April 20, 2021

Volume XI, Number 110

Advertisement

April 19, 2021

Subscribe to Latest Legal News and Analysis

A White House Executive Order May Affect Validity of Privacy Shield

On January 25, 2017, U.S. President Donald Trump signed an Executive Order titled, “Enhancing Public Safety in the Interior of the United States,” which may affect the validity of the EU and Swiss Privacy Shield Framework that allow companies to transfer personal data to the US. The order (under Section 14) directs all federal agencies to exclude non-US citizens or lawful permanent residents from the protections of the US Privacy Act regarding personally identifiable information. While the language of the order appears to carve out any “applicable laws,” it remains unclear how the order will be implemented.

Background:  The EU-US Privacy Shield framework was only recently negotiated between the EU and US – as recent as six months ago – and the Swiss-US Privacy Shield was just announced this month.  The Privacy Shield Framework guarantees certain rights to EU and Swiss citizens’ personal data, and requires that such data is handled in specific ways.  Over 1,500 organizations have already signed up for Privacy Shield and rely on the framework to transfer EU citizens’ personal data to the US.

Potential Effects: According to Section 14 of the January 25, 2017 Executive Order:

Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

Under the EU Commission’s interpretation, EU citizens can rely on the Judicial Redress Act of 2015 (not the US Privacy Act under Privacy Shield), to exert their rights and gain access to US courts. The Commission has negotiated the EU-US Umbrella Agreement with the US, which becomes effective on February 1, 2017, to extend the same benefits of the US Privacy Act to EU citizens via the Judicial Redress Act.  Whether the Judicial Redress Act and EU-US Umbrella Agreement are stipulated within the “applicable law” carve out remains to be seen.  For the time being Privacy Shield will likely remain in place, though the framework will be up for annual review this summer.

Recommendation:  Companies relying on the Privacy Shield framework as their data transfer mechanism should consider having a “back up” data transfer mechanism for key contracts, such as Standard Contractual Clauses (“Model Clauses”) or Binding Corporate Rules (“BCRs”), in the event the Privacy Shield framework is invalidated.  However, given the validity of Model Clauses is being challenged in the Irish High Court, they may not be a perfect solution.

Advertisement
© Copyright 2021 Squire Patton Boggs (US) LLPNational Law Review, Volume VII, Number 28
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

For almost every business, protecting and productively using intellectual property is a critical element of long-term growth and success. Our Intellectual Property practice is well positioned to help you integrate IP into your business plan and execute it effectively. Ranked as one of the Top 15 global law firm platforms in the world by Law360, our global presence enables us to quickly address your intellectual property needs anywhere in the world.

650 843 3378
Advertisement
Advertisement