New US president Donald Trump has signed, as well all know, a number of executive orders in his first few weeks in office.
Buried in one of them is a line around data privacy which could emerge to be a major headache for global OTAs, airlines, adtech firms and technology suppliers.
The paragraph appears in the “Enhancing Public Safety in the Interior of the United States” order, which contains the new administration’s approach to enforcing existing laws in terms of illegal aliens. It says:
“(RE: Privacy Act) Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
In the context of enhancing public safety, the note can be read as a fairly straightforward green light for “agencies” to be allowed access to information which, under the current US Privacy Act, they are not entitled to.
But “privacy” is a legal minefield, particularly in a cross-border context. Some countries place a higher moral and legal value on the privacy of personal data than others.
The relationship between the US and the European Union on this matter has always been controversial. In the aftermath of 9/11, for example, the US authorities demanded data from European airlines which contravened EU legislation at the time.
A compromise was reached, and data sharing between US and European government and business was formalised in the so-called Safe Harbor agreement which was in turn replaced in 2016 by the much-more-exciting-sounding Privacy Shield.
With Trump looking to selectively rewrite the Privacy Act, could he also turn his attention to the Privacy Shield, threatening “the new framework [which] protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States, as well as bringing legal clarity for businesses relying on transatlantic data transfers”?
The European Commission is on the case. In an emailed statement, a Commission spokesperson confirmed that “we are aware of the executive order on public safety” but said “the US Privacy Act has never offered data protection rights to Europeans.”
Those rights for European individual and businesses are part of the Privacy Shield.
However, the situation is complicated by the EU-US Umbrella Agreement, which enters into force this week and “which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts”.
Justice Commissioner Vera Jourová said: “I need to be reassured that Privacy Shield can remain. I need to have reconfirmation that there is continuity.”
Her wanting reassurance is a sign that, at the highest level, the European Commission is unsure where Trump is going with this new approach to personal and commercial data privacy. And if the European Commission is concerned, so should a lot of the travel industry.