Already Under Attack In Top EU Court, Privacy Shield Framework For Transatlantic Data Flows Further Undermined By Trump

from the you're-not-really-helping-things,-Donald dept

A year ago, Techdirt wrote about the melodramatically-named "Privacy Shield." Under EU data protection laws, the transfer of EU citizens' personal data is only legal if the destination country meets certain basic conditions for data protection. Signing up to Privacy Shield is designed to allow US companies to meet that requirement. The earlier framework, called "Safe Harbor," was thrown out by the EU's highest court, the Court of Justice of the European Union (CJEU), largely because of NSA spying on data flows. Privacy Shield was hurriedly cobbled together because, without it, the vast flows of data across the Atlantic that occur all the time would be much harder to square with EU laws.

However, since the NSA has not stopped spying on data flows, some in the EU feel that Privacy Shield offers as little protection for personal data as Safe Harbor. This led the Irish civil liberties group Digital Rights Ireland (DRI) last October to ask the EU's General Court -- one of the more obscure courts of the CJEU -- to annul the Privacy Shield framework, arguing that it too lacks adequate privacy protections. Although there are still some procedural matters to be settled first, largely to do with whether DRI has standing to bring this legal action, the case is considered a serious enough challenge to the Privacy Shield framework that the US government is getting involved directly:

The US government has applied to be an intervening party in a challenge by Irish privacy campaign group Digital Rights Ireland against the Privacy Shield transatlantic data transfer pact.

As the article from the Irish Times explains, the US is not alone: also keen to see the framework upheld are the British, Dutch, and French governments, as well as Microsoft and the Business Software Alliance, all of whom have applied separately to join the action. DRI's basic argument is the following:

In questioning Privacy Shield's adequacy, it says its provisions are not actually fixed in US law. The privacy group will also argue that the agreement neither adequately addresses the court's specific objections to Safe Harbour, nor protects citizens' rights provided for under the EU Charter of Fundamental Rights and by the general principles of EU law.

The DRI's case may have just received a boost from an unusual quarter. As Techdirt reported, the President of the United States has signed an executive order that strips those who are not US citizens of certain rights under the Privacy Act. A spokeswoman for the European Commission told TechCrunch that Privacy Shield "does not rely on the protections under the US Privacy Act." But Jan Philipp Albrecht, a Member of the European Parliament, and the leading expert on data protection regulation there, is not so sure that the framework will escape unscathed. He wrote in a tweet that:

If this is true [about the stripping of privacy protections] @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement.

The "EU-US umbrella agreement" refers to another recently-agreed deal that puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The long thread that follows Albrecht's tweet explores to what extent the Privacy Shield framework is likely to be impacted by the new executive order. There's no clear consensus yet on that. But one thing is for sure: the general thrust of Trump's order probably indicates a broader shift in policy that makes it more likely that the CJEU will strike down Privacy Shield just as it struck down Safe Harbor.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: donald trump, eu, privacy, privacy act, privacy shield, safe harbors, us

New Trump Executive Order Says Federal Agencies Should Exclude Foreigners From Privacy Protections

from the immigrants-founded-this-country,-but-what-have-they-done-for-us-lately? dept

It's America first, everyone else second. That's the new administration's message. An executive order full of disturbing mandates contains a proposed rollback of privacy protections extended to foreign residents' personal information, as ProPublica's Julie Angwin pointed out on Twitter.

Here's the section detailing the clawback of privacy rights from President Trump's "Enhancing Public Safety in the Interior of the United States" executive order.

Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

This doesn't appear to touch the Obama's Presidential Policy Directive issued in response to the Snowden leaks, which ordered US agencies to show a bit more respect to the personal information on foreigners harvested by multiple surveillance programs. The relevant part of PPD-28 reads:

All persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information. U.S. signals intelligence activities must, therefore, include appropriate safeguards for the personal information of all individuals, regardless of the nationality of the individual to whom the information pertains or where that individual resides.

What it never instructed agencies to do is stop collecting it, or to even scale their collection programs back. The solution isn't less spying -- despite the Snowden revelations -- but more policies. This is still intact despite Trump's executive order. He has the option of revoking previous Presidential Policy Directives, so it's not as though this extension of rights is untouchable.

The order basically states that government agencies no longer need to extend privacy protections to foreign residents' data that they may possess. The problem with this rollback is that it rolls back very little. Foreign data isn't covered by the Privacy Act. The president may have been targeting Obama's presidential directive with this executive order, but he has missed badly.

What it does do, however, is screw with the Passenger Name Record agreement the US signed with the European Commission back in 2007.

IV. Access and Redress: DHS has made a policy decision to extend administrative Privacy Act protections to PNR data stored in the ATS regardless of the nationality or country of residence of the data subject, including data that relates to European citizens. Consistent with U.S. law, DHS also maintains a system accessible by individuals, regardless of their nationality or country of residence, for providing redress to persons seeking information about or correction of PNR.

Then again, this was screwed with before the ink was even dry. The Bush Administration changed the terms of the deal less than two weeks later by stripping everyone -- US citizens and foreigners -- of these privacy protections by exempting the DHS's Arrival and Departure System, as well as the multi-agency Automated Targeting System from the Privacy Act.

The more disturbing part of the order is the installation of a Two Minutes Hate program for foreigners and any municipalities deemed to be "sheltering" aliens from the federal government.

To better inform the public regarding the public safety threats associated with sanctuary jurisdictions, the Secretary shall utilize the Declined Detainer Outcome Report or its equivalent and, on a weekly basis, make public a comprehensive list of criminal actions committed by aliens and any jurisdiction that ignored or otherwise failed to honor any detainers with respect to such aliens.

One would think it might be just as useful to collect information on domestic, US person-created "public safety threats" and make a "comprehensive list of criminal actions" committed by people who can't be expelled from the country. Presented without comparison, it will skew public perception, making it appear as though the main criminal force in the US is people who aren't here legally. (The order doesn't specify whether non-residence will be considered a "criminal action" worth listing in the report.)

On top of that, the order mandates the creation of an office that will cater solely to victims of criminal acts committed by non-US residents. It also orders the funding of additional personnel to man the borders and expedite the expulsion of non-residents. There's no stipulation for random testing of US persons' bodily fluids for dilution or impurities, but one assumes the nascent order will be undergo further alteration during rollout.

Filed Under: donald trump, executive order, foreigners, privacy, privacy act