By Amanda J. Katzenstein and Daniel L. Farris
President Trump signed an Executive Order last week that potentially puts the six-month old Privacy Shield in jeopardy. While mostly aimed at immigration and border patrol, the Executive Order entitled “Enhancing Public Safety in the Interior of the United States,” also includes a provision aimed at eliminating privacy protection for foreigners. Section 14 of the Executive Order reads:
"Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."
By specifically excluding non-U.S. citizens or residents from the protections of the Privacy Act, the U.S. safeguards provided by the Privacy Shield regarding the adequacy of protection of the personally identifiable information of EU citizens could be destroyed, leading to the invalidation of the Privacy Shield Agreement outright.
In response to the Executive Order, the European Commission (EC) issued a statement expressing support for Privacy Shield and downplaying the impact of Trump’s Executive Order. "The U.S. Privacy Act has never offered data protection rights to Europeans," an EC spokeswoman said. In other words, the EC’s current position is that Privacy Shield does not rely on the Privacy Act, which covers data held by U.S. agencies, not by private companies.
Others in Europe have not been as accepting of the Executive Order. European Parliament Member Jan Philipp Albrech expressed fear that the Executive Order would undermine the EU-U.S. Privacy Shield Agreement, tweeting: “If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-U.S. umbrella agreement.”
While the EC statement may be technically accurate, Albrecht’s views may more realistically reflect the view of European regulators. A comparison of the Executive Order against the Judicial Redress Act, for example, demonstrates that the Privacy Shield and the Umbrella Agreement between the U.S. and EU (which governs information sharing by law enforcement across the Atlantic) both remain intact.
On the other hand, it is hard to imagine that the Executive Order and the apparent protectionist policies announced by the Trump Administration will not impact the viability of Privacy Shield. Enforcement of the Privacy Shield, for example, is the responsibility of the Department of State and the FTC. Those are executive agencies under President Trump’s direction. If Trump directs them not to prosecute privacy violations, or if enforcement is reduced, it is hard to imagine Privacy Shield surviving in the long-term. After all, a key component of the Privacy Shield framework, in light of Safe Harbor's invalidation, was increased U.S. enforcement of EU privacy rights. That agreement includes US recognition of the right of Europeans to bring enforcement actions in the U.S. against companies that might not otherwise be reachable in the EU.
It is also worth remembering that the Privacy Shield Agreement must be renewed annually by the U.S. Department of Commerce and the European Commission. It is difficult to imagine the European Commission agreeing to renew a deal that is founded upon U.S. enforcement where the President has directed the executive branch not to enforce non-citizen privacy rights. Ultimately, the question may come down to how the FTC enforces both privacy violations generally, and the Privacy Shield specifically, during the first half of 2017. U.S.-EU diplomacy in other areas may also bleed over into the Privacy Shield debate.
To date, more than 1,500 companies have self-certified under the Privacy Shield, which was approved in July 2016 and began accepting self-certifications in August 2016 after the predecessor Safe Harbor agreement was invalidated in October 2015. US companies certified under the Privacy Shield would be wise to monitor the situation, and might consider Model Contract Clauses as a “belt and suspenders” approach to compliance.
If you would like advice regarding different options your business can take including model contracts, please contact a member of Polsinelli’s Privacy and Data Security team.