Trump Order Stripping Privacy Protections for Foreigners May Harm Privacy Shield, Say Experts
A provision in President Donald Trump's public safety executive order issued Wednesday directs agencies to exclude privacy rights of foreigners under the 1974 Privacy Act. Some privacy experts said they see the order as a harbinger of things to come in undermining the rights of non-U.S. citizens and permanent residents that could eventually endanger the EU-U.S. Privacy Shield, which was negotiated last year to provide adequate protection of Europeans' personal data.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
“The White House is playing a dangerous game cutting back on Privacy Act safeguards," emailed Electronic Privacy Information Center President Marc Rotenberg Thursday. "The impact on trade with Europe could be staggering." Member of European Parliament Jan Philipp Albrecht, its rapporteur on data protection regulation, tweeted that "if this is true," the European Commission "has to immediately suspend" Privacy Shield and "sanction the US for breaking the EU-US umbrella agreement." Albrecht later retweeted a statement that said it was from the EC saying the U.S. Privacy Act "never offered data protection rights to Europeans.”
Section 14 in Trump's order -- enhancing public safety in the U.S. interior -- says "to the extent consistent with applicable law," agencies' privacy policies should "exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Jake Laperruque, senior counsel at the Constitution Project, told us Trump's order will probably have little practical impact, but it "seems to very clearly show that privacy rights of non US persons are not a priority to them and ... without that, I think Privacy Shield, which was already on shaky ground, seems to be really headed off a cliff.” He said the administration doesn't seem to understand the economic ramifications of its action. Business leaders peg trans-Atlantic trade and investments in the trillions of dollars (see 1511020052, 1610270001 and 1602020040).
“The best we can say is this executive order should be a read as a signal for the approach the administration is going to take to rights of non-U.S. persons," said Access Now U.S. Policy Manager Amie Stepanovich in an interview. She said Europeans may view the order as a signal the administration won't make changes to Section 702 of the Foreign Intelligence Surveillance Act Amendments Act, which sunsets at the end of 2017. That program collects information about non-U.S. persons who are under investigation and located overseas.
Stepanovich said the Trump administration seems to be hinting it will fully renew Section 702 without additional protection and reform. That coupled with the change in attitude on non-U.S. persons will be central to the Privacy Shield review by Europeans, she said. Laperruque said presidential policy directive 28 under the Obama administration provided government surveillance protections to non-U.S. persons, but if PPD-28 is rolled back by the Trump administration and Section 702 isn't changed, it might mean Privacy Shield "is as good as dead.”
PPD-28, which extended privacy safeguards for citizens of foreign countries, "has been vital in restoring global trust in US technology and values," wrote Sidley Austin attorneys Alan Raul and Cameron Kerry, former general counsel at the Department of Commerce, in a Lawfare blog post last week. "It is central to the European Commission's conclusion in its Privacy Shield decision that US law adequately safeguards EU citizens. ... There has been no concrete suggestion from the transition that PPD-28 could be on this hit list but, if it is, the effect for transatlantic data transfers would be catastrophic.”
Along with PPD-28, Stepanovich said the Judicial Redress Act (JRA), signed into law after Privacy Shield was negotiated (see 1602110013), is also a central part of the trans-Atlantic agreement. JRA allows the U.S. government to certify certain countries and essentially extend the benefits of the Privacy Act to those Europeans, giving them legal redress if they believe their personal data was abused by U.S. federal agencies. A notice in Monday's Federal Register said JRA will cover 26 countries and the EU effective Feb. 1, with more to be certified later. Stepanovich said the Obama administration took small steps in right direction by extending privacy protection benefits through JRA and PPD-28, but the Trump order "is a sea change." She expects pushback from the business community, lawmakers and others.