Late on the first day of this year's Computers, Privacy, and Data Protection conference, US President Donald Trump issued Executive Order 13768, "Enhancing Public Safety in the Interior of the United States". The cause for conference uproar was Section 14:
Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
MEP Jan Philipp Albrecht, who shepherded the EU's new General Data Protection Regulation into law, immediately tweeted that the European Commission must suspend the EU-US Privacy Shield agreement and sanction the US. To CPDP's many experts, the situation was less clear-cut. Much of the conference's closing discussion, the Caspar Bowden panel on Privacy Shield and Mass Surveillance, focused on whether Albrecht was correct.
Left out of the discussion were three pending court cases which will have a lot to say about how this will develop. First, the next stage in Austrian privacy advocate Max Schrems' second case against Facebook, covering its use of "standard contractual clauses", is due in the Irish High Court next week, and the US government has successfully petitioned to join the case. Schrems' first case precipitated the nullification of the Safe Harbor agreement, which in turn led to the creation of Privacy Shield as a replacement. Also pending is Digital Rights Ireland's legal action challenging the independence of Ireland's Data Protection Authority.
The Umbrella Agreement is a framework for transferring law enforcement data from the EU to the US, and was created under the Judicial Redress Act (2015), which was passed specifically to enable Privacy Shield and which gives EU citizens limited rights under the US Privacy Act (1974). The Umbrella Agreement and the list of covered countries were published in the Federal Register on January 23, 2017, and, said Georgia Tech professor Peter Swire during the panel, would enter into force on February 1, 2017.
Swire therefore suggested that while the executive order has its policy implications, there is no operational legal effect on Privacy Shield; the ombudsperson is still in place. At Lawfare, Adam Klein and Carrie Cordero agree with him, as does Hunton and Williams; Chris Pounder, at HawTalk, generally agrees, but believes the result is nonetheless to show that the US's privacy protection is not adequate as per the requirements of GDPR.
Swire went on to list three positive and three negative thoughts.
The positive. First, Trump's campaign platform did not include hurting American business, and disrupting Privacy Shield makes no business sense. Second, there is no important US constituency opposing Privacy Shield. Third, Safe Harbor was signed under Bill Clinton and became routine under George W. Bush, and with 1,700 companies now signed up for Privacy Shield and more applications pending, there seems no reason why the agreement negotiated by Barack Obama should not become routine under Trump. Immigration, on the other hand, was a big campaign issue, and accordingly Swire believes the executive order is focused on the immigration authorities' mixed records. However, the incoming Attorney General could change or revoke the list of covered countries, forcing the EU to decide how to act.
The negative. It is hard to be optimistic about the future of privacy protection under the Trump administration. Consistent with the many statements he's made on the subject, Trump is fundamentally shifting the US away from the free-trade policies that have held sway in the US since the end of World War II. Swire added that the relative peace and prosperity of recent times provided a fortunate opportunity to work on data protection; he believes in the coming years privacy will be forced to take a back seat to more fundamental issues - nuclear arms, for example.
The indefatigable policy blogger Marcy Wheeler was more pessimistic. Presidents modify or waive older EOs rather than issue new ones. On January 3, Obama approved procedures to allow the US's 17 intelligence agencies to share signals intelligence data collected under EO 12333, which was originally issued by Ronald Reagan in 1981. Together with statements by new CIA director Mike Pompeo, that leads Wheeler to believe that Trump will demand that the EU participate in sharing data. She also noted that a key element of Privacy Shield is assuming that the US will adhere to Presidential Policy Directive 28 (PPD-28), "Signals Intelligence Activities", which specifies how the US will use the data it collects. Meanwhile, the US immigration service is already asking arriving international travellers for their social media identifiers, and Immigration and Customs Enforcement (ICE) and the Department of Homeland Security can share this data via the Intelligence Cloud the US government began setting up in 2013.
But don't get too relieved. Edward Hasbrouck argues that Trump's action does kill the EU-US PNR Agreement, which depends on administration action. This agreement, which covers sharing passenger name records, specifies that individuals should be entitled to request their PNR data, correct or delete it, and seek effective redress if it's been misused. However, neither the US Privacy Act nor the JRA requires giving foreigners these rights; instead, they depend on administrative action that Trump's EO has now eliminated for foreigners.
Illustrations: Caspar Bowden panel; Peter Swire; Marcy Wheeler.
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.