For the last few weeks, the news has been full of stories about President Trump's controversial 'Travel Ban', officially known as the Executive Order on Enhancing Public Safety in the Interior of the United States (the Order).
Among the furore surrounding the ban on travel from certain countries, you would be forgiven for missing one other important provision of the Order, though that provision has potentially far-reaching consequences for the flow of data between the EU and the USA. Section 14 of the Order requires federal agencies to exclude all non-US citizens from the protections of US privacy laws ensuring the protection of personal data.
The Order comes just six months after the Privacy Shield arrangement was agreed between the EU and the USA, having been several years in the making. Its predecessor, Safe Harbor, was put in place to allow personal data to be transferred from the EU to certified organisations in the US without breaching UK data protection laws.
As a result of concerns around US government access to personal data following the Snowden revelations, Safe Harbor was declared invalid in October 2015. The replacement Privacy Shield arrangement was finally agreed in August 2016 and aimed to address some of those concerns and provide more robust protections for the personal data of EU citizens when processed in the USA.
Privacy Shield is due for its first annual review this summer and has already been challenged by Digital Rights Ireland, a privacy rights organisation. President Trump's Order means we may see Privacy Shield come unstuck earlier than expected.
The full text of Section 14 reads as follows:
Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
At first glance, the Order seems to fly in the face of the intention of Privacy Shield, which was to ensure strong privacy protections for EU citizens whose data is processed in the US. However, it is important to note that Section 14 only allows federal agencies to exclude EU citizens from their protections "to the extent consistent with applicable law".
Privacy Shield is predicated on the US Judicial Redress Act, which extends the applicability of the US Privacy Act to EU citizens. This will constitute "applicable law" for the purposes of Section 14 and as such, certainly in the short term, Privacy Shield is unlikely to be significantly impacted by the Order.
However, the Order has certainly ruffled some European feathers and the European Commission is likely to keep a close eye on future actions by President Trump which could impact the privacy of EU individuals.
The European Commission is in the process of seeking reassurances from President Trump that Privacy Shield protections will remain for EU citizens. In particular, there are concerns that the list of 'designated countries' in the Judicial Redress Act could be amended to remove some, or all, EU countries, which would almost certainly result in the suspension of Privacy Shield.
EU organisations whose businesses rely on data being able to flow freely between the EU and the US will want to monitor developments closely, as any suspension of Privacy Shield would significantly affect those organisations' ability to continue transferring data to the US. Even under Privacy Shield, there are concerns around the adequacy of US data protection laws, and the Order and the reactions to it show that those concerns are not going away any time soon.
Businesses that rely on US data transfers would be well-advised to consider whether they can rely on other mechanisms apart from Privacy Shield to legitimise US transfers, such as model contract clauses or consent. However, those mechanisms come with practical difficulties, and model contract clauses are currently undergoing legal challenge to the extent they allow transfers of data to the US. US data transfers therefore appear likely to continue to cause headaches for many EU organisations.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2017. Specific advice should be sought for specific cases.