31 Jan 2017

Section 14 of the Executive Order on "Enhancing Public Safety in the Interior of the United States" provides:

"Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

The immediate reaction in Europe included suggestions that the Executive Order might undermine the EU-US Privacy Shield because it departed from assurances given to the EU Commission by the Obama administration (assurances that were further supported by a five-page letter from US intelligence agencies).

The EU Commission moved swiftly to soothe those concerns, pointing out that the relevant protections (from an EU perspective) are in the EU-US Umbrella Agreement (in force 1 February) and in the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.

Although we tend to agree with the analysis by the EU Commission, the events of the last few days have ensured that concerns remain, and the Executive Order is likely to be cited as a real and ongoing cause for concern by those already challenging the legal basis for Privacy Shield (notably Max Schrems, whose legal challenge led to the Court ruling that brought the previous "Safe Harbor" arrangement to an end). At the very least, the Executive Order has revived concerns about the security and processing of personal data in the US. That is not helpful from a commercial perspective given the business-critical nature of data transfers, and the fact that both Privacy Shield and the Model Clauses are already subject to close scrutiny and legal challenge.