Since the CJEU’s Schrems II decision companies have been haunted by the uncertainty surrounding transfers of personal data from the EU to the US. The Privacy Shield was invalidated with immediate effect and while the standard contractual clauses (“SCC’s”) are still valid an additional obligation has been placed on companies to assess the laws of the country to which the data is being transferred and ensure that those laws offer protections to data subjects that are ‘essentially equivalent’ to the EU. If they aren’t then supplementary measures above and beyond the SCC’s must be implemented or transfers should immediately cease.
The CJEU concluded that the US laws allowing intelligence agencies to access and use personal data do not provide essentially equivalent protections for data subjects as they are not proportionate, limited to what is strictly necessary nor do they offer individuals actionable rights before the courts against the US authorities. As such, any company relying on the SCC’s to transfer personal data from the EU to the US must undertake an assessment of the transfer and consider what (if any) supplementary measures are required to ensure the personal data is sufficiently protected. This was a huge blow to transatlantic businesses and a reprimand of the US privacy safeguards (or proposed lack thereof). However, the US Department of Commerce has hit back by publishing a White Paper titled ‘Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases For EU-U.S. Data Transfers after Schrems II’ which is also endorsed by the Department of Justice and the Office of the Director of National Intelligence (the “White Paper”).
The White Paper
The White Paper serves two purposes, it provides businesses with a detailed toolkit (complete with citations) to understanding the security laws in the US to assist businesses undertake the data transfer assessment now required and it methodically defends the US privacy safeguards against the accusations of inadequacy made by the CJEU. The White Paper carefully rebuts each conclusion made by the CJEU with a particular emphases on FISA 702 orders and new privacy protections implemented after the Decision 2016/1250 (the Privacy Shield) which were not considered by the CJEU in their reasoning. The White Paper is presented by its authors as a necessary reaction to the Schrems II decision, and on that support trade and growth of the $7.1 trillion transatlantic economic relationship.
The key points of the White Paper include:
1. An explanation that companies who operate in ordinary commercial products and services and whose transfer of personal data involves commercial information such as employee, customer or sales records, would not be of interest to U.S. intelligence agencies and the majority would never have received orders to disclose data under FISA 702.
2. Any sharing of information in compliance with an order under FISA 702 should be justified for serving an important EU public interest as the U.S. government frequently shares intelligence information with EU member states.
3. The CJEU did not take into consideration a number of more recent developments in U.S privacy laws relating to government agencies access to data for national security purposes. These include restrictions on collection information in which the target is mentioned and limiting access to communications that have been sent from or to the target and other oversight functions that have been created. In addition the White Paper emphasises the ways in which an individual may have recourse against a government authority in court should there be a breach of FISA.
This White Paper provides businesses with more clarity to deal with the uncertainty of the Schrems II case than any guidance or advice published by any supervisory authority within the EU to date. It’s defensive language and clear disdain for the Schrems II decision, does not take away from its genuine utility for businesses looking to transfer personal data from the EU to the US with the protection of the SCC’s, BCR’s or any other transfer mechanism which now requires an assessment of local laws.
That said, the inclusion of the suggestion that businesses can rely on the derogation under Article 49 (1)(d) (Public Interest) as a lawful basis to comply with a FISA 702 order could be construed as misleading in the context of Schrems II as this derogation would not be relevant to a transfer made from EU business to US business on a regular basis. Schrems II brought into question legal mechanisms for transfer from the EU to the US. It did not question the legal basis for disclosing personal data to U.S. intelligence agencies under a FISA 702 order once the information is already in the US, although the decision noted that businesses could be compelled to provide the information once it had already reached the US. As such, businesses should not be misled into believe they can rely on Article 49(1)(d) for the majority of B2B data transfers from the EU to the US. As such, the inclusion of the public interest derogation within this White Paper appears tangential.
It is now up to the European Commission to respond and provide clarify on how to best ensure the compliant transfer of personal data from the EU to the US under the GDPR in light of Schrems II and the U.S White Paper.
They [data flows] power the international operations and growth of American and European businesses of every size and in every industry, and underpin the $7.1 trillion transatlantic economic relationship.