On 1 February, US President Donald Trump signed an Executive Order on "Enhancing Public Safety in the Interior of the United States" which (amongst other things) amends Section 14 of the US Privacy Act, which now states: "Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information." At first glance, the Executive Order seems to remove EU citizens' protections under the Privacy Shield, and this has cast doubt within the privacy community on whether the rights of EU citizens under the EU-US Privacy Shield still exist. In recent years, the Privacy Act has been interpreted by federal agencies as extending to non-US citizens, an interpretation which the Executive Order now reverses.
On closer examination, however, the Executive Order does not have any direct impact on the Privacy Shield. First, the rights of EU citizens against US federal agencies, in particular the right to judicial redress, are guaranteed by the Judicial Redress Act, not the Privacy Act. Secondly, under US law, Executive Orders cannot overturn statutes enacted by Congress and, on the contrary, may only come into force "to the extent consistent with applicable law". The Judicial Redress Act would have to be amended (which would require a vote in Congress) in order to strip EU citizens of their rights under Privacy Shield. Thirdly, President Trump did not sign this Executive Order to repeal the Privacy Shield but to honor a promise made during his campaign to combat terrorism by limiting access by citizens from targeted (non-EU) countries to the United States and, as a result, limiting their rights under US law.
Reactions in Europe
At this stage, there is no indication that the EU Commission is planning to re-open negotiations on the Privacy Shield with the Trump administration following the adoption of this Executive Order. The EU Commission's immediate response to the press was merely to state 'we're looking at it at the moment' and that Privacy Shield 'does not rely on the protections under the US Privacy Act' (reported here). The EU Parliament reacted more vigorously through its MEP Jan Albrecht who tweeted: 'the Commission has to immediately suspend Privacy Shield'.
The EU Commission also added that the EU-US Umbrella Agreement (which entered into force on 1 February) would remain in place.
Privacy Shield in muddy waters
The Privacy Shield was adopted on assurances made by the Obama administration to limit US agencies' access to EU citizens' data, and so this muddying of the waters is unhelpful and will not inspire confidence in business, which may now fear that other sudden, dramatic policy shifts lurk around the corner. The future of the Privacy Shield is all the more uncertain because no one knows exactly what the Trump administration's position or plans for the Privacy Shield are, despite President Trump having given some indication of his position on cybersecurity during the presidential campaign. The EU's protection under the Judicial Redress Act is based solely on its designation as a 'covered country', a designation that can be altered by the Attorney General. EU Commissioner Jourova is due to travel to the US in the spring to discuss the new administration's commitment to Privacy Shield.
Since the Privacy Shield came into force in 2016, it has received a lukewarm endorsement from the Article 29 Working Party (found here), which in essence said that it did not comply on all points with EU data protection law, implying it may not survive the first joint annual review that is set for June 2017. The Privacy Shield is also subject to legal challenge by privacy campaigners. Digital Rights Ireland (the group that brought down the now invalidated Data Retention Directive) launched an action before the Court of Justice of the European Union to annul the Privacy Shield adequacy decision. French privacy groups have launched a similar action.
Since its entry into force, roughly 1,600 organisations have self-certified to the Privacy Shield; however, this is still far fewer than the 4,000 companies that were certified under Safe Harbor. Despite some large multinational tech companies having certified to the framework, overall the business community seems to be taking a 'wait and see' approach with a keen eye on future developments. In the meantime, many are putting in place standard contractual clauses or binding corporate rules as an alternative mechanism for transferring personal data.
Stay tuned for more as we continue to analyse the future developments of the Privacy Shield. The two of us will be speaking on this topic at Fieldfisher's Privacy Summit in our London headquarters on Tuesday 7 February – hope to see some of you there!