Trump repudiates agreement with EU on PNR data
In a panel discussion Wednesday at the Computers, Privacy, and Data Protection conference in Brussels, Edward Hasbrouck of the Identity Project pointed out that both the so-called Privacy Shield and the EU-US agreement on transfers of Passenger Name Record (PNR) data from the European Union to the US government depend on non-treaty “promises”, “commitments”, “undertakings”, and executive orders by the Obama Administration.
These are not binding on President Trump, and there is no reason to expect Trump to do anything just because Obama said he would do it.
Quite the contrary: President Trump has no intention of continuing many of President Obama’s policies, and every intention of reversing many of them, even if he presumably will continue others, such as mass surveillance, profiling of US citizens and foreigners, and reliance on executive orders to avoid the need for Congressional approval of his program.
“As of this week, with Trump’s inauguration, the EU-US PNR agreement and Privacy Shield are dead letters. The only question is whether the Trump administration will officially renounce them, or whether it will simply ignore them,” Hasbrouck told the audience at CPDP.
The answer came just a few hours later the same day, when President Trump issued an executive order including the following:
Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.
The US recognized privacy as a human right when it ratified the International Covenant on Civil and Political Rights:
1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence….
2. Everyone has the right to the protection of the law against such interference or attacks.
But as we have complained to the relevant UN treaty bodies, the US has flouted its obligations under this and other provisions of the ICCPR related to freedom of movement as a human right, and has provided no effective means of redress for these violations.
Instead, on this and other issues the US has acted as though there are no human rights, only privileges of US citizenship. President Trump’s executive order on privacy is only the latest official restatement of this longstanding and bipartisan US government position.
With this Presidential decree, the EU-US PNR agreement is dead.
The next question is when EU institutions will recognize this legal fact, and what they will do about it.
In later sessions at the CPDP conference, some EU and US officials and government advisors tried to argue that the Privacy Shield agreement (1) doesn’t depend on the Privacy Act, and (2) to the extent it does, is made “enforceable” by the Judicial Redress Act.
If this were true, Privacy Shield might not depend on the decision by administrative agencies — which President Trump has now forbidden — to allow foreigners the same “privileges” to which US citizens are entitled under the Privacy Act.
We don’t buy that argument, and neither should European travelers or EU officials. The exceptions and limitations in the Privacy Act, even as it applies to US citizens, make the Judicial Redress Act essentially useless.
Whatever the merits of this attempt to salvage the Privacy Shield agreement, it doesn’t apply to the EU-US PNR Agreement. The PNR agreement clearly and explicitly depends on administrative action in favor of foreign citizens which President Trump’s executive order has now foreclosed:
[A]ny individual, regardless of nationality, country of origin, or place of residence is entitled to request his or her PNR from DHS. DHS shall timely provide such PNR…
Any individual regardless of nationality, country of origin, or place of residence may seek the correction or rectification, including the possibility of erasure or blocking, of his or her PNR by DHS pursuant to the processes described in this Agreement….
Any individual regardless of nationality, country of origin, or place of residence whose personal data and personal information has been processed and used in a manner inconsistent with this Agreement may seek effective administrative and judicial redress in accordance with US law….
Any individual is entitled to seek to administratively challenge DHS decisions related to the use and processing of PNR….
In response to our requests and our lawsuit for access and an accounting of disclosures to third parties of PNR data about US citizens, the DHS exempted the ATS database in which it stores its mirror copies of PNRs from most of the requirements of the Privacy Act.
DHS has said that, as a matter of administrative discretion, it will still provide travelers with access to its copies of their PNR data.
Even for US citizens, that is a matter of administrative policy and/or discretion, not required by the Privacy Act or the Judicial Redress Act.
President Trump’s executive order allows the DHS to continue to provide some rights with respect to PNR data to US citizens, as a matter of administrative discretion. But it orders the DHS, like all other Federal agencies, to exclude foreigners from these administrative policies.
The exercise of administrative discretion to allow any non-US citizen to obtain an accounting of disclosures or to challenge PNR data or how it is used, which would be necessary for US compliance with the PNR agreement, is now prohibited by executive order.
The DHS can, and probably will, continue to provide some access to redacted PNR data under the Freedom of Information Act (FOIA) rather than the Privacy Act. But FOIA provides no procedure for requesting correction or deletion of records, or for finding out or challenging how they have been used or disclosed to third parties.
A person who asks for a copy of the PNR data for a reservation made in the EU and transferred to the DHS will probably receive some sort of answer under FOIA, regardless of their citizenship.
But a person who is not a US citizen or resident who requests an accounting of disclosures of that data by DHS to third parties, or the expungement or correction of that data, will be told (a) that no US law requires this even for US citizens (since the DHS database of mirror copies of PNRs has been exempted from the Privacy Act), and (b) that President Trump’s executive order prohibits the DHS from waiving this exemption, as a matter of administrative discretion or policy, in favor of anyone who is not a US citizen or US resident.
Questions have already been raised in the European Parliament regarding the implications of this Executive Order for Privacy Shield. Similar questions about the EU-US PNR agreement will be even harder to answer.
The EU-US PNR agreement is dead. What is the EU, and what are EU citizens and residents, going to do about that?
“President Trump repudiates agreement with EU on PNR data: Edward Hasbrouck analyses the effect of President Donald Trump’s Executive Order on privacy, and the future of the Privacy Shield”
(Privacy Laws & Business International Report, February 2017, issue number 145, ISSN 2046-844X, http://www.privacylaws.com):