The Federal Trade Commission's enforcement of the Privacy Shield should not be impeded by an executive order signed by Donald Trump in January, shortly after he took office, according to Acting FTC Chairwoman Maureen Ohlhausen.
“We will continue to enforce the Privacy Shield protections, and we hope we will move ahead as planned,” Ohlhausen said to a group of reporters attending a US Chamber of Commerce event, Morning Consult reported. “In my opinion, nothing has changed.”
The Enhancing Public Safety in the Interior of the United States executive order signed by Donald Trump in January left privacy advocates closely scrutinising a provision to see what, if any, impact the action could have on the Privacy Shield and the EU-US Umbrella Agreement that was hammered out in 2015 and which took effect 1 February.
"Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information," according to the order.
Nuala O'Connor, who helped implement policy around the Privacy Act while serving as the first chief privacy officer at the Department of Homeland Security, said at the time, “With the stroke of a pen, the new Administration has erased an important principle” that extended “Privacy Act coverage to non-US persons for data about them held by the federal government.”
The Privacy Act affords only “US persons” full coverage, including access to their records as well as redress if those records are found to be incorrect. “However, in practical reality, it is operationally inefficient to bifurcate these databases into two separate systems [for US and non-US persons], or to create policies and procedures for the relatively minimal percentage of record requests (compared to the vast number of records held) to deprive non-US persons of their information,” O'Connor said. “Further, it is often the non-US person – the applicant for asylum or legal permanent residence or citizenship – who most needs to see their records, to correct them, or to access relevant information in a legal procedure because documents may be lost, and sometimes in harrowing circumstances.”
She said at the time that not only does the EO fail “the fundamental standards of fairness, openness, decency, and respect for human dignity” valued in America, but it “is also profoundly bad” from a business perspective. “At a time when the international dialogue on privacy, data, and technology expansion is fraught, this is a clear shot across the bow of our trading partners and allies, stating that the United States will not adhere to even the most moderate and conventional human rights norms in the data privacy space,” said O'Connor. “This puts at risk the fragile Privacy Shield agreement on cross-border data flows that is essential to American businesses large and small.”
In the wake of the EO, the EU Article 29 Working Party is reportedly preparing a letter for the Trump administration, requesting clarification of the US's stance on privacy protection, according to a Bloomberg BNA report.
Aaron Tantleff, an information security and privacy lawyer at Foley & Lardner LLP, told SC Media when the order was signed that it is “narrowly devised,” with its tone and purpose indicating it was “trying to target certain populations.”
But the EO raises other privacy concerns. “Another interesting twist, if protection is not offered under the Privacy Act, the next question comes: what can be done with your information and what will be done with that information,” Tantleff said.