Are the US-EU data agreements still alive?

By EDRi · February 8, 2017

Late on the first day of the Computers, Data Protection and Privacy (CPDP) Conference on 25 January 2017, word came through that US President Donald Trump had issued an Executive Order (EO), “Enhancing Public Safety in the Interior of the United States”, which included the following:

Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

Member of the European Parliament (MEP) Jan Philipp Albrecht immediately tweeted that the European Commission must suspend Privacy Shield and sanction the US for breaking the Umbrella Agreement. To the many experts at CPDP, the situation was less clear-cut. Much of the conference’s closing discussion, the Caspar Bowden panel on Privacy Shield and Mass Surveillance, focused on it.

The executive order places three things at risk: Privacy Shield, the EU-US Umbrella Agreement, and the EU-US Passenger Name Records (PNR) Agreement.

The Umbrella Agreement is a framework for transferring law enforcement data from the EU to the US, and was created under the Judicial Redress Act (JRA). Passed in 2015 as an enabler for Privacy Shield, the JRA gives citizens from the EU and its member countries limited rights under the US Privacy Act. The Umbrella Agreement and the list of EU countries were published in the Federal Register on 23 January 2017. Because the pre-conditions have now been met, data protection lawyer Peter Swire, speaking at CPDP, said that the Umbrella Agreement will enter into force on 1 February.

Swire, therefore, believes that while unknown political implications will stem from the executive order, there is no operational legal effect on Privacy Shield; the ombudsperson is still in place. He then listed three positive and three negative thoughts.

The positive:

  1. Trump’s campaign platform did not include hurting American business, and disrupting Privacy Shield makes no business sense;
  2. there is no important US constituency opposing Privacy Shield;
  3. Safe Harbor was signed under Bill Clinton and became routine under George W. Bush. With 1 700 companies now signed up for Privacy Shield and more applications pending, there seems to be no reason why the agreement negotiated by Barack Obama should not become routine under Trump. Immigration, on the other hand, was a big campaign issue, and accordingly, Swire believes the executive order is focused on the immigration authorities’ mixed records. However, the incoming Attorney General could change or revoke the list of covered countries, forcing the EU to decide how to act.

The negative:

  1. few are optimistic about the Trump administration with respect to privacy;
  2. Trump is against free trade and is fundamentally shifting the US away from it;
  3. Trump is proud of not being polite or politically correct.

Swire added that the relative peace and prosperity of recent times provided a fortunate opportunity to work on data protection; he believes in the coming years privacy will be forced to take a back seat to even more fundamental issues – nuclear arms, for example.

Marcy Wheeler from the blog was more pessimistic. Presidents modify or waive older Executive Orders rather than issue new ones. On 3 January 2017, Obama approved procedures to allow the US’s 17 intelligence agencies to share signals intelligence data collected under EO 12333, which was originally issued by Ronald Reagan in 1981. Together with statements by the new Central Intelligence Agency (CIA) director, Mike Pompeo, that leads Wheeler to believe that Trump will demand that the EU participates in sharing data. She also noted that a key element of Privacy Shield is assuming that the US will adhere to Presidential Policy Directive 28 (PPD-28), “Signals Intelligence Activities”, which specifies how the US will use the data it collects. Meanwhile, the US immigration service is already asking arriving international travellers for their social media identifiers, and Immigration and Customs Enforcement (ICE) and the Department of Homeland Security can share this data via the Intelligence Cloud the US government began setting up in 2013.

Edward Hasbrouck, an EDRi observer from the organisation Papers Please, argues that Trump’s EO more directly affects the EU-US PNR Agreement, which depends on administration action. PNR specifies that any individual should be entitled to request their PNR data, correct or delete it, and seek effective redress if it’s been misused. However, neither the US Privacy Act nor the JRA requires giving foreigners these rights; instead, they depend on administration action that Trump’s EO has now eliminated for foreigners. Some access to records should still be available under the Freedom of Information Act, but not the rights of correction or deletion. Hasbrouck accordingly pronounces the EU-US PNR Agreement dead and asks what the EU and its citizens and residents are going to do about it.

The ironies of the EO 12333 sharing expansion for Obama and Trump (30.01.2017)

Trump repudiates agreement with EU on PNR data (29.01.2017)

(Contribution by Wendy M. Grossman, freelance writer, member of the advisory councils of EDRi members Open Rights Group and the Foundation for Information Policy Research, the United Kingdom)