President Trump Strips Privacy for Non-Citizens

With the furor over President Trump’s immigration ban reaching fever pitch around the nation, conversation around his many other executive orders has died down substantially–especially considering how many we’ve seen in the last few weeks.  However, these many orders have ushered in sweeping changes.  Among these changes, buried in one of these many orders, is a drastic change from recent years in how the protections of the Privacy Act apply to immigrants, refugees, and those abroad.

On January 25th, Trump issued an executive order titled “Enhancing Public Safety in the Interior of the United States.”  The order is primarily focused on changing policies as to how immigration laws would be enforced.  However, embedded within the order was a section which strips many of privacy rights.

Section 14 of the order, titled “Privacy Act,” reads as follows: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

The changes have the potential to remove privacy protections from not only green card, visa holders, and would be immigrants–but also citizens of every other county.  Thus, this order has led to serious concerns both in terms of the dangers created for some by this loss of rights and the potential to shatter treaty agreements with the EU undermine companies big and small doing business abroad that requires data collection.  In order to explore both these concerns, let’s first look at privacy rights and what exactly the Privacy Act itself does.

Understanding the Privacy Act and Privacy Rights

The Supreme Court has ruled that the constitutional right to privacy is implied through a combination of the 1st and 14th Amendments.  However, the exact breadth of this right is a bit more amorphous.  The privacy rights you have are mostly a product of combination of federal statutes and state law–most notably in Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina and Washington where the right to privacy is guaranteed by the state constitutions.  Among the federal statutes guaranteeing privacy rights, the U.S. Privacy Act of 1974 provides some of the broadest protections.

The Privacy Act prevents government agencies from disclosing personally identifiable information about U.S. citizens and lawful permanent residents without the consent of the person whose information they are disclosing.  Personally identifiable information is a concept which has seen many different definitions under the law.  However, here it can be understood to refer to information that, alone or in conjunction with other information, could be used to contact, identify, or find any given person.  The Privacy Act also allows a person to request access to information on them and request corrections to any mistakes.  There are a number of (occasionally quite broad) exceptions to these protections such as when the information is disclosed for law enforcement purposes, national security purposes, census taking, or congressional investigations.

While the Privacy Act doesn’t require the inclusion of people other than U.S. citizens or lawful permanent residents, since 2007 it has been the policy of the Department of Homeland Security and other agencies to extend its protections more broadly and include non-citizens.   In 2014, a policy directive signed by President Obama also imposed limits on the ability of U.S. agencies to use intelligence collected in bulk “whatever their nationality and regardless of where they may reside.”  Trump’s order rolls back the clock on these changes–and governments abroad have taken notice.

Privacy Shield: Potential Problems for Businesses Big and Small?

Among the governments keeping an eye on our changes in privacy policy, the EU is certainly going to be keeping a particularly close eye.  This is because, in the wake of the Edward Snowden leaks and many complaints to the European Court of Justice (ECJ) of privacy violations by companies such as Facebook, the ECJ decided in 2015 that the Safe Harbor arrangement between the EU and US was no longer valid.  These Safe Harbor Privacy Principles allowed U.S. companies whose business involved storing the data of EU citizens to operate without fear of lawsuit so long as they enacted policies complying with the principles.  Without these protections, over 1,500 businesses–including many of our largest tech giants–were left in legal limbo.

With so many businesses and so many jobs at risk, the U.S. was quick to begin negotiations to establish a new agreement setting up a framework of privacy policies within the U.S. that could restore the protections the Safe Harbor Privacy Principles provided.  Last year, these negotiations finally culminated into an agreement known as the EU-US Privacy Shield.

The Privacy Shield hinges on agreements by the U.S. to provide a certain level of privacy protection to EU citizens.  Trump’s order would, at least at first glance, remove these protections–at least when it comes to the Privacy Act.  This has understandably led to concern and outcry from businesses worried that order has, in its haste, torpedoed the Privacy Shield and their businesses along with it.

Fortunately, this is not the case.  The reason being that the order acts “consistent with applicable law;” as it must because executive orders do not have the power to overturn laws enacted by Congress.  When it comes to the Privacy Shield, that applicable law is the Judicial Redress Act.  This Act specifically extends the protections of the Privacy act to citizens of 26 countries, including the EU, and provides access to U.S. courts should they need to sue over any violations.  The order cut it close however–the protections of the Judicial Redress Act were signed into effect by the previous Attorney-General just three days before Trump took office and only truly became law on February 1st of this year.

EU officials have made statements announcing that the Privacy Shield is not affected by rights under the Privacy Act–instead relying on the Judicial Redress Act.  However, they have made it very clear that Trump’s executive order has raised alarm bells and that they will be keeping a close eye on how privacy rights develop within the U.S.  This means that, even though this particular order hasn’t set businesses adrift just yet, if your business operates internationally through the internet–specifically if it services EU citizens–it’s going to be very important to keep an eye for any developments when it come to Privacy Shield protections.

Dreamers in Danger

While the Privacy Shield may not be in danger, the order certainly strips privacy protections from many individuals.  In some cases, this loss of protection has created a particularly awful situation–the potential to turn a dream into a nightmare.

Dreamers is a term commonly used for those who would be granted citizenship under the Development, Relief, and Education for Alien Minors Act or DREAM act.  The act, which would have provided a path to legal citizenship to younger illegal immigrants brought to the U.S. as child, has been introduced in Congress several times but has never succeeded in becoming law.  However, in 2012, President Obama implemented the Deferred Action for Childhood Arrivals (DACA) program through a policy directive.  The directive allowed those who might have applied for citizenship under a DREAM act to instead apply for a stay on deportation.  The act also provided those who applied to receive a social security number and apply for a work visa.  Those who applied under the directive where called Dreamers and over 700,000 people benefitted from DACA.

However, applying for DACA requires an applicant to provide quite a bit of personal information–from addresses and phone numbers to what school the young person attends.  Under Trump’s executive order, all protections on this information have been stripped away.  Immigration and Customs Enforcement need only ask to access information provided in hopes of obtaining a visa and turn that information towards deporting those people.

Uncertain Orders Affecting Sweeping Areas of Law

President Trump’s order has, much like his immigration ban, applied broad strokes to complicated areas of law and left the public puzzling over its exact breadth and struggling to pick up the pieces.  For example, it’s still unclear whether this order is meant to revoke privacy rights for people around the country with dual citizenship.  As time passes, lawsuits will certainly develop to figure out the exact boundaries of this order.  However, for now, we are simply left to assume the broadest possible interpretation–stripping privacy rights from an enormous number of people–from foreign students to refugees to dreamers.