digitaLiberties

Method in Trump’s madness?

A look at Donald Trump’s 'travel bans' with an eye to the harvesting of personal data, and the EU-US Privacy Shield, now on life support.

Elspeth Guild Sergio Carrera Didier Bigo
22 April 2017

Trump looks over Executive Orders on April 21, 2017. Ron Sachs/Press Association. All rights reserved.

On January 27, 2017, the US President issued an Executive Order entitled “Protecting the nation from foreign terrorists’ entry into the United States”.[1] The order suspended the admission to the US of nationals from seven countries – Iran, Iraq, Libya, Somalia, Sudan, Syria and Yemen – for a 90-day period. In addition, the order suspended the US Refugee Admissions Program for 120 days and placed a cap on the number of arrivals permitted in the fiscal year 2017. In another important move, the order requires the Department of Homeland Security together with the Attorney General to collect and publish, every 180 days, statistics on the number of foreign nationals charged with terrorism-related offences (or radicalised). The first travel ban also included a number of other grounds, which were removed from the second version.

The implementation of the Executive Order immediately resulted in substantial chaos in the travel industry as companies aligned their practices to the new reality of ‘non-admission’. It also sparked controversy in many parts of the country owing to the questionable legality of separating families and the constitutionality of the order itself. Several legal challenges were successfully waged in US trial courts, leading to a decision of the Court of Appeals for the 9th Circuit on February 9, which upheld the original decisions and refused to reverse the lower courts. The first plaintiffs in the matters were two states: Washington and Minnesota.

On March 6, the US President issued a new Executive Order[2] once again barring from entry into the US nationals of six countries – Iran, Libya, Somalia, Sudan, Syria and Yemen (Iraq had been taken off the list, a fact we will come back to shortly). Similarly to its predecessor, it suspended the refugee programme and ordered statistics on foreign offenders to be collected, but this time the argumentation for the selection of the six countries was (marginally) more sophisticated. A judge in Hawaii has already suspended the new Executive Order and at the time of writing it is not clear how far the US Government will appeal the matter.[3]

Despite the very considerable media coverage of the impact, effects and fate of the Executive Orders, there has been surprising silence about the core objective of the orders, as if the terminology ‘Muslim ban’, focusing on identity politics, has successfully distracted attention from the data harvesting objective of the order.

In fact, all countries which refuse to deliver the personal data of their citizens to the US could be put on the list. Therefore the objective is not to struggle against the state sponsors of terrorism, but to have an advantage regarding the harvesting of personal data in the world, in order to feed US intelligence agencies for many uses which may go far beyond the struggle against terrorism.

Section 3 of the January 27 order and Section 2 of the March 6 order are substantially the same. They state the purpose of the Executive Order and what the President seeks by these rather dramatic actions. The purpose is simple: to require foreign countries to provide information about their citizens as requested by the US authorities. The information that the US authorities seek about nationals of foreign countries is for the purpose of adjudicating an application by the person for a visa, admission or other benefits under the Immigration and Nationality Act. Specifically, it is to determine “whether the presence of an alien in the country or area increases the likelihood that the alien is a credible threat to the national security of the United States”.

It is not specified what information that may be, but it is information that is additional to what is already available to the US authorities. The purpose of the adjudication is to determine that the person is not a security or public-safety threat. The objective is to assess the credibility of the alien not on the basis of his or her actions, but through a correlation of travel undertaken by the individual and a profile generated by an algorithm, which the US authorities call a “threat assessment”.

What this means is that the individual becomes a part of a class of persons with whom he or she has no connection at all except that which the algorithm has determined. There is no question of a presumption of innocent behaviour here but rather the production of an algorithm of suspicion accumulating in different watchlists the number of persons to flag or to refuse at the borders, as subjects who are “potentially dangerous” and almost guilty by association without any efficient causality. The section in addition permits the Secretary of Homeland Security to require certain information from particular countries about their nationals but not from others (no equality among countries is required).

What do they want to know?

Nowhere in the Executive Order is it made clear what information the US authorities want states to provide to them about their own citizens. We know, however, that the US Congress amended the Visa Waiver Program on 18 December 2015 (under the Obama Presidency) and required all travellers of Visa Waiver Program countries (which includes most EU citizens) travelling to the US after 21 January 2016 who had been present in Iraq, Iran, Libya, Somalia, Syria, Sudan or Yemen at any time on or after 1 March 2011 to obtain a visa before travelling to the US.[4] The Commission also noted this change in its report on visa reciprocity in April 2016.[5]

Perhaps some of the additional information that the US authorities seek relates to the travel activities of other citizens. However it is not evident that states are aware of their citizens’ travel histories. It may be that governments become aware of where their citizens have been in the process of renewing or replacing their passports. Yet this is not always necessarily the case. Only travel agencies and airlines through their shared passenger name record (PNR) systems have solid evidence of where people have been. According to experts, there are only three major companies that process and store PNR: Amadeus, Sabre and Travelport (the latter consisting essentially of Worldspan and Galileo, both of which are part of Travelport but with separate operations).[6] Amadeus is based in Spain, and the other two are US companies.

Perhaps the US has in mind achieving with other countries a similar kind of cooperation as the one established by its authorities, under a 2013 agreement, between the UK, Northern Ireland and the US,[7] in which the UK shares all data on all persons (except US nationals) seeking authorisation to transit through, travel to, work in the UK or take up UK citizenship, including data from admissibility, immigration and nationality compliance actions. This includes personal data, statistical data or both. Via an exchange of notes on 29 September 2016,[8] the scope of the agreement was enlarged to include British citizens (EU citizens had already been included in the original 2013 agreement).

While citizens generally are not required to provide much in the way of documentation other than a passport to enter their own state, they may have to provide substantial amounts of personal data to sponsor third-country national family members or visitors. This information is also now freely available to the US authorities (on a reciprocal basis of course). But the US only has two such agreements in force: with Canada and the UK. Although in principle such agreements were to be concluded between the so-called ‘Five Eye countries’ (Australia, Canada, New Zealand, the UK and the USA), no agreement with the latter two countries has yet been concluded. It may simply be that the US has decided that negotiating such agreements requires too much time and has the disadvantage of requiring reciprocity, prompting the authorities to seek a more coercive way to encourage the “sharing” of personal data.

Convincing Iraq

Given that the objective of the first and second Executive Orders is to encourage states to provide the US with personal data about their citizens, have they been successful in achieving this objective? It seems so with the weakest. Between the first and the second Executive Order, the Iraqi government took steps to enhance travel documentation, information sharing and the return of Iraqi nationals subject to removal orders from the US (section 1(g) Executive Order 6 March 2017). This would seem to indicate that the threat of a blanket US travel ban based on citizenship has had the desired effect of convincing the Iraqi authorities to share more personal data about their citizens with the US. The order does not specify what additional information is now being shared that was not before.

Both the first and second Executive Orders provide that the governments of the countries whose nationals are subject to these bans will be requested to provide information within 60 days of notification or be subject to an extension of the ban (Section 2(d)). Furthermore, the Secretary of Homeland Security in consultation with the Secretary of State and the Director of National Intelligence will conduct a worldwide review to identify what additional information is needed from each country in order to determine that its citizens are not a security or public-safety threat (Section 2(a)). Failure to provide the information results in inclusion in the list of countries whose citizens are banned from entry to the US (Section 2). At any time the President can add more countries to the list (Section 2(f)).

Conflicting with the EU

There is no consideration in the Executive Orders of the consequences for other countries of revealing personal data about their citizens to a foreign state. The assumption is that if the law of a country or jurisdiction presents an obstacle to personal data sharing, it is for the country concerned to change the law or accept a no-entry ban for its citizens to the US. This poses substantial conflicts with European Union laws which rely on a solid data protection and privacy legal framework.

In addition to the 2016 General Data Protection Regulation 2016/679 and the Data Protection Directive for police and criminal justice authorities 2016/680,[9] the Court of Justice of the EU has handed down a series of landmark judgments requiring the European institutions and Member States to refrain from permitting the transfer of personal data to third countries except where EU privacy standards are complied with.[10] In brief, the main EU rules on data protection essentially require the following legal standards to be effectively protected:

  1. a clear limit on the use of data to the purpose for which it has been collected (purpose limitation principle);
  2. time limits on retention of data consistent with the purpose;
  3. deletion of personal data as soon as it is no longer needed;
  4. limitation on access to data only to those specifically authorised;
  5. a prohibition on onward transfer and use unless specifically authorised; and
  6. the entitlement of the data subject to control of his or her personal data, correction and deletion as well as effective remedies and judicial redress rights.

In the 2015 Schrems case the Court of Justice concluded that access on a generalised basis to electronic communications is tantamount to compromising the essence of the EU fundamental right to respect for private life laid down in the EU Charter of Fundamental Rights.[11] This effectively means that mass or bulk surveillance of EU citizens is not consistent with EU data protection rules as well as the legal principles of proportionality and necessity. The Luxembourg Court held that access on a generalised basis to the content of electronic communications is tantamount to profoundly compromising the essence of the fundamental right to respect for private life.[12] The Court also found that ensuring access to effective remedies and independent judicial review of the derogations or interferences by state and national security authorities of the rights of privacy and data protection in the name of national security, constitute key conditions for ensuring the rule of law.[13]

Does the data subject have rights?

Access to EU citizens’ personal data has been much discussed in the context of EU-USA transatlantic data flows by commercial enterprises. The issue of the protection of EU fundamental rights of the data subject was a matter of controversy and some complexity in light of the US approach to personal data as belonging to the agency or entity which has collected it rather than the data subject, and persisting US practices of bulk surveillance. After the invalidation by the Court of Justice of the EU of the previous Safe Harbour decision in the above-mentioned Schrems Case C-362/14 in October 2015, a rather convoluted solution to the EU-US difference was found in order to enable companies to send personal data between the EU and the US, under the guise of the so-called ‘EU-US Privacy Shield’.[14]

The legality and adequacy of the EU-US Privacy Shield as sufficiently protective of EU personal data legal standards has since then been disputed.[15] The adoption on January 3, 2017 of yet another Executive Order 12333 by the US Attorney General on ‘Procedures for the availability or dissemination of raw signals intelligence information by the National Security Agency under Section 2.3’ puts the sustainability of the Privacy Shield and the EU right to privacy under increasing strain.[16] The Executive Order basically allows the US NSA ever greater and direct access and processing of raw data and communications of EU citizens and residents without any clear and effective democratic supervision, judicial guarantees and effective remedies.

An explosive EU-US cocktail

This Executive Order takes US security practices into yet another major step away from EU data protection rules, and when combined with the previously mentioned Executive Order aimed at ‘Protecting the nation from foreign terrorists’ entry into the United States’ the resulting cocktail is nothing but explosive. Consequently, the ‘adequacy decision’ that the European Commission conducts regarding the legality of transfer of data between commercial organisations from the EU to the US (in particular the extent to which the level of protection of the right to privacy and data protection in the US is essentially equivalent to the one in the EU) is simply bound to fall apart.

All these Executive Orders constitute evidence that the US is effectively non-compliant. A similar conclusion has been reached by the European Parliament. In a Motion for a Resolution adopted on March 29, 2017 the Parliament expresses deep concerns about these developments in the US and calls on the European Commission to independently and transparently examine the compatibility of these new US orders and practices with the commitments by the EU under the Privacy Shield.[17]

The European Parliament is also calling on the Commission to re-consider its current decision about the adequacy, effectiveness and feasibility of the privacy and data protection granted by the US in the upcoming first joint annual review of the Privacy Shield,[18] in particular in the context of law enforcement activities and national security authorities.

The Parliament also reminds EU data protection authorities (EU DPAs) to closely monitor these latest developments and effectively exercise their envisaged powers, including the possibility of temporarily suspending or definitely banning personal data transfers to the US.

Sweetener or threat

The US approach in the 6 March 2017 Executive Order appears to be to require states to provide personal data about their citizens to the US or to face blanket travel bans against their citizens entering the US. This means that any concerns which states may have about the protection of the personal data of their citizens are by and large overridden. The negotiation of an agreement with the US which seeks to satisfy these requirements, such as the EU-US Privacy Shield, is no longer the US model. Instead, access to US territory is the sweetener or the threat which is being used to extract from states personal data about their citizens.

As the European Commissioner has recently stated, "The commitments the US has taken must be respected".[19] EU-USA Transatlantic data transfers can only happen under effective rule of law and fundamental rights protection. The European Commission should seek written clarification by US authorities about the intention and impact of all these recent US Executive Orders and closely engage the European Parliament in the follow-up process.

The evidence on inadequacy of protection in the US cannot be more solid. A Commission decision suspending the EU-US Privacy Shield would be an inevitable and welcomed step forward in ensuring more legal certainty for companies, citizens and authorities in the EU.

A clear message which must inform this new phase of transatlantic relations is that unilateral actions exclude the possibility of diplomacy and prevent a balanced weighing of different perspectives, costs and interests in complex times for international relations.

Let’s talk about this

The US Executive Orders examined in this paper reveal however a profound lack of consultation with the relevant actors affected by these decisions, chiefly the authorities of other states and supranational organisations such as the EU, but also the private sector, all of which have legitimate and critical interests in these matters.

More mistrust has inevitably followed, which calls in our view for more diplomacy and democratic rule of law with fundamental rights guarantees and cooperation as the most effective antidotes. One way to move this forward would be for the European Parliament to boost and further strengthen existing efforts under the Transatlantic Legislators Dialogue[20] in an attempt to substantially reinforce a regular and structured venue for inter-parliamentary dialogue with their relevant counterparts in the US Congress and Senate.

This could constitute a new democratic scrutiny framework for sharing information and cooperating more closely on relevant US and EU legal and policy developments which like the recent US Executive Orders have profound repercussions on transatlantic relations covering Justice and Home Affairs policies.

This briefing was first published by the Centre for European Policy Studies on April 5, 2017.


[1] The White House, Office of Press Department, Executive Order ‘Protecting the Nation from Foreign Terrorist Entry into the United States’, 27th January 2017. Retrievable from https://www.whitehouse.gov/the-press-office/2017/01/27/executive-order-protecting-nation-foreign-terrorist-entry-united-states

[2] The White House, Office of the Press Secretary, 6th March 2017, Available at https://www.whitehouse.gov/the-press-office/2017/03/06/executive-order-protecting-nation-foreign-terrorist-entry-united-states

[3] The New York Times, Hawaii Judge Extends Order Blocking Trump’s Travel Ban, https://www.nytimes.com/2017/03/29/us/politics/travel-ban-trump-judge-hawaii.html

[4] Visa Waiver Program Improvement and Terrorist Travel Prevention Act of 2015 (https://www.govtrack.us/congress/bills/114/hr158/summary) accessed 17 March 2017.

[5] European Commission, Communication on the “State of play and the possible ways forward as regards the situation of non-reciprocity with certain third countries in the area of visa policy”, COM(2016)221, 12 April 2016.

[6] Edward Hasbrouck, “What's in a Passenger Name Record (PNR)?”, The Practical Nomad (https://hasbrouck.org/articles/PNR.html) accessed 17 March 2017.

[7] Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America for the Sharing of Visa, Immigration, and Nationality Information 18 April 2013.

[8] Treaty Series No. 35 (2016).

[9] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119, 4.5.2016, p. 1; Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, OJ L 119, 4.5.2016, p. 89.

[10] Refer to C‑362/14 Schrems, 6 October 2015.

[11] For an analysis see S. Carrera and E. Guild (2015), Safe Harbour or into the Storm? EU-US Data Transfers after the Schrems Judgment, CEPS Liberty and Security in Europe Papers, Brussels, November 2015.

[12] Refer to paragraphs 94 and 95 of the judgment.

[13] Paragraph 95 of the Schrems judgement.

[14] Refer to http://europa.eu/rapid/press-release_IP-16-2461_en.htm See also European Commission, Communication Transatlantic Data Flows: Restoring Trust through Strong Safeguards, COM(2016) 117 final, 29.2.2016.

[15] See for instance http://www.alstonprivacy.com/eu-u-s-privacy-shield-faces-judicial-attack/ accessed 30 March 2017. For an overview of the Privacy Shield Programme visit https://www.privacyshield.gov/Program-Overview

[16] The full text of this Executive Order is available in the New York Times article ‘N.S.A. Gets More Latitude to Share Intercepted Communications’, 12 January 2017, retrievable from https://www.nytimes.com/2017/01/12/us/politics/nsa-gets-more-latitude-to-share-intercepted-communications.html

[17] European Parliament, Motion for a Resolution, on the adequacy of the protection afforded by the EU-US Privacy Shield (2016/3018(RSP)), 29 March 2017, accessible at http://www.europarl.europa.eu/sides/getDoc.do?type=MOTION&reference=B8-2017-0235&format=XML&language=EN

[18] European Commission, Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, C(2016) 4176, OJ L 207/1, 1.8.2016.

[19] EUobserver, EU trying to salvage US deal on data privacy, 30 March 2017, available at https://euobserver.com/justice/137438 See also EUobserver, Trump's anti-privacy order stirs EU angst, 27 January 2017, retrievable from https://euobserver.com/justice/136699

[20] For more information see http://www.europarl.europa.eu/intcoop/tld/default_en.htm
