Buried deep within the executive order on immigration policy that President Trump issued Wednesday is a section that significantly alters the way that the Privacy Act will be applied going forward.
A small section of the executive order, which mostly focuses on changes to immigration policy and enforcement, lays out a change that will force federal agencies to rewrite their privacy policies to make sure that anyone who isn’t a U.S. citizen or permanent resident isn’t covered by the policy.
“Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” the order says.
The change to the Privacy Act excludes non-US persons from protections under the law.
The change means that any PII collected from people who aren’t citizens or permanent by government agencies isn’t protected by the Privacy Act. In most cases, privacy policies don’t make distinctions between citizens and permanent residents on the one hand and non-U.S. persons on the other. Policies are designed to protect people against agencies and organizations mishandling or disclosing their personally identifiable information without notification or permission.
Privacy and legal experts say the change is a signal from the Trump administration that it intends to move away from the privacy policies Barack Obama established during his administration.
“It’s not something we expected to see in an immigration order and it’s important to take note of because it specifically highlights the fact that we have yet to take action to extend legal protections to citizens of other countries. It really importantly applies only to the Privacy Act protections and it’s saying that they’re limiting the protections afforded to non-U.S. persons, and that’s significant in and of itself,” said Amie Stepanovich, U.S. policy manager at Access Now.
The Privacy Act is more than 40 years old and hasn’t changed significantly in that time. This policy change is a significant one, as the federal government now collects a good amount of information on non-U.S. persons, which wasn’t necessarily the case when the law was written.
“The previous administration had taken steps to open up privacy protections to citizens of other countries, and this walks that back,” Stepanovich said. “The constitutional and legal rights afforded to people in the United States will survive this order because it includes the necessary exemption that it’s subject to applicable law.”
Stepanovich added that the change may well affect the Privacy Shield agreement between the U.S. and the European Union and Switzerland. That pact allows companies to transfer data between countries while still complying with data protection and privacy laws.
“This should be considered by Europeans a slap in the face for the Privacy Shield agreement that we entered into last year. This creates a new challenge,” she said.