Lauren Kreps Blog Post

Lauren Kreps

Information Privacy Law

Professor Ira Rubinstein

March 6, 2017

Amidst the steady current of Executive Orders President Trump has issued in his first two months in office, it would have been all too easy to miss his January 25, 2017 Executive Order threatening to place US-EU agreements on privacy regulation in jeopardy. After all, just two days later the President issued another Executive Order announcing an unprecedented travel ban on refugees and citizens of certain predominantly Muslim countries into the US, inciting nationwide protest and rebuke.

Though the human toll implied by the latter justifiably dominated national debate, both Executive Orders presented potentially seismic shifts in their respective international policy landscapes – one concerning the movement of people, the other of data.

Having already been rattled by the fall of the decades-long Safe Harbor agreement that facilitated data flow between Europe and the US, those with a political, commercial or philosophical stake in the transnational flow of information saw the January 25 Executive Order as an open threat – albeit one of a lesser order of magnitude than what was to follow. Particularly concerning was Section 14 of the January 25 presidential order, mandating that US agencies “shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

This came as a surprise to European officials, who in the wake of the Safe Harbor invalidation had spent months collaborating with the Obama administration to ensure the July 2016 enactment of The EU-US Privacy Shield. Addressing privacy “holes” that Safe Harbor had left untended, the Privacy Shield aims to guarantee the continued flow of commercially-essential personal information (PI) from the EU to the US, while also allaying European fears of surveillance by American security services.

The implications of the unwinding of US-EU cooperation on privacy regulation are extensive. Over 2,000 companies have already signed on to the Privacy Shield framework – companies including Google, Facebook, Twitter and Microsoft, whose businesses rely on the ability to store data about EU citizens on US servers. A recent New York Times article stated that the Privacy Shield made possible as much as $260 billion of trade in digital services. Commercial interests aside, assurances of equal treatment of EU citizens are also crucial to cooperation on the Umbrella Agreement, which enables the sharing of law enforcement data between the US and the EU.

Concerned by the potential effects of President Trump’s unilateral decree, EU Justice Commissioner Vera Jourova expressed in an interview with Bloomberg that she would require assurance from the Trump administration that Privacy Shield would not be affected by the Executive Order. Otherwise, she claimed the EU would be prepared to suspend the pact.

Apparently responsive to these concerns, the US Department of Justice wrote a letter to Jourova’s office stating that “Section 14 [does not] affect the commitments the United States has made under the DPPA (Umbrella Agreement) or the Privacy Shield.” Still, Jourova will be traveling to Washington to meet with officials from the Trump administration regarding the ongoing viability of Privacy Shield at the end of March, where she has stated she will expect “reconfirmation and reassurances.”

Whether this most recent EU-US data transfer mechanism can truly survive in the face of diminished privacy protections for non-US citizens remains to be seen. For now, at least the data doors remain open.