Privacy Paradox

What the “Interior Security” Executive Order does to Foreigners’ Privacy Rights

By Stewart Baker, Zachary Schreiber
Friday, February 3, 2017, 11:52 AM

Last week, Adam Klein and Carrie Cordero persuasively argued against a broad reading of the Privacy Act language in the Executive Order on “Enhancing Public Safety in the Interior of the United States.” While the Executive Order primarily focuses on immigration, Section 14 states:

Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

Always eager to pick a privacy fight (actually, the same privacy fight) with the United States, some Brussels officials immediately detected a plan to overturn a recently negotiated deal extending Privacy Act rights to some Europeans. There were quick calls to suspend Privacy Shield if adequacy protections were no longer met. The deal extending Privacy Act rights, however, was implemented by a separate statute—the Judicial Redress Act—which remains in effect. Perhaps President Trump will push back against Europe’s longstanding privacy protectionism, but, as Adam and Carrie demonstrated, this provision is not aimed at Europe.

This raises the question: What is the provision aimed at? The short (and only a bit unfair) answer it that it seems to be intended to roll back the excesses of the Ford administration.

More than 40 years ago, the Office of Management and Budget (“OMB”) issued guidance that agencies should, as a matter of privacy policy, afford Privacy Act rights to noncitizens if their data exists in a mixed-record system (meaning a system that contains both citizen and noncitizen personally identifiable information). Agencies, such as DHS, have put in place policies that follow this OMB guidance. For years, this has extended informal, administrative Privacy Act rights to noncitizens, to the extent their data existed in a mixed-record system.

Those days are now over, except for nationals of the European Union and perhaps of other nations that are willing to bargain on their behalf.