The state of EU-US data transfer, in a tweet

Two weeks ago the Conference on Privacy and Data Protection — more commonly referred to as CPDP — took place in Brussels. CPDP gathers privacy enthusiasts (or non-enthusiasts), activists, academics, industry representatives, and decision-makers to debate current challenges and opportunities in the field of privacy and data protection.

As usual, commercial data transfers between the EU and the US were among the most discussed issues, both at the conference and on Twitter. Issued during the conference, the Trump Administration’s Executive Order on “Enhancing Public Safety in the Interior of the United States” heightened the debate on the universality of the right to privacy. In this post, we will reflect on the discussions that took place at the conference and explain how the US administration’s decision could impact the privacy of people around the world.

Read our letter here to Commissioner Vera Jourová and EU Parliament LIBE Chair Claude Moraes asking for the suspension of the Privacy Shield arrangement.

What happened?



On January 25th, the Trump administration released an Executive Order on “Enhancing Public Safety in the Interior of the United States.” Section 14 of the executive order states the following:

Sec. 14.  Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

Particularly in the context of the rest of the Executive Order, this provision seems explicitly geared toward undermining the privacy of immigrants living in the United States. However, it also sends a clear message to the world that this administration does not acknowledge privacy as a universal fundamental right. This move ignores the timid steps made by the Obama administration to extend limited privacy protection to so-called non-US persons. While it doesn’t explicitly overrule the US recognition of “privacy interests” in Presidential Policy Directive 28 (issued by President Obama), it undermines the spirit and so-called written assurances of Privacy Shield, forecasts future actions in this area, and will undoubtedly have significant implications for users around the world.

The EU-US Umbrella Agreement

There has been extensive discussion on whether and how this Executive Order impacts the Umbrella Agreement. The short answer is: not directly, as the US had adopted legislation (the Judicial Redress Act) to implement certain provisions of the Umbrella Agreement. The provision above specifies that it operates “to the extent consistent with applicable law,” meaning it will not overrule this provision. But the ramifications are a bit more complex.

The EU-US Umbrella Agreement is a data protection framework that aims to provide a series of measures to protect personal data that is transferred overseas for law enforcement purposes. Prior to its adoption last November, the US had passed legislation to extend certain privacy protections to non-US citizens: the Judicial Redress Act (JRA). The JRA grants a very limited right to remedy under the US Privacy Act of 1974 to people who are not US citizens or permanent residents. Notably, many surveillance programs are exempt from this statute, making the Judicial Redress Act’s protections limited in fact. The Privacy Act also does not allow persons to initiate legal claims against companies for privacy breaches. Perhaps most importantly, the Judicial Redress Act grants broad discretion to the US Attorney General to decide which countries are eligible for even those limited avenues for remedy. This discretion extends to decisions to remove a country’s eligibility. The JRA specifies several reasons why this designation could be removed, including if a country “impedes the transfer of information…to the United States by a private entity or person.” How convenient!

The Privacy Shield

Trump’s Executive Order also directly impacts the EU-US data transfer arrangement known as Privacy Shield. By explicitly negating the universality of privacy rights, Trump contradicts the previous administration’s commitment to ensure the privacy of EU data subjects and breaches the essence of the adequacy decision and the underlying commitments of Privacy Shield required to allow US companies to lawfully transfer personal data from Europe.

Over the past few weeks, the US has also extended the ability of US agencies to share surveillance information collected pursuant to Executive Order 12333, which, broadly and without remotely adequate oversight, authorizes surveillance that takes place outside the US and is targeted at non-US persons. US surveillance capacity could also be further extended in the upcoming months as Section 702 of the FISA Amendments Act — which is the basis of the authorization of mass surveillance programmes such as Prism and Upstream — will undergo a battle around its reauthorisation or sunset.

Faced with this avalanche of privacy-invasive measures, the EU can in no way ensure that the US provides users with an adequate level of privacy protection. The Privacy Shield was flawed from the beginning and the recent changes in US law and policy only add insult to injury.

This is why today we have sent a letter to Commissioner Vera Jourová and EU Parliament LIBE Chair Claude Moraes asking for the suspension of the arrangement. Read our letter here.