EU Privacy Shield intact despite Trump executive order
ICO and EU counterparts see no immediate impact to data sharing arrangements with US; further clarity to be sought from country during upcoming annual review of Privacy Shield
The Information Commissioner’s Office (ICO) says there is no indication that an executive order introduced by President Donald Trump revoking protections in the country’s Privacy Act for information held by the state on non-US citizens will impact a major EU data sharing arrangement.
While “concerned” with provisions in the executive order entitled ‘Enhancing Public Safety in the Interior of the United States’, the UK data regulator said the legal changes were not believed to immediately impinge on protections provided under the EU-US Privacy Shield, which was introduced last year.
“We will be studying the effect of this development and discussing it with other European regulators,” said an ICO spokesperson. “Businesses in Britain wanting to transfer data to the US should continue to use the Privacy Shield, or other approved schemes.”
The US executive order introduced by the new president last week calls for “state agencies to the extent consistent with applicable law, [to] ensure that their privacy policies exclude persons who are not US citizens or lawful permanent residents from the protections of the Privacy Act” with regard to personally identifiable information.
However, the ICO said the US Privacy Act has never offered data protection rights to European citizens.
A spokesperson for the European Commission reiterated that the Privacy Shield, implemented last year as an update and replacement for the defunct Safe Harbour arrangement, was one of two instruments introduced to try to safeguard personal information when transferred to the US by companies.
The second mechanism, called the EU-US Umbrella Agreement, will come into force on February 1 under law adopted by the US Congress last year. It will be supported by the US Judicial Redress Act that extends benefits of the US Privacy Act to Europeans, allowing them access to the country’s courts to seek legal redress.
A spokesperson for the commission said both of the instruments were being monitored, particularly for further potential legislative changes that might impact European data protection rights and information handled by companies.
Commissioner Vera Jourová, who heads up EU data protection reform, will be travelling to the US in early spring to prepare to conduct a joint annual review of the arrangement with American counterparts and to look at the existing arrangements.
“I need to be reassured that Privacy Shield can remain. I need to have reconfirmation that there is continuity,” said Jourová in a statement.
The Privacy Shield had been devised to set out clear safeguards and transparency obligations for US-based organisations processing data from EU citizens and will impact technology functions across the public and private sector.
It replaces the 'Safe Harbour' transfer arrangement that was invalidated by the European Court of Justice (ECJ) in 2015, although critics argue the new agreement could face a similar fate without clearer safeguards and revisions moving forward.
With a new and controversial administration now in power following November’s presidential elections, certainty around protections and provisions in transnational agreements is being sought.
UKCloud, a private sector supplier that works with organisations and authorities across the UK, has suggested that legitimate concerns have been raised over potential implications for the EU-US Privacy Shield.
The company has specifically raised fears about the potential for foreign data to be accessed by agencies such as the FBI and National Security Agency (NSA).
Bill Mew, the company’s cloud strategist, said that in replacing the previous Safe Harbour agreement, which was struck down by the European Court of Justice over a citizen-led legal challenge, the Privacy Shield relies on commitment and trust from both sides to be effective.
“We have entered an era of uncertainty as the Trump administration takes office, with potentially many more unsettling executive orders to follow,” he said. “As a result, many European organisations with systems or data that require specific data sovereignty and privacy guarantees will surely begin to move away from US public cloud providers, in favour of local providers that are beyond the reach of intrusive US regulations.”
Speaking on behalf of the UK-based cloud service provider, Mew called for public sector bodies in the country to undertake privacy impact assessments about storing information with a view to both privacy and sovereignty.
US-based multinationals such as Amazon Web Services, Microsoft and IBM have all sought to launch UK data centres to underpin their cloud service operations in the country.