On January 25, 2017, President Trump issued an Executive Order entitled “Enhancing Public Safety in the Interior of the United States.” While the Order is primarily focused on the enforcement of immigration laws in the U.S., Section 14 declares that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This provision has sparked a firestorm of controversy in the international privacy community, raising questions regarding the Order’s impact on the Privacy Shield framework, which facilitates lawful transfers of personal data from the EU to the U.S. While political ramifications are certainly plausible from an EU-U.S. perspective, absent further action from the Trump Administration, Section 14 of the Order should not impact the legal viability of the Privacy Shield framework.
Adoption of the Privacy Shield in July 2016
The Privacy Shield framework was formally adopted on July 12, 2016, replacing the U.S.-EU Safe Harbor framework, which had been invalidated in October 2015 by the Court of Justice of the European Union. The timing of the Privacy Shield’s adoption coincided with other related EU-U.S. diplomatic efforts that were ongoing regarding law enforcement access to personal data in the EU and U.S. In particular, prior to the Privacy Shield’s adoption in July 2016, on June 2, 2016 the EU and U.S. successfully completed a multi-year negotiation of the so-called “Umbrella Agreement” to ensure the protection of personal data transferred for law enforcement purposes between the EU and U.S. pursuant to existing international agreements involving the EU and U.S. The Umbrella Agreement’s privacy protections are intended to apply to the many existing EU-U.S. agreements that pre-date the adoption of the Umbrella Agreement and that contemplate transfers of personal data for law enforcement purposes, such as the Passenger Name Records Agreement, various Mutual Legal Assistance Treaties ("MLATs"), and the now defunct Safe Harbor framework.
The Interplay Between the Umbrella Agreement and the Judicial Redress Act
In relevant part, Article 19 of the Umbrella Agreement affords any citizen of the EU the right to seek judicial review in the event a U.S. law enforcement agency unlawfully discloses the individual’s personal data or denies the individual the right to access or amend his or her personal data in the possession of the agency. At the time of the Umbrella Agreement negotiations, existing U.S. law did not afford such rights of judicial review to non-U.S. citizens or permanent residents, although the Privacy Act of 1974 did extend these rights to citizens and permanent residents of the U.S. As a result, the EU would not agree to the Umbrella Agreement until the U.S. extended those protections under the Privacy Act to citizens of the EU so that the U.S. could comply with Article 19 of the Umbrella Agreement.
The U.S. agreed with the EU and passed the Judicial Redress Act in February 2016, which extended Privacy Act protections regarding access, amendment and disclosure to citizens of “covered countries.” This enactment of the Judicial Redress Act in February 2016 paved the way for the execution of the Umbrella Agreement, which occurred in June 2016. Subsequently, on January 17, 2017, now former U.S. Attorney General Loretta Lynch designated “covered jurisdictions” in the Judicial Redress Act to include the citizens of all EU Member States other than Denmark and the United Kingdom (which are expected to be included in the definition soon), and this designation becomes effective on February 1, 2017. Notably, in accordance with the Judicial Redress Act, this designation by the Attorney General is not subject to judicial or administrative review.
The Impact of the Executive Order
The EU’s assent to the Privacy Shield framework was influenced, at least in part, by the Umbrella Agreement which was, in turn, conditioned upon the enactment of the Judicial Redress Act. President Trump’s Executive Order calls for federal agencies in the U.S. to ensure that their privacy notices make clear that Privacy Act protections extend only to citizens and permanent residents of the U.S. Importantly, Article 14 of the Order explicitly states that the federal agencies must do so in a manner that is “consistent with applicable law.” In the context of EU-U.S. data transfers for law enforcement purposes, the Judicial Redress Act constitutes applicable law, and thus President Trump’s Executive Order, as written, should not impact the Judicial Redress Act’s extension of the Privacy Act’s protections to citizens of the EU. As a result, absent further action from the U.S. government, we do not expect this Executive Order to impact the legal viability of the Privacy Shield Framework. That said, tempers are running high and the negative perception created by Trump’s actions could have an adverse effect on the Privacy Shield’s annual review in 2017.
One issue to monitor is the process of designating “covered countries” under the Judicial Redress Act. While former Attorney General Lynch’s designation is not subject to judicial or administrative review, the Judicial Redress Act does include a process by which “covered country” designations can be removed. There are specifically enumerated criteria for such removal and if the pending designation of EU countries as “covered countries” were to be removed by the Trump Administration, that removal could negatively impact the Privacy Shield framework. If such removal occurred, it certainly would undermine the viability of the Umbrella Agreement between the EU and U.S. Although the Privacy Shield is not explicitly dependent on the Umbrella Agreement or the Judicial Redress Act, their unraveling could have far-reaching political consequences regarding U.S.-EU law enforcement data sharing efforts, including with respect to the Privacy Shield.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code