Companies adopting a wait-and-see approach for cross-border data flows after Schrems II needn’t wait any longer. In what appears to be the first substantive response to the July 16 judgment by the Court of Justice of the European Union (CJEU), the U.S. government released a white paper offering much-needed guidance for businesses still wrestling with the impact of that decision.
Issued jointly by the Department of Commerce, the Department of Justice, and the Office of the Director of National Intelligence, the white paper tackles not only the CJEU’s rationale for invalidating the EU-U.S. Privacy Shield, but also its requirement for companies to undertake a “case-by-case assessment” of U.S. surveillance laws.
In short, the white paper makes three points:
(1) Most companies are not disclosing personal data to U.S. intelligence agencies because they do not deal in data that is of any interest to those agencies. Indeed, companies that transfer ordinary commercial information would have no reason to believe that U.S. intelligence would seek to collect such data.
(2) To the extent any companies are ordered to make disclosures under the Foreign Intelligence Surveillance Act (FISA), those disclosures undoubtedly serve important EU public interests in accordance with GDPR Art. 49. The white paper notes that the U.S. government frequently shares intelligence information with EU Member States “to counter a variety of threats, including international terrorism, the proliferation of weapons of mass destruction, and the activities of hostile foreign cyber actors.”
(3) Companies relying on standard contractual clauses (SCCs) may consider information not addressed by the CJEU when making individualized assessments on whether U.S. laws offer an adequate level of protection.
On the third point, the white paper emphasizes that the CJEU in Schrems II ruled only on the validity of Commission Decision 2016/1250, which recorded limited findings about U.S. law for purposes of the Privacy Shield. The white paper identifies relevant information not mentioned in Decision 2016/1250, as well as developments occurring after 2016, to aid companies with their assessments.
In particular, the white paper notes that the Foreign Intelligence Surveillance Court has an active role in supervising whether individuals are properly targeted under FISA. It also identifies statutes that allow individuals of any nationality (including EU citizens) to seek redress in U.S. courts for FISA violations.
Indeed, the white paper contends that “data transferred to the United States enjoys comparable or greater privacy protections relating to intelligence surveillance than data held within the EU.”
Companies needing justification for ongoing data transfers to the U.S. should consider reviewing the arguments made in the white paper as a first step in their Schrems-mandated assessments. With any luck, those arguments may convince organizations—and, more importantly, European regulators—that their transatlantic data flows may continue post-Schrems.