A fragile legal agreement that lets U.S. companies store data about European citizens is under fresh strain following an order by President Trump to deny privacy protections to non-Americans. While Trump’s order doesn’t target the data pact directly, U.S. firms that rely on cloud computing to manage customer data are quietly pressing the White House to reassure Europeans the U.S. will stand by recent privacy promises.
“Transatlantic digital trade is valued at $260 billion annually, and we would encourage the Administration to keep these substantial economic benefits in mind,” Bijan Madhani, the privacy counsel for the Computer and Communications Industry Association, told Fortune. The trade group represents the interests of many U.S. tech firms like Google, Netflix, and Microsoft.
The concern for such companies is that Trump’s recent order could renew calls for European regulators to tear up a hard-won agreement called the Privacy Shield, a deal from last summer in which the European Commission agreed to allow U.S. companies to transfer customers’ data across the Atlantic. Such transfers are critical for all sorts of common Internet operations—from booking flights to running a social network—and the agreement helps U.S. companies avoid falling afoul of European data protection laws.
If the Europeans pulled their support for the Privacy Shield, data protection laws could spring up as a nasty kind of trade barrier.
So what does President Trump have to do with all this? The concern stems from a directive called “Executive Order on Public Safety” that the president signed last week. It was overshadowed by the chaos surrounding Trump’s other order on immigration, but likewise caused controversy by directing agencies to exclude non-citizens “from the protections of the Privacy Act regarding personally identifiable information.”
The order, which appears intended to make it easier for law enforcement or intelligence agencies to investigate threats posed by foreign nationals, led some media outlets to claim it put the Privacy Shield in jeopardy.
Legal experts, however, have downplayed that concern by pointing out that the order seems to include an exception for Privacy Shield. But given the recent skittishness of European regulators about U.S. surveillance, calls are mounting for the White House to publicly reassure Europeans the order doesn’t affect their data.
Cloud Confusion and a Parade of Horribles
Privacy Shield came about after a previous trans-Atlantic arrangement called Safe Harbor collapsed at the European Court of Justice in 2015, leaving U.S. companies to rely on the legal version of duct tape until European officials gave their blessing to new rules last July. This came as a relief for American firms.
“So far 1500 companies have applied for Privacy Shield with hundreds more applications pending,” said the CCIA’s Madhani. “The 2015 Safe Harbor invalidation shook the confidence of companies from insurance to technology engaged in digital trade across the Atlantic.”
Get Data Sheet, Fortune’s technology newsletter.
Privacy Shield, which has held up well so far, relies on a mind-bending set of laws and rules on both sides of the Atlantic. One of the most crucial is the Judicial Redress Act, passed by Congress early last year, which lets EU citizens bring privacy lawsuits in U.S. courts. This law, plus a related order signed by President Obama, served as sweeteners to convince the European Commission to sign onto the shield.
Trump’s order doesn’t target any of these arrangements and, as some have noted, an executive order can’t override a law like Judicial Redress Act. And as lawyers at Foley & Lardner point out, Trump’s order contains the all-important phrase “to the extent consistent with existing law”—which is another indication the order isn’t supposed to disrupt the Privacy Shield arrangement.
The bottom line, from a legal perspective, is that EU citizens should still be able to claim the Privacy Act protections Trump just zapped for other foreigners. But the law is one thing, and politics are another.
Given Trump’s track record so far of smash-mouth diplomacy, and his America First mantra, it’s no surprise some want more explicit assurance. A member of the European Parliament, for instance, has already said the order is grounds for Privacy Shield to be suspended and for the EU to sanction the U.S.
Such rumblings are causing concern for U.S. companies that rely on cloud computing for international business. According to a source close to the industry, tech executives are paying close attention to the reactions in Europe and are hoping for a statement from the White House. The source, who wasn’t authorized to speak on record, added that any breakdown in the Privacy Shield would inflict misery on smaller companies because they lack the legal and compliance teams to navigate EU privacy land mines.
Julie Brill, a former FTC Commissioner who now leads a privacy team at Hogan & Lovells, says the threat to the shield is real. In a phone interview, she noted that the European part of the Privacy Shield provides national data regulators with residual powers to investigate data transfers, and that the entire framework is subject to various reviews. In other words, the “shield” was never that strong to begin with—as lawyers pointed out last summer—and the controversy over Trump’s order isn’t going to help it.
Brill shares the view that, in legal terms, the executive order doesn’t affect the shield. But she agrees with others that it would be a good idea for the White House to says so publicly.
“If the Administration put out a statement to remove concerns about the executive order, and confirms it has nothing to do with the Privacy Act and has no effect, that would calm important policy makers and EU governments,” she said. “There’s a parade of horribles we all want to avoid. A statement now to clarify that would go long way to avoid going down that path.”
