Any hope Australians might have had of having their data protected from snooping US government agencies has been set back by an executive order signed by President Donald Trump on Friday.
In addition to having their social media accounts reviewed, and their browsing history assessed when seeking to visit the United States, Australians also face having their data accessed by law enforcement agencies with no regard for privacy.
It is not the most alarming of executive orders signed by the new President in his first week, but it should cause concern for the security of personal data of Australians held in the United States. Buried in section 14 of Trump’s executive order to crack down on illegal immigration, the President has ordered that under the US Privacy Act, “agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information”.
Non-US citizens are not covered by the Privacy Act today. In fact, under the Patriot Act — the draconian post-September 11 national security law — companies located in the US, such as Amazon, can be forced to hand over user data they hold anywhere in the world. But following the Snowden revelations, the European Union had begun pushing back against the invasive surveillance regime in the country home to many online services holding the private data of people across the globe. The EU had negotiated with the United States a Privacy Shield framework under which protections for European data held in the US would be essentially the same as those for US citizens, with 1500 companies including Microsoft, Apple and Google signing up to the agreement.
Over the weekend, this led to some tech publications in the US and Europe suggesting the executive order might put the framework at risk, but the European Commission said that the Privacy Shield did not rely on protections under the Privacy Act.
That provides comfort for Europeans, but Australians lack any adequate protection outside of an executive order signed by Barack Obama in 2014 requiring intelligence agencies to have appropriate safeguards and consideration of the legitimate privacy interests of people regardless of nationality or where they reside. Short of a new agreement with the Trump administration over data privacy, any data on Australians located in the US, or held by US companies, remains at risk of snooping by US government agencies.
While the impact on individual privacy may be something Australians already take into account when using Facebook, or Apple’s iCloud, the public has no say about where government data about them is held, as state and federal governments are increasingly moving services into cloud storage. There are guidelines around whether data should be located here or not, but as the federal government’s agile, innovative agenda results in more services being outsourced, there are privacy risks that need to be considered as Trump’s moves put Americans’ privacy first, and everyone else’s last — in that we don’t get any. No privacy.
The Information Commissioner declined to comment on the executive order and its potential impact on Australians, and directed Crikey to the Attorney-General’s Department. AGD did not respond by deadline.
The Australian Privacy Foundation said the order would keep Australians’ privacy as bad as it already was under existing US law, but suggested it may also lead to weaker policies for US government agencies over how Australians’ data is used.