The death of Privacy Shield has probably not been exaggerated - Donald Trump disables privacy for non-US citizens

I have never been very happy about Privacy Shield as a get-out-of-gaol-free card for storing the Personally identifiable information (PII) for EU citizens in US databases. Now, if this report in El Reg is correct, Donald Trump has just issued the death knell for Privacy Shield (only announced as recently as February 2016; see press release). What this means is that I expect that the EU will consider the USA an unsafe place to hold data that can be identified with a particular EU citizen and, by implication, could well extend this to the UK, if we are a close partner with the USA and its security services.

The key issue is in section 14 of an Executive Order, “Enhancing Public Safety in the Interior of the United States“: “Agencies [CIA, FBI, NSA etc] shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information”.

This could have a significant impact on our doing business with the EU and USA (as even information only concerned with EU transactions could be stored in a US datacentre, if a company also operates there) which is why we had Privacy Shield in the first place (and, by the way, that wasn’t an easy negotiation, and Privacy Shield is still “on probation”; EU data protection regulators already distrust US attitudes to privacy). It could certainly affect the design and governance of UK data processing.

Brexit isn’t really an issue here. Post-Brexit. the GDPR (the EU privacy law) still applies to UK companies trading in the EU. Theresa May has said that the GDPR will be incorporated into UK law, post-Brexit, and remember that the GDPR applies to EU citizens even outside the EU. So, anybody in the UK who wants EU customers post-Brexit has to comply with the GDPR anyway, regardless of whether May does a U-turn on the GDPR in UK law.

We could even be moving towards a situation where you might get prosecuted twice for a GDPR breach, once in the EU, and again in the UK, under its own independent GDPR regulations.

To put your mind at rest, at least your maximum exposure under GDPR is quite well-defined: “Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater” – Out-law.com. So that’s all right then.