On January 25, 2017, U.S. President Donald Trump signed an Executive Order titled “Enhancing Public Safety in the Interior of the United States,” which may affect the validity of the EU-US and Swiss-US Privacy Shield Frameworks that allow companies to transfer personal data to the US. The order (under Section 14) directs all federal agencies to exclude non-US citizens and non-lawful permanent residents from the protections of the US Privacy Act regarding personally identifiable information. While the language of the order appears to carve out any “applicable laws,” it remains unclear how the order will be implemented.
Background: The EU-US Privacy Shield framework was only recently negotiated between the EU and US, as recently as six months ago, and the Swiss-US Privacy Shield was just announced this month. The Privacy Shield Framework guarantees certain rights to EU and Swiss citizens regarding their personal data, and requires that such data be handled in specific ways. Over 1,500 organizations have already signed up for Privacy Shield and rely on the framework to transfer EU citizens’ personal data to the US.
Potential Effects: According to Section 14 of the January 25, 2017 Executive Order:
Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
Under the EU Commission’s interpretation, EU citizens can rely on the Judicial Redress Act of 2015 (not the US Privacy Act) under Privacy Shield to exert their rights and gain access to US courts. The Commission has negotiated the EU-US Umbrella Agreement with the US, which becomes effective on February 1, 2017, to extend the same benefits of the US Privacy Act to EU citizens via the Judicial Redress Act. Whether the Judicial Redress Act and the EU-US Umbrella Agreement fall within the “applicable law” carve-out remains to be seen. For the time being, Privacy Shield will likely remain in place, though the framework will be up for annual review this summer.
Recommendation: Companies relying on the Privacy Shield framework as their data transfer mechanism should consider having a backup data transfer mechanism for key contracts, such as Standard Contractual Clauses (“Model Clauses”) or Binding Corporate Rules (“BCRs”), in the event the Privacy Shield framework is invalidated. However, given that the validity of Model Clauses is being challenged in the Irish High Court, they may not be a perfect solution.