- Will European Privacy in the United States be Trumped?
- March 30, 2017 | Authors: Steven Baker; Jenna Rennie; Janaki Tampi
- Law Firm: Cadwalader, Wickersham & Taft LLP - London Office
In recent weeks there has been significant debate among commentators about whether Europeans’ privacy is becoming less protected in the US and what that may mean for the privacy protection arrangements between the EU and the US.
The debate was sparked on 25 January 2017, when US President Donald Trump signed the Executive Order “Enhancing Public Safety in the Interior of the United States”. Section 14 of the Executive Order provides that:
“Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Despite initial concerns raised over the Executive Order’s exclusionary language, it should not have an immediate negative impact on the privacy protection arrangements between the EU and the US for two reasons:
- First, the US Privacy Act protects the collection, processing and disclosure of personal data by the federal executive and federal agencies. It does not impact the transfer of data between private organisations. Data transferred from the EU to the US is instead protected under the EU-US Privacy Shield Framework (“Privacy Shield”). The Privacy Shield provides an EU-compliant mechanism for the transfer of personal data by EU-based companies to US-based companies. The mechanism works when US-based companies commit to the Privacy Shield and agree to comply with applicable EU data protection and privacy laws. That commitment is then enforceable under US law, and there is an independent recourse mechanism for breach of commitment. Section 14 of the Executive Order, which applies to federal agencies, should therefore have limited impact on personal data transferred from EU-based organisations to US-based organisations.
- Second, in terms of the processing of EU citizens’ information by US agencies, the EU-US Umbrella Agreement and the US Judicial Redress Act provide EU citizens with the same benefits as US citizens under the US Privacy Act, including access to US courts to obtain US Privacy Act remedies. However, EU residents do not necessarily benefit from these same protections.
Privacy Shield uncertainties continue
The EU-US Privacy Shield had been operating on uncertain ground even before the Executive Order.
On 12 July 2016 the European Commission (“EC”) adopted its Adequacy Decision, enabling companies to rely on the Privacy Shield. On 26 July 2016, only a few weeks after the Adequacy Decision, the EC Article 29 Working Party (“WP”) stated that it did not consider that the Privacy Shield adequately addressed EU privacy requirements. In particular, the WP expressed its regret in respect of matters including:
- the lack of certainty as to how the Privacy Shield Principles apply to data processors;
- the absence of ‘concrete assurances’ that bulk collection of personal data in the US will not occur again; and
- the lack of specific rules on automated decisions and of a general right to object.
Uncertainty persists for EU and US-based companies that currently rely on the provisions of the Privacy Shield to ensure their business operations comply with EU data protection requirements. Even though no immediate action is required, companies will need to watch developments on both sides of the Atlantic carefully.