In a letter from Deputy Assistant Secretary James Sullivan, the U.S. Department of Commerce introduced a white paper, “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II,” to assist organizations in conducting independent analyses of data transfers in light of the July 16, 2020 Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (“Schrems II”) decision by the Court of Justice of the European Union (“CJEU”) and, ultimately, in making the case for transferring personal data to the United States using EU-approved transfer mechanisms.
The white paper outlines privacy safeguards relating to government access to data provided by U.S. law, focusing on those that are relevant to the issues that appear to have concerned the CJEU in Schrems II, and is organized into three main parts:
- As a threshold matter, the white paper asserts that most U.S. organizations do not handle data U.S. intelligence agencies are interested in and therefore do not engage in data transfers that present the type of privacy risks that appear to concern the CJEU in the first place.
- The white paper further analyzes whether the “public interest” derogation in Article 49 of the GDPR may provide a basis for transferring data to U.S. intelligence agencies for foreign intelligence purposes pursuant to authorized FISA 702 orders.
- The white paper points out that organizations relying on standard contract clauses (“SCCs”) have access to a wealth of public information on the law, regulations, and governmental practices related to surveillance in the United States. According to the Department of Commerce, some of these protections are equal to or exceed protections afforded by EU member states that the CJEU neither considered nor addressed in Schrems II. Specifically, the white paper offers additional information regarding FISA 702 and EO 12333, such as Presidential Policy Directive 28 (“PPD-28”), and asserts that these and other U.S. privacy safeguards, “ensure that U.S. intelligence agencies’ access to data is based on clear and accessible legal rules, proportionate access to data for legitimate purposes, supervision of compliance with those rules through independent and multi-layered oversight, and effective remedies for violations of rights.”
Alston & Bird is actively involved in responding to challenges posed by the Schrems II decision and has written extensively on the topic, including:
- Schrems 2.0: CJEU invalidates EU-US Privacy Shield and emphasizes exporter obligations when using Standard Contractual Clauses
- EU DPAs Announce Post-Schrems Enforcement Plans
- European Data Protection Board Statement Provides Preliminary Insight into Use of Standard Contractual Clauses Following Schrems II Judgment
- European Parliament Committee Meeting Provides Insight into the Future of EU-US Personal Data Flows
For further information, please contact the Alston & Bird Privacy & Data Security Team.