Citizens of the U.S. have a right to reasonable privacy, which includes access to sensitive personal information. A 2007 policy that extended those rights to foreigners was removed in January 2017, which has caused a number of U.S. firms to migrate their data abroad. 

What is Protected Personal Information and how is it regulated in the US?

The U.S. Code of Federal Regulations defines protected personal information (PPI) as "Any information or characteristics that may be used to distinguish or trace an individual's identity, such as their name, SSN, or biometric records."

The Privacy Act of 1974 established a code of practices governing the collection, maintenance and use of personal information. The act prohibited bulk dissemination of PPI and set down regulations for how federal agencies should store information that could be accessed by an individual identifier.

Foreigners to the U.S. can not expect that their data will be protected by privacy laws.Foreigners to the U.S. can not expect that their data will be protected by privacy laws.

Why Foreigners to the US Are No Longer Protected

The Judicial Redress Act of 2015 extended certain rights of judicial redress to citizens of certain foreign countries, including those of the EU. However, an executive order signed Jan. 25, 2017 by President Donald Trump effectively retracted those rights from foreigners. The order states:

"Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

For Canadians and EU nationals, this order places their data in an unprotected position. Essentially, if a Canadian citizen's data enters the U.S., but the individual remains in Canada, the U.S. sees him or her as a nonresident alien, and therefore U.S. privacy rights are not extended.

The executive order effectively established what University of Toronto law professor Lisa M. Austin calls a "constitutional black hole," in which the data protection laws of neither country apply.

This becomes an issue for firms that use U.S. facilities to process, transmit or store data belonging to foreigners. Although the people who own the data never step foot in the U.S., their data may cross the border as they use the products and services of multinational institutions. Because foreigners can no longer trust that their data will be treated with the same protections found in their home countries, they may opt to find alternative solutions. Therefore, U.S. businesses that want to keep their foreign customers are looking to migrate their data centers to nations with more comprehensive privacy laws.

Companies that need to ensure the integrity of their foreign-owned metadata – such as the identifying information stored in a text message – will likely migrate their data abroad. The language of the executive order is clear: It does not simply say that organizations can choose not to extend privacy rights to foreigners; it states that organizations must actively exclude foreigners from privacy protections.

If your organization is moving data to Canada, trust the SMS gateway that is 100 percent Canadian. Learn more by scheduling a free Swift SMS Gateway demo today.