Trump executive order threatens major EU-U.S. data privacy agreement, activists say
An executive order signed this week by President Donald Trump curtails data privacy protections that were extended to foreigners during the Obama administration.
President Barack Obama signed the Judicial Redress Act into law last year, effectively expanding the scope of the Privacy Act of 1974 — which governs the use, collection, maintenance and dissemination of personally identifiable information stored by the federal agencies. Policy experts say the executive order will diminish the influence of the law, not dismantle it entirely.
“In effect, [Trump’s executive order] seems to push for a narrow application of the Judicial Redress Act, or JRA. Though the JRA’s protections were [always] limited, it was an important signal that the U.S. was beginning to respect the rights of non-U.S. persons,” said Drew Mitnick, policy counsel with Access Now, a nonprofit digital rights activist organization.
“Walking back those protections could have serious implications for Privacy Shield, a [separate] agreement that enables the sharing of commercial data from the European Union to U.S.,” explained Mitnick. “That agreement is still in its infancy and is at risk of being overturned if European data protection officers or the European Commission find the U.S. government and companies transporting data aren’t adequately protecting the rights of Europeans.”
Because the U.S. is home to one of the most advanced internet infrastructures on Earth, the country’s tech sector has increasingly served as custodian to the world’s data.
Privacy Shield was designed as a framework to enable the sharing of commercial data owned by companies on each side of the Atlantic Ocean. Negotiations leading up to the passage of Privacy Shield centered on assurances made by the U.S. government to apply sufficient privacy protections for information belonging to European citizens.
A suspension of Privacy Shield would result in legal uncertainty for the more than 1,500 businesses who signed the authorization framework and are currently routing European data through U.S. internet infrastructure. The companies relying on Privacy Shield to publicly ensure privacy protections of their users include the likes of Facebook, Twitter, Google and Microsoft.
Few U.S. privacy laws distinguish between U.S. and non-U.S. citizens, explained Marc Rotenberg, president of the Electronic Privacy Information Center, or EPIC, a public interest research center focused on privacy and civil liberties issues. The Privacy Act is an exception, he said. Some efforts were made in the last several years — beyond just the JRA — to update the Privacy Act. And at the time, these reforms were largely considered legally necessary to permit U.S. firms to obtain access to the data of European consumers, Rotenberg said.
Though the Privacy Act does not apply to non-U.S. persons, Obama’s push to expand the law via the JRA was considered “commendable” by some observers, said Electronic Frontier Foundation Staff Attorney Sophia Cope.
“It’s disappointing to see the Trump administration rolling this back because even non-U.S. persons have privacy interests in the personal data the U.S. government may have on them,” she said.
A spokesperson for the European Commission told TechCrunch that Privacy Shield “does not rely on … protections under the U.S. Privacy Act.”
Privacy Shield is due for its first joint annual review this summer, conducted by the European Commission, the U.S. Department of Commerce, and national intelligence experts from the U.S. and European Data Protection Authorities.
It remains unclear exactly how or if Trump’s executive order will have any impact on the review.
Earlier this month, the European Commission expressed concerns with how the U.S. government had handled a request for information regarding the reported existence of an NSA tool to scan Yahoo emails.
“I am not satisfied because to my taste the answer came relatively late and relatively general, and I will make clear at the first possible opportunity to the American side that this is not how we understand good, quick and full exchange of information,” said EU Justice Commissioner Vera Jourova in an interview with Reuters.
“I would expect that Trump’s administration would understand what is good and what is bad for business. This is good for business,” Jourova said.
