The recent decision by the Court of Justice of the European Union (CJEU) in Schrems II has created uncertainty around the transfer of personal data to the United States in compliance with EU law. In addition to invalidating the European Commission’s 2016 adequacy decision for the EU-U.S. Privacy Shield Framework, Schrems II requires companies that use EU-approved data transfer mechanisms, such as Standard Contractual Clauses (SCCs), to now verify on a case-by-case basis whether foreign legal protections concerning government access to personal data meet EU standards.
Now, both U.S. and EU regulators are attempting to provide clarity, guidance, and oversight to businesses relying on these mechanisms post-Schrems II. Recently, the U.S. Department of Commerce, jointly with the U.S. Department of Justice and U.S. Office of the Director of National Intelligence, issued a white paper designed to help businesses conduct independent analyses of personal data transfers in light of Schrems II. The white paper outlines privacy safeguards relating to U.S. government access to personal data, and advances arguments that U.S. law ensures adequate protection for such imported personal data.
Specifically, the U.S. government advances three central positions that companies may explore and evaluate to bolster the underlying justification for their international transfer of personal data:
- Industry-Specific Implications: First, according to the white paper, “most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies[,]” and thus, most personal data imported to the U.S. implicates no concerns raised in the Schrems II decision.
- Sharing of Intelligence Information in the Public Interest: Second, the U.S. government asserts that it “frequently shares intelligence information with EU member states, including [personal] data disclosed by companies in response to FISA 702 orders.” As a result, the transfer of personal data may be a legitimate Article 49 derogation in the public’s interest under the EU’s General Data Protection Regulation. To bolster this argument, the white paper outlines several de-classified examples of information that the U.S. government has previously shared with foreign governmental intelligence agencies that was directly beneficial to EU member states.
- Limited Review of U.S. Surveillance Law: Finally, the U.S. government points out that the Schrems II decision was not a sweeping review of whether U.S. privacy protections are sufficient or consistent with EU law. Rather, Schrems II contained an assessment of a limited set of U.S. surveillance laws, and the CJEU did not consider other U.S. laws that afford protections that are equal to or exceed those protections afforded by EU member states. As such, companies wishing to take advantage of SCCs should consider post-2016 changes to U.S. law as well as laws outside of the U.S. surveillance legal framework that the CJEU did not consider.
For companies seeking to justify their international transfers of personal data, the government has offered a boon that can, if utilized properly, ensure such transfers are compliant with EU law. Essentially, it assembles the components of a justifiable basis that many companies are actively developing or exploring. In principle, the white paper provides the U.S. government’s views of how the various safeguards and remedies built into the U.S. surveillance framework establish that it provides protections “essentially equivalent” to those available in the EU, and, therefore, provide the basis even under Schrems II for companies to rely on SCCs to support continued transfers of personal data.
In addition, in early September 2020, the European Data Protection Board (EDPB) created two task forces responsible for developing guidelines and overseeing complaints related to the international transfer of personal data post-Schrems II.
One task force will prepare recommendations designed to assist controllers and processors with understanding and complying with their responsibilities under Schrems II. These recommendations are expected to address the duty to implement measures and additional safeguards that ensure adequate protection for personal data transferred to third countries, including the U.S. Companies have been eagerly awaiting guidance from the EDPB since it adopted the FAQ on July 23, 2020, which provided initial clarification on the use of legal instruments for the transfer of personal data to third countries.
The second task force will address complaints filed against controllers for failing to comply with Schrems II requirements. This task force will be responsible for processing, evaluating, and responding to complaints. The EDPB noted that over 100 complaints have been received by data protection authorities in several EU member states since Schrems II. These complaints were filed by None of Your Business, a special interest NGO led by Maximilian Schrems, alleging that certain controllers are transferring personal data about EU data subjects to the U.S. unlawfully and without adequate protection.
The EDPB has not given any indication as to the timeframe in which either task force will publish its recommendations. However, Andrea Jelinek, the EDPB’s chair, cautioned that there would be no “one-size-fits-all, quick fix solution” to the implications raised in the Schrems II ruling. She did, however, emphasize that “[e]ach organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.”
Companies seeking to legitimize data import from the EU into the U.S. should consider the information provided in the white paper and are likewise advised to keep an eye on the EDPB task forces for evolving guidance. At the same time, practically, companies should (if they have not already) commence the process of identifying their EEA-to-U.S. transfers of personal data, the current legal basis relied upon, and any further justification or basis required as a result of Schrems II. This follows the guidance of the EDPB to “evaluate its own data processing operations and transfers and take appropriate measures.”
Baker Botts plans to host a webinar to discuss the implications of the Schrems II decision. Additional details will be forthcoming. For more information in the meantime, please contact the Baker Botts Privacy and Data Security team.