The Court of Justice of the European Union (CJEU) dealt a blow to transatlantic data flows in July with its decision in Schrems II, invalidating the EU-U.S. Privacy Shield while conditionally approving the continued use of Standard Contractual Clauses (SCC). In a white paper published late last month, the U.S. government responded to the CJEU’s critical appraisal of American intelligence agencies’ data-collection practices by identifying Schrems II’s shortcomings and offering guidance to companies seeking to comply with it. Schrems II is problematic in various ways, the multi-agency paper concludes, but with minor adjustments, most EU-U.S. digital dealings should be able to continue as before.
The White Paper
The white paper, a joint project of the U.S. Department of Commerce (DOC), Department of Justice (DOJ), and Office of the Director of National Intelligence (ODNI), makes three main points:
- Most companies do not have, send, or receive the types of data U.S. intelligence agencies want or collect, and therefore the CJEU’s privacy and security concerns are not relevant to the vast majority of data transfers.
- The only American intelligence-gathering mechanism truly at issue is orders under Section 702 of the Foreign Intelligence Surveillance Act (FISA), and the U.S. not only conducts robust supervision of that collection but also regularly shares with EU nations the crucial public safety information gathered through those FISA orders.
- The CJEU’s review of American law and practice is otherwise incomplete, so businesses looking to send and receive data from the EU should consult publicly available U.S. government documents for more context and to ensure the compliance of their SCC-enabled data transfers.
What concerned the CJEU in Schrems II should not concern most companies
With respect to the first point, the agencies note that the U.S. collects data for foreign intelligence purposes but that U.S. public policy prohibits collection to obtain a commercial advantage. This means the CJEU’s concerns about national security access in Schrems II would not apply to most companies’ data transfers.
The paper repeatedly clarifies that Executive Order 12333, which the CJEU focused on in its decision, includes no authorization to compel private companies to disclose data and therefore poses no more threat to transatlantic data transfers than that posed by other governments or private hackers.
While FISA does provide for orders requiring U.S. companies to disclose data of non-U.S. persons, potentially implicating EU privacy interests, the white paper emphasizes that the U.S. Foreign Intelligence Surveillance Court (FISC) independently and thoroughly vets those searches and interceptions to minimize stray collection.
Is intelligence sharing in the public interest?
Continuing to its second point, the white paper argues that the public interest derogation in the General Data Protection Regulation (GDPR) allows for sharing data “in the spirit of reciprocity for international cooperation” as an “important public interest” under GDPR Art. 49. In that “spirit,” the paper offers instances in which the U.S. has shared intelligence with EU nations to solve crimes or thwart terrorism. We don’t yet know how much companies can rely on this exception for SCC-enabled data transfers.
What the CJEU missed but companies seeking to comply with Schrems II should not
The meat of the white paper is devoted to the third thesis, i.e., that companies should look beyond Schrems II’s incomplete analysis to comply with it.
Primary among the CJEU misconceptions the paper seeks to correct is the extent to which the FISA 702 order process is supervised and vetted, before and after the targeted monitoring. The paper argues that the FISC oversight process is as robust as the supervision of any European intelligence program, which means that “data transferred to the United States enjoys comparable or greater privacy protections relating to intelligence surveillance than data held within the EU.” The paper links to several agency procedure and decision documents that support this premise for the benefit of companies that handle potentially sensitive data.
The details of FISC’s and the agencies’ checks and balances, and how they have played out over the past five years in individual cases, are beyond the scope of this overview, but it’s worth noting that the paper’s supporting evidence is often a double-edged sword. For instance, per its thirty-fifth footnote, a joint DOJ-ODNI oversight assessment submitted to FISC in late 2016 showed a “significant” increase in the rate of “targeting compliance incidents” (i.e., data collections beyond the authorized scope of the FISA 702 order) in mid-to-late 2015 – from .35% to .53%, an uptick in the error rate of more than half.[1]
The paper also notes that businesses or individuals have avenues of redress for wrongly collected data that the CJEU did not cite, specifically private rights of action under FISA, the Electronic Communications Privacy Act, and the Administrative Procedure Act (APA). Suits brought under the APA have been successful in the federal appellate courts, the paper points out.
Further, the FISA Amendments Reauthorization Act of 2017 added privacy safeguards the CJEU could not have considered but that companies analyzing their SCCs now should.
* * *
As you might expect, the paper defends the U.S. position and challenges the European court’s decision, noting that “there are numerous other privacy safeguards in this area of U.S. law, not discussed by the [CJEU] in its review of Commission Decision 2016/1250 in Schrems II, that ensure that U.S. intelligence agencies’ access to data is based on clear and accessible legal rules, proportionate access to data for legitimate purposes, supervision of compliance with those rules through independent and multi-layered oversight, and effective remedies for violations of rights.” Regardless of whether the paper’s arguments are ultimately convincing, companies reassessing the legality of EU-U.S. data transfers in light of Schrems II should take its sources and premises under consideration.
[1] See Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of FISA, Submitted to the FISC by the Attorney General and the Director of National Intelligence, Reporting Period: June 1, 2015 – November 30, 2015 at 35 (Nov. 2016), https://www.dni.gov/files/documents/icotr/15th-702Joint-Assessment-Nov2016-FINAL-REDACTED1517.pdf.