On September 28, 2020, the U.S. Department of Commerce (DoC) published a white paper co-authored by the U.S. Department of Justice (DoJ) and the Office of the Director of National Intelligence (white paper)[1] which provides information on the safeguards under U.S. law to limit the collection of data from private companies by U.S. intelligence services. The white paper addresses concerns raised by the EU Court of Justice (ECJ) when it invalidated the EU-U.S. Privacy Shield framework (Privacy Shield) and imposed certain conditions on the use of Standard Contractual Clauses (SCCs).
According to the Department of Commerce, companies may use the guidance in the white paper to support arguments that SCCs provide a valid legal basis for importing personal information into the U.S. However, the white paper is not intended to interpret EU law or guide companies on what position to take before European courts or regulators.
Background
On July 16, the ECJ delivered its landmark judgment in the Schrems 2.0 case[2] invalidating the Privacy Shield. The ECJ cited lack of safeguards to prevent potential broad disclosure of data to the U.S. intelligence services and public authorities as its principal basis for invalidating the Privacy Shield. The ECJ, however, expressly upheld the validity of SCCs under the condition that companies verify that the parties involved in the transfer can effectively provide the level of protection required by EU law. To verify the level of protection for a specific transfer, companies must assess the safeguards offered by the data importer as well as the level of protection granted under the laws and practices of the host country’s government. For transfers to the U.S. this would involve assessing the U.S. legal framework, including access by intelligence services to data stored in the U.S. or in transit into the U.S. The white paper addresses this issue by detailing the safeguards in place under U.S. law to limit the collection of data by the U.S. intelligence services.
U.S. Collection of Data Is Limited and Is Shared with EU Authorities
The white paper emphasizes that U.S. law governing the practice of U.S. intelligence services is relevant to only a small subset of companies which process personal information. The white paper notes that the vast majority of companies operating in the U.S. have never been asked to disclose information to the U.S. government for intelligence purposes, and that the data they transfer is ordinary commercial information such as employee, customer, or sales data that would not be of interest to U.S. intelligence.
In addition, the white paper states that the information disclosed by companies to the U.S. intelligence services may also serve EU public interests. The U.S. frequently shares intelligence information with authorities in the EU, where it is used for security and intelligence purposes.
Safeguards for Collection of Data by U.S. Government
The white paper describes a number of safeguards to limit the collection of data by the U.S. intelligence services. The safeguards are subject to continuous development and have been strengthened since the adoption of the Privacy Shield decision in 2016. The white paper includes the following safeguards:
- Review of Targeting Assessments. The white paper indicates that any decision to collect information about an individual under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) needs to be documented in a “Targeting Assessment” which identifies the reasons justifying the collection. The Targeting Assessments are subject to review by independent attorneys at the DoJ. If these attorneys identify any violation of applicable law, they must report these violations to the Foreign Intelligence Surveillance Court (FISC).
- Individual Redress. According to the white paper, U.S. law allows EU citizens to seek redress before U.S. courts if they have been unlawfully targeted by the U.S. intelligence services. EU citizens may file civil lawsuits allowed under several U.S. statutes[3] to obtain redress.
- Termination of “About” Collection. In the past, the U.S. government was able to collect not only communications to and from the specific target, but also any communication “about” that target sent by other parties. In 2017, the FISC indicated that collection under FISA 702 should be limited to communications to and from the specific target, which narrows the scope of collection available to the U.S. government under FISA 702.
Further, the white paper emphasizes that there are numerous legal safeguards that the ECJ did not consider in Schrems 2.0. For example, the ECJ did not assess the FISC’s ability to review targeting assessments following a referral from the DoJ or the bases for individual redress mentioned in the white paper. The DoC considers that companies transferring data to the U.S. using SCCs may include these safeguards in their assessment.
Next Steps
The white paper provides a new perspective on Schrems 2.0 that may be helpful for companies transferring personal data to the U.S. However, it remains to be seen whether EU regulators will give any credence to the white paper's arguments. The European Data Protection Board (EDPB) is expected to offer additional guidance regarding how companies should complete their assessments supporting use of the SCCs and what supplemental measures should be considered. Such guidance may clarify the extent to which the information provided by the U.S. government in the white paper may be relied upon in companies’ assessments prior to the use of SCCs.
[1] The white paper is available at https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF.
[2] For the full analysis of the Schrems 2.0 judgment, please see the Wilson Sonsini alert: “ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses”.
[3] The white paper cites, in particular, Section 1810 of the Foreign Intelligence Surveillance Act, Section 2712 of the Electronic Communications Privacy Act, and Section 702 of the Administrative Procedure Act.