Trump’s Executive Order Impact on the Privacy Shield
Background
The Court of Justice of the European Union has invalidated the U.S.-EU Safe Harbor framework (October 2015), which was replaced by the Privacy Shield on 12 July 2016.
“Enhancing Public Safety in the Interior of the United States” (Executive Order) was issued by the US President Donald Trump on 25th January 2017. This act’s main aim was the immigration laws enforcement in the U.S.
In its Section 14 we may read: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
The so-called “Umbrella Agreement” (signed on 2nd December 2016) between the U.S. and EU, ensured the personal data transfers for law enforcement purposes. This agreement applies also to the pre-existing agreements between the U.S. and EU along with the various Mutual Legal Assistance Treaties (“MLATs”), Passenger Name Records Agreement, and Safe Harbor framework.
Part 19 of the Umbrella Agreement enables every European citizen to seek judicial review in case of an unlawfully disclosure individual’s personal data or denial of the right to access or amend the personal data in agency’s possession.
Before the Umbrella Agreement, there was no such legal possibility, although the Privacy Act of 1974 extended those rights to permanent residents of the U.S. and its citizens. EU would only agree with the Umbrella Agreement once U.S. extends protections to the European citizens under the Privacy Act, so that the U.S. is expected to comply with the Umbrellas Agreement Art. 19.
Moreover, in February 2016 the Judicial Redress Act was passed as the U.S. and EU got along with each other, which extended protections of the Privacy Act (disclosure, access, amendment) to citizens of “covered countries’’ (as named in the Judicial Redress Act).
On 17th of January 2017 Loretta Lynch (new former U.S. Attorney General) designated “covered jurisdictions’’ (as named in the Judicial Redress act) to include in the Judicial Redress Act all the EU Members apart from Denmark and the UK, which has become effective on 1st February.
The Attorneys General designation however, is not subject to administrative or judicial review (within the Judicial Redress Act).
Conclusion
Donald Trump’s Executive Order is believed not to affect the Judicial Redress Act (which is applicable law in the context of data transfers for law enforcement purposes) in terms of the Privacy Act rights to the European citizens extension, so as to say that the Executive Order should not impact Privacy Shield Framework’s legal viability.
Unresolved is still an aspect of “covered countries’’ designation, as the Judicial Redress Act includes a “covered countries’’ designations removal process, which is still subject of a dispute.