Trump signs 'no privacy for non-Americans' order – what does that mean for rest of us?

Europe's Privacy Shield shaken by US prez

By Kieren McCarthy in San Francisco


Analysis: US President Donald Trump may have undermined a critical data sharing agreement between the United States and Europe that internet giants rely on to do business overseas.

In an executive order focused on illegal immigrants that was signed by the president this week, one section specifically noted that privacy protections would not be extended past US citizens or permanent residents in America.

Section 14 of the Enhancing Public Safety order reads:

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

By agencies, the president means the NSA, the FBI, and so on. The order's language appears to directly contradict a critical component of the new Privacy Shield agreement between the US and Europe that provides essential legal protections for US businesses sending and receiving data across the Atlantic. In short, that agreement is supposed to ensure non-Americans are not treated as second-class citizens by US organizations, with weaker privacy safeguards than Americans are afforded.

The Privacy Shield was developed and approved in record time last year after the previous Safe Harbor arrangement was deemed illegal by Europe's top court back in October 2015. It has only been in place for six months, it is still on probation as far as Europe's data protection authorities are concerned, and it is almost certain to be challenged in the courts.

The language in the executive order led to immediate concerns in Europe, with the European Parliament's rapporteur on data protection, Jan Philipp Albrecht, tweeting: "If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement."


A few hours later, a frantic European Commission put out a statement in an effort to calm the waters. "We are aware of the executive order on public safety," noted the statement. "The US Privacy Act has never offered data protection rights to Europeans."

It then goes on to flag two pieces of new legislation that it believes made the new Privacy Shield legal under European law: "The Commission negotiated two additional instruments to ensure that EU citizens' data is duly protected when transferred to the US:

In addition to the Judicial Redress Act – which was signed into law by President Obama late last year – privacy experts have also spotted a notice that was signed by the outgoing Attorney General just three days before Donald Trump became president and only appeared in the Federal Register three days after the inauguration.

That notice lists 26 countries – in addition to the European Union as a whole – as being "covered countries" that benefit from the "extension of certain Privacy Act remedies." That decision is due to become law on February 1 – the same day as the new US-EU Data Protection and Privacy Agreement.

The combination of the EU's official statement and the discovery of the Justice Department note has led privacy experts to focus on the critical sub-clause in Trump's executive order: that "agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons..." (our emphasis).

In theory, therefore – with the Judicial Redress Act law, the attorney general's designations due to become law in less than a week, and the executive order including a clear carve-out for existing law – the situation should be that the Privacy Shield agreement holds. The executive order would then only apply to countries outside the European Union – although Canada and Mexico are notably absent, which may have its own political repercussions.

But the Trump Administration has been nothing if not erratic and has repeatedly shown it is willing to tear up existing agreements and protocols. Many are wondering why Trump's team felt the need to include the section at all, especially given the fact that it serves no real purpose. As a result, the European Union's statement concludes with some significant degree of uncertainty:

"We will continue to monitor the implementation of both instruments and are following closely any changes in the US that might have an effect on Europeans' data protection rights," it ends.


It is with some degree of irony that Facebook – which was at the center of the legal case that resulted in the previous Safe Harbor agreement being found illegal – chose today to release its new "Privacy Basics" approach to data privacy, and two-factor authentication for security.

"Today we're introducing a new Privacy Basics to make it easier for people to find tools for controlling their information on Facebook," the company boasted. Facebook has long been criticized for its opaque and confusing policies over what level of control it grants users of the service.

While the company claims to have simplified things (again), it is notable that there are no fewer than 32 "interactive guides" to help Facebook users figure out how the company is trying to sell people's data as much as possible while giving them the sense that their data is not being abused.

And in a second irony, in two days – January 28 – it will be the official annual Data Protection Day in Europe. President Trump has certainly given privacy advocates, government officials, and just about every major online corporation something to discuss. ®

PS: Lawfare's Adam Klein and Carrie Cordero reckon the executive order "does not actually deny Privacy Act protections to Europeans," however "even the suggestion that the administration is cutting back privacy protections for Europeans could be damaging in the ongoing litigation over Privacy Shield’s validity."
