Why Schrems II Might Not Be a Problem for EU-U.S. Data Transfers

Read the original article: Why Schrems II Might Not Be a Problem for EU-U.S. Data Transfers


Editor’s note: This piece is adapted from a longer article available at DataMatters.Sidley.com.

In its July 16, 2020 opinion in Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems, et al., the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU “Privacy Shield” framework, which authorized the transfer of personal data from the European Economic Area (EEA) to the U.S. The CJEU also imposed onerous new obligations on the use of “standard contractual clauses” (SCCs) as an alternative mechanism for such transfers. Key to the court’s judgment were concerns that national security surveillance conducted by the U.S. under two particular authorities, Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, could take place without according European data subjects the privacy rights guaranteed in principle in the EU.

In a nutshell, the CJEU appeared to believe these surveillance authorities involved possible bulk collection with insufficient predication and overly broad targeting criteria, and did not provide sufficient individual redress rights. Yet the CJEU’s articulated concerns are inapplicable to the overwhelming bulk of data transfers to the U.S. under SCCs—and nearly all U.S. companies should have no difficulty showing, as the CJEU requires, that U.S. surveillance authorities at issue will not interfere with their ability to comply with SCCs.

The reason is simple. Surveillance under Section 702 and Executive Order 12333 may not target the communications of U.S. persons, including American companies, or of persons reasonably believed to be in the U.S. Data transfers pursuant to SCCs between an American company’s European operations and its American headquarters in the U.S. are exactly the types of communications that may not be targeted under those authorities.

Neither the U.S. nor the EU has previously taken this view. If the plain text of Section 702 and EO 12333 is so clear, how is it that neither party adopted this interpretation—and that this dramatically consequential reading would mirabile dictu only now surface to help save the future of SCCs? The answer is likely that transfers of corporate EU data to the U.S. have previously been viewed as characteristically EU data, rather than as U.S. person data being communicated by one U.S. person (the data-exporting American company) to another U.S. person (the data-importing American company) located in the U.S. Such communications simply cannot be targeted under the authorities called into question by the CJEU.

Might this same theory apply to foreign companies transferring data pursuant to SCCs to persons located in the U.S.? The answer is, probably yes: so long as there is a U.S. person or person located in the U.S. who is on the receiving side of the SCC transfer, the same prohibitions on targeting should apply. Where American companies (U.S. persons) are on both sides of the SCC transfer, rather than just on the receiving end, the privacy protection against U.S. government surveillance would be at its zenith. EU data protection authorities would undoubtedly find this to be an ironic twist—the more American, the more private.

The EU’s General Data Protection Regulation prohibits transfers of personal data outside the EEA to any country whose legal regime for data privacy has not yet been deemed “adequate” by the EU Commission, unless the data exporter implements certain approved mechanisms or invokes certain (relatively narrow) derogations, such as individual consent, “public interest,” necessity for contractual performance, and so on. The Privacy Shield was just such a mechanism, approved only for transfers to the U.S., while SCCs were approved for general use to authorize data transfers to any “non-adequate” country, including the U.S. SCCs can also potentially be used to transfer data to China or Venezuela, or to any other country whose privacy regime has not yet been deemed adequate by the EU, or whose privacy regime really is inadequate.

Over the course of litigation initiated by Austrian privacy activist Maximilian Schrems, the CJEU has essentially adjudicated the U.S. not to have an “adequate” legal framework for data privacy. The highest EU court perceives U.S. intelligence agencies as authorized to collect excessive data in the name of U.S. national security, and it also found that those agencies lack sufficient independent oversight and that affected individuals, particularly non-U.S. persons, lack adequate judicial redress rights and remedies.

While President Obama’s 2014 Presidential Policy Directive 28 (PPD-28) directed U.S. intelligence agencies to respect the privacy rights of foreign citizens in conducting electronic surveillance, the CJEU dismissed this in Schrems II as a mere executive order. The text of PPD-28, however, is compelling with regard to protecting foreign privacy rights: “All persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information” and

Departments and agencies shall apply the term “personal information” in a manner that is consistent for U.S. persons and non-U.S. persons. Accordingly, for the purposes of this directive, the term “personal information” shall cover the same types of information covered by “information concerning U.S. persons” under section 2.3 of Executive Order 12333.

And, as the Office of the Director of National Intelligence (ODNI) stated in its 2018 response to the Privacy and Civil Liberties Oversight Board (PCLOB) Report on PPD-28, the Obama directive is still fully in effect and implemented by intelligence community agencies:

PPD-28 remains in full force and effect. As a formal presidential directive, it has the force of law within the Executive Branch, and compliance is mandatory. As described further below, the IC has systematically implemented the requirements of PPD-28 to ensure that U.S. signals intelligence (SIGINT) activities continue to include appropriate safeguards for the personal information of all individuals, regardless of the nationality of the individual to whom the information pertains or where that individual resides. IC elements have prepared and published the policies called for by PPD-28, and have been following those policies in conducting their activities.

The CJEU’s analysis of the relevant U.S. laws and facts in Schrems II was not terribly substantial. It does not address the fact that EU intelligence agencies and citizens benefit directly from U.S. intelligence sharing, nor that the surveillance laws and practices of EU member states do not necessarily compare favorably to those of the U.S. But however fallible its reasoning, the CJEU’s judgment is final. Accordingly, unless companies can satisfy the CJEU’s concerns, they will not be allowed to use SCCs to transfer personal data of their customers, employees, business contacts and other individuals from Europe to the U.S.

In order to continue using SCCs to transfer personal data to the U.S., Schrems II obligates the U.S. entity to “certif[y] that it has no reason to believe that the legislation applicable to it prevents it from fulfilling its obligations under the [SCCs] … and under

[…]
