Does Trump's Executive Order Threaten the EU-U.S. Privacy Shield?

On January 25, 2017, President Donald Trump signed an executive order entitled “Enhancing Public Safety in the Interior of the United States” that focuses on combating illegal immigration. This order includes a provision limiting the privacy protections the U.S. government affords to individuals who are not U.S. citizens or lawful permanent residents. Many are concerned about the impact the provision may have on global business transactions that depend on cross-Atlantic data transfers under the EU-U.S. Privacy Shield framework.

Specifically, Section 14 of the Executive Order states that federal government agencies “shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” The Privacy Act of 1974, in relevant part, requires federal agencies to abide by “fair information practices” with respect to the collection, use, and disclosure of personally identifiable information that they maintain in federal records systems. Although the Privacy Act provides statutory rights only to U.S. citizens and lawful permanent residents, several federal agencies, such as the Department of Homeland Security, the Department of Justice, and the Department of State have voluntarily issued policies extending most of the Privacy Act’s protections to “mixed” federal systems that also maintain information about visitors and aliens. President Trump’s Executive Order essentially rescinds the Privacy Act protections applied by these policies to visitors and aliens, enabling federal agencies to use and disclose information about such individuals—including visitors from the EU—largely without constraint.

The Executive Order triggered a growing apprehension that the Trump administration has undermined the foundation of the EU-U.S. Privacy Shield framework, which is premised on the U.S.’s agreement to more vigorously protect the personal information it receives about EU individuals than was possible under its predecessor, the EU-U.S. Safe Harbor program. But a close analysis of the Executive Order suggests that from a legal standpoint, Section 14 is not inconsistent with the ability of U.S. companies and organizations to adhere to the Privacy Shield principles. Significantly, the Privacy Act applies solely to federal government agencies and their information systems. Any potential limitation on the applicability of the Privacy Act to certain categories of individuals, such as EU citizens, would not prevent non-governmental U.S. entities from protecting information about those individuals in compliance with the Privacy Shield or other mechanisms. Indeed, the U.S. Mission to the EU gave assurance that the Executive Order “does not affect Privacy Shield because Privacy Shield protections are not dependent on the Privacy Act.” Even if the Executive Order affects the degree to which federal agencies will protect the information they maintain about EU citizens, the order will not have any bearing on the private sector’s ability to comply with the Privacy Shield.

Notwithstanding the Privacy Shield concerns, Section 14 of the Executive Order may not even apply to the majority of EU citizens. The order permits federal agencies to exclude information about visitors and aliens from the Privacy Act’s protections only “to the extent consistent with applicable law.” Notably, the Judicial Redress Act of 2015 permits the extension of Privacy Act protections to citizens of other countries designated by the U.S. Attorney General. And on January 17, 2017, Attorney General Loretta Lynch deemed EU member countries (other than Denmark and the United Kingdom) as “covered countries” under the Judicial Redress Act. As long as the Judicial Redress Act covers EU citizens, the Executive Order arguably cannot be invoked to weaken Privacy Act protections for EU citizens without being contrary to the “applicable law.”

Still, there remains a broader question as to the effect the Executive Order will have on the European Commission’s overall confidence in the U.S. government’s commitment to protecting the information of EU data subjects. If the order causes the European Commission to question whether the U.S. will continue to guarantee an adequate level of protection for EU data, then the Privacy Shield program’s future may be in jeopardy.

For more information on the implications of this order, contact Nick Merker, Deepali Doddi or another member of Ice Miller's Data Security and Privacy practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
