EU Privacy Chiefs Want Trump to Uphold Data Transfer Pact

By Stephen Gardner

European Union privacy regulators will soon question President Donald Trump on the U.S. commitment to the EU-U.S. Privacy Shield data transfer pact.

Although Trump’s Jan. 25 immigration executive order limiting extension of the Privacy Act to non-U.S. citizens doesn’t have a direct legal effect on the Privacy Shield, it has raised concerns over U.S. intentions. The Article 29 Working Party of data protection officials from the 28 EU countries said in a Feb. 16 statement that it would write to the Trump administration “pointing out concerns and asking for clarifications on the possible impact” the order may have on the Privacy Shield.

The Privacy Shield allows U.S. companies that self-certify with the Commerce Department their compliance with EU-approved privacy and security principles to legally transfer personal data from the EU to the U.S. The Privacy Shield is relied upon by over 1,000 U.S. companies, including Alphabet Inc.'s Google, Microsoft Corp. and Facebook Inc., as well as thousands more EU companies that send data to those U.S. companies.

An Art. 29 Party spokeswoman told Bloomberg BNA Feb. 17 that the group would publish a letter to the Trump administration on the Privacy Shield within the next 10 days.

The executive order at issue has been stayed by the U.S. Court of Appeals for the Ninth Circuit. However, the Trump administration has vowed to issue a new immigration executive order.

A White House official familiar with the matter told Bloomberg BNA Feb. 17 on background that the executive order applies to agencies only “to the extent within applicable law” and that the “Trump administration will ensure that no privacy laws are violated.” It is too early to speculate on whether there would be similar language in upcoming executive orders, the official said.

The regulators also said in the statement that they are delaying their next round of guidance on the EU’s new privacy regime until at least April.

Daniel Fesler, a partner with Baker McKenzie in Brussels, told Bloomberg BNA Feb. 17 that the late delivery of guidance could mean that companies will need to review their data protection compliance programs late in 2017 or in 2018, shortly before the EU General Data Protection Regulation (GDPR) takes effect in May 2018. That could be “extremely cumbersome” and “a challenge for organizations trying to prepare themselves,” Fesler said.

Redress Concerns

Privacy advocates raised concerns over Trump’s executive order when it was issued. But attorneys and political leaders on both sides of the Atlantic tried to quell the storm, saying the order was aimed at immigration and national security concerns rather than commercial data transfer arrangements. The order is also limited to actions that aren’t already authorized by law. The Redress Act authorizes EU citizens to utilize the Privacy Act to complain about alleged government misuse of personal data transferred under the Privacy Shield. The Obama administration’s Department of Justice specifically included EU countries as being covered by the Redress Act.

European Commission spokesman Christian Wigand told Bloomberg BNA Feb. 17 that the commission, the EU’s executive arm, had already contacted U.S. officials “to ask for some clarifications on the U.S. Judicial Redress Act.” Wigand didn’t give details of the commission’s specific concerns.

EU privacy regulators are authorized to “enforce and uphold individual rights. They do this independently and are therefore free to raise questions with U.S. counterparts,” Wigand said.

Mauricio Paez, a privacy and data protection partner with Jones Day in New York, told Bloomberg BNA Feb. 17 that the EU privacy regulators weren’t being unreasonable in asking the Trump administration about the Privacy Shield. EU data privacy regulators have a “great interest in understanding these questions and the administration’s views,” he said.

Slow Progress on GDPR Guidance

The privacy regulators also are moving forward with guidance on the GDPR. Parts of the guidance are expected in April, while others won’t be available until the later part of 2017.

Guidance on data protection impact assessments that must be carried out under the GDPR for high-risk processing would be provisionally adopted in April, the Art. 29 statement said.

The working party indicated that new guidance on consent, profiling and notification of data breaches, which is prioritized for 2017, would likely appear later in the year. A workshop on those issues is slated for April, it said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
