Trump Executive Order Minimizes U.S. Privacy Act Protections for Non-U.S. Citizens

U.S. President Trump's recent executive orders have received significant attention. Among the recent changes, the January 25 executive order, Enhancing Public Safety In the Interior of the United States, includes a provision relating to the security of personal information of non-U.S. citizens held by U.S. departments or agencies. Specifically, the order states:

Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information. 

What You Need To Know

• U.S. government executive departments and agencies are expected to exempt personal information of individuals who are not U.S. citizens or permanent residents from federal public sector Privacy Act protections.
• These public sector agencies may be required to alter or apply their privacy policies differently to personal information about non-U.S. citizens/residents. This means that the information of non-U.S. citizens/residents would not be subject to the safeguards of use and disclosure of personal information by the U.S. government that may be afforded to U.S. citizens.
• Importantly, the potential reduction of either formal or practical safeguards around the personal information of foreign citizens will depend on executive agencies’ interpretations of the extent to which Privacy Act protections for personal information are required by "applicable law" as referenced in the order.

Although the order could have implications for personal information of Canadian citizens held by U.S. executive departments or agencies, in practice, the order is unlikely to have a significant impact on the privacy practices of Canadian businesses. The Office of the Privacy Commissioner of Canada addressed concerns raised several years ago about foreign government access to Canadians’ personal information when such information is transferred outside of Canada. As a result, Canadian organizations subject to the Personal Information Protection and Electronic Documents Act must give notice to Canadians if their information will be transferred or processed outside of Canada, and must inform individuals that the laws of other jurisdictions may not have the same protections for personal information as those of Canada. Therefore, the standard notices provided by Canadian organizations to their customers and employees likely already address the risk that personal information in the possession of public agencies may be disclosed without consent.

Impact Beyond Canada

This order will impact the nascent EU-US Privacy Shield framework. That framework is intended to provide legal protections for personal information of individuals in the EU that is transferred to the U.S. The Privacy Shield is meant to address the revocation of the previous Safe Harbor principles, overturned by the European Court of Justice in 2015 for failing to adequately protect the rights of European citizens. Because a central tenet of the Privacy Shield relates to safeguards preventing the U.S. government's access to personal information of Europeans, the order may jeopardize the European Commission's approval of this new framework.

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2024 by Torys LLP.

All rights reserved.