We have previously noted that the the U.S.-E.U. Privacy Shield data transfer may not be dead, but it is ailing. These concerns have been exacerbated by a January 25, 2017 presidential Executive Order (EO) “Enhancing Public Safety in the Interior of the United States.” Section 14 of the EO reverses Bush era directives extending some privacy protections to non-U.S. persons. The new order instructs agencies to ensure that their privacy policies “exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Critics immediately pounced on the announcement. The European Parliament rapporteur on data regulation immediately complained that the order violated the Privacy Shield framework, and demanded its immediate suspension. The European Commission responded cautiously, offering standard boilerplate about monitoring developments in the United States that could impact a European citizen’s data protection rights, but communicating its dismay over the development.
However, the concerns may reflect a fundamental misunderstanding of the American regulatory framework. The EO affects rights under the United States Privacy Act. The Privacy Act by its own terms, controls the collection and processing of personal data by government agencies. It has no impact on trans-Atlantic data transfers between private entities.
Those private entity transfers are governed by the Privacy Shield framework. Privacy Shield offers a compliance mechanism to enable American companies to process EU personal data. It is premised on a voluntary certification arrangement under which the American company commits to adhere to the requisite European data protection laws. The commitment is a binding undertaking enforceable by federal regulators. Section 14 does not affect this arrangement.
Nevertheless, U.S. companies processing European data cannot afford to be too sanguine. European privacy advocates have already challenged Privacy Shield; the Executive Order sends an unambiguous signal that further American concessions are unlikely to be forthcoming. As privacy expert Stewart Baker recently stated, the feeling in Washington is that the EU has repeatedly sold it the same mule for two decades and offered nothing in return.
American companies falling under EU data processing jurisdiction – a definition that is set to expand significantly in May 2018 with the introduction of the GDPR, would be wise to adopt a belt and suspenders approach. They should certainly continue to adhere to their Privacy Shield commitments. But in addition, they should also consider the use of additional devices such as binding corporate rules or model contractual clauses as a further safeguard in the event of a Privacy Shield collapse. The redundant measures are parachutes; the user hopes never to use them, but it is better to have them and not need them rather than the other way around.