In recent weeks there has been significant debate among commentators about whether Europeans’ privacy is becoming less protected in the US and what that may mean for the privacy protection arrangements between the EU and the US.
The debate was sparked on 25 January 2017, when US President Donald Trump signed the Executive Order “Enhancing Public Safety in the Interior of the United States”. Section 14 of the Executive Order provides that: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Despite initial concerns raised over the Executive Order’s exclusionary language, it should not have an immediate negative impact on the privacy protection arrangements between the EU and the US for two reasons:
First, the US Privacy Act protects the collection, processing and disclosure of personal data by the federal executive and federal agencies. It does not impact the transfer of data between private organisations. Data transferred from the EU to the US is instead protected under the EU-US Privacy Shield Framework (“Privacy Shield”). The Privacy Shield provides an EU-compliant mechanism for the transfer of personal data by EU-based companies to US-based companies. The mechanism works when US-based companies commit to the Privacy Shield and agree to comply with applicable EU data protection and privacy laws. That commitment is then enforceable under US law, and there is an independent recourse mechanism for breach of commitment. Section 14 of the Executive Order, which applies to federal agencies, should therefore have limited impact on personal data transferred from EU-based organisations to US-based organisations.
Second, in terms of the processing of EU citizens’ information by US agencies, the EU-US Umbrella Agreement and the US Judicial Redress Act provide EU citizens with the same benefits as US citizens under the US Privacy Act, including access to US courts to obtain US Privacy Act remedies. However, EU residents do not necessarily benefit from these same protections.
EU-based organisations transferring data to the US are facing a period of uncertainty. The intention behind Section 14 of the Executive Order suggests a preparedness on the part of the new US administration to diminish privacy rights of non-US citizens in the US. Whether or not the new US administration will take steps to reduce the rights of non-US citizens under the Privacy Shield, the US Judicial Redress Act or other important data protection laws, which regulate health care data, telecommunications data and data held by financial institutions, remains uncertain.
Privacy Shield uncertainties continue
The EU-US Privacy Shield was operating on uncertain ground even before the Executive Order.
On 12 July 2016 the European Commission (“EC”) adopted its Adequacy Decision, enabling companies to rely on the Privacy Shield. On 26 July 2016, only a few weeks after the Adequacy Decision, the EC Article 29 Working Party (“WP”) stated that it did not consider that the Privacy Shield adequately addressed EU privacy requirements. In particular, the WP expressed its regret in respect of matters including:
the lack of certainty as to how the Privacy Shield Principles apply to data processors;
the absence of ‘concrete assurances’ that bulk collection of personal data in the US will not occur again; and
no specific rules on automated decisions and a general right to object.
Added to this, in October 2016, privacy advocacy group Digital Rights Ireland filed a claim in the General Court division of the Court of Justice of the EU (“CJEU”), alleging that the Privacy Shield failed to guarantee an adequate level of data protection as required by EU law. This follows on from the October 2015 decision of the CJEU that the EU-US Safe Harbor mechanism was illegal because it was incompatible with the fundamental rights of EU citizens. It was this decision which led to the development and implementation of the EU-US Privacy Shield. The Safe Harbor case was also brought by Digital Rights Ireland.
Uncertainty persists for EU and US-based companies that currently rely on the provisions of the Privacy Shield to ensure their business operations comply with EU data protection requirements. Even though no immediate action is required, companies will need to carefully watch developments on both sides of the Atlantic.