Trump’s immigration move sparks fears for Privacy Shield protections

How much privacy does the US government promise to outsiders? Less today than before Donald Trump took power. Section 14 of Trump’s new Executive Order: Enhancing Public Safety in the Interior of the United States requires federal agencies, “to the extent consistent with applicable law,” to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information”.

Trump’s Executive Order aims to strengthen enforcement of immigration laws, but nothing in Section 14 appears to limit its use to individuals attempting to enter the US: it could easily refer to all personally identifiable data the US government can lay hands on, excluding data about US citizens and lawful permanent residents.

So, when the order was first publicized, Edward Snowden’s first reaction was that Trump was “suspend[ing the] legal framework enabling the US-EU data-sharing pact (#PrivacyShield)”.

German Green MEP Jan Philipp Albrecht quickly responded: “If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement.” Uproars quickly ensued among both privacy and international business communities.

Four days later, however, the story seems a bit more nuanced… maybe.

Remember what Privacy Shield is: a recently negotiated agreement between the US and EU (and separately, Switzerland) to “provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data… to the US in support of transatlantic commerce”. As TechCrunch writes, Privacy Shield promised to give Europeans “essentially equivalent” privacy protection whether their data was stored in the EU or the US.

Privacy Shield became necessary after the EU’s Court of Justice ruled that older “Safe Harbour” rules didn’t adequately protect EU residents’ privacy. The court stated, among other things, that:

… national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.

Given the court’s language, it’s no surprise privacy advocates instantly feared Trump’s new executive order would override Privacy Shield. But a closer look suggests that this might not be the case – at least not yet. As reported by PC World, a European Commission spokeswoman pointed out that as part of the deal, the US Congress adopted “the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts”. That law, says the EC, is still at work protecting Europeans’ data as it sojourns in the States.

Just before the Obama administration left office, its Justice Department gave notice of new regulations that will implement the Judicial Redress Act by extending Privacy Act protections to 26 European countries. These rules are set to go into effect February 1. Nobody’s said otherwise. (Yet!)

Want to get even further down into the weeds on this? Check out Lawfare’s ongoing discussion/debate on the meaning of Trump’s ambiguous executive order.

Ready to climb out of the weeds? Here are a few bigger-picture thoughts:

  • Privacy Shield is focused on data transfers between EU and US, and doesn’t protect any of the rest of the world’s juicy, surveillable data.
  • As Snowden tweeted in response to a question from Forbes, “EU-US [Data Protection] is more than [Privacy Shield]… The problem is bulk collection combined with lack of enforceable regs.”
  • Privacy Shield faces its own privacy-related legal challenges inside the UK. Until recently, says TechCrunch, the EC has “professed itself satisfied with ‘assurances’ secured from the Obama administration”. If “Obamassurances” become inoperable, Privacy Shield may become tough for EU authorities to defend.
  • Besides the US Privacy Act, other US regulations relate to foreigners’ data privacy (for example, Obama’s PPD-28 establishing principles for balancing intelligence data collection with non-citizen privacy). Will Trump’s new order impact these? Nobody knows for sure.