deepagopi2011 - Fotolia

Privacy Shield threat overshadowed by US immigration row

EU citizens’ rights under the Privacy Shield Act are not directly affected by President Trump's executive order on public safety, according to international law firm Hogan Lovells

US President Donald Trump’s executive order on border security and immigration is causing a stir internationally, but another executive order is raising concern among privacy professionals.

Also signed on 25 January, the executive order on enhancing public safety in the US is sounding alarms because of fears that it may jeopardise the EU-US data transfer agreement known as Privacy Shield.

The European Commission (EC) adopted the framework for certifying US companies as being compliant with EU data protection regulations to enable data transfer between the EU and the US.

Privacy Shield was developed in consultation with the US to replace the Safe Harbour agreement, which was declared invalid by the Court of Justice of the European Union (CJEU).

Although adoption has been slow since its introduction in August 2016, about 1,500 companies are now reportedly using the Privacy Shield framework to transfer personal data between the US and Europe.

But privacy professionals are worried that Trump’s executive order on public safety could scupper Privacy Shield because section 14 of the order specifically excludes people who are not US citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

In a bid to quell concerns, the EC issued a statement saying that the US Privacy Act had “never offered data protection rights to Europeans” and that Privacy Shield did not rely on the Privacy Act.

But Jan Philipp Albrecht, rapporteur for the European Parliament’s committee on civil liberties, reignited debate and concern by tweeting that if it were true that the executive order excludes non-citizens from the Privacy Act, then the EC had to “immediately suspend #PrivacyShield and sanction the US for breaking EU-US umbrella agreement”.

On closer inspection, however, law firms and civil rights groups believe that although the executive order underlines the vulnerability of Privacy Shield, it is unlikely to have any marked effect.

Read more about EU-US Privacy Shield

When the Privacy Shield framework was agreed, human rights group Privacy International dubbed it “Paper Shield” because many of the commitments to protect personal data made by the US government were not enshrined in US law, and so could be vulnerable to a change of administration.

“The executive order issued by President Trump regretfully proves this point,” said the organisation’s legal officer Tomaso Falchetta.

“It may not yet fully unravel the Privacy Shield, but it represents a first, significant dent to it. The order also demonstrates clearly that the guarantees of data protection, without discrimination, must be enshrined within the law.”

International law firm Hogan Lovells has gone a step further, saying the executive order “does not impact any of the US commitments under the Privacy Shield, nor does it revoke protections for EU citizens under the Privacy Act provided pursuant to the Judicial Redress Act”.

This opinion is based on the fact that an executive order can only take effect “consistent with applicable law”, in this case the Judicial Redress Act, and on the fact that it relates to the Privacy Act, which does not affect any US commitments under the Privacy Shield agreement, the law firm said in a blog post.

Cannot overturn statutes

The law firm said the US president cannot enact executive orders to overturn statutes enacted by Congress, and therefore, although the executive order permits the president to direct federal agencies to refrain from offering Privacy Act protections to citizens of foreign countries, it cannot revoke coverage from jurisdictions already designated as covered under the Judicial Redress Act.

The law firm said executive order cannot affect any explicit commitments made by the US under Privacy Shield because the European Commission’s official Adequacy Decision approving Privacy Shield did not rely on the Privacy Act’s protections.

“The [executive order] will not affect EU citizens’ right to redress against Privacy Shield organisations through their independent recourse mechanisms, as well as through binding arbitration,” the blog post said.

“Privacy Shield also provides for an EU-US Ombudsperson to facilitate EU requests related to national security access to data transmitted from the EU to the US.”

Hogan Lovells further noted that the Ombudsperson mechanism is untouched by the executive order and that the other commitments by the US government that were relied upon by the European Commission in approving Privacy Shield – such as limitations on signals intelligence under Presidential Policy Directive 28, executive and judicial branch oversight of collection programmes, and transparency measures related to government access requests – are also untouched by the executive order.

EU citizens’ rights under both Privacy Shield and the Privacy Act are not directly affected by this executive order (EO), the law firm said.

“However, going forward, it will be important to pay attention to European officials’ reaction to the EO. It will also be important to watch how the EO may impact the Attorney General’s designations of countries covered under the Judicial Redress Act or countries that could receive such designation in the future,” the blog post concluded.

Key aspects untouched

Eduardo Ustaran, London-based partner at Hogan Lovells, told Computer Weekly that the key aspects of the Privacy Shield in this context are President Obama's ‘Presidential Policy Directive 28’  that was issued in response to Edward Snowden’s revelations and the Ombudsman mechanism. “Both of these remain untouched by President Trump’s executive order,” he said.

In a blog post on the topic that coincided with the publication of the executive order, Ustaran said the level of scrutiny of the Privacy Shield has been relentless since day one. 

“While the EU data protection authorities were prepared to give it the benefit of the doubt, various legal challenges were filed with the Court of Justice of the European Union seeking its invalidation,” he wrote. 

“In reality, the future of the Privacy Shield will be linked to the direction of travel of the new Trump administration and the extent to which the assurances given by the previous government on data access controls will stand.”

Ustaran also noted that beyond transfers of data to the US, global dataflows that are secured through standard contractual mechanisms are also in the spotlight because of a case launched by Irish Data Protection Commissioner Helen Dixon.

Dixon is asking the European Court of Justice to rule on the legality of EU-US data transfers, post-Safe Harbour, specifically to decide the validity of the channels – known as standard contractual clauses (SCCs) – being used for daily EU-US data transfers.

“Given that under the GDPR [General Data Protection Regulation], exporting data from the EU will not be any easier, it is a true business priority to get this issue right,” Ustaran wrote. 

“With both the Privacy Shield and standard contractual clauses under pressure, it is a matter of being alert and prepared to move quickly. Organisations are not short of options, but binding corporate rules or reinforced contractual solutions [SCCs] will continue to be seen as the most solid approaches.”

Read more on Privacy and data protection