On January 25, 2017, President Trump issued an Executive Order entitled “Enhancing Public Safety in the Interior of the United States.” While the Order is primarily focused on the enforcement of immigration laws in the U.S., Section 14 declares that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This provision has sparked a firestorm of controversy in the international privacy community, raising questions regarding the Order’s impact on the Privacy Shield framework, which facilitates lawful transfers of personal data from the EU to the U.S. While political ramifications are certainly plausible from an EU-U.S. perspective, absent further action from the Trump Administration, Section 14 of the Order should not impact the legal viability of the Privacy Shield framework.
Adoption of the Privacy Shield in July 2016
The Privacy Shield framework was formally adopted on July 12, 2016, replacing the U.S.-EU Safe Harbor framework, which had been invalidated in October 2015 by the Court of Justice of the European Union. The timing of the Privacy Shield’s adoption coincided with other related EU-U.S. diplomatic efforts that were ongoing regarding law enforcement access to personal data in the EU and U.S. In particular, prior to the Privacy Shield’s adoption in July 2016, on June 2, 2016 the EU and U.S. successfully completed a multi-year negotiation of the so-called “Umbrella Agreement” to ensure the protection of personal data transferred for law enforcement purposes between the EU and U.S. pursuant to existing international agreements involving the EU and U.S. The Umbrella Agreement’s privacy protections are intended to apply to the many existing EU-U.S. agreements that pre-date the adoption of the Umbrella Agreement and that contemplate transfers of personal data for law enforcement purposes, such as the Passenger Name Records Agreement, various Mutual Legal Assistance Treaties (“MLATs”), and the now defunct Safe Harbor framework.
The Interplay Between the Umbrella Agreement and the Judicial Redress Act
In relevant part, Article 19 of the Umbrella Agreement affords any citizen of the EU the right to seek judicial review in the event a U.S. law enforcement agency unlawfully discloses the individual’s personal data or denies the individual the right to access or amend his or her personal data in the possession of the agency. At the time of the Umbrella Agreement negotiations, existing U.S. law did not afford such rights of judicial review to non-U.S. citizens or permanent residents, although the Privacy Act of 1974 did extend these rights to citizens and permanent residents of the U.S. As a result, the EU would not agree to the Umbrella Agreement until the U.S. extended those protections under the Privacy Act to citizens of the EU so that the U.S. could comply with Article 19 of the Umbrella Agreement.
The U.S. agreed with the EU and passed the Judicial Redress Act in February 2016, which extended Privacy Act protections regarding access, amendment and disclosure to citizens of “covered countries.” This enactment of the Judicial Redress Act in February 2016 paved the way for the execution of the Umbrella Agreement, which occurred in June 2016. Subsequently, on January 17, 2017, now former U.S. Attorney General Loretta Lynch designated “covered jurisdictions” in the Judicial Redress Act to include the citizens of all EU Member States other than Denmark and the United Kingdom (which are expected to be included in the definition soon), and this designation becomes effective on February 1, 2017. Notably, in accordance with the Judicial Redress Act, this designation by the Attorney General is not subject to judicial or administrative review.
The Impact of the Executive Order
The EU’s assent to the Privacy Shield framework was influenced, at least in part, by the Umbrella Agreement which was, in turn, conditioned upon the enactment of the Judicial Redress Act. President Trump’s Executive Order calls for federal agencies in the U.S. to ensure that their privacy notices make clear that Privacy Act protections extend only to citizens and permanent residents of the U.S. Importantly, Article 14 of the Order explicitly states that the federal agencies must do so in a manner that is “consistent with applicable law.” In the context of EU-U.S. data transfers for law enforcement purposes, the Judicial Redress Act constitutes applicable law, and thus President Trump’s Executive Order, as written, should not impact the Judicial Redress Act’s extension of the Privacy Act’s protections to citizens of the EU. As a result, absent further action from the U.S. government, we do not expect this Executive Order to impact the legal viability of the Privacy Shield Framework. That said, tempers are running high and the negative perception created by Trump’s actions could have an adverse effect on the Privacy Shield’s annual review in 2017.
One issue to monitor is the process of designating “covered countries” under the Judicial Redress Act. While former Attorney General Lynch’s designation is not subject to judicial or administrative review, the Judicial Redress Act does include a process by which “covered country” designations can be removed. There are specifically enumerated criteria for such removal and if the pending designation of EU countries as “covered countries” were to be removed by the Trump Administration, that removal could negatively impact the Privacy Shield framework. If such removal occurred, it certainly would undermine the viability of the Umbrella Agreement between the EU and U.S. Although the Privacy Shield is not explicitly dependent on the Umbrella Agreement or the Judicial Redress Act, their unraveling could have far-reaching political consequences regarding U.S.-EU law enforcement data sharing efforts, including with respect to the Privacy Shield.