On September 28, 2020, the U.S. Department of Commerce, along with the U.S. Department of Justice and the Office of the Director of National Intelligence, released a White Paper entitled Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (the “White Paper”). The White Paper outlines privacy safeguards in and updates to the U.S. surveillance provisions flagged by the Court of Justice of the European Union (“CJEU”) in its Schrems II decision. It is intended to serve as a resource for companies transferring personal data from the EU to the U.S. in the wake of the CJEU’s decision overturning the EU-U.S. Privacy Shield. Particularly, it focuses on companies relying on Standard Contractual Clauses (“SCCs”) for data transfers, and provides information to help them determine whether the U.S. ensures adequate privacy protections for companies’ data.
The White Paper is divided into three sections: (1) it notes that many companies transferring data from the EU to the U.S. do not handle data that is of any interest to the U.S. intelligence community; (2) it states companies may still consider the applicability of the “public interest” derogation under Article 49 of the GDPR as a basis for data transfers; and (3) it provides companies relying on SCCs for data transfers with information to help them determine whether U.S. law provides adequate protection as afforded in EU law.
Most of the White Paper is dedicated to the third section on SCCs, which notes that while the CJEU overturned the Privacy Shield on the basis of the shortcomings of privacy protections in U.S. surveillance law, the CJEU did not consider several existing privacy protections in its analysis, either because they were not part of the record in the case or because they are the result of recent updates to U.S. law. It looks particularly at two laws reviewed by the CJEU in its decision – Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”) and Executive Order 12333 (“EO 12333”) – and identifies the privacy protections therein that were not part of the record before the CJEU. Most notably, the White Paper states:
- Because it was not part of the record, the CJEU did not fully consider the Foreign Intelligence Surveillance Court’s (“FISC”) supervisory role over individual targeting decisions, and that the CJEU has “an active role in supervising whether individuals are properly targeted to acquire foreign intelligence information.”
- A review of applicable U.S. law demonstrates that several U.S. statutes, such as FISA itself, the Electronic Communications Privacy Act and the Administrative Procedure Act, authorize individuals of any nationality to seek redress in U.S. courts through civil lawsuits for violations of FISA 702.
- Privacy safeguards have been added to FISA 702 in recent years. In 2017, the FISC issued an order terminating “about” collection under FISA 702, and in 2018, FISA was amended to provide additional privacy protections and safeguards.
- EO 12333 does not directly authorize the government to require any company or person to disclose data, and thus it, on its own, does not permit bulk data collection. It is therefore unclear how companies relying on SCCs for data transfers could consider it in their analysis of relevant surveillance law.