Trump Order Won’t Harm EU-U.S. Data Transfer Pact: Attorneys


By Daniel R. Stoller

President Donald Trump’s recent executive order limiting extension of the Privacy Act to non-U.S. citizens won’t have a direct impact on an important European Union-U.S. data transfer program, attorneys and political leaders on both sides of the Atlantic said.

The thousands of companies that rely on the EU-U.S. Privacy Shield to transfer personal data out of the EU to the U.S. shouldn’t worry that Trump’s order will curtail their ability to use the system, attorneys said.

The Privacy Shield allows U.S. companies that self-certify their compliance with EU-approved privacy and security principles with the Commerce Department to legally transfer personal data from the EU to the U.S. The Privacy Shield is relied upon by over 1,000 companies, including Alphabet Inc.'s Google, Microsoft Corp. and Facebook Inc.

The Jan. 25 executive order, “Enhancing Public Safety in the Interior of the United States,” included a provision that limits executive branch agencies from giving data security protections to non-U.S. citizens in their privacy policies. The agencies can’t provide the protections under the Privacy Act to non-U.S. citizens’ personally identifiable information (PII) “to the extent consistent with applicable law,” the order said.

The Privacy Act allows U.S. citizens to sue in federal court over allegations of governmental misuse of personal data. Last year, the Judicial Redress Act extended the right to sue to EU citizens whose data was transferred to the U.S. EU officials conditioned the passage of a law enforcement data exchange deal between the U.S. and EU on the passage of the Judicial Redress Act.

The executive order provision, at first glance, may appear to impact data transfers from the U.S. to any country, and vice versa. However, the executive order does little to change the existing EU-U.S. Privacy Shield data transfer program and the EU-U.S. umbrella law enforcement data sharing pact, Brian Hengesbaugh, privacy partner at Baker & McKenzie LLP in Chicago, told Bloomberg BNA Jan. 30.

Is Trump Pro-Privacy Shield?

The executive order wasn’t aimed at “transatlantic commercial issues,” and was rather focused on immigration and related national security concerns, according to Hengesbaugh, who was part of the core team that negotiated the Privacy Shield’s predecessor—the U.S.-EU Safe Harbor agreement.

The order doesn’t affect the Privacy Shield, the EU-U.S. umbrella law enforcement data sharing agreement, or the Judicial Redress Act, all important mechanisms for cross-border data transfers to the EU, he said.

Don’t expect the Trump administration to come out against the Privacy Shield or other data transfer mechanisms, Hengesbaugh said. The Trump administration may not respond right away on this issue, but the administration should “be a strong supporter of the Privacy Shield given its vital role in the protection of trans-Atlantic data flows and its importance in protecting and promoting highly skilled jobs in the U.S.,” he said.

Representatives for the Trump administration didn’t immediately respond to Bloomberg BNA’s e-mail requests for comment.

False Alarm?

The executive order’s language, when taken alone, may indicate that data transfers between the U.S. and any other country may be impacted by Trump’s decision.

Jan Philipp Albrecht, a German Green lawmaker, wrote in a Jan. 26 tweet that if Trump’s executive order did exclude all non-U.S. citizens from Privacy Act protections, then the EU Commission has to suspend the Privacy Shield and sanction the U.S. for not complying with the EU-U.S. umbrella law enforcement agreement.

But some U.S. lawmakers decided to speak out to quell such fears. Rep. Jim Sensenbrenner (R-Wis.) said in a Jan. 27 statement that the Privacy Shield, the umbrella agreement and the Judicial Redress Act “remain in full effect.” The language, “to the extent applicable with current law,” limits executive agency action that would harm these data transfer programs, he said. If there are future orders hurting the data transfer programs, Sensenbrenner said he’ll defend them. Until then, it is only a “false alarm,” he said.

Attorneys at Hunton & Williams LLP in a Jan. 28 blog post agreed that the executive order won’t directly impact the Privacy Shield, but did highlight indirect consequences of the action. The post said that “the negative perception created by Trump’s actions could have an adverse effect on the Privacy Shield’s annual review in 2017.”

The EU Commission, the EU’s executive arm, has also limited fears that the Privacy Shield may be harmed by the executive order. Christian Wigand, spokesman for the Commission, said in an interview with Bloomberg News Jan. 26 that the “Privacy Act has never offered data protection rights to Europeans.” For example, the EU-U.S. umbrella agreement, which takes effect Feb. 1, and the Judicial Redress Act are separate instruments “which extends the benefits of the U.S. Privacy Act to Europeans and gives them access to U.S. Courts,” he said.

Even if the Privacy Shield and related cross-border trade mechanisms aren’t harmed by the executive order, it doesn’t mean EU officials will turn their attention away from Trump and his policies. Speaking to reporters in Malta Jan. 25, EU Justice Commissioner Vera Jourova said that the EU Commission, the bloc’s executive arm, is being “very vigilant” on developments in the U.S. Jourova called for the U.S. to reassure EU member countries that “the Privacy Shield can remain” unharmed.

Hengesbaugh said that Jourova is expected to visit the U.S. in the spring to discuss cross-border trade issues.

With assistance from Jimmy Koo in Washington and Stephanie Bodoni in Luxembourg

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The executive order is available at http://src.bna.com/lOG.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
