
Alston & Bird Privacy Blog


U.S. Department of Commerce Releases White Paper to Assist Organizations in Conducting Schrems II Assessments

September 28, 2020 By James Harvey and Kelley Chittenden

In a letter from Deputy Assistant Secretary James Sullivan, the U.S. Department of Commerce introduced a white paper, “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II,” to assist organizations in conducting independent analyses of data transfers in light of the July 16, 2020 Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (“Schrems II”) decision by the Court of Justice of the European Union (“CJEU”) and, ultimately, in making the case for transferring personal data to the United States using EU-approved transfer mechanisms.

The white paper outlines privacy safeguards relating to government access to data provided by U.S. law, focusing on those that are relevant to the issues that appear to have concerned the CJEU in Schrems II, and is organized into three main parts:

  • As a threshold matter, the white paper asserts that most U.S. organizations do not handle data U.S. intelligence agencies are interested in and therefore do not engage in data transfers that present the type of privacy risks that appear to concern the CJEU in the first place.
  • The white paper further analyzes whether the “public interest” derogation in Article 49 of the GDPR may provide a basis for transferring data to U.S. intelligence agencies for foreign intelligence purposes pursuant to authorized FISA 702 orders.
  • The white paper points out that organizations relying on standard contractual clauses (“SCCs”) have access to a wealth of public information on the law, regulations, and governmental practices related to surveillance in the United States. According to the Department of Commerce, some of these protections are equal to or exceed protections afforded by EU member states that the CJEU neither considered nor addressed in Schrems II. Specifically, the white paper offers additional information regarding FISA 702 and EO 12333, such as Presidential Policy Directive 28 (“PPD-28”), and asserts that these and other U.S. privacy safeguards “ensure that U.S. intelligence agencies’ access to data is based on clear and accessible legal rules, proportionate access to data for legitimate purposes, supervision of compliance with those rules through independent and multi-layered oversight, and effective remedies for violations of rights.”

Alston & Bird is actively involved in responding to challenges posed by the Schrems II decision and has written extensively on the topic, including:

  • Schrems 2.0: CJEU invalidates EU-US Privacy Shield and emphasizes exporter obligations when using Standard Contractual Clauses
  • EU DPAs Announce Post-Schrems Enforcement Plans
  • European Data Protection Board Statement Provides Preliminary Insight into Use of Standard Contractual Clauses Following Schrems II Judgment
  • European Parliament Committee Meeting Provides Insight into the Future of EU-US Personal Data Flows

For further information, please contact the Alston & Bird Privacy & Data Security Team.

Filed Under: Data Protection, GDPR, International Tagged With: Cross-border, EU Data Protection, EU Privacy, European Court of Justice, International Data Transfers

About James Harvey

Jim advises clients on a wide range of data, privacy, cybersecurity, and technology services initiatives. Jim founded and co-chairs our Privacy & Data Security and Cybersecurity Preparedness & Response teams. His practice crosses all data, privacy, and security lines and ranges from all aspects of breach and incident response to board-level advice to proactive data transfer and data governance counseling.


About Kelley Chittenden

Kelley Chittenden is an associate on Alston & Bird’s Privacy & Data Security team. She focuses her practice on cybersecurity and privacy compliance and enforcement, as well as emerging technology issues.



This blog is a service of Alston & Bird’s Privacy & Data Security team and focuses on key data privacy and data security issues.

