Privacy Paradox

So Much for the Privacy Shield

By Paul Rosenzweig
Thursday, January 26, 2017, 11:55 AM

Digital commerce across the Atlantic is highly dependent on the free flow of data. And that, in turn, is dependent on the existence of roughly equivalent privacy protections on both sides of the Atlantic that provide legal, and practical, comfort to Europeans and Americans about the security and privacy of their personal information. As Cameron Kerry and Alan Charles Raul have noted in this blog, the privacy promises made by the US government have significant economic impact in fostering digital trade.

So much for that. Yesterday's Executive Order on Enhancing Public Safety contained this notable provision:

Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

The promise of equal treatment for Europeans was a cornerstone of the Privacy Shield agreement. To be sure, the caveat is "consistent with applicable law" and that means the prior statutory agreement in the Judicial Redress Act to advance equivalency has not been repealed (nor could it be). But to the best of my knowledge the JRA has yet to be implemented -- and I doubt now that it will be since doing so requires an Executive certification.

[UPDATE: In a notice dated January 17, but published in the Federal Register on January 23, the outgoing Attorney General published a list of countries covered under the Privacy Act, pursuant to the Judicial Redress Act. 26 European countries, along with the European Union, were designated, with two additional European countries anticipated to be designated soon (Denmark and the United Kingdom).]