Privacy Paradox

The US-EU Privacy Shield -- Maybe Yes, Maybe No

By Paul Rosenzweig
Sunday, January 29, 2017, 1:30 PM

The problem with President Trump is that he moves so quickly from quixotic disaster to quixotic disaster that we can lose track of what is happening. Problems flare up in an instant only be overtaken by the next wave of chaos. So it is with the President's seeming repeal of policy relating to the privacy act and its effect on the US-EU privacy shield. Though the policy is only 4 days old now, it seems to have been forgotten completely, buried under the landslide of concern about the new immigration policy. That seems to me unwise. Having reflected more on the question my views are now more nuanced and more uncertain.

To recall: Last week President Trump issued an Executive Order on Enhancing Public Safety contained this notable provision:

Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

This provision was problematic, in my view, for digital commerce across the Atlantic which is highly dependent on the free flow of data. I worried that the provision was, in effect, a rejection of portions of the Privacy Shield which guaranteed roughly equivalent privacy protections on both sides of the Atlantic and gave legal, and practical, comfort to Europeans and Americans about the security and privacy of their personal information.The promise of equal treatment for Europeans was a cornerstone of the Privacy Shield agreement and the recission seemed to negate that promise.

Co-bloggers Adam and Carrie had a decidedly different view concluding that the Privacy Shield was preserved. They argued that the Shield turned on two components -- the Judicial Redress Act and PPD-28 -- both of which were unaffected by the new EO. The former is a statute that extends the right to sue pursuant to the Privacy Act to citizens of designated foreign countries. The latter provides enhanced privacy protections to people of all nationalities in the context of US Signals Intelligence collection. These two pillars, they argue, are unaffected by the EO.

On further reflection, however, I think they may be only half right. It is absolutely clear that an EO cannot rescind a statute. Thus, the JRA portions of the Privacy Shield agreement must remain in effect.

But the effect of a subsequent EO on a prior EO is not at all clear to me. Plainly the better practice would have been to explicitly rescind the seeming conflicting portions of PPD-28 or, if you wish, to explicitly say that they are unchanged. Even the least bit of thoughtful and lawyerly review would have made clear that the effects were ambiguous (which supports the point others have made similarly about the immigration EO -- namely that it is the product of incompetence). But in the face of ambiguity, my instinct is that the last in time is the first in right -- i.e. that the newer EO trumps (no pun intended) conflicting provisions of earlier EOs. This makes me concerned (since it would be BAD policy) that, in effect, the Trump EO calls into question some of PPD-28, especially those portions relating to retention and dissemination limitations.

I hope I am wrong -- and the EO will be the subject of much discussion and interpretation within the IC. But ... this is yet another instance where the Trumpian penchant for haste simply causes confusion.