Despite Reassurances, Trump Immigration Order Stirring Concerns in Europe

President Donald Trump's executive order excluding foreigners from the 1974 Privacy Act apparently isn't meant to affect Privacy Shield, the trans-Atlantic data flow agreement, but that hasn't stopped Europe's data protection community from worrying, said representatives from industry and regulatory authorities. The possibility of changes to -- or an overturning of -- standard contractual clauses (SCCs) is also creating headaches. Meanwhile, the European Parliament Civil Liberties Committee (known as LIBE) will consider a motion urging the European Commission to do a "thorough and in-depth examination of all the shortcomings and weaknesses" in the agreement.

The executive order on enhancing public safety in the U.S. interior says, to "the extent consistent with applicable law," agencies' privacy policies should "exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information." Some privacy experts warned this could jeopardize Privacy Shield (see 1701260015).

Officials at the U.S. Mission to the EU in Brussels said at a late-January meeting that Trump's executive order isn't meant to reopen the door to debate over Privacy Shield or the commitments made by President Barack Obama's administration, said Linklaters (Brussels) data protection attorney Tanguy Van Overstraeten. The officials didn't confirm that position in writing, he told us. The White House didn't comment.

The European Commission said in a statement after the executive order was issued that Privacy Shield was finalized by the adoption last year of the U.S. Judicial Redress Act, which extends the benefits of the Privacy Act to Europeans and gives them access to U.S. courts. "Our understanding is that Mr. Trump's executive order does not affect this and the Commission has asked the U.S. administration to confirm this," the EC said. "We are following closely any changes in the U.S. that might have an effect on Europeans' data protection rights.”

“Whilst we are concerned about the message the executive order sends out, we don't have any indication that it creates a legal challenge to the protection afforded by the EU-US Privacy Shield," a U.K. Information Commissioner's Office spokeswoman emailed Wednesday. The office will "be studying the effect of this development and discussing it with other European regulators," she said. Businesses in Britain wanting to transfer data to the U.S. should continue to use the agreement or other approved mechanisms, she said.

“As with anything to do with Trump, this is just unpredictable," said Hogan Lovells (London) data protection attorney Eduardo Ustaran. Protections under Privacy Shield are unchanged, "but if Trump were to remove Obama's Presidential Policy Directive 28, for example, then the Privacy Shield would be seriously compromised," he emailed. PPD-28 provides government surveillance protections to non-U.S. individuals.

The Irish High Court's review of Facebook's use of SCCs to send personal data to the U.S. could also be challenging to businesses, said Van Overstraeten. SCCs could be called into question by the European Court of Justice (ECJ), where the Irish High Court may refer the Facebook case, he said (see 1702060029).

SCCs are under review by the EU Article 29 Data Protection Working Party (WP29) in order to adapt them to the general data protection regulation, which expressly recognizes them as a transfer solution, Van Overstraeten said. This should make them even stronger than they were, he said. The ECJ will have a hard time overturning them but could say the current clauses need improvement, he said. This is a "work in progress" during which the ECJ could question SCCs on the basis of the Irish case, new provisions could be adopted after the review, or the EU high court could order changes, he said. "I’m still optimistic" that there will be good solutions in place for trans-Atlantic data flows, but there's a lot of uncertainty, he said.

The European Parliament motion, introduced in the LIBE committee Jan. 12, arises in the context of the annual review of Privacy Shield, not the executive order. It acknowledges the agreement "contains significant improvements" over the previous data-transfer mechanism, Safe Harbor, and that U.S. companies that self-certify must comply with tougher data protection standards. But it says, despite U.S. clarifications by means of the letters attached to Privacy Shield, "important concerns remain as regards commercial aspects, national security and law enforcement," such as the possibility of bulk surveillance.

The draft urged the EC to show how concerns by the WP29, European Data Protection Supervisor and others have been addressed. Committee and plenary votes haven't been scheduled, and the draft resolution is expected to be debated in LIBE in March, said a European Parliament press officer.

Access Now meanwhile is asking EU officials to suspend Privacy Shield. In a letter sent Wednesday to Justice Commissioner Vera Jourová and European Parliament Civil Liberties Committee Chairman Claude Moraes, the digital rights group said the framework was flawed from the start since U.S. law and official statements were "insufficient" or carried "zero legal weight" in protecting Europeans' data. Access Now European Policy Manager Fanny Hidvégi and its U.S. Policy Manager Amie Stepanovich said developments since Privacy Shield's adoption "show a near-reckless disregard" for people's human rights "and foreshadow weakening of the already watered-down protections." The developments include the loss of several members on the Privacy and Civil Liberties Oversight Board (see 1612270051), which is expected to issue a report on executive order 12333. Hidvégi and Stepanovich also pointed to Trump's Jan. 26 order directing agencies to exclude privacy rights of foreigners under the 1974 Privacy Act.

The group said CIA Director Mike Pompeo (see 1701240043), Attorney General nominee Jeff Sessions (see 1701240003) and Director of National Intelligence nominee Dan Coats criticized limited changes to U.S. surveillance laws and sought broader power. "The significance of these measures in the U.S. require urgent action from EU institutions that cannot wait until the upcoming annual review of the adequacy decision," said Hidvégi and Stepanovich.