Analysis: US President Donald Trump may have undermined a critical data sharing agreement between the United States and Europe that internet giants rely on to do business overseas.
In an executive order focused on illegal immigrants that was signed by the president this week, one section specifically noted that privacy protections would not be extended past US citizens or permanent residents in America.
Section 14 of the Enhancing Public Safety order reads:
Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
By agencies, the president means the NSA, the FBI, and so on. The order's language appears to directly contradict a critical component of the new Privacy Shield agreement between the US and Europe that provides essential legal protections for US businesses sending and receiving data across the Atlantic. In short, that agreement is supposed to ensure non-Americans are not treated as second-class citizens by US organizations, with weaker privacy safeguards than Americans are afforded.
The Privacy Shield was developed and approved in record time last year after the previous Safe Harbor arrangement was deemed illegal by Europe's top court back in October 2015. It has only been in place for six months, it is still on probation as far as Europe's data protection authorities are concerned, and it is almost certain to be challenged in the courts.
The language in the executive order led to immediate concerns in Europe, with the European Parliament's rapporteur on data protection, Jan Philipp Albrecht, tweeting: "If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement."
A few hours later, a frantic European Commission put out a statement in an effort to calm the waters. "We are aware of the executive order on public safety," noted the statement. "The US Privacy Act has never offered data protection rights to Europeans."
It then goes on to flag two pieces of new legislation that it believes made the new Privacy Shield legal under European law: "The Commission negotiated two additional instruments to ensure that EU citizens' data is duly protected when transferred to the US:
- The EU-US Privacy Shield, which does not rely on the protections under the US Privacy Act.
- The EU-US Umbrella Agreement, which enters into force on 1 February. To finalise this agreement the US Congress adopted a new law last year, the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts."
In addition to the Judicial Redress Act – which was signed into law by President Obama late last year – privacy experts have also spotted a notice that was signed by the outgoing Attorney General just three days before Donald Trump became president and only appeared in the Federal Register three days after the inauguration.
That notice lists 26 countries – in addition to the European Union as a whole – as being "covered countries" that benefit from the "extension of certain Privacy Act remedies." That decision is due to become law on February 1 – the same day as the new US-EU Data Protection and Privacy Agreement.
The combination of the EU's official statement and the discovery of the Justice Department note has led privacy experts to focus on the critical sub-clause in Trump's executive order: that "agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons..." The qualifier "to the extent consistent with applicable law" is the key phrase.
In theory, therefore – with the Judicial Redress Act law, the attorney general's designations due to become law in less than a week, and the executive order including a clear carve-out for existing law – the situation should be that the Privacy Shield agreement holds. The executive order would then only apply to countries outside the European Union – although Canada and Mexico are notably absent, which may have its own political repercussions.
But the Trump Administration has been nothing if not erratic and has repeatedly shown it is willing to tear up existing agreements and protocols. Many are wondering why Trump's team felt the need to include the section at all, especially given the fact that it serves no real purpose. As a result, the European Union's statement concludes with some significant degree of uncertainty:
"We will continue to monitor the implementation of both instruments and are following closely any changes in the US that might have an effect on Europeans' data protection rights," it ends.
It is with some degree of irony that Facebook – which was at the center of the legal case that resulted in the previous Safe Harbor agreement being found illegal – chose today to release its new "Privacy Basics" approach to data privacy, and two-factor authentication for security.
"Today we're introducing a new Privacy Basics to make it easier for people to find tools for controlling their information on Facebook," the company boasted. Facebook has long been criticized for its opaque and confusing policies over what level of control it grants users of the service.
While the company claims to have simplified things (again), it is notable that there are no fewer than 32 "interactive guides" to help Facebook users figure out how the company is trying to sell people's data as much as possible while giving them the sense that their data is not being abused.
And in a second irony, in two days – January 28 – it will be the official annual Data Protection Day in Europe. President Trump has certainly given privacy advocates, government officials, and just about every major online corporation something to discuss. ®
PS: Lawfare's Adam Klein and Carrie Cordero reckon the executive order "does not actually deny Privacy Act protections to Europeans," however "even the suggestion that the administration is cutting back privacy protections for Europeans could be damaging in the ongoing litigation over Privacy Shield’s validity."