Department of Commerce Issues White Paper on E.U.-U.S. Data Transfers Following Schrems II

Hodgson Russ LLP

The United States Department of Commerce issued recently a white paper addressing international data transfers pursuant to Standard Contractual Clauses (SCCs) following the Court of Justice of the European Union’s (CJEU) invalidation of the Privacy Shield this past July. See Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (Schrems II).

Recall that one of the reasons the CJEU found the Privacy Shield invalid was because U.S surveillance laws provide the government with access to personal data that is inconsistent with the privacy protections of the GDPR. This decision disrupted the transfer of personal data from the E.U. to the U.S. pursuant to the Privacy Shield and was a major blow to companies conducting such transfers.

The CJEU’s decision, however, left intact other mechanisms for international transfers—transfers pursuant to SCCs and Binding Corporate Rules. Before any such transfer can take place, however, the court said that an individualized analysis of the transfer must occur that considers the circumstances of the transfer together with any supplemental measures established by the transferring companies to ensure GDPR-like protections. In other words, the CJEU’s decision left companies relying on SCCs for international transfers of data responsible for determining whether such transfer will provide privacy protections that meet E.U. standards.

Importantly, the Department’s white paper addresses some of the issues with government access to data that the CJEU found problematic. For instance, the Department noted that, “[a]s a practical matter, for many companies the issues of national security data access that appear to have concerned the CJEU in Schrems II are unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” The white paper then discusses in depth Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act, two sources of U.S. law granting government access to data that concerned the CJEU, but that the Department says were not fully analyzed in the CJEU’s decision.

Overall, the Department’s white paper provides useful material to companies relying on SCCs. It discusses the relevant law and has a number of citations to source documents that provide additional relevant information. The guidance also suggests ways that companies can strengthen their SCCs to demonstrate that an individual assessment of privacy protections has occurred.

Prior to Schrems II, most of our clients relied on the Privacy Shield to establish compliance with the GDPR when transferring data from the E.U. to the U.S. We are now seeing more clients express an interest in using SCCs due to the confusion caused by the CJEU. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hodgson Russ LLP | Attorney Advertising

Written by:

Hodgson Russ LLP

Hodgson Russ LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.