In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.” The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protection afforded by the SCCs is respected and observed in the recipient country. According to the cover letter accompanying the White Paper, it “outlines the robust limits and safeguards in the United States pertaining to government access to data” as part of “an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.”
The cover letter emphasizes that while the White Paper is intended to help companies make the case that they can transfer personal data from the EU to the United States in compliance with EU law, it does not “eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.” It concludes by citing the importance of the “$7.1 trillion transatlantic economic relationship” and stating that “the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.”
The White Paper was prepared by the U.S. Department of Commerce in conjunction with the Department of Justice and the Office of the Director of National Intelligence. It begins by stating that as a practical matter, most U.S. companies do not deal in data that is of interest to U.S. intelligence agencies and therefore do not engage in data transfers that present the type of privacy risks that appear to have concerned the ECJ in Schrems II. And the “theoretical possibility” that a U.S. intelligence agency could access EU data is “no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data.”
The White Paper next states that companies transferring data from the EU that have received orders requiring data disclosure to U.S. intelligence agencies may consider the applicability of the “public interest” derogation in Article 49 of the GDPR as a basis for those transfers. In support of this position, the White Paper describes the frequent sharing of intelligence information between the U.S. government and EU Member States to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity. According to the White Paper, this information sharing “undoubtedly serves important EU public interests by protecting the governments and people of the Member States.”
The remainder of the White Paper addresses relevant U.S. law and practice in light of the Schrems II ruling that reliance on SCCs requires companies to independently assess whether U.S. law ensures adequate data protection under EU law, including by providing additional safeguards where necessary. It concentrates on the two sources of U.S. intelligence law that have been the focus of the ECJ, FISA 702 and EO 12333, and includes both information not addressed by the Privacy Shield adequacy decision in 2016 and new developments that have occurred since that time.
For FISA 702, the topics covered include supervision by the Foreign Intelligence Surveillance Court, individual redress for violations, additional privacy safeguards added since 2017, and a statement that FISA 702 is “essentially equivalent” to EU law because “data transferred to the United States enjoys comparable or greater privacy protections relating to intelligence surveillance than data held within the EU.” On EO 12333, the White Paper highlights that it does not require any disclosure of data to the U.S. government and that “bulk collection is expressly prohibited.” It also details several restrictions on the acquisition of personal data under EO 12333 based on significant publicly available information that was not addressed by the ECJ.