Trump's recent Executive Order, which brought in the 'Muslim Ban', has garnered a significant amount of coverage over the last number of weeks - for obvious reasons. However, what has somewhat slipped through the media net is the potential impact that Section 14 of that Executive Order could have on Privacy Shield.
Section 14 declares that:
“Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
This raises the question - how does this impact the application of Privacy Shield? The recently established Privacy Shield allows for the lawful transfer of personal data from the EU to the US. It was formally adopted in July 2016. One of the cornerstones of Privacy Shield is that the US is required to guarantee the data protection and privacy rights for EU personal data which is transferred to the US. In general, transfers of personal data to a third country outside the EU are prohibited, unless the country to which the data is being transferred provides adequate protection for that personal data. This protection should be to the level provided for under EU data protection laws.
When the Executive Order was first issued, it was unclear what impact it would have on Privacy Shield. The Executive Order removed the ability of federal agencies to extend protections under the US Privacy Act to anyone other than U.S. citizens or legal permanent residents. This is entirely inconsistent with Privacy Shield, which specifically provides protections for EU citizens.
The inclusion of the words 'consistent with applicable law' is crucial in assessing the impact of the Executive Order.
So what are the laws that might apply? The Judicial Redress Act in the US is certainly an applicable law in this context. Under this Act, the US Attorney General also has to designate specific countries to be covered by the Judicial Redress Act. The Act and the country list were signed into law in the US on 1 February 2017.
This means Privacy Shield is go. Phew! However, we still need to monitor the impact the Executive Order could have on the country list as designated under the Judicial Redress Act. This is what the EU will also be monitoring. If the status of some countries, or of the EU, were to be revoked under the Act by the new US Attorney General, this would be very serious indeed for Privacy Shield.
The Executive Order also refers to the US Privacy Act, which is an old piece of legislation, and the exceptions under it could be very widely interpreted by the Trump administration. However, the Privacy Act only relates to US government databases and not corporate databases, which is specifically what Privacy Shield deals with.
EU data protection authorities are entitled to carry out the first audit of Privacy Shield in June. This will be a very important audit. If the EU reviewers are of the view that Trump has eroded protection under Privacy Shield, then there is every possibility it could be suspended.
With the large number of US multinationals operating out of the EU, this will just be a business nightmare. This is not the only problem Privacy Shield faces. A case brought by Digital Rights Ireland is pending. This case will deal with the concern that Privacy Shield does not contain adequate privacy safeguards for EU citizens. The current case before the Irish Commercial Court on the adequacy of model clauses is also a serious one to watch if your business transfers data to the US.
Disclaimer: This article is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Leman Solicitors for any action taken or not taken in reliance on the information set out in this publication. Professional or legal advice should be obtained before taking or refraining from any action as a result of the contents of this publication. Any and all information is subject to change.
A provision in the executive order also removed privacy protections for non-US citizens, explicitly instructing immigration officials to “exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” The removal of privacy protections will make non-Americans transiting through Customs entry points, at airports and elsewhere, liable to be searched more intrusively, according to a former senior Homeland Security official who requested anonymity.