The Matrix

In the Wake of Schrems II: US Government’s White Paper Aims to Assist Confused Companies, Push Back on “Wild West” Privacy Characterization

In response to the Court of Justice of the European Union’s (CJEU) recent Schrems II decision that, among other things, invalidated the Privacy Shield Framework (previously covered in The Matrix), various agencies of the US Government co-published a White Paper providing background on US intelligence agencies’ data collection activities and limitations thereon. Although the White Paper is intended to “assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the [CJEU’s] ruling,” the agencies stressed that it “is not intended to provide companies with guidance on EU law or what positions to take before EU regulators or courts.”

Background

The Schrems II decision was largely motivated by US intelligence agencies’ ability to collect information on EU data subjects without meaningful recourse, including through FISA 702 (the statute that permits the Director of National Intelligence to authorize targeting of non-US persons reasonably believed to be outside the US) and Executive Order 12333 (EO12333, President Reagan’s executive order to direct federal agencies to cooperate with CIA information requests).

In addition to invalidating the Privacy Shield Framework, the decision requires companies using other approved data transfer mechanisms (such as standard contractual clauses) to engage in their own analysis of foreign legal protections to determine whether they meet EU standards. According to the US Department of Commerce, this decision “created enormous uncertainty about the ability of companies to transfer personal data from the EU to the US in a manner consistent with EU law.” Unsurprisingly, many companies lack the knowledge, visibility, or resources to perform the necessary analysis.

The White Paper

To aid companies tasked with making such determinations regarding the adequacy of data privacy protections in the US, the White Paper outlines certain data processing activities of US intelligence agencies and how they would (or more notably would not) implicate many companies’ operations. One key assertion in the White Paper is that “[m]ost US companies do not deal in data that is of any interest to US intelligence agencies, and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the [CJEU] in Schrems II.” In other words, despite US intelligence agencies’ ability to get data in certain situations, they do not necessarily want it. With respect to FISA 702, the White Paper details various protections and protocols in place to ensure individuals are properly targeted. The White Paper then goes on to discuss EO12333’s similar protections and limitations in response to the concerns raised by the CJEU in Schrems II.

The White Paper concludes that notwithstanding the CJEU’s concerns in Schrems II, there are “numerous … privacy safeguards in this area of US law . . . that ensure that US intelligence agencies’ access to data is based on clear and accessible legal rules, proportionate access to data for legitimate purposes, supervision of compliance with those rules through independent and multi-layered oversight, and effective remedies for violations of rights.” The full White Paper, along with an introductory note by James M. Sullivan, Deputy Assistant Secretary for Services, U.S. Department of Commerce, can be accessed here.