An Executive Order from President Trump’s first days in office raised questions about its impact on the hard-won Privacy Shield, which allows about 1,700 companies to legally transfer data between the EEA and Switzerland and the US. The Order adds a new layer of complexity to the agreements and regulations already at play through the Privacy Act, Judicial Redress Act, Umbrella Agreement, and Privacy Shield.
What Do You Need to Know?
The section in question of the Executive Order, which was generally aimed at “public safety” and US domestic immigration, reads: “Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
This Order represents a significant policy change in how the US federal government promises to treat the personal information collected on noncitizens. It has already raised concerns from European politicians and data protection authorities and made headlines for potentially putting the Privacy Shield in jeopardy.
We’ve reviewed the Order’s language alongside what we know about the Privacy Shield and note as follows:
- The Order directly affects the US Privacy Act, which applies to US federal agencies.
- The framework of the Privacy Shield does not rely on the Privacy Act.
- The Privacy Shield governs businesses subject to FTC and DOT jurisdiction, and their transfer of data from the EEA or Switzerland to the US.
- The Order must align itself “to the extent consistent with applicable law,” which in this case is the Judicial Redress Act.
- The Judicial Redress Act ensures that all EU citizens have the right to enforce data protection rights in US courts.
The separation of the Privacy Shield from the Privacy Act, and the supporting mechanisms of the Umbrella Agreement and Judicial Redress Act, supports the conclusion that the Order has not affected the legal viability of the Privacy Shield at present. This does not mean that foreign regulators, particularly the EU Commission and the EU data protection authorities, will not raise the issue of the Order during their meeting with the US Department of Commerce for the first Privacy Shield annual review, particularly considering that government handling of data was an important consideration in the invalidation of the US-EU Safe Harbor and the drafting of the new Privacy Shield. However, at this time, the Privacy Shield remains in effect and legally unaffected by the Order.
The Privacy Shield, which navigated international court cases, European and Swiss data protection authorities, the Federal Trade Commission, the European Commission, and the US Department of Commerce (not to mention the general aftermath of Schrems and Snowden), must now weather the new US administration.
The EC is particularly concerned with “essentially equivalent” European citizen data protection at home and abroad. If European and Swiss regulators believe that their citizens do not have adequate data protections under the recently negotiated Privacy Shield, a response is highly likely, if not inevitable, as we’ve seen with the invalidated Safe Harbor. While it remains to be seen if the new administration will directly affect the Privacy Shield, privacy representatives in the EEA, Switzerland, the US, and the companies transferring data under the Privacy Shield will and should remain on high alert.
Arent Fox’s Cybersecurity & Data Protection group monitors developments in data transfer relating to the Privacy Shield and other agreements. For more information, please do not hesitate to contact Sarah L. Bruno, Eva J. Pulliam, and Lourdes M. Turrecha.