On September 28, the U.S. government released a “White Paper” addressing how U.S. companies might justify their continued transfer to the U.S. of personal data of EU residents, following the decision of the Court of Justice of the European Union (“CJEU,” or “ECJ”) in Schrems II – more formally known as Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (July 16, 2020). The Schrems II decision struck down the EU-U.S. Privacy Shield as a basis for transferring EU personal data to the United States because of the Court’s view that U.S. national security law did not provide equivalent privacy protections to those available in the EU. While the CJEU upheld Commission-approved Standard Contractual Clauses (“SCCs”) as a basis for transfers of EU personal data to the U.S., the Court imposed significant new hurdles for the use of SCCs.
As a result, U.S. companies now face a difficult issue of whether they can lawfully continue to transfer EU personal data to the United States. The U.S. White Paper is intended to help companies navigate this transatlantic dilemma by providing arguments and citing legal authorities for U.S. companies to consider in conducting the newly required legal assessments of how U.S. national security law protects EU personal data.
The White Paper was issued by the Departments of Justice and Commerce, as well as the Office of the Director of National Intelligence. The White Paper indicates that companies facing the post-Schrems II world can approach compliance with the EU’s General Data Protection Regulation (“GDPR”) by preparing an assessment that “defends” their continued reliance on SCCs as a legitimate basis for continuing to transfer data. While not opining on EU law, the Paper seeks to “provide a detailed discussion” of “privacy protections in current U.S. law and practice relating to government access to data for national security purposes,” especially as that information bears on “issues that appear to have concerned the ECJ in Schrems II” and as it “may bear on many companies’ analyses” of how their reliance on SCCs conforms to EU law.
The Paper is premised on the notion that, under Schrems II, “companies relying on SCCs are responsible for determining whether the recipient country’s law concerning government access to data provides privacy protections meeting EU legal standards.” To make these determinations, the U.S. agencies authoring the Paper suggest that “companies may consider the information set out [in the White Paper] in undertaking their own independent reviews of U.S. law for purposes of SCC transfers.” Accordingly, it would appear reasonable for companies assessing their ability to comply with SCCs in light of Schrems II to draw from the Paper’s careful analysis and detailed compilation of U.S. safeguards – including safeguards and rights that were not reflected in the CJEU’s opinion.
In fact, the Paper highlights “[t]he reality … that data transferred to the United States enjoys comparable or greater privacy protections relating to intelligence surveillance than data held within the EU.” Given the detail set forth in the Paper, and the CJEU’s silence regarding any actual comparison of the relative national security safeguards of the U.S. and EU Member States, the position of the U.S. agencies is compelling. (Indeed, the position that U.S. safeguards are stronger than those available in Europe comports with and updates the conclusions previously documented in “Essentially Equivalent: A Comparison of the Legal Orders for Privacy and Data Protection in the European Union and the United States” issued by Sidley Austin LLP in 2016, and available at https://www.sidley.com/en/insights/publications/2016/01/essentially-equivalent.)
Without being disrespectful toward the CJEU, the Paper documents “numerous other privacy safeguards in this area of U.S. law, [that were] not discussed by the ECJ in its review of Commission Decision 2016/1250 in Schrems II.” It thus provides ample authority for companies to conclude that U.S. surveillance “is based on clear and accessible legal rules, proportionate access to data for legitimate purposes, supervision of compliance with those rules through independent and multi-layered oversight, and effective remedies for violations of rights.”
The White Paper also makes the crucial point that the U.S. government’s “[s]haring of FISA 702 information undoubtedly serves important EU public interests by protecting the governments and people of the Member States” and that “the interruption of FISA 702 collection would severely and adversely impact EU public interests.” In other words, the national security of Europe depends on benefits from U.S. electronic surveillance.
The Paper makes three basic suggestions for U.S. companies responding to Schrems II. First, as a practical matter, many (perhaps most) companies’ practices do not implicate the CJEU’s concerns at all “because the data they handle is of no interest to the U.S. intelligence community.” Those companies never receive FISA Section 702 orders or other orders to produce national security-related information, and they do not otherwise provide such information. For these companies, explaining how their practices do not implicate the Schrems II concerns should be an important component of establishing that U.S. surveillance laws and practices will not interfere at all with their ability to comply in full with their SCC obligations.
Second, the Paper notes how even “companies transferring data from the EU that have received orders authorized by FISA 702 … may consider the applicability of the ‘public interest’ derogation in Article 49 of the GDPR as a basis for the transfers.” That is, to the extent that EU law recognizes the lawfulness of transfers where justified by the public interest, the White Paper argues that that public interest exists in the sharing of information between the U.S. government and EU governments for common interests related principally to combatting international terrorism. The Paper then describes a series of examples where such sharing has worked to counter terrorist attacks, as well as public sources describing the importance of such sharing. While the Paper does not directly address how companies may use these arguments to defend their data transfers, the implication appears to be that whatever orders companies receive to produce information to U.S. national security agencies should not be viewed as creating tension with EU law or creating an exception to equivalence because that resulting production can, under Article 49, be defended as consistent with EU requirements.
And third, the Paper principally seeks to “identif[y] information about relevant U.S. law and practice” that may be useful to companies that seek to rely on SCCs to support their transfers, based on a further determination “whether the law of the United States ensures adequate protection as afforded in EU law, including by providing, where necessary, additional safeguards.” The bulk of the White Paper presents information and points designed to address concerns, raised in Schrems II, that FISA Section 702 or EO 12333 permit the U.S. government to operate without the restraints and protections afforded to EU citizens by EU law with respect to EU governments’ intelligence collection.
This analysis, in turn, rests on the characterization of Schrems II as a relatively narrow decision, limited to appellate review of the particular European Commission Decision 2016/1250 and reflecting only “the ECJ’s assessment of U.S. law [which] relied primarily on the limited findings about U.S. law recorded by the Commission in 2016 in Decision 2015/1250.” As a result, the White Paper suggests that a company’s defense of its transfers can rest on protections or clarifications of law developed since 2016, or on assessments of law that reflect a broader understanding of U.S. law than that reflected in the Commission’s 2016 analysis.
Within that framework, the Paper first addresses concerns related to orders to produce information authorized by FISA Section 702. The Paper makes an extensive case for concluding that, properly viewed, U.S. law authorizes the Foreign Intelligence Surveillance Court (“FISC”) to conduct oversight and exercise supervisory authority that the CJEU suggested was lacking. That is, contrary to the CJEU’s assessment of the limited information cited by the Commission and thus before the Court, “there is significant information demonstrating that the FISC does have an active role in supervising whether individuals are properly targeted to acquire foreign intelligence information.”
The White Paper surveys the various FISC and Intelligence Community documents and processes that it asserts support this conclusion. In addition, the White Paper challenges the CJEU’s suggestions that U.S. law lacks adequate personal remedies for violations of safeguards related to surveillance and compelled provision of information. It points in particular to the private rights of action provided by FISA itself, by the Electronic Communications Privacy Act, and by the Administrative Procedure Act, claiming that these statutes “authorize individuals of any nationality (including EU citizens) to seek redress in U.S. courts through civil lawsuits for violations of FISA” and that “[t]his information was not addressed by the ECJ in Schrems II.”
In addition to focusing on the statutory safeguards and redress opportunities provided by the Acts discussed above, the White Paper also elaborates on the role and protections of the Privacy and Civil Liberties Oversight Board (“PCLOB”) and Presidential Policy Directive 28 (“PPD-28”) regarding privacy protections applicable to U.S. “signals intelligence activities.” (Indeed, PPD-28 specifically protects “the legitimate privacy and civil liberties concerns of U.S. citizens and citizens of other nations.”) And, finally, the Paper argues that the absence of significant safeguards and remedies for many EU nations’ national security information collections further buttresses the conclusion that U.S. law provides protections that are “essentially equivalent” to those provided by EU law.
The Paper then seeks to address concerns raised by the CJEU related to intelligence collection abroad, authorized by Executive Order 12333. Its principal point is that EO 12333 has nothing to do with compelled production of information from companies, and that companies have no basis to ascertain whether their information abroad is subject to surveillance – by the U.S. government or any other government. The White Paper also argues that companies have no basis to assess whether any U.S. legal protections are comparable to EU law because EU law simply does not address Member States’ collection of information abroad (as opposed to setting standards related to domestic surveillance). That is, “there is no discernable comparator in EU law.” And finally, even if companies could know the scope of surveillance and had some baseline of EU law to apply, the White Paper further argues that significant legal protections exist with respect to U.S. practices that cannot be found in EU Member State law. It then surveys the various policy directives and internal procedures that limit when U.S. intelligence agencies can secure information abroad and how they may use such information.
Overall, the White Paper undertakes a dual exercise. On the one hand, it essentially argues that the CJEU’s Schrems II decision rested on a series of misunderstandings of and blind spots regarding U.S. law, and failed to account for various instances where U.S. law affords more legal protection than does EU law. On the other, it seeks to assemble the components of the arguments that many companies are already developing or exploring to justify their data transfers as consistent with EU law. In particular, the Paper provides support for an argument that EU law accommodates such transfers where, as here, they further the public interest. And, principally, the Paper provides the U.S. Government’s views of how the various safeguards and remedies built into U.S. surveillance practices, properly and fully understood, establish that U.S. law provides the “essentially equivalent” protections available in the EU – and thus provide the basis even under Schrems II for U.S. companies to rely on SCCs to support their continued transfers of data.
What the Paper does not do, however, is provide any particular basis to conclude that European enforcement authorities will accept those arguments. For that, we continue to await the long-promised “guidance” from the European Commission and the European Data Protection Board as well as the actions of national data protection authorities.