Monday, December 21, 2020

Why Schrems II Might Not Be a Problem for EU-U.S. Data Transfers

An illustration of a cell phone surrounded by location markers, linked together to suggest movements over the course of a day. (Ifrah Yousef, https://cybervisuals.org/visual/tracking/; CC BY 4.0, https://creativecommons.org/licenses/by/4.0/)

Editor’s note: This piece is adapted from a longer article available at DataMatters.Sidley.com.

In its July 16 opinion in Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems, et al., the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU “Privacy Shield” framework, which authorized the transfer of personal data from the European Economic Area (EEA) to the U.S. The CJEU also imposed onerous new obligations on the use of “standard contractual clauses” (SCCs) as an alternative mechanism for such transfers. Key to the court’s judgment were concerns that national security surveillance conducted by the U.S. under two particular authorities—Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333—could take place without according European data subjects the privacy rights guaranteed in principle in the EU. In a nutshell, the CJEU appeared to believe these surveillance authorities involved possible bulk collection with insufficient predication and overly broad targeting criteria, and did not provide sufficient individual redress rights.

Yet the CJEU’s articulated concerns are inapplicable to the overwhelming bulk of data transfers to the U.S. under SCCs—and nearly all U.S. companies should have no difficulty showing, as the CJEU requires, that the U.S. surveillance authorities at issue will not interfere with their ability to comply with SCCs. The reason why is simple. Surveillance under Section 702 and Executive Order 12333 may not target communications of U.S. persons—including American companies—or persons reasonably believed to be in the U.S. Data transfers pursuant to SCCs from an American company in Europe to its American headquarters in the U.S. are exactly the types of communications that may not be targeted under those authorities.

Neither the U.S. nor the EU has previously taken this view. If the plain text of Section 702 and EO 12333 is so clear, how is it that neither party adopted this interpretation—and that this dramatically consequential reading would mirabile dictu only now surface to help save the future of SCCs? The answer is likely that transfers of corporate EU data to the U.S. have previously been viewed as characteristically EU data, rather than as U.S. person data being communicated by one U.S. person (the data-exporting American company) to another U.S. person (the data-importing American company) located in the U.S. Such communications simply cannot be targeted under the authorities called into question by the CJEU.

Might this same theory apply to foreign companies transferring data pursuant to SCCs to persons located in the U.S.? The answer is probably yes: so long as there is a U.S. person or person located in the U.S. on the receiving side of the SCC transfer, the same prohibitions on targeting should apply. Where American companies (U.S. persons) are on both sides of the SCC transfer, rather than just on the receiving end, the privacy protection against U.S. government surveillance would be at its zenith. EU data protection authorities would undoubtedly find this to be an ironic twist—the more American, the more private.

The EU’s General Data Protection Regulation prohibits transfers of personal data outside the EEA to any country whose legal regime for data privacy has not yet been deemed “adequate” by the EU Commission, unless the data exporter implements certain approved mechanisms or invokes certain (relatively narrow) derogations—such as individual consent, “public interest,” necessity for contractual performance, and so on. The Privacy Shield was just such a mechanism, approved only for transfers to the U.S., while SCCs were approved for general use to authorize data transfers to any “non-adequate” country, including the U.S. SCCs can also potentially be used to transfer data to China or Venezuela, or to any other country whose privacy regime has not yet been deemed adequate by the EU, or whose privacy regime really is inadequate.

Over the course of litigation initiated by Austrian privacy activist Maximilian Schrems, the CJEU has essentially adjudicated the U.S. not to have an “adequate” legal framework for data privacy. The highest EU court perceives U.S. intelligence agencies to have the authority to collect excessive data to protect U.S. national security, and also ruled that such agencies suffer from perceived deficits of independent oversight and judicial redress rights and remedies—particularly for non-U.S. persons. While President Obama’s 2014 Presidential Policy Directive (PPD-28) directed U.S. intelligence agencies to respect the privacy rights of foreign citizens in conducting electronic surveillance, the CJEU dismissed this in Schrems II as a mere executive order. The text of PPD-28, however, is compelling with regard to protecting foreign privacy rights: “All persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information” and

“Departments and agencies shall apply the term ‘personal information’ in a manner that is consistent for U.S. persons and non-U.S. persons. Accordingly, for the purposes of this directive, the term ‘personal information’ shall cover the same types of information covered by ‘information concerning U.S. persons’ under section 2.3 of Executive Order 12333.”

And, as the Office of the Director of National Intelligence (ODNI) stated in its 2018 response to the Privacy and Civil Liberties Oversight Board (PCLOB) Report on PPD-28, the Obama directive is still fully in effect and implemented by intelligence community agencies:

“PPD-28 remains in full force and effect. As a formal presidential directive, it has the force of law within the Executive Branch, and compliance is mandatory. As described further below, the IC has systematically implemented the requirements of PPD-28 to ensure that U.S. signals intelligence (SIGINT) activities continue to include appropriate safeguards for the personal information of all individuals, regardless of the nationality of the individual to whom the information pertains or where that individual resides. IC elements have prepared and published the policies called for by PPD-28, and have been following those policies in conducting their activities.”

The CJEU’s analysis of relevant U.S. laws and facts in Schrems II was not terribly substantial. It does not address the fact that EU intelligence agencies and citizens benefit directly from U.S. intelligence sharing, nor that the surveillance laws and practices of EU member states do not necessarily compare favorably to those of the U.S. But however fallible its reasoning, the CJEU’s judgment is final. Accordingly, unless companies can satisfy the CJEU’s concerns, they will not be allowed to use SCCs to transfer the personal data of their customers, employees, business contacts and other individuals from Europe to the U.S.

In order to continue using SCCs to transfer personal data to the U.S., Schrems II obligates the U.S. entity to “certif[y] that it has no reason to believe that the legislation applicable to it prevents it from fulfilling its obligations under the [SCCs] … and undertakes to notify the data controller about any change in the national legislation applicable to it which is likely to have a substantial adverse effect on the warranties and obligations provided by the standard data protection clauses …” The only “national legislation” the CJEU calls into question for interference with fundamental rights guaranteed in the EU is “the interference arising from the surveillance programmes based on Section 702 of the FISA and on E.O. 12333.”

Based on the explicit concerns expressed by the CJEU, it seems that U.S. entities relying on SCCs will face dramatically fewer problems if they are not entities subject to Section 702—that is, they are not an “electronic communication service provider”—or if the data they wish to transfer to a person or entity in the U.S. pursuant to SCCs is not subject to lawful targeting under Section 702. Luckily, the overwhelming bulk of companies transferring data to the U.S. under SCCs are not electronic communications providers within the meaning of Section 702, and they do not transfer data that may be legally targeted for collection under Section 702. With this in mind, the CJEU’s concerns fall away for any U.S. entities that are not among the relatively small number of Section 702 “electronic communication service providers”—the discrete set of companies in the busine