The United States Department of Commerce issued recently a white paper addressing international data transfers pursuant to Standard Contractual Clauses (SCCs) following the Court of Justice of the European Union’s (CJEU) invalidation of the Privacy Shield this past July. See Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (Schrems II).
Recall that one of the reasons the CJEU found the Privacy Shield invalid was because U.S surveillance laws provide the government with access to personal data that is inconsistent with the privacy protections of the GDPR. This decision disrupted the transfer of personal data from the E.U. to the U.S. pursuant to the Privacy Shield and was a major blow to companies conducting such transfers.
The CJEU’s decision, however, left intact other mechanisms for international transfers—transfers pursuant to SCCs and Binding Corporate Rules. Before any such transfer can take place, however, the court said that an individualized analysis of the transfer must occur that considers the circumstances of the transfer together with any supplemental measures established by the transferring companies to ensure GDPR-like protections. In other words, the CJEU’s decision left companies relying on SCCs for international transfers of data responsible for determining whether such transfer will provide privacy protections that meet E.U. standards.
Importantly, the Department’s white paper addresses some of the issues with government access to data that the CJEU found problematic. For instance, the Department noted that, “[a]s a practical matter, for many companies the issues of national security data access that appear to have concerned the CJEU in Schrems II are unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” The white paper then discusses in depth Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act, two sources of U.S. law granting government access to data that concerned the CJEU, but that the Department says were not fully analyzed in the CJEU’s decision.
Overall, the Department’s white paper provides useful material to companies relying on SCCs. It discusses the relevant law and has a number of citations to source documents that provide additional relevant information. The guidance also suggests ways that companies can strengthen their SCCs to demonstrate that an individual assessment of privacy protections has occurred.
Prior to Schrems II, most of our clients relied on the Privacy Shield to establish compliance with the GDPR when transferring data from the E.U. to the U.S. We are now seeing more clients express an interest in using SCCs due to the confusion caused by the CJEU.