On January 25, 2017, less than a week into his presidency, President Trump signed an immigration-related executive order raising significant questions about the future of U.S. privacy law and EU-U.S. data transfers. The order, titled “Enhancing Public Safety in the Interior of the United States” (“Executive Order”), directs agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”[1]
The Executive Order has raised a number of questions, among them, what will happen to the rights of non-U.S. persons (meaning those who are not U.S. citizens or lawful permanent residents) under the Privacy Act and the Judicial Redress Act, and how might EU-U.S. data transfers under the Privacy Shield be affected?
The Executive Order may reverse prior administrations’ expansion of certain Privacy Act protections to non-U.S. persons. It is unlikely to have any direct legal effect on the Judicial Redress Act or the Privacy Shield. That said, it could foretell policy and political effects on EU-U.S. data transfer arrangements.
Background on the Privacy Act, the Judicial Redress Act, and the Privacy Shield
The Privacy Act governs federal agencies that collect, maintain, or use a system of records with personal information. The Act:
- prohibits agencies from disclosing information about “individuals” to “any person, or to another agency” without the individuals’ consent (absent certain exceptions);
- gives “individuals” the right to review and copy agencies’ records about them; and
- gives “individuals” the right to request amendment of records pertaining to them.[2]
Notably, the statute defines an “individual” as a U.S. citizen or lawful permanent resident (collectively, “U.S. persons”).[3]
One year after the statute was enacted, the Office of Management and Budget, the entity responsible for overseeing implementation of the Privacy Act, issued guidance to the heads of all Executive Departments. The guidance stated, “[w]here a system of records covers both citizens and nonresident aliens, only that portion which relates to citizens or resident aliens is subject to the Act, but agencies are encouraged to treat such systems as if they were, in their entirety, subject to the Act.”[4]
The Departments of Justice and State subsequently adopted this guidance, as did the Department of Homeland Security (DHS) in its 2007 Privacy Policy Guidance Memorandum, 2007-1.[5] The memorandum explained this policy would “advance [DHS’s] strategic goal of cross-border information sharing” and assured “foreign partners that their information would be safeguarded, which would make information sharing more likely.”[6] It further noted, “[i]f DHS wants foreign partners to afford protections to data collected about U.S. citizens, a positive commitment to honor privacy protections for non-U.S. persons, as demonstrated through application of the Privacy Act to mixed systems, will improve the chances for success.”[7]
In 2013, President Obama created the Review Group on Intelligence and Communications Technologies—a group of five leading privacy figures, including Peter Swire, Special Counsel at Alston & Bird and Professor of Law and Ethics at the Georgia Tech Scheller College of Business. In its Report and Recommendations, the Review Group recommended that other agencies adopt DHS’s policy on mixed records.[8] In response, President Obama released Presidential Policy Directive PPD-28, which stated, “U.S. signals intelligence activities must . . . include appropriate safeguards for the personal information of all individuals, regardless of the nationality of the individual to whom the information pertains or where that individual resides.”[9] The Office of the Director of National Intelligence subsequently stated, “[a]ll agency policies implementing PPD-28 now explicitly require that information about a person may not be disseminated solely because he or she is a non-U.S. person . . . . Intelligence Community personnel are now specifically required to consider the privacy interests of non-U.S. persons when drafting and disseminating intelligence reports.”[10] A number of other agencies have similarly extended Privacy Act protections to non-U.S. persons whose information is held in mixed records, including, for example, the Department of Health and Human Services (HHS), the Consumer Financial Protection Bureau (CFPB), and the Department of Transportation (DOT).[11]
Through the Judicial Redress Act of 2015 (JRA), signed into law in February 2016, Congress extended certain Privacy Act protections to non-U.S. persons by statute.[12] The JRA was passed in connection with negotiation of the Umbrella Agreement—an agreement providing data protection safeguards for personal information transferred between EU and U.S. law enforcement authorities.[13] Section 2 of the JRA allows non-U.S. persons from designated countries to sue federal agencies for intentionally or willfully disclosing their records in violation of the Privacy Act.[14] It also allows these same non-U.S. persons to sue designated federal agencies that have denied their requests to review and/or amend their records.[15]
The JRA authorizes the Attorney General to designate a country as covered under the JRA if the country has entered a law enforcement information-sharing agreement with the United States; effectively shared information with the United States for law enforcement purposes; permitted the transfer of personal data to the United States for commercial purposes; and enacted no commercial-data transfer policies that impede U.S. national security interests.[16] The JRA authorizes the Attorney General to remove a designation if a country ceases to satisfy these requirements.[17]
Separate from the Privacy Act and JRA, the European Commission and the U.S. Department of Commerce negotiated the Privacy Shield in 2016.[18] The Privacy Shield provides U.S. companies a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the United States. It replaces the Safe Harbor, which the European Court of Justice declared invalid in 2015.[19]
The Implications of the Executive Order on the Privacy Act, the Judicial Redress Act, and the Privacy Shield
President Trump’s Executive Order raises questions about the future of the Privacy Act, the Judicial Redress Act, and the Privacy Shield.
The major effect of the Executive Order will likely be to eliminate the mixed-records policy of DHS and other agencies, as it directs agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This change is consistent with the Executive Order’s overall goal of changing immigration practices: non-U.S. persons will no longer receive Privacy Act protection for mixed records used in immigration enforcement. The directive is not limited to immigration enforcement, however; it applies to agency privacy policies generally.
The Executive Order does not, however, specifically apply to the JRA. In the final days of the Obama administration, the Attorney General designated the EU and member states (except Denmark and the UK) as covered countries.[20] The Executive Order does not direct the Attorney General to revoke any of these designations.
The Executive Order also has no direct legal effect on the Privacy Shield. The text of the Executive Order does not itself address the Privacy Shield. Nor does its likely effect on mixed records have any direct legal effect on the Privacy Shield, as the Privacy Shield Agreement does not incorporate or otherwise reference the Privacy Act.
That said, there may be political or policy repercussions resulting from the Executive Order and other related developments from the Trump administration. Protection for EU citizens under the Privacy Act was an important factor in the negotiation of the Privacy Shield, and the EU will review implementation of the Privacy Shield in the summer of 2017 and annually thereafter.[21] The Executive Order and other related statements from the administration will likely influence these discussions.
___________________________________________________________________________
[1] The White House, Office of the Press Sec’y, Executive Order: Enhancing Public Safety in the Interior of the United States (Jan. 25, 2017).
[2] 5 U.S.C. §§ 552a(b), 552a(d)(1), 552a(d)(2).
[3] Id. § 552a(a)(2).
[4] Office of Mgmt. and Budget, Circular No. A-108 (1975) (emphasis added).
[5] U.S. Dep’t of Homeland Sec., Privacy Policy Guidance Memorandum, 2007-1 (Jan. 7, 2009); see id. at 4 (noting examples of mixed records that the Departments of Justice and State treated as though they were subject to the Privacy Act).
[6] Id. at 4-5.
[7] Id. at 5.
[8] President’s Review Group on Intelligence and Communications Technologies, Liberty and Security in a Changing World: Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies (Dec. 12, 2013), at 157-60.
[9] The White House, Office of the Press Sec’y, Presidential Policy Directive, Signals Intelligence Activities, PPD-28 (Jan. 17, 2014).
[10] Office of the Dir. of Nat’l Intelligence, Signals Intelligence Reform 2015 Anniversary Report – Strengthening Privacy and Civil Liberties Protections, IC on the Record (2015).
[11] Privacy Act of 1974; System of Records Notice, 81 Fed. Reg. 46682 (July 18, 2016); Consumer Fin. Protection Bureau, Privacy Policy for Non-U.S. Citizens; Dep’t of Transp., Order 1351.18: Departmental Privacy Risk Management Policy, at 5.
[12] Judicial Redress Act of 2015, Pub. L. No. 114-126, 130 Stat. 282.
[13] Agreement Between the United States of America and the European Union on the Protection of Personal Information Relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offenses, Draft for Initialing.
[14] Judicial Redress Act of 2015 § 2(a)(1), Pub. L. No. 114-126, 130 Stat. 282.
[15] Id. § 2(a)(2).
[16] Id. § 2(d)(1).
[17] Id. § 2(d)(2).
[18] See Alston & Bird, Privacy and Data Security Blog, “An Overview of the Privacy Shield”; “EU-US Privacy Shield – FAQs”; “Revised Safe Harbor Agreed: Introducing the New ‘EU-U.S. Privacy Shield.’”
[19] See Alston & Bird, Privacy and Data Security Blog, “European Court of Justice Strikes Down Safe Harbor.”
[20] See U.S. Dep’t of Justice, Attorney General Designations Related to the U.S.-EU Data Protection and Privacy Agreement (Jan. 26, 2017); see also Alston & Bird, Privacy and Data Security Blog, “AG Empowers EU Privacy Suits with Redress Act Designations.”
[21] See U.S. Dep’t of Commerce, EU-U.S. Privacy Shield Framework Principles (2016) (providing for annual review).