On January 25, 2017, the U.S. President signed an Executive Order on “Enhancing Public Safety in the Interior of the United States” containing rules for government privacy policies pertaining to foreigners. This caused concerns in Europe, but should not affect the EU-U.S. Privacy Shield.

Section 14 of the Executive Order is entitled “Privacy Act” and provides that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.” This is intended to support U.S. immigration law enforcement.

According to the U.S. Privacy Act of 1974 (5 U.S.C. §552a), government agencies must not disclose records with personal data of U.S. citizens and lawful permanent residents, subject to broad exceptions (www.gpo.gov/fdsys/pkg/USCODE-2012-title5/pdf/USCODE-2012-title5-partI-chap5-subchapII-sec552a.pdf). In 2015, Congress enacted the “Judicial Redress Act” to extend some rights to judicial redress to citizens of certain designated countries. The U.S. Justice Department designated the EU as protected in support of Art. 19 of an Umbrella Data Protection and Privacy Agreement (“DDPA”) between the EU and the United States, which is intended to enhance cooperation and information sharing for law enforcement and terrorism prevention purposes, see www.justice.gov/opcl/judicial-redress-act-2015. Section 14 of the Executive Order does not specifically address this designation and includes a catch-all qualification “to the extent consistent with applicable law,” which would include the terms of the Judicial Redress Act and of the DDPA when effectuated.

When the EU Commission issued its adequacy decision regarding data transfers under the EU-U.S. Privacy Shield on July 12, 2016, its decision did not mention the “Judicial Redress Act” at all. The Privacy Act is only mentioned once in an Annex, see Decision 2016/1250/EU of July 12, 2016, O.J. 1.8.2016, L 207/76. The U.S. Privacy Act of 1974 and the Judicial Redress Act of 2015 concern record disclosures by U.S. government agencies and thus the separate DDPA, which contemplates more record sharing between agencies in the EU and U.S. for law enforcement and prevention purposes. But the two Acts seem much less relevant with respect to private sector data transfers to U.S. companies under the EU-U.S. Privacy Shield. Companies are subject to similar government surveillance and access demands on both sides of the Atlantic, regardless of how they legitimize EU data transfers, whether they use consent, standard contractual clauses, binding corporate rules or other compliance mechanisms, see overview and detailed comparative analysis at www.bakermckenzie.com/QRGGlobalSurveillanceLawApr16/.

Given the limited relevance of the U.S. Privacy Act for the EU Commission’s adequacy decision pertaining to the EU-U.S. Privacy Shield, the Executive Order of January 25, 2017 should not have an impact.

Author

Brian Hengesbaugh is chair of the Firm's Global Data Privacy and Security Business Unit, a Member of the Firm's Global IP Tech Steering Committee, and a Member of the Firm's Financial Institutions' Group. Brian is listed in The Legal 500 Hall of Fame and was recognized as a Regulatory & Compliance Trailblazer by the National Law Journal. He is also listed as a Leading Lawyer for Cyber law (including data protection and privacy) in The Legal 500 and is listed in Chambers. Formerly Special Counsel to the General Counsel of the US Department of Commerce, Brian played a key role in the development and implementation of the US Government’s domestic and international policy in the area of privacy and electronic commerce. In particular, he served on the core team that negotiated the US-EU Safe Harbor Privacy Arrangement (Safe Harbor), and earned a Medal Award from the US Department of Commerce for this service. In addition, Brian participated on behalf of the United States in the development of a draft Council of Europe Treaty on Cyber Crime, and in the negotiation of a draft Hague Convention on Jurisdiction and the Recognition of Foreign Judgments. Brian has been quoted in the Wall Street Journal, New York Times, Forbes, CNET, Slate Magazine, Compliance Weekly, BNA Bloomberg, PCWorld and other news publications on global privacy and security issues.

Author

Julia Kaufmann is a partner in Baker McKenzie's Munich office. She has been admitted in Germany since 2006 and in New York, USA, since 2009. In addition to her studies in Germany, Mrs. Kaufmann obtained her Master of Laws degree at the University of Texas at Austin, USA. Mrs. Kaufmann worked in the Firm’s Dallas office from 2011 to 2012 and handled matters primarily for US clients.

Author

Lothar Determann has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto. He is a member of the Firm's International/Commercial Practice Group and the TMT and Healthcare industry groups.