Fears that U.S. President Trump has destroyed the Privacy Shield Transatlantic data transfer agreement with one of the many executive orders he has signed this week are unfounded, the European Commission said Friday.
On Wednesday, Trump signed an executive order entitled “Enhancing Public Safety in the Interior of the U.S.,” one of several he has issued since taking office on Jan. 20. Such executive orders are used by U.S presidents to manage the operations of the federal government.
Like the “Border Security and Immigration Enforcement Improvements” executive order signed the same day, the public safety order seeks to repatriate foreigners who have either entered the U.S. illegally or entered legally but overstayed or otherwise violated the terms of their visas.
To do that, law enforcers need to be able to track the foreigners concerned, but privacy laws can make it difficult for them to obtain the information necessary to identify them.
That’s why Trump ordered U.S. government agencies to “ensure that their privacy policies exclude persons who are not U.S. citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
There has been concern that the president’s move would have an impact on Privacy Shield. Guaranteeing privacy rights for foreigners’ data processed in the U.S. was one of the requirements the European Union imposed on the U.S. when negotiating Privacy Shield, the agreement that allows businesses to transfer the personal information of EU citizens to the U.S. for processing. Such transfers are forbidden by EU privacy law unless the destination country provides privacy protection at least equal to that required in under EU law.
One EU legislator who had fought for the protections enshrined in Privacy Shield immediately criticized the president’s public safety order. Member of the European Parliament Jan Philipp Albrecht feared the order would undermine Privacy Shield and another EU-U.S. privacy agreement, the so-called Umbrella Agreement, which is due to take effect next Wednesday.
“If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement,” tweeted Albrecht.
But the fears of Albrecht and others are unfounded, said a Commission spokeswoman. Privacy Shield protects data of EU citizens that is transferred to the U.S. but does not cover the privacy of data gathered in the U.S.
“The U.S. Privacy Act has never offered data protection rights to Europeans,” she said. Privacy Shield does not rely on the Privacy Act, which covers data held by U.S. agencies, not by private companies.
Otherwise, the Umbrella Agreement that MEP Albrecht referred to covers the exchange of personal information between U.S. and EU law enforcers during the course of their investigations. However, it depends on a law that appears to exclude Europeans from Trump’s executive order.
“To finalize this agreement the U.S. Congress adopted a new law last year, the U.S. Judicial Redress Act, which extends the benefits of the U.S. Privacy Act to Europeans and gives them access to U.S. courts,” the Commission spokeswoman said.
And since Trump only asked agencies to exclude Europeans from the Privacy Act “to the extent consistent with applicable law,” it seems that the protections of the Judicial Redress Act still apply.
The Commission remains vigilant. “We will continue to monitor the implementation of both instruments and are following closely any changes in the U.S. that might have an effect on European’s data protection rights,” the spokeswoman said.