On January 25, 2017, President Trump signed a new Executive Order on Enhancing Public Safety in the Interior of the U.S. Among other elements, the Executive Order directs U.S. government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” but only if doing so is “consistent with applicable law.”
This prompted certain commentators, such as Member of the European Parliament Jan-Philipp Albrecht, to question whether the Executive Order would have an impact on the robustness of the EU-U.S. Privacy Shield data transfer framework.
The European Commission moved swiftly to confirm that the Privacy Shield does not rely on the U.S. Privacy Act of 1974 (“Privacy Act”). Indeed, the Privacy Act is only necessary to protect EU residents when their data is sent directly to U.S. law enforcement agencies. The Privacy Act applies to EU citizens pursuant to a U.S. law (the Judicial Redress Act) and the EU-U.S. Umbrella Agreement, neither of which is overridden by the new Executive Order. And the EU has already been designated as a “covered country” under the Judicial Redress Act, thus extending Privacy Act protections to EU citizens.
The protections afforded under the Privacy Shield—which concerns transfers to U.S. companies, not law enforcement authorities—are based on a sweeping framework of domestic U.S. laws, international commitments, the Privacy Shield’s own Principles, and a European Commission Decision. Thus, the Executive Order does not alter the applicability of the Privacy Act to EU citizens—although it may exert additional political pressures on the Privacy Shield, which is already subject to challenge in EU courts.