1. Schrems II requires parties relying on the SCCs to implement additional measures ensuring that transferred personal data is adequately protected.
The Schrems II decision did not affirmatively invalidate the SCCs, but also made clear that the SCCs alone, without additional measures, often do not sufficiently protect transferred personal data. The Court of Justice of the European Union (“CJEU”) noted that “depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller” may be necessary “in order to ensure compliance with” the level of protection required under the laws of the European Union (“E.U.”). The decision notes that the GDPR “states that ‘the possibility for the controller… to use standard data-protection clauses adopted by the Commission… should [not] prevent [it]… from adding other clauses or additional safeguards’ and states, in particular, that the controller ‘should be encouraged to provide additional safeguards… that supplement’” the SCCs.
With respect to personal data transferred to the United States, the CJEU found that data subjects have no actionable rights against U.S. authorities with respect to certain surveillance programs, FISA 702 and Executive Order 12333, such that data subjects lack enforceable rights and judicial redress under U.S. law.
Given that public authorities engage in lawful surveillance under E.U. law, additional safeguards implemented to match the level of protection required by E.U. law should not require eliminating the possibility that transferred personal data might be subject to collection by U.S. intelligence or law enforcement agencies. After all, Section 5(d)(i) of the SCCs affirmatively permits sharing personal data pursuant to law enforcement requests.
No specific additional safeguards are required for any particular transfer, as the CJEU clarified that parties must identify additional safeguards on a case-by-case basis. Given that uncertainty, to address the CJEU’s concerns regarding data subjects’ lack of enforceable rights and judicial redress, parties should consider implementing supplemental measures such as those listed below to establish arguments that transferred personal data remains adequately protected:
- enhanced notice requirements under which the data importer must notify the data exporter, and the data subject to the extent practical and permitted by law, of law enforcement or surveillance requests;
- contractual commitments to challenge law enforcement or surveillance requests and disclose only the minimum amount of personal data required by law;
- publishing transparency reports describing FISA requests to the extent permitted by federal law (i.e., delaying reporting by 6 months from the request date and reporting in bands of 500); and
- enhanced encryption requirements.
2. European Regulatory Guidance
Many European Data Protection Authorities (“DPAs”), such as those in France and Spain, have acknowledged the Schrems II decision, but offered little substantive guidance regarding what parties should do to protect transferred personal data. Other DPAs, such as Norway’s DPA, have suggested that organizations should stop transferring personal data until DPAs can identify adequate safeguards. The Berlin DPA has taken an even more extreme view in that it has interpreted the Schrems II ruling to mean that no data may be transferred to the U.S., even using SCCs that include additional safeguards. Similarly, proceedings in Ireland could lead to a prohibition on data transfers from Ireland to the U.S.
In September 2020, the DPA of Baden-Württemberg, Germany proposed edits to the SCCs that increase data exporter obligations with respect to law enforcement requests for personal data. The draft included revised SCCs that require the data importer to inform both the data exporter and the data subject (if feasible) of a request. Moreover, the draft rules would require data importers to take legal action against responding to surveillance requests, but the draft SCCs would allow data importers to disclose personal data pursuant to a legally binding order. Therefore, although those draft rules set forth some of the most restrictive proposed safeguards following Schrems II, the proposal does not create an affirmative requirement to obtain data exporter consent for personal data disclosures to law enforcement.
3. The U.S. Department of Commerce
On September 28, the Department of Commerce released a white paper outlining privacy safeguards regulating and establishing oversight of U.S. intelligence agencies’ use of personal data. The white paper does not bear directly on whether law enforcement agencies will treat personal data differently if the personal data has been transferred from the E.U. to the U.S. However, the white paper emphasizes that U.S. intelligence agencies share personal information with E.U. Member States, including information relating to foreign operatives, suggesting that the agencies remain committed to collecting the personal data of E.U. citizens, even after the Schrems II decision.
The white paper also states that companies transferring personal data to the E.U. under the SCCs may argue that U.S. law, at least in 2020, satisfies many of the CJEU’s concerns. The Schrems II court evaluated an E.U. Commission decision from 2016 that described U.S. law as in force at that time, instead of evaluating current U.S. law. The white paper therefore points out that the Schrems II court did not consider several privacy safeguards currently in place with respect to FISA 702 requests and U.S. government access to personal data under Executive Order 12333.
As such, the white paper suggests that companies may argue that transferring personal data from the E.U. to the U.S. under the SCCs may be permissible following Schrems II. Since that decision did not consider many U.S. privacy safeguards, data transfer to the U.S. under the SCCs should not require as many additional safeguards to ensure adequate protections as the CJEU may suggest.
Although the white paper may not be a sea change for E.U. regulators’ understanding of data transfer, the white paper cuts against regulators’ potential argument that transfers under the SCCs are impermissible without significant additional protective measures.
We note, in conclusion, that the law of personal data transfer after Schrems II remains fluid and many European regulators have not issued substantive or final guidance (including the European Data Protection Board (“EDPB”)). Given that lack of guidance requiring any specific compliance solutions, companies should be cautious about implementing any specific additional protection safeguards that create significant legal or operational burdens.