President Trump may be on track to derail the European Union-US Privacy Shield, an agreement that protects European citizens’ privacy when their personal data is transferred stateside.
The agreement is already on shaky ground with two legal challenges pending in European Courts. Now, with Mr. Trump seemingly poised to undo Obama administration reforms curtailing bulk metadata collection, the deal is at even greater risk.
Privacy Shield was negotiated early last year after the EU's top court invalidated a 1998 agreement known as Safe Harbor, put in place to assure Europeans that US companies “adequately protected” their information.
Even before Safe Harbor was invalidated, there were numerous calls to update the agreement to reflect new developments in cloud computing, mobile technology, and social networking. Privacy watchdogs across the Atlantic repeatedly called for reform, expressing concern that US companies couldn't be trusted with Europeans' data.
Those calls grew louder after Edward Snowden leaked classified information in 2013 that revealed mass surveillance programs affecting EU citizens. And the EU’s effort to modernize its data protection regime – culminating in the recent adoption of the so-called General Data Protection Regulation – only served to underscore the need to update Safe Harbor.
Now, Privacy Shield, the successor to Safe Harbor, faces a raft of challenges. In September, an advocacy group known as Digital Rights Ireland asked the second highest European Court to annul the agreement on the grounds that it doesn’t provide enough privacy protection for EU data. Shortly thereafter, a French civil liberties group filed a similar suit.
By itself, the legal uncertainty over Privacy Shield is problematic for industry, with an estimated $260 billion in commerce reliant on transatlantic data flows on the line.
But the situation may be even worse. Privacy Shield comes up for annual review later this year, and there's growing concern that Trump could undermine US commitments – particularly on surveillance and judicial redress – that are essential to the agreement.
One major concern centers around the USA Freedom Act, which ended the National Security Agency's bulk collection of telephone metadata (e.g., phone numbers called and the time and duration of calls). Trump’s newly confirmed CIA head Mike Pompeo expressly called for a return to bulk collection of metadata as recently as January 2016. If Trump heeds this call and walks back USA Freedom Act protections, the administration could undermine the continued viability of the Privacy Shield.
Presidential Policy Directive-28 (PPD-28) was also a factor in the European Commission’s acceptance of Privacy Shield. Issued by President Obama in 2014, PPD-28 not only limited the purposes for which bulk signals intelligence can be used, but also acknowledged that “all persons should be treated with dignity and respect … [and] have legitimate privacy interests in the handling of their personal information.”
Mr. Pompeo has argued that PPD-28 “undermines our intelligence capabilities in service of a novel cause: foreign privacy interests.” If Trump repeals PPD-28 – whether at Pompeo’s urging or to make good on his pledge to repeal “every single Obama executive order” – an essential foundational element of the Privacy Shield agreement would be lost.
Another critical element of the Privacy Shield is redress. The Safe Harbor agreement was invalidated in part because it failed to provide Europeans a right of redress for NSA surveillance that violated their privacy. Under the Privacy Shield, EU citizens have rights to redress – including judicial redress – for improper disclosure of their data. The Judicial Redress Act (JRA) of 2015, which extended to EU citizens the protections of the Privacy Act of 1974, was critical to European acceptance of the Privacy Shield.
Last month, with a stroke of the pen that could unsettle EU privacy watchdogs, President Trump issued an executive order directing that federal agencies craft their privacy policies to exclude non-US citizens from Privacy Act protections.
Notwithstanding the executive order, EU citizens will retain the Privacy Act protections granted by the JRA, including rights to judicial redress, because executive orders do not supersede statutes. Regardless, the administration’s decision to weaken privacy protections for non-US persons could be a sticking point for the Europeans when Privacy Shield comes up for review later this year.
Trump should tread cautiously. Privacy Shield bridges fundamental differences between US and EU approaches to data protection. Disturbing this tenuous deal could jeopardize the transatlantic data flows essential to the global economy.
Melanie Teplinsky teaches information privacy law at the American University Washington College of Law as an adjunct professor. She started her career in cybersecurity in 1991 as an analyst at the National Security Agency.