It's been a wild ride over the last couple of months for any organization transferring customer data across borders. Less than a week after taking office, President Trump signed an Executive Order, "Enhancing Public Safety in the Interior of the United States," that sent privacy advocates reeling. It vowed to remove data privacy protections under the U.S. government's Privacy Act from anyone who is not a U.S. citizen or lawful resident.
Experts worry that the move will further damage a long-fought and hard-won agreement on cross-border data privacy that was already under threat: the European Privacy Shield.
The Privacy Shield is a relatively young agreement, having only been enacted in July 2016. The EU and the U.S. arrived at the agreement after a long and painful journey which saw the demise of its predecessor, the Safe Harbor agreement.
Established in 2000, Safe Harbor enabled companies gathering data in European countries to transfer it to the U.S. In 2014, Austrian lawyer and privacy activist Max Schrems threatened the agreement by challenging the Irish government's permission for Facebook to move his data from Ireland to the U.S. When the Irish government used Safe Harbor as justification, Schrems took the case to the European Court of Justice, which ruled the agreement invalid in 2015. The court decided that privacy protections in the U.S. were too weak to support it, because the U.S. government could access data held there for national security purposes.
The two sides crafted the European Privacy Shield agreement instead, which had a new element: European citizens could complain in U.S. courts if they felt their data was being mismanaged. This new aspect of the agreement was supported legally by the Judicial Redress Act, signed by former President Obama in February 2016.
The Judicial Redress Act also supported the EU-U.S. Umbrella Agreement, signed in December 2016. This is a high-level framework for protecting data shared between law enforcement groups in the EU and U.S.
EU MEPs (elected representatives in the EU) first worried that the Executive Order would kill the Privacy Shield, but spokespeople later argued that under the language of the Order, data collected outside the U.S. and simply transferred there will be safe.
“I think that's totally lame,” responded Ann Cavoukian, former privacy commissioner for Ontario. “Personally, I don't think that's going to withstand the scrutiny of the data protection commissioners of the EU.”
The Privacy Shield was already under threat before the Order, as court cases in France and Ireland challenge it on the grounds that U.S. surveillance powers are simply too strong. “Add this to the equation and it's going to weaken confidence in the Privacy Shield,” she warns.