In our recent article entitled “Privacy Shield Invalidated – The Battle For Adequate Data Protection Between The US and EU Continues”, we discussed the decision by the Court of Justice for the European Union (ECJ) to invalidate the EU-US Privacy Shield for a second time – known as Schrems II. The ECJ found that the Privacy Shield, which protects the data of EU citizens, did not provide sufficient protection against the ability of US public authorities to access that data after it has been transferred to the servers of companies based in the US. However, the decision upheld the validity of standard contractual clauses (SCCs) as an effective means of ensuring such protection, but only on a case-by-case basis.
In response, the US government released a paper last week entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.” The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protection afforded by the SCCs is respected and observed in the recipient country.
However, when the Safe Harbour was initially struck down in the ECJ ruling, there was a grace period for companies to review arrangements; this time there is no such grace period, and immediate action from companies is required. The response by the US government outlines the robust limits and safeguards in the United States pertaining to government access to data as part of an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.
The paper emphasizes that:
- companies can transfer personal data from the EU to the United States in full compliance with EU law.
- there is an “urgent need for clarity from European authorities or the onerous compliance burdens” generated by the Schrems II
- the “$7.1 trillion transatlantic economic relationship” justifies exploring all options at the US government’s disposal, and the US government “remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.”
- most US companies do not deal with data that is of interest to US intelligence agencies and therefore do not engage in data transfers that present the type of privacy risks that appear to have concerned the ECJ in Schrems II.
- the Schrems II decision’s reliance on the perceived lack of judicial redress is misplaced; US law does “authorize individuals of any nationality (including EU citizens) to seek redress in US courts through civil lawsuits.”
- there is a “theoretical possibility” that a US intelligence agency could access EU data, but this is “no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data.”
The paper goes on to state that companies transferring data from the EU that have received orders requiring data disclosure to US intelligence agencies may consider the applicability of the “public interest” derogation in Article 49 of the GDPR as a basis for those transfers.
In support of this position, the paper describes the frequent sharing of intelligence information between the US government and EU member states to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity, which undoubtedly serves EU public interests.
The remainder of the paper focuses on relevant US law and practice in light of the Schrems II ruling that reliance on SCCs requires companies to independently assess whether US law ensures adequate data protection under EU law, including by providing additional safeguards where necessary.
This will remain a hot-button issue for a long time to come with no immediate solution in sight.