Privacy Shield: cutting off data flows to spite your face

On the sixth day after the clock struck thirteen we learned that Donald Trump is willing to throw the tech industry under a bus in order to stage political theatre and get the database of refugees he wants.

Privacy Shield, the framework for data transfers between the EU and the US, is collateral damage.

We learned this in Section 14 of his Executive Order Enhancing Public Safety in the Interior of the United States issued last night. Section 14 reads:

Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

The Privacy Act of 1974 is the relatively small US statute on privacy and the use of personal data by federal agencies.

In 2014, as a result of the Snowden revelations, President Obama extended the Privacy Act with a piece of legislation called the Judicial Redress Act. This extended what little data protection safeguards there are for US citizens to non-US persons, and also gave them the right of appeal within the US justice system in the event of the misuse of their data.

Interestingly enough, the Judicial Redress Act does not even take effect in the EU until 1 February (six days from this writing).

The need for that right of redress was one of the main obstacles to getting a replacement for Safe Harbor up and running. With that in place, Privacy Shield could go forward. US companies which certified through the scheme could do business in Europe, and European businesses likewise could send their data to America.

Section 14 says to the extent consistent with applicable law. In this case, the Judicial Redress Act is the law. Privacy Shield is only a framework.

Put simply, no right of judicial redress means no Privacy Shield means no transatlantic data flows.

Your small digital agency cannot upload data to a cloud server in the US. Your multinational cannot store data on European citizens. Your app may not be able to accept European customers.

It now falls to the European Commission to examine the implications of Section 14 and to take action. They have said this tonight:

They have seemingly forgotten that the judicial redress which made Privacy Shield possible is an extension of the U.S. Privacy Act. They said so themselves at the time.

The U.S. Privacy Act and Privacy Shield stand or fall together like dominoes.

Update 27/01 9 AM

Here is the question we need to sort this morning.

On the American side, the Judicial Redress Act of 2015 grants Privacy Act remedies to the EU as a whole and to its 26 member states. That law was dated 17 January (Obama administration) but published in the Federal Register on 23 January (Trump administration) and takes effect on 1 February.

You see the problem there?

On inauguration day (last Friday) the White House issued a regulatory freeze (pdf) on Obama-era regulations which were in the pipeline of the legislative process.

The memorandum says:

 3.  With respect to regulations that have been published in the OFR but have not taken effect, as permitted by applicable law, temporarily postpone their effective date for 60 days from the date of this memorandum, subject to the exceptions described in paragraph 1, for the purpose of reviewing questions of fact, law, and policy they raise.  Where appropriate and as permitted by applicable law, you should consider proposing for notice and comment a rule to delay the effective date for regulations beyond that 60-day period.

The question then becomes whether this regulatory freeze applies to the Judicial Redress Act. If so, Privacy Shield is absolutely dead.

Legal ambiguity aside, three things are clear at this point.

One is that the tech industry must speak out. No transatlantic data flows means no ability to do business in Europe. No trust in data flows to America means no trust in America. It also means no protection for the industry in the face of executive data demands in the name of “public security”.

The second is the Tor project’s first principle for user protection in hostile states: do not rely on the law to protect systems or users. We knew it was going to be bad. But not this fast and not like this.

The third is that this is day six of four years.

For more coverage see TechCrunch, The Register, and Brookings.