order as allowing US officials access to whatever non-US data they can lay their hands on. This has called into question the robustness and legal viability of the newly adopted Privacy Shield Framework that became effective in July of last year. Edward Snowden tweeted this Order ‘could end Privacy Shield’ .
Based on our research, and amid much speculation on both sides of the Atlantic, it would appear that nobody can really say for certain at this point what the full impact will be on Privacy Shield Framework or on the data rights of European citizens.
Among the confusion and panic, the European Commission stated rather vaguely and not committing to any timeline, that ‘if adequate protection for EU citizens cannot be guaranteed, we will suspend the Framework`.
EU Parliament rapporteur on Data Protection, Albreacht tweeted calling on the Commission to suspend the Privacy Shield Framework and sanction the EU-US for breaching the Umbrella Agreement.
Privacy Shield allows EU citizens data to be transmitted to the US for processing with the promise of ‘essentially equivalent’ privacy to that enjoyed in Europe. Over 1500 companies have signed up to the framework to do business with Europe. Now, if the legal viability of this framework is challenged, this will have immediate and urgent consequences for these 1500 companies.
Privacy Shield Framework is not explicitly dependent on the Umbrella Agreement or the Judicial Redress Act. Nor does the Framework rely on the protections provided by the US Privacy Act of 1974. It follows that, the Executive Order should not impact these Acts or Agreements either. We are certain that EU nationals still have access to US courts by the Judicial Redress Act.
One worrying outcome to watch out for is that this Order has made it too easy for Non US individuals to be identified as ‘potentially removable alien’ . We are watching with caution this low threshold and the Privacy implication for individuals listed on it.
The Privacy Shield Framework is due for its Annual Review in July, but indications show that it may be suspended by then. We will update you as soon as we hear more. If you are one of the 1500+ companies impacted by this Order, we would like to hear from you to discuss your concerns.