Yesterday’s Executive Order on “Enhancing Public Safety in the Interior of the United States” triggered alarm among privacy advocates in the U.S. and EU about the continued viability of the economically important Privacy Shield agreement. Extending certain rights conferred by the Privacy Act of 1974 to EU citizens was “a long-standing demand of the EU” and a key element of the deal that secured Privacy Shield. In addition, the U.S.-EU “umbrella agreement” for law-enforcement data-sharing requires the U.S. to grant Europeans these rights.
Section 14 of yesterday’s Order, read in isolation, appears to instruct federal agencies to deny Privacy Act protections to Europeans:
Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
Fortunately, our preliminary analysis is that the Order does not actually deny Privacy Act protections to Europeans. An Executive Order, of course, cannot supersede a statute—which Section 14 implicitly acknowledges with its caveat “to the extent consistent with applicable law.”
The “applicable law” here is the Judicial Redress Act of 2015, codified at 5 U.S.C. § 552a note. The Judicial Redress Act extends the right to sue conferred by the Privacy Act to citizens of “covered countries” designated by the Attorney General. And on January 17, 2017, in a little-noticed move, the Attorney General designated 26 countries and the European Union as a whole. That designation takes effect on February 1, 2017, when the Umbrella Agreement enters into force.
As of today, the Attorney General’s designation remains in effect. Also continuing in effect is Presidential Policy Directive (PPD)-28, which provides enhanced privacy protections to all persons regardless of nationality, in the context of U.S. signals intelligence activities. Although we have no more to go on than the text of the Order itself, we suspect that its intent in including Section 14 was geared towards the enforcement of immigration laws, and not towards influencing the global economic activity affected by Privacy Shield.
Of course, even the suggestion that the Administration is cutting back privacy protections for Europeans could be damaging in the ongoing litigation over Privacy Shield’s validity; the Court of Justice of the EU showed in the Schrems decision that is moved less by the hard facts of U.S. surveillance policy than by a hazy sense of U.S. overreach. To fend off another Schrems-like decision, the U.S. should work to alter prevailing misperceptions about its surveillance and privacy policies. (One of us has proposed in a recent report various steps the United States could take to do so.) But this Executive Order is ancillary to those debates.