Doing business in Europe? Trump just screwed that up

Trump executive order threatens data-sharing agreements that grease the wheels of digital commerce and help in the prevention of terrorism

Doing business in Europe? Trump just screwed that up

In his first fortnight in office, President Trump has shown himself willing to upend precedents and protocols. He may also have shredded the basis for a data-sharing framework that U.S. businesses -- particularly tech companies -- rely on to facilitate transatlantic digital services worth $260 billion per year.

Among the executive orders that newly inaugurated Trump signed in a flurry of activity was Enhancing Public Safety, primarily aimed at setting deportation priorities and punishing sanctuary cities. But buried in the order is a section that threatens to torpedo the EU-U.S. data-sharing agreement known as Privacy Shield, as well as the U.S.-EU Umbrella Agreement, which covers exchanges of personal data for the purposes of preventing and investigating crime and terrorism.

Section 14 of the order specifically strips all people who are not U.S. citizens of privacy protections:

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

That clause was enough to throw E.U. officials into a panic, with the European Parliament's rapporteur on data protection, Jan Philipp Albrecht, tweeting: "If this is true @EU_Commission has to immediately suspend #PrivacyShield & sanction the US for breaking EU-US umbrella agreement."

A primer in data sharing

The Privacy Shield framework "greases the wheels of digital commerce." It enables companies to transfer the personal data of Europeans to the United States, while ensuring compliance with Europe's stringent privacy laws. It effectively enforces EU privacy standards, regardless of whether the data is "sitting on a server in Paris, France or Paris, Texas," says Engadget.

More than 1,500 U.S. companies, including Apple, Google, Facebook, Twitter, and Microsoft, have voluntarily agreed to abide by Privacy Shield. They do so not out of an altruistic respect for data privacy, but because without that authorization framework they would be operating in a legal gray zone. There are other mechanisms for transatlantic data transfers, but they are more complex and costly to comply with, and their legality has been called into question.

A previous data-sharing agreement, known as Safe Harbor, had been in effect for 15 years before it was struck down by European Courts in the wake of revelations about NSA spying on transatlantic communications. Privacy Shield was rapidly crafted to fill that void.

During negotiations on the agreement, then-President Obama gave the EU written assurances in the form of a presidential policy directive that ruled out the indiscriminate mass surveillance of Europeans' data by U.S. national security agencies. "Obama's extension of privacy protections to non-U.S. citizens was lauded as a very positive step by EU officials during the Privacy Shield negotiations," noted TechCrunch. "The arrival of Trump could really put the cat among the Commission's pigeons."

In the room where it happens

It's unclear whether Trump's administration was even aware of the ramifications of the privacy clause. Two people familiar with the situation told Politico that Trump aides didn't consult with agency officials who had hashed out the data-sharing agreements before he signed the executive order.

"It's just a stick they're beating foreigners with, without giving any thought to the diplomatic repercussions," said a federal official who requested anonymity because the Trump administration has prohibited talking to journalists. "If agencies and Congress had been consulted or even given a heads-up, we would've been able to deal with this proactively, and it wouldn't have been an issue that ginned up the Europeans."

Regardless of intent, an order that could strip away Europeans' privacy rights strikes at the very heart of Privacy Shield's protections. At a privacy conference in Brussels, EU officials reiterated that if adequate protection for EU citizen's personal data could no longer be guaranteed, then the framework would have to be suspended.

Fuel for the fire

Privacy Shield is already being challenged in European courts with claims that it insufficiently protects the privacy of Europeans' data. But the EC had said it was satisfied with Obama's assurances that access to personal data would be "limited to what is necessary and proportionate." Now Trump, with a hastily drafted and seemingly ill-thought-out order, has thrown fuel on the fire and given ammunition to Privacy Shield and Umbrella Agreement opponents.

In an effort to calm the situation, the European Commission rushed to put out a statement, saying, "We are aware of the executive order on public safety. [But] the U.S. Privacy Act has never offered data protection rights to Europeans." Rather, a spokeswoman for the European Commission told TechCrunch, Privacy Shield is protected by the JRA (Judicial Redress Act), adopted by the U.S. Congress last year, which extended the benefits of the Privacy Act to Europeans and gives them access to U.S. courts.

U.S. government officials are also scrambling to reassure companies and European allies. Amid the confusion, Rep. Jim Sensenbrenner (R-Wis.), who sponsored the JRA, attempted damage control. "I urge our European allies to be patient as we transition into the new Administration. In particular, I think the reaction to President Trump's new executive order is overblown," Sensenbrenner said in a statement to Politico. "It would take an act of Congress to repeal [the JRA] and there is no effort I'm aware of in either Congress or the Administration to do so.... The Privacy Shield and the Umbrella Agreement are important pillars supporting the transatlantic relationship. I am prepared to defend them if they're challenged."

(One disquieting sidebar to that assurance: The only vote against the Judicial Redress Act in the Senate Judiciary Committee came from Jeff Sessions, Trump's pick for attorney general.)

While the order may not remove any rights directly afforded by Privacy Shield, it adds unnecessary uncertainty around the deal, which is up for a scheduled review by the EC this spring. "Even the suggestion that the administration is cutting back privacy protections for Europeans could be damaging in the ongoing litigation over Privacy Shield's validity," says Lawfare.

What happens if the privacy shield shatters?

Many U.S. businesses found their activities hamstrung after the demise of Safe Harbor, and they clamored for a new deal to be approved. If "America first" crushes Privacy Shield, it would mean a return to legal uncertainty for American businesses.

"U.S. companies will need to comply with individual European countries, [each EU country has its own data privacy czar to enforce laws] rather than engage in uniform compliance for entering the European market," Four Oh Four writes. "Companies already established will have a headache but with a significant legal budget they can engage in this kind of compliance work. New companies and startups likely won't enter the European markets as easily."  

On the same day that Trump signed the executive order, Brookings reposted a Lawfare blog in defense of Privacy Shield, "because it is vital to transatlantic digital trade and ecommerce." According to the blog's authors:

Digital trade and the information economy are subject to rampant protectionism and increasing balkanization. There is a growing array of regulatory barriers to digital services and the flow of data across all sectors. Data localization measures that require data to be kept inside the country of origin and other restrictions on the flow of information across borders amount to virtual tariffs that threaten U.S. trade and commerce. U.S. information technology and internet companies are hardest hit. The new administration should take care not also to discard the Privacy Shield framework.

Perhaps it could also take care to consider some of the long-reaching effects of executive orders before they are signed.

Copyright © 2017 IDG Communications, Inc.

How to choose a low-code development platform