The U.S. Government Issues a White Paper to Help EU Organizations Comply with Schrems II - Clarip Privacy Blog

The U.S. Government Issues a White Paper to Help EU Organizations Comply with Schrems II


Following the Court of Justice of the European Union’s (CJEU) Schrems II decision, which invalidated the EU-U.S. Privacy Shield and upheld the validity of the Standard Contractual Clauses subject to certain conditions, the U.S. Department of Commerce has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.”

Schrems argued that the Standard Contractual Clauses (SCCs) could not justify transfers of data to the United States given the potential for U.S. government surveillance of, and access to, the personal data of EU residents, particularly under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order 12333. Although the CJEU upheld the SCCs, it concluded that data subjects whose personal data are transferred to another country pursuant to the SCCs must still be afforded a level of protection essentially equivalent to that guaranteed within the EU by the GDPR. The CJEU’s decision requires organizations that rely on the SCCs or another EU-approved data transfer mechanism, Binding Corporate Rules, to verify, on a case-by-case basis, whether foreign legal protections concerning government access to personal data meet the EU standards.

The stated purpose of the White Paper is to provide, for consideration by companies transferring personal data from the EU to the United States, a detailed discussion of privacy protections in current U.S. law and practice relating to government access to data for national security purposes, with a focus on the issues that concerned the ECJ in Schrems II.

The following are some of the key points addressed in the White Paper:

  • The U.S. government contends that most U.S. companies do not deal in data that is of any interest to the U.S. intelligence agencies. Companies whose EU operations involve ordinary commercial products or services, and whose EU-U.S. transfers of personal data involve ordinary commercial information like employee, customer, or sales records, would have no basis to believe that the U.S. intelligence agencies would seek to collect that data.  Thus, they presumably are not engaged in data transfers that present the type of risks to privacy that concerned the CJEU in Schrems II.
  • The U.S. government asserts that it frequently shares intelligence information with the European Union Member States, including data disclosed by companies in response to FISA 702 orders, to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity. The U.S. government argues that sharing that information serves important EU public interests by protecting the governments and people of the Member States. This, in turn, might justify disclosure of personal data to the U.S. intelligence agencies on the grounds of the “public interest” derogation in Article 49 of the GDPR.
  • The U.S. government cites various privacy protections in U.S. law concerning government access to data for national security purposes that, it argues, were not considered and addressed by the CJEU, including some new developments in U.S. law. According to the White Paper, some of these protections are equal to or exceed protections afforded by the EU member states. The U.S. government urges companies to take this information into account in any assessment of U.S. law post-Schrems II.

The CJEU’s ruling in Schrems II presents significant legal and operational challenges for EU organizations transferring personal data to the United States. The U.S. government’s White Paper offers some grounds for organizations to make the case that they should be able to send personal data to the United States using EU-approved transfer mechanisms. At the same time, further guidance from EU authorities is necessary to help organizations comply with the CJEU’s ruling.

Ask Clarip today how we can solve your biggest privacy compliance pain points. Call Clarip at 1-888-252-5653.
