The US Response to Schrems II: The Next Phase of EU-US Data Transfers

On July 16, 2020, the Court of Justice of the European Union (“ECJ”) held that the EU-US Privacy Shield, a mechanism to transfer data from the EU to the US, was invalid. (You can see our summary of the ECJ’s Schrems II decision here). This decision rocked much of the international privacy world, causing organizations to  question the ability of any company to legally transfer data from  Europe to  the US. Companies are still wrapping their heads around what this will mean for long term data storage and infrastructure architectures. 

In September 2020, the US weighed in on the Schrems II decision with its white paper entitled, “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II” (the “White Paper”). In essence, the White Paper is a direct response to various findings in the Schrems II decision.  The White Paper is intended to provide clarity to the ECJ’s concerns raised in Schrems II regarding  US Intelligence Laws.

The White Paper focuses on three key areas of consideration:

  1. Many companies are not subject to, and do not collect, information that is of interest to the Intelligence Community.
  2. Intelligence information is often shared between the US and the EU. 
  3. US law does include privacy protections regarding governmental access to personal information. 

The White Paper’s Pointed Response to the ECJ 

The White Paper highlights that the ECJ relied on two sources of US law in its decision: (1) Executive Order 12333 (“EO 12333”); and (2) Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702). According to the White Paper, EO 12333 relates to general surveillance matters and provides no specifics related to accessing personal information collected and stored by private companies. Additionally, FISA 720 establishes a judicial process regarding data acquisition for non-US persons. The White Paper makes clear that “the overwhelming majority of companies have never received orders to disclose data under FISA 702 and have never otherwise provided personal data to U.S. intelligence agencies.” White Paper at 2. 

FISA 702 permits the US government to conduct targeted surveillance of non-US citizens located outside of the US. These requests relate to electronic communications obtained via the assistance of an electronic communications service provider. Before information can be obtained, the US Government must seek approval from the Foreign Intelligence Surveillance Court (“FISA Court”) and inform the service provider. The White Paper emphasized that, based on the language of the FISA 702, it does not apply to every business that could  transfer data from the EU to the US, but only a small subset of businesses  

The White Paper stressed that the ECJ decision did uphold the Standard Contractual Clauses as a mechanism to continue to transfer data internationally. But, it noted the caveat provided by the ECJ: “companies are responsible for determining whether the law of the United States ensures adequate protection as afforded in EU law, including by providing, where necessary, additional safeguards.” Id. at 6. 

In order to help provide guidance for US companies that may face questions regarding how it ensures adequate protection measures exist, the White Paper provides an in-depth look at current US Surveillance law. The White Paper emphasizes that appropriate mechanisms, from the US perspective, are in place to address privacy concerns related to data gathering by US surveillance. Therefore, from the perspective of the White Paper authors, those adequate measures already exist within US law, mitigating most, if not all, of the concerns raised by the ECJ. 

What does this all mean for US domestic companies?

In short, the legality of international data transfers is still not clear. There is a growing tension in the area of data, privacy, and access to personal information between the EU and the US. The EU wants to see more of a commitment by the US towards privacy. And, the US has strong reasons to defend its surveillance laws. 

While  the White Paper takes the position that most companies are not at risk of violating the GDPR with any international data transfers, the ECJ views transfers as a potential risk.Therefore, companies need to conduct an in-depth analysis of how they could be implicated by FISA 702. Working with resources that understand both EU privacy law and US legal requirements is key to ensure the organization creates a comprehensive cross-border data strategy that mitigates risk. This includes addressing those risks in any international data transfer agreements so that all parties are aware of, and understand, the implications of the balance of US and EU law. If your organization performs international data transfers, reach out to our team today to learn more, and understand how these  laws impact your organization! 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.