On January 25, 2017, the U.S. President signed an Executive Order on “Enhancing Public Safety in the Interior of the United States” containing rules for government privacy policies pertaining to foreigners. This caused concerns in Europe, but should not affect the EU-U.S. Privacy Shield.
Section 14 of the Executive Order is entitled “Privacy Act” and provides that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This is intended to support U.S. immigration law enforcement.
According to the U.S. Privacy Act of 1974 (5 U.S.C. §552a), government agencies must not disclose records with personal data of U.S. citizens and lawful permanent residents, subject to broad exceptions (www.gpo.gov/fdsys/pkg/USCODE-2012-title5/pdf/USCODE-2012-title5-partI-chap5-subchapII-sec552a.pdf). In 2015, Congress enacted the “Judicial Redress Act” to extend some rights to judicial redress to citizens of certain designated countries. The U.S. Justice Department designated the EU as protected in support of Art. 19 of an Umbrella Data Protection and Privacy Agreement (“DDPA”) between the EU and the United States, which is intended to enhance cooperation and information sharing for law enforcement and terrorism prevention purposes, see www.justice.gov/opcl/judicial-redress-act-2015. Section 14 of the Executive Order does not specifically address this designation and includes a catch-all qualification “to the extent consistent with applicable law,” which would include the terms of the Judicial Redress Act and of the DDPA when effectuated.
When the EU Commission issued its adequacy decision regarding data transfers under the EU-U.S. Privacy Shield on July 12, 2016, its decision did not mention the “Judicial Redress Act” at all. The Privacy Act is only mentioned once in an Annex, see Decision 2016/1250/EU of July 12, 2016, O.J. 1.8.2016, L 207/76. The U.S. Privacy Act of 1974 and the Judicial Redress Act of 2015 concern record disclosures by U.S. government agencies and thus relate to the separate DDPA, which contemplates more record sharing between agencies in the EU and U.S. for law enforcement and prevention purposes. But the two Acts seem much less relevant with respect to private sector data transfers to U.S. companies under the EU-U.S. Privacy Shield. Companies are subject to similar government surveillance and access demands on both sides of the Atlantic, regardless of how they legitimize EU data transfers, whether they use consent, standard contractual clauses, binding corporate rules or other compliance mechanisms, see overview and detailed comparative analysis at www.bakermckenzie.com/QRGGlobalSurveillanceLawApr16/.
Given the limited relevance of the U.S. Privacy Act for the EU Commission’s adequacy decision pertaining to the EU-U.S. Privacy Shield, the Executive Order of January 25, 2017 should not have an impact.