On January 25, 2017, the U.S. President signed an Executive Order on “Enhancing Public Safety in the Interior of the United States” containing rules for government privacy policies pertaining to foreigners. This caused concerns in Europe, but should not affect the EU-U.S. Privacy Shield.

Section 14 of the Executive Order is entitled “Privacy Act” and provides that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This is intended to support U.S. immigration law enforcement.

According to the U.S. Privacy Act of 1974 (5 U.S.C. §552a), government agencies must not disclose records with personal data of U.S. citizens and lawful permanent residents, subject to broad exceptions (www.gpo.gov/fdsys/pkg/USCODE-2012-title5/pdf/USCODE-2012-title5-partI-chap5-subchapII-sec552a.pdf). In 2015, Congress enacted the “Judicial Redress Act” to extend some rights to judicial redress to citizens of certain designated countries. The U.S. Justice Department designated the EU as protected in support of Art. 19 of an Umbrella Data Protection and Privacy Agreement (“DDPA”) between the EU and the United States, which is intended to enhance cooperation and information sharing for law enforcement and terrorism prevention purposes, see www.justice.gov/opcl/judicial-redress-act-2015. Section 14 of the Executive Order does not specifically address this designation and includes a catch-all qualification “to the extent consistent with applicable law,” which would include the terms of the Judicial Redress Act and of the DDPA when effectuated.

When the EU Commission issued its adequacy decision regarding data transfers under the EU-U.S. Privacy Shield on July 12, 2016, its decision did not mention the “Judicial Redress Act” at all. The Privacy Act is only mentioned once in an Annex, see Decision 2016/1250/EU of July 12, 2016, O.J. 1.8.2016, L 207/76. The U.S. Privacy Act of 1974 and the Judicial Redress Act of 2015 concern record disclosures by U.S. government agencies and thus the separate DDPA, which contemplates more record sharing between agencies in the EU and U.S. for law enforcement and prevention purposes. But the two Acts seem much less relevant with respect to private sector data transfers to U.S. companies under the EU-U.S. Privacy Shield. Companies are subject to similar government surveillance and access demands on both sides of the Atlantic, regardless of how they legitimize EU data transfers, whether they use consent, standard contractual clauses, binding corporate rules or other compliance mechanisms, see overview and detailed comparative analysis at www.bakermckenzie.com/QRGGlobalSurveillanceLawApr16/.

Given the limited relevance of the U.S. Privacy Act for the EU Commission’s adequacy decision pertaining to the EU-U.S. Privacy Shield, the Executive Order of January 25, 2017 should not have an impact.

Author

Julia Kaufmann is a partner in Baker McKenzie's Munich office. She has been admitted in Germany since 2006 and in New York, USA, since 2009. In addition to her studies in Germany, Mrs. Kaufmann obtained her Master of Laws degree at the University of Texas at Austin, USA. Mrs. Kaufmann worked in the Firm’s Dallas office from 2011-2012 and handled matters primarily for US clients.

Author

Lothar Determann has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto. He is a member of the Firm's International/Commercial Practice Group and the TMT and Healthcare industry groups.