Has the Privacy Shield Agreement Between the U.S. and the E.U. Been Fatally Undermined by President Trump’s Executive Order 13768?
An Analysis by Robert Gellman
February 24, 2017
The Analysis in Brief:
This analysis is an in-depth look at the January 2017 Executive Order 13768, Enhancing Public Safety in the Interior of the United States and its interaction with two laws, the Privacy Act of 1974 and the Judicial Redress Act of 2015. Regardless of the reasons underlying why the order was written, a key question this analysis considers is if the order damages the EU-US Privacy Shield agreement, which depends on the dual interactions of the Privacy Act and the Judicial Redress Act to function properly. This analysis finds the order indeed casts doubt on the viability of the limited privacy protections for non-resident aliens in the Judicial Redress Act of 2015. If so, the Judicial Redress Act of 2015 does not provide all EU citizens with the meaningful privacy protections that they expected. The effect may be to fatally undermine the EU-US Privacy Shield Agreement.
About the Authors:
Robert Gellman is the author of this analysis. He is a privacy and information policy consultant in Washington DC (www.bobgellman.com). Pam Dixon edited this analysis. She is the Founder and Executive Director of the World Privacy Forum and a privacy researcher. Gellman and Dixon are the authors of Online Privacy: A Reference Handbook (ABC-CLIO, 2011) as well as authors and co-authors of numerous well-regarded privacy-focused research reports, articles, and analyses.
About the World Privacy Forum:
This analysis was written for the World Privacy Forum. WPF is a non-profit public interest research and consumer education group focused on the research and analysis of privacy-related issues. The Forum was founded in 2003 and has published significant privacy research and policy studies in the areas of health, online and technical privacy issues, self-regulation, financial privacy, identity, and biometrics, among other areas. WPF has testified before Congress and is featured frequently in the press on privacy-related issues. For more information please visit www.worldprivacyforum.org.
Redress Revisited: Has the Privacy Shield Agreement Between the U.S. and the EU been Fatally Undermined by President Trump’s Executive Order 13768?
The Privacy Act of 1974 and the Judicial Redress Act of 2015 form twin foundational pillars of the admittedly fragile EU-US Privacy Shield Agreement, an agreement that exists to facilitate legal data flows from Europe to the US. Recent articles have sought to analyze the January 2017 Executive Order signed by President Trump titled Enhancing Public Safety in the Interior of the United States, and how it changes the implementation of the Privacy Act of 1974 and the Judicial Redress Act as they affect non-resident aliens, and for good reason. Much rests on the continued functioning of the Privacy Shield Agreement.
By way of background, Executive Order 13768, Enhancing Public Safety in the Interior of the United States, removes the discretion that federal agencies exercised since 1975 to grant rights under the Privacy Act of 1974 to non-resident aliens on a case-by-case basis. The Order also calls into question the viability of the Judicial Redress Act of 2015, a law enacted to create enforceable privacy rights for some non-resident aliens and thereby address European Union concerns about the lack of privacy rights for EU citizens with respect to U.S. government records.
Enactment of the Judicial Redress Act of 2015 was a key element supporting the Privacy Shield Agreement between the United States and the European Union that removes barriers to the export of personal information from Europe to the United States by some American businesses. Now, the Executive Order appears to restrict the discretionary authority of the Attorney General to designate the countries whose citizens receive the benefits of the Judicial Redress Act of 2015.
This analysis considers these intersecting issues in greater depth, and comes to the conclusion that Executive Order 13768 casts significant doubt on the viability of the limited privacy protections for non-resident aliens in the Judicial Redress Act of 2015. If so, the Judicial Redress Act of 2015 does not provide all EU citizens with the meaningful privacy protections that they expected. The effect may be to fatally undermine the Privacy Shield Agreement.
We begin by looking first at the Privacy Act of 1974 and then at the Judicial Redress Act of 2015.
Part I. Routine Privacy Act Activities
In Executive Order 13768 dated January 25, 2017, President Trump included a provision affecting the operation of the Privacy Act of 1974. The provision states:
Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
The Privacy Act referred to in the Executive Order is more properly cited as the Privacy Act of 1974. The Act establishes privacy rules for federal agencies that maintain records about individuals. The Act defines an individual as “a citizen of the United States or an alien lawfully admitted for permanent residence.” On the surface, the Act grants no rights to foreigners not lawfully admitted to the U.S. for permanent residence. Given the limits of the Privacy Act of 1974, what is the effect of E.O. 13768?
Prior to the new Executive Order, agencies traditionally took a nuanced approach to the application of the Privacy Act of 1974 to non-resident foreigners. The original OMB Guidelines on the Act “encouraged” agencies to treat systems of records covering both citizens and nonresident aliens as if they were, in their entirety, subject to the Act. This approach allowed nonresident aliens to exercise some rights (e.g., access and amendment) under the Act. However, a nonresident alien could not enforce those rights through the courts because any discretionary granting of rights by federal agencies did not and could not extend to the Act’s civil remedies.
Under the Privacy Act of 1974, most provisions apply to records maintained by federal agencies in systems of records. Some systems are mixed systems in that they include records about both U.S. citizens and foreigners. Some agencies treat all information in mixed systems as being subject to the Privacy Act of 1974, either as a matter of law (with respect to citizens and resident aliens) or as a matter of discretion (with respect to non-resident aliens). For example, the Department of Homeland Security extends administrative Privacy Act protections to all individuals, regardless of citizenship, when a Privacy Act of 1974 system of records includes information on U.S. citizens, lawful permanent residents, and visitors. Other agencies do the same, some noting the discretionary policy in systems of records notices and others applying it simply as a matter of practice.
In a similar vein, when an agency exempts a system of records from some provisions of the Act, agencies sometimes allow an individual (both U.S. citizen and non-resident alien) to exercise a right as a matter of discretion. For example, an agency might grant an individual (citizen or not) access to a record in a system of records that the agency exempted from the access requirement if the agency decides that allowing access in that case would not undermine the purpose of the exemption.
Thus, agencies have, as a matter of practice, softened the sharp edges of the Privacy Act of 1974 in ways that serve both agency and individual interests. For example, it serves agency and individual interests alike to amend incorrect records used to make decisions about individuals. The Act’s provisions allowing individuals access to their records and the ability to seek amendment of those records are almost certainly the rights most used by non-resident aliens. By exercising discretion to give both non-resident aliens and U.S. citizens rights that cannot be formally enforced, agencies advance the goals of the law, serve agency interests, and meet individual needs where a strict interpretation denying rights would serve no purpose.
The Trump Executive Order takes a different approach and appears to direct agencies to “ensure” their privacy policies exclude non-resident aliens from the protections of the Privacy Act of 1974. While one can play with the words in an attempt to seek different conclusions, a simple reading suggests that agencies should no longer grant non-resident aliens rights under the Act as a matter of discretion as agencies have done since 1975.
To put it another way, it is apparent from the OMB Guidelines and other relevant documents that agencies may grant rights to non-resident aliens. Nothing in the Privacy Act of 1974 obliges agencies to reserve the right to exercise discretion or to actually exercise discretion, whether reserved or not. The President can direct executive agencies how to comply with the Privacy Act of 1974 within the boundaries of law, so a presidential order to withhold discretionary actions allowed by the Privacy Act of 1974 seems to be within the authority of the President. The President cannot direct independent regulatory agencies to comply, however, as independent regulatory agencies are not subject to presidential control.
The Executive Order says that agencies must ensure that their privacy policies exclude non-resident aliens. A fair reading suggests that the Order directs a change in published or other privacy policies because of the specific reference to privacy policies rather than privacy practices. The Order appears to direct agencies with policies that allow discretion to change those policies. It is less clear whether agencies whose policies are silent must amend the policies to affirmatively exclude the possibility of the exercise of discretion on behalf of non-resident aliens. Whether agencies with established written policies or system of records notices reflecting the discretionary policy must first change those policies or republish system notices before they stop granting discretion is also not entirely apparent.
Regardless of any publication requirements and because the intent of the Order seems clear, agencies seeking to comply with the Order should presumably stop taking discretionary actions under the Privacy Act of 1974 even if published policies allow the exercise of discretion. No agency policy that we know of establishes a formal procedure for seeking the exercise of discretionary authority under the Act, nor have we seen any binding published standards governing exercising discretion. As a result — and because the exercise of discretion by its very nature cannot be mandated — no non-resident alien has any apparent basis for complaint under the Act or the Executive Order as a result of an agency’s unwillingness to exercise discretion.
One problem that may arise relates to amendments of agency records. Consider a non-resident alien whose record held by an executive branch agency in a Privacy Act system of records contains an error (e.g., wrong nationality, birth date, etc.). If the alien seeks a correction, a strict reading of the Executive Order suggests that an agency could not correct the record at the request of the alien because that would be granting the individual a right not available to aliens under the Privacy Act of 1974, something that the Executive Order appears to expressly exclude. Whether the agency could find other authority requiring it to change the record might depend on the agency, the activity, and the circumstances. The Executive Order has a somewhat unclear exception that seems to allow an agency to grant Privacy Act of 1974 rights to non-resident aliens “to the extent consistent with applicable law.” It is not apparent whether “consistent with applicable law” means allowed by law, required by law, or something else.
One peculiarity about this circumstance arises if the agency holds the incorrect record in a system not subject to the Privacy Act of 1974. The agency could respond to a request and correct the non-Privacy Act of 1974 record because the Act is inapplicable and because a correction would not grant the non-resident alien a right protected by the Act. The inconsistent result here is striking.
Part II: The Judicial Redress Act and the U.S. — EU Privacy Shield Agreement
A more complex potential consequence of President Trump’s Executive Order is its effect on a recent agreement between the U.S. and the European Union. As a consequence of the 1995 EU Data Protection Directive, the export of personal data from EU member states to third countries is subject to strict regulation. Because the data export limits created problems for American businesses and consumers who wanted personal data exported from the EU to the U.S., the two governments established a Safe Harbor Agreement in 2000. Under the agreement, many U.S.-based businesses could voluntarily subscribe to the agreement and then export personal data to the U.S. The Safe Harbor agreement has a long history not relevant here. In 2016, the European Court of Justice ruled the Safe Harbor agreement invalid.
The two governments negotiated a replacement agreement — called the Privacy Shield — to accomplish the same general purpose of allowing complying businesses to export personal data to the U.S. from Europe. The details are, for the most part, not directly relevant here.
One of the sticking points in negotiating the Privacy Shield Agreement was the absence of enforceable privacy rights for EU citizens in the U.S. under the Privacy Act of 1974. As the first section of this analysis showed, rights for non-resident aliens were discretionary and unenforceable. In order to address the lack of rights under the Privacy Act of 1974, Congress enacted the Judicial Redress Act of 2015. The purpose of the Judicial Redress Act was to extend Privacy Act of 1974 remedies to citizens of designated countries. The rights granted by the Judicial Redress Act are not the full range of rights available to U.S. citizens under the Privacy Act of 1974, but the rights granted have enforceability in U.S. courts. The details are not relevant here. Regardless, the EU appears to have accepted the Judicial Redress Act as a meaningful response to the problem of enforceable rights for EU citizens.
The question presented by the Trump Executive Order is whether the Judicial Redress Act of 2015 survives the Executive Order.
The Judicial Redress Act of 2015 grants rights only to citizens of covered countries. A covered country must meet several requirements, but the details, which are not important to the argument here, are described in a footnote. What is important is the process for designation of a covered country.
The Judicial Redress Act of 2015 gives the Attorney General the authority to designate what nations qualify as a covered country. The Act provides:
The Attorney General may, with the concurrence of the Secretary of State, the Secretary of the Treasury, and the Secretary of Homeland Security, designate a foreign country or regional economic integration organization, or member country of such organization, as a ‘covered country’ for purposes of this section if…
The key word here is may. The Attorney General may designate a country as a covered country. The Judicial Redress Act of 2015 does not require that the Attorney General designate a country as a covered country, even if that country meets all the requirements of the law. It gives the Attorney General the discretion to designate a country as a covered country. The Attorney General could also decide not to so designate a country meeting all the requirements. Designation is a discretionary act on the part of the Attorney General, and the Judicial Redress Act of 2015 does not establish any standards for the exercise of that discretion. The law could have directed the Attorney General to designate a qualifying country by using the verb shall.
The distinction here between may and shall is clear from other provisions of the Judicial Redress Act. The Act only allows citizens of designated countries to enforce their Privacy Act of 1974 rights against a designated federal agency or component. It is up to the Attorney General to decide what qualifies as a designated federal agency or component. The law assigns this task to the Attorney General using the verb shall, meaning that it is an obligation that the Attorney General must carry out:
(e) Designation of Designated Federal Agency or Component. —
(1) In general. —
The Attorney General shall determine whether an agency or component thereof is a ‘designated Federal agency or component’ for purposes of this section. The Attorney General shall not designate any agency or component thereof other than the Department of Justice or a component of the Department of Justice without the concurrence of the head of the relevant agency, or of the agency to which the component belongs.
(2) Requirements for designation. — The Attorney General may determine that an agency or component of an agency is a ‘designated Federal agency or component’ for purposes of this section, if —
(A) the Attorney General determines that information exchanged by such agency with a covered country is within the scope of an agreement referred to in subsection (d)(1)(A); or
(B) with respect to a country or regional economic integration organization, or member country of such organization, that has been designated as a ‘covered country’ under subsection (d)(1)(B), the Attorney General determines that designating such agency or component thereof is in the law enforcement interests of the United States.
Paragraph (e)(2) reverts to using the verb may. The first paragraph says that the Attorney General must determine which agencies are designated agencies. The second establishes standards that the Attorney General may use to make the determination. Presumably, the Attorney General could apply the criteria in the second paragraph when making a determination and could apply other criteria as well. The Attorney General’s discretion appears broad.
Why are the verbs important? If the Attorney General exercises the discretion to designate a covered country, the citizens of that country acquire rights under the Privacy Act of 1974 as defined by the Judicial Redress Act of 2015. However, the new Executive Order directs agencies to ensure that their privacy policies exclude non-resident aliens from the protections of the Privacy Act of 1974.
One reading is that the Executive Order prohibits the Attorney General from taking an action that gives rights under the Privacy Act of 1974 to non-resident aliens. If so, then the Judicial Redress Act of 2015 becomes a nullity because the President has directed all federal officials not to take discretionary actions that grant privacy rights under the Privacy Act of 1974. Because of the importance of the Judicial Redress Act of 2015 to the EU’s acceptance of the Privacy Shield, it appears possible and perhaps likely that the EU would withdraw its approval of the Privacy Shield if this reading is correct.
The Privacy Shield may be saved, at least in part, because Obama Administration Attorney General Loretta Lynch took steps to designate the member states of the EU as covered countries before she left office. That is a completed action. The Judicial Redress Act of 2015 has a procedure for removing the designation of countries that turns on specific statutory factors and appears to be unaffected by the Executive Order. However, the Attorney General’s action does not currently cover Denmark, Ireland, and the United Kingdom, which the Attorney General identified as countries “anticipated” to be designated. Whether these countries could eventually be designated given the limit in the Executive Order is unclear, as is the status of the Privacy Shield if it covers only some but not all EU member states. Another obvious point is that an Attorney General restricted by Trump’s Executive Order cannot extend the protections of the Judicial Redress Act of 2015 to other countries, such as Canada, Japan, and Australia. That may not matter to the Privacy Shield Agreement, but it may matter to U.S. allies who do not want their citizens to receive third-class privacy treatment in the U.S.
Another reading is that the phrase “to the extent consistent with applicable law” somehow incorporates the Judicial Redress Act of 2015 and thereby saves the Privacy Shield Agreement. The words are too uncertain to interpret with any confidence, however.
Another possibility is that the Attorney General could simply “interpret” the Executive Order, on any grounds that the Attorney General chooses, so as to save the Judicial Redress Act of 2015. It would be clearer, perhaps, if the President revised the Executive Order to the same end or otherwise indicated an intent to save the Judicial Redress Act of 2015.
Without a clear statement, however, it is difficult to be certain of the effect of the Trump Executive Order on the Judicial Redress Act of 2015. The Judicial Redress Act of 2015 already includes a number of provisions that allow the United States to stop the judicial pursuit of Privacy Act of 1974 rights by a non-resident alien from a covered country. The Attorney General could remove the designation of the alien’s country as a covered country or could remove the designation of the federal agency or component as a designated federal agency or component.
There may be no need for the United States to rely on President Trump’s Executive Order to stop an unwanted lawsuit. However, the possibility remains that the Executive Order has already made, or could be used to make, the Judicial Redress Act of 2015 ineffective and thereby undermine a major element of the Privacy Shield Agreement. Further, the possibility that a future Executive Order could undermine privacy protections enacted into law in response to EU concerns, by regulating the exercise of discretion by the Attorney General, might well leave EU member states questioning the value of legislation that the President could effectively change at any time.
The Privacy Shield Agreement faces a number of challenges and uncertainties not relating to the Executive Order. It is possible, for example, that the European Court of Justice could find the Agreement invalid in the same way that it found the Safe Harbor Agreement invalid. The issue raised by President Trump’s Executive Order is just an additional uncertainty, and it is impossible to say whether the European Court will take notice of the Order.
While it seems unlikely that the Trump Administration expressly sought to undermine the Privacy Shield Agreement and its concomitant benefits for American businesses, it is possible that the Privacy Shield could be collateral damage. Regardless of whether the Privacy Shield Agreement was unintentionally undermined by poor drafting of the Executive Order, or a lack of foresight and consultation, Executive Order 13768 nevertheless casts doubt on the viability of the limited privacy protections for non-resident aliens in the Judicial Redress Act of 2015. If so, the Judicial Redress Act of 2015 does not provide all EU citizens with the meaningful privacy protections that they expected. The effect may be to fatally undermine the Privacy Shield Agreement.
E.O. No. 13768, Enhancing Public Safety in the Interior of the United States, 82 Fed. Reg. 8799 (Jan. 30, 2017), https://www.gpo.gov/fdsys/pkg/FR-2017-01-30/pdf/2017-02102.pdf.
Office of Management and Budget, Privacy Act Implementation, 40 Fed. Reg. 28948, 28951 (July 9, 1975) (“Files relating solely to nonresident aliens are not covered by any portion of the Act. Where a system of records covers both citizens and nonresident aliens, only that portion which relates to citizens or resident aliens is subject to the Act but agencies are encouraged to treat such systems as if they were, in their entirety, subject to the Act.”).
See, e.g., Department of Health and Human Services, ORR Division of Children’s Services Records (09–80–0321), 81 Fed. Reg. 46682 (July 18, 2016), https://www.gpo.gov/fdsys/pkg/FR-2016-07-18/pdf/2016-16812.pdf [“The Privacy Act applies only to U.S. persons (citizens of the United States or aliens lawfully admitted for permanent residence in the United States). As a matter of discretion, ORR will treat information that it maintains in its mixed systems of records as being subject to the provisions of the Privacy Act, regardless of whether or not the information relates to U.S. persons covered by the Privacy Act. This implements a 1975 Office of Management and Budget (OMB) recommendation to apply, as a matter of policy, the administrative provisions of the Privacy Act to records about non-U.S. persons in mixed systems of records (referred to as the non-U.S. persons policy).”].
Individuals often use the Freedom of Information Act, 5 U.S.C. § 552, https://www.law.cornell.edu/uscode/text/5/552, to seek access to their own records. The FOIA allows “any person” to make a request without regard to the nationality of the requester. The FOIA is a useful alternative to the Privacy Act of 1974 for citizens and non-resident aliens alike seeking access to their own records, but the FOIA and the Privacy Act of 1974 have different exemptions, so information may be available under one law but not under the other. Also, the FOIA has no equivalent to the amendment provision in the Privacy Act of 1974.
A later policy issued by President Obama reinforced the notion of addressing the privacy rights of all individuals, including non-resident aliens. Presidential Policy Directive on Signals Intelligence Activities (PPD-28) (Jan. 17, 2014), https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities#_ftn8. The Obama policy directed the intelligence community “to protect the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside.” The policy did not mention the Privacy Act of 1974 specifically, and it did not appear to apply to federal agencies beyond the intelligence community. The Obama policy is generally consistent with the original OMB Guidelines, but the policy did not create any formal rights.
One can question the wisdom of writing a rule that expressly denies the ability to exercise discretion in all cases. If a compelling case arose that otherwise justified a discretionary release or amendment of a record, an agency would be required to seek a change in the Executive Order first and then to amend its rule, a process that could take a long time to accomplish. An alternative presidential order could have told agencies not to exercise discretion without the approval of a high agency official or only after following a specified agency approval process.
Whether anyone could complain that an agency exercised discretion in a discriminatory way that violated Equal Protection or a civil rights statute is not explored here, since the Executive Order seems to make the question moot.
A collection of records with personal information only about non-resident aliens would not be subject to the Privacy Act of 1974.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1995), http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046. The Directive is soon to be replaced by the General Data Protection Regulation, but the data export controls will be much the same. See http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52012PC0011.
See generally the European Commission’s webpage on the Privacy Shield agreement, http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm.
The limits of the Judicial Redress Act are underscored by the small number of federal agencies and components designated by Obama Administration Attorney General Loretta Lynch. See 82 Fed. Reg. 7860 (Jan. 23, 2017), https://www.gpo.gov/fdsys/pkg/FR-2017-01-23/pdf/2017-01381.pdf. Only 13 agencies or components were designated. Citizens of designated countries have no Privacy Act of 1974 rights at other agencies.
A country is a ‘covered country’ for purposes of the Judicial Redress Act of 2015 if –
“(A) (i) the country or regional economic integration organization, or member country of such organization, has entered into an agreement with the United States that provides for appropriate privacy protections for information shared for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses; or
(ii) the Attorney General has determined that the country or regional economic integration organization, or member country of such organization, has effectively shared information with the United States for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses and has appropriate privacy protections for such shared information;
(B) the country or regional economic integration organization, or member country of such organization, permits the transfer of personal data for commercial purposes between the territory of that country or regional economic organization and the territory of the United States, through an agreement with the United States or otherwise; and
(C) the Attorney General has certified that the policies regarding the transfer of personal data for commercial purposes and related actions of the country or regional economic integration organization, or member country of such organization, do not materially impede the national security interests of the United States.”
Id. at § (d)(1)(A).
Id. at § (e).
82 Fed. Reg. 7860 (Jan. 23, 2017), https://www.gpo.gov/fdsys/pkg/FR-2017-01-23/pdf/2017-01381.pdf.
Judicial Redress Act, § (d)(2): “Removal of designation. — The Attorney General may, with the concurrence of the Secretary of State, the Secretary of the Treasury, and the Secretary of Homeland Security, revoke the designation of a foreign country or regional economic integration organization, or member country of such organization, as a ‘covered country’ if the Attorney General determines that such designated ‘covered country’ —
(A) is not complying with the agreement described under paragraph (1)(A)(i);
(B) no longer meets the requirements for designation under paragraph (1)(A)(ii);
(C) fails to meet the requirements under paragraph (1)(B);
(D) no longer meets the requirements for certification under paragraph (1)(C); or
(E) impedes the transfer of information (for purposes of reporting or preventing unlawful activity) to the United States by a private entity or person.”