Data protection and privacy professionals today voiced concerns about an executive order issued by US President Donald Trump which, they say, violates the Privacy Shield agreement.
Privacy Shield is the voluntary self-certification data protection framework agreed between the US and the EU. EU data protection law requires that when EU personal data is transferred outside EU borders, the destination must offer protection deemed adequate to, and essentially equivalent with, EU data protection standards; an adequacy framework such as Privacy Shield is what provides that legal basis.
In other words, a US company doing business with European customers must adhere to EU data protection standards. Likewise, Europeans who are customers of US companies – even if that's just through using an app – have a right to assume their data is being protected in the US to EU standards.
In the executive order titled “Enhancing Public Safety in the Interior of the United States”, section 14 states:
“Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Digital law specialist Heather Burns spoke with SC Media UK and said: “This implies that a Federal agency which wants to access the data of non-US citizens held by a company which had signed up to the Privacy Shield framework can do just that. The non-US citizen no longer has privacy rights or a right of redress.”
Burns added: “The worst case scenario is that if the Department for Ethnic Cleansing wants to order a social media site to hand over all data on European Muslims who have visited the US in the past year under the rationale of ‘public safety', they can, and the social media site has no legal recourse save for resistance.”
Speaking of the implications of this problem, Burns said: “First, it's Trump. All matters are now escalated to issues of law enforcement and national security. All foreigners are a threat. Second, it likely rolls back the Judicial Redress Act; at the very least it sets up a major conflict with it. Third, it likely means that US federal agencies which have used the Privacy Act to safeguard non-US citizens' data are no longer required to do so.”
Section 14 applies only “to the extent consistent with applicable law”, but Privacy Shield is not a law; it is an agreement and a framework, so that proviso does not shield it.
The EU, and possibly the ECJ, now has to act to request clarification from the new administration on what exactly this means. If it concludes that Section 14 undermines the adequacy decision, that kills Privacy Shield, and with it the legal basis for most transatlantic data transfers.
Privacy Shield went into effect last summer to replace the previous adequacy framework, Safe Harbor, which was struck down by the European Court of Justice in light of the Snowden revelations.
Some sort of adequacy framework was needed: without one, there is no safe legal basis for transferring and storing European data in the US outside complex intra-corporate agreements such as binding corporate rules, which are realistically an option only for the biggest companies. Privacy Shield made it possible for data to continue to flow transatlantically.
In February 2016 President Obama signed the Judicial Redress Act of 2015, which extends the relatively limited Privacy Act of 1974. It extends what little data protection safeguards there are for US citizens to citizens of designated countries, and gives them the right to seek redress in the US courts in the event of the misuse of their data.
The need for that right of redress was one of the main obstacles to getting a replacement for Safe Harbor up and running. With that in place, Privacy Shield could go forward.
Interestingly enough, the Judicial Redress Act's designation of the EU and its member states doesn't even take effect until 1 February.