September 26, 2020

Volume X, Number 270

September 25, 2020

Subscribe to Latest Legal News and Analysis

September 24, 2020

Subscribe to Latest Legal News and Analysis

September 23, 2020

Subscribe to Latest Legal News and Analysis

Trump Executive Order Puts Privacy Shield’s Future in Doubt

President Trump signed an Executive Order last week that potentially puts the six-month old Privacy Shield in jeopardy. While mostly aimed at immigration and border patrol, the Executive Order entitled “Enhancing Public Safety in the Interior of the United States,” also includes a provision aimed at eliminating privacy protection for foreigners. Section 14 of the Executive Order reads:

"Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

By specifically excluding non-U.S. citizens or residents from the protections of the Privacy Act, the U.S. safeguards provided by the Privacy Shield regarding the adequacy of protection of the personally identifiable information of EU citizens could be destroyed, leading to the invalidation of the Privacy Shield Agreement outright. 

In response to the Executive Order, the European Commission (EC) issued a statement expressing support for Privacy Shield and downplaying the impact of Trump’s Executive Order. "The U.S. Privacy Act has never offered data protection rights to Europeans," an EC spokeswoman said. In other words, the EC’s current position is that Privacy Shield does not rely on the Privacy Act, which covers data held by U.S. agencies, not by private companies.

Others in Europe have not been as accepting of the Executive Order. European Parliament Member Jan Philipp Albrech expressed fear that the Executive Order would undermine the EU-U.S. Privacy Shield Agreement, tweeting: “If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-U.S. umbrella agreement.” 

While the EC statement may be technically accurate, Albrecht’s views may more realistically reflect the view of European regulators. A comparison of the Executive Order against the Judicial Redress Act, for example, demonstrates that the Privacy Shield and the Umbrella Agreement between the U.S. and EU (which governs information sharing by law enforcement across the Atlantic) both remain intact. 

On the other hand, it is hard to imagine that the Executive Order and the apparent protectionist policies announced by the Trump Administration will not impact the viability of Privacy Shield. Enforcement of the Privacy Shield, for example, is the responsibility of the Department of State and the FTC. Those are executive agencies under President Trump’s direction. If Trump directs them not to prosecute privacy violations, or if enforcement is reduced, it is hard to imagine Privacy Shield surviving in the long-term. After all, a key component of the Privacy Shield framework, in light of Safe Harbor's invalidation, was increased U.S. enforcement of EU privacy rights. That agreement includes US recognition of the right of Europeans to bring enforcement actions in the U.S. against companies that might not otherwise be reachable in the EU. 

It is also worth remembering that the Privacy Shield Agreement must be renewed annually by the U.S. Department of Commerce and the European Commission. It is difficult to imagine the European Commission agreeing to renew a deal that is founded upon U.S. enforcement where the President has directed the executive branch not to enforce non-citizen privacy rights. Ultimately, the question may come down to how the FTC enforces both privacy violations generally, and the Privacy Shield specifically, during the first half of 2017. U.S.-EU diplomacy in other areas may also bleed over into the Privacy Shield debate. 

To date, more than 1,500 companies have self-certified under the Privacy Shield, which was approved in July 2016 and began accepting self-certifications in August 2016 after the predecessor Safe Harbor agreement was invalidated in October 2015. US companies certified under the Privacy Shield would be wise to monitor the situation, and might consider Model Contract Clauses as a “belt and suspenders” approach to compliance. 

© Polsinelli PC, Polsinelli LLP in CaliforniaNational Law Review, Volume VII, Number 31


About this Author

Daniel L. Farris, Polcinelli PC, fiber optic networking Lawyer, data center operations attorney, Chicago

As a former software engineer and network administrator in the telecommunications industry, Daniel offers his clients real-world experience in fiber optic networking, data center operations, cloud computing, mobile app development, and data privacy and security matters.  His practice is founded upon understanding how technology can strengthen and expand the core mission of his clients’ businesses.

Amanda Katzenstein, Polsinelli, Media Technology Lawyer, Trademark Rights Attorney

Amanda Katzenstein uses her extensive media and technology experience to assist clients with resolving their legal challenges. She started her career in television news, serving as a reporter and producer for CLTV, Chicago’s 24-hour news network; as a reporter, editor, and photographer for both WYCC-TV and the Evanston Community Cable Channel; and working in production for a nationally syndicated TV talk show.

Additionally, Amanda’s experience includes dealing with the practical effects of trademark rights at a national advertising agency, analyzing music licenses at a well-known music TV station, helping to build the legal department at an online media company, and assisting with media transactions at the Federal Communication Commission.