The transatlantic Privacy Shield data transfer agreement is not at risk from Trump's executive actions, former FTC Commissioner Julie Brill has promised.
In an article on her law firm's blog, Brill notes that the recent executive order (EO) from the Oval Office, which expressly limited privacy rights to US citizens only, does not impact the critical agreement between the European Union and the United States.
How come? Three reasons:
- The Privacy Act applies only to government databases, whereas the Privacy Shield covers corporate databases.
- No presidential Executive Order can override existing laws written by Congress – and Congress has already approved the Judicial Redress Act that grants EU citizens the right to use the US courts in the case of misuse of data.
- The other mechanism set up to make the Privacy Shield work legally – an Ombudsman that will look into any requests from Europe about access to data by the US government – remains in place.
Brill played an active role in developing the Privacy Shield with other US government agencies and their counterparts in the European Union, and so has as good an understanding of the law as anyone. The FTC is expected to act as a key enforcer of the agreement.
In arguing why the agreement still holds, despite's Trump's actions, Brill and her coauthor Bret Cohen also give mention to another key component – the Attorney General's designation of specific countries that are covered by the Judicial Redress Act.
That Act and the accompanying Attorney General list officially become law today, Wednesday February 1, 2017 – and the Trump Administration has done nothing to prevent or stymie what is now a legal reality.
And so the Privacy Shield is up and running, despite President Trump's isolationist approach. And a good job it is too, since every large internet company, including Facebook and Google, are heavily reliant on it to provide them with a legal foundation on which to offer their services outside the United States.
Not so fast
All that said, Brill and Cohen feel obliged to include some caveats – just as European Union officials did last week when they saw the text included in Trump's Enhancing Public Safety in the Interior of the United States order.
"Going forward, it will be important to pay attention to European officials' reaction to the EO," they wrote. "It will also be important to watch how the EO may impact the Attorney General's designations of countries covered under the Judicial Redress Act or countries that could receive such designation in the future."
The EU made a similar statement: "We will continue to monitor the implementation of both instruments and are following closely any changes in the US that might have an effect on Europeans' data protection rights."
In other words, it is possible that President Trump's pick for Attorney General, Jeff Sessions, could decide at a later date to revoke some countries' – or the EU's – designations under the Judicial Redress Act: a decision that would wreak immediate havoc to Privacy Shield.
While Sessions appears to be more of a racist than a xenophobe, he has also proven to be fiercely loyal to Trump. The president has already made it plain that he is prepared to fire any Attorney General who does not agree to his executive orders, even if they doubt those orders' legality.
To that end, government officials in both the US and Europe – as well as the management teams at every major online corporation – will be hoping that Donald Trump never hears about the Privacy Shield.
Not so fast a second time
That may still only be half the problem, however, as Lawfare's Adam Klein and Carrie Cordero point out on another post here on The Register.
The combination of the very old Privacy Act (written in 1974, since which time Europe has rewritten its privacy rules three times) and Trump's wide executive order could see government agencies insist on access to European citizens' personal data, having met a very low threshold of proof – a mere "risk to public safety" would be enough, and some agencies are likely to view that very broadly.
Trump's order actively exhorts government agencies to share such information between themselves – and that could mean an individual's personal details made available to huge numbers of government officials without any concern given to privacy laws.
One of the key aspects of the Privacy Act is that an individual's consent has to be sought before personally identifiable material can be shared (subject to a few important exceptions). But if someone is deemed to be outside of that Act, their personal information can not only be readily shared, but the individual in question would not know about it.
In that sense, the value of an Ombudsman is questionable: if someone doesn't know their personal data is being shared, how are they supposed to question it?
It is possible that the data protection authorities in Europe will take issue with this catch-22 situation when they carry out an annual audit of the new system in just under six months' time.
Hopefully by then the Trump Administration will have been sufficiently persuaded not to write and sign executive orders without first running them through the machinery of government. ®