Did Trump Modify PPD-28 Last Year before Retaining It?
In a series of questions for the record about whether CIA will continue to publicly post its surveillance procedures, CIA Director nominee Gina Haspel suggested she wouldn’t note changes if doing so would expose sources and methods.
Yes, subject only to my duty to protect classified information and intelligence sources and methods.
One question to which she gave that answer pertained to PPD-28, the Obama directive that provided some protections to foreign citizens.
The CIA’s PPD-28 Section 4 policies and procedures are publicly available. Will you ensure that the CIA continues to post these procedures as well as any modifications, superseding policies and procedures, or significant interpretations?
When Wyden asked about the importance of PPD-28 to bilateral relationships, Haspel explained that the Trump Administration had reviewed and retained it last year (Mike Pompeo had floated ditching it in his confirmation hearing). But in discussions about modifications, she envisioned only substantial modifications might interest allies.
PPD-28 underlies the US commitment to the EU/US Privacy Shield. This administration reviewed PPD-28 last year and decided to retain it. If PPD-28 were substantially modified or eliminated, our European partners might re-evaluate their commitment to the Privacy Shield that support trans-Atlantic commercial data flows.
The answers certainly leave the possibility that, in reviewing PPD-28 last year, the Trump Administration did make classified modifications, but did not consider them major enough to tell our European friends about.
“[T]he Trump Administration did make classified modifications, but did not consider them major enough to tell our European friends about.”
Heaven knows, the US and its biggest corporations care a lot about protecting the privacy of all their citizens, workers and customers. I wonder, however, if the US and the EU would agree on what changes would be major enough for the US to tell the Europeans about. And how well will this arrangement comply with the EU’s General Data Protection Regulation that comes into force in about a week.