In the struggle between national security and individual privacy, President Trump has made it clear that he chooses security. What does this mean for the rest of the world?
Just as it seemed the EU was finally managing to hoist U.S. companies up into higher standards for data protection, along comes a new administration to change everything. During his first week in office, President Trump signed an executive order that essentially unravels years’ worth of government and business negotiation toward better protection for data collected in Europe.
The reason? It’s no less than national security. To quote the executive order itself, “Many aliens who illegally enter the United States and those who overstay or otherwise violate the terms of their visas present a significant threat to national security and public safety.”
And how will the new order address that threat? Partly by altering the privacy rights of non-U.S. citizens, even though they may never set foot on U.S. soil. Sec. 14, entitled “Privacy Act”, states, “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Our country needs strong borders and extreme vetting, NOW. Look what is happening all over Europe and, indeed, the world – a horrible mess!
— Donald J. Trump (@realDonaldTrump) January 29, 2017
What’s at Stake: the EU-US Privacy Shield
There’s a lot at stake here. Data transfer frameworks are a key policy issue these days and for many in the U.S., the topic suddenly came alive after Trump was inaugurated. The way companies like Facebook collect, handle, and store personal data on millions of users has been a hot topic of discussion and regulation for years now but only recently has it permeated the consciousness of the general public in the U.S.
But here comes President Trump to put a spotlight on the heart of the matter for everyone to see: security vs. privacy. It may as well be “security or privacy”. Framed this way in no uncertain terms as a dichotomy – an “either-or” proposition, the whole issue of data transfer and privacy rights is now cast in an “us against the terrorists” framework. It’s a sentiment it seems Trump supporters can clearly understand and get behind.
Others, including major blue-chip businesses, see the issue in a different light. This new development directly threatens an important agreement between the U.S and the EU, called Privacy Shield. Privacy Shield essentially holds U.S. companies to data privacy standards that rival the ultra-tight protection that’s already in place for EU citizens’ data.
Big Companies Were On Board, Too
Google, Apple, Amazon, IBM, and almost 1500 other companies were all set to uphold their end of Privacy Shield. They had signed an agreement under the guise of Digital Europe, a collective of tech companies who support the notion of stringent data protection policies like they have in the EU.
By signing, companies essentially promised to uphold EU-level protection of data they collect there. That means, no matter where collected data eventually winds up, EU citizens can feel confident their personal information is protected.
So, why doesn’t the United States have progressive data protection and privacy laws on the books yet?
“Mom, It’s Not Fair- All My Friends are Doing it!”
The problem here is governance. In the U.S., the Federal Communication Commission (FCC) has jurisdiction over Internet Service Providers (ISPs) but companies like Facebook and Google are regulated by a different agency, the Federal Trade Commission (FTC).
When either one of these agencies tries to toughen up regulations, those affected cry “unfair!” and point out how the other agency isn’t imposing such strict rules.
That’s exactly what happened when the new Broadband Consumer Privacy Rules were passed by the FCC. Imposed only last November, they require ISPs to ask for permission from users before they may share browsing data and other types of personal information with third-party organizations like advertising agencies.
In protest, ISPs point out that Google and Facebook don’t have to abide by strict privacy standards so why should they? But the FCC maintains there’s a clear answer to ISP’s protests of unfairness. Since consumers often face limited choices when it comes to who they hire to deliver their data, it’s only logical that ISPs should be held to tougher privacy standards. The ISP industry isn’t exactly teeming with a multitude of competitors.
It’s a case of two governing bodies setting different rules with different levels of stringency. Compare it to different sets of parents who set varying degrees of limitations on their children. Once the kids get wind of how “lenient” their friends’ parents are, all bets are off and you’ve got a mess on your hands. It’s going to be that much tougher to enforce your rules.
This is the type of bickering that takes place when there’s no central authority, no over-arching regulatory body in place for settling matters on a national scale. The EU has it. Canada has it. But so far the United States has made no move toward forming a single, central authority on data protection and privacy matters.
The Rest of the World
For the rest of the world, it’s an uncertain future if you’re at all concerned with what happens to your personal information after you do business with a company in the United States. For the U.S., there could be negative repercussions for businesses who curry favor with customers in the EU. That may well be true for companies who want to take part in any type of international trade.
For the rest of the world, it’s perhaps a larger message, that for now at least, U.S. domestic security and immigration matters take precedence over the privacy rights of the rest of the world.
Marc-Roger Gagné CCIE, CHTI, CCII, CCTA, CIPP/G/C, CTFI, MAPP
Services Juridiques Gagné Legal Services
275 Slater St, Suite 943