The U.S. Department of Commerce (DOC), Department of Justice (DOJ), and the Office of the Director of National Intelligence (ODNI) jointly issued a White Paper containing information about privacy protections under U.S. law for national security access, with a particular focus on the issues raised by the Court of Justice of the European Union (CJEU) in its Schrems II decision.
The White Paper focuses on practical applications of the legal authorities the CJEU examined in Schrems II and discounts mere “theoretical possibilities” that are unlikely to occur. The White Paper also points to various measures relevant to proportionate data collection and individual redress that the CJEU did not take into account and that companies can include in their Schrems II data transfer assessments. The U.S. Government also cites to various materials the CJEU did not consider, much of which can be found at IC on the Record. In particular, the White Paper notes:
- For many companies, the issue of national security access to the personal data they process under the legal authorities examined in Schrems II is unlikely to arise because the data would not be of interest to national security agencies. As the White Paper states, “the overwhelming majority of companies have never received orders to disclose data under [the Foreign Intelligence Surveillance Act] section 702” and companies handling “ordinary commercial information like employee, customer, or sales records, would have no basis to believe U.S. intelligence agencies would seek to collect that data.”
- “The theoretical possibility that a U.S. intelligence agency could unilaterally access data being transferred from the EU without the company’s knowledge is no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data.” The White Paper also notes that such access to data could occur anywhere in the world, not just in the U.S.
- GDPR Article 49.1(d)’s “public interest” derogation should be a lawful basis for cross-border transfers for those companies that do disclose information under FISA section 702. To this point, the U.S. Government frequently shares intelligence information, including that collected under FISA section 702, with EU member states to help counter myriad types of significant threats, including in many cases threats and plots in foreign countries. The White Paper provides examples of threats to EU citizens and residents that have been averted as a result of this information sharing. The White Paper notes that “[t]he European Data Protection Board (EDPB) has recognized in this context that sharing data ‘in the spirit of reciprocity for international cooperation’ qualifies as an ‘important public interest’ under Article 49.”
- The CJEU did not take into account the active role the Foreign Intelligence Surveillance Court (FISC) takes in supervising and enforcing compliance with targeting procedures, including:
- Requiring NSA analysts to create a record of their targeting assessments and targeting rationale;
- Having DOJ independent intelligence oversight attorneys review such targeting assessments and rationales as well as the “selectors” used in a given directive (with such selectors having to be sufficiently targeted and not generic) and report noncompliance bask to the FISC;
- Imposing remedial action including modification of programs and termination of the government’s authority to engage in data collection; and
- Receiving semi-annual joint DOJ-ODNI assessments of whether individuals, including foreign nationals, are properly targeted.
- There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the CJEU, including FISA provisions allowing private actions for compensatory and punitive damages, and attorney’s fees against individuals who commit violations, 50 U.S.C. § 1810, separate private right of action provisions under the Electronic Communications Privacy Act (ECPA) for FISA violations, 18 U.S.C. § 2712, and private actions to challenge government access to personal data under the Administrative Procedures Act, 5 U.S.C. § 702.
- Additional privacy safeguards have been added to FISA section 702 since the EU Commission’s Privacy Shield adequacy determination in 2016, including the FISC’s order terminating “abouts” collection (collections not just to or from a specific selector, but of communications with the selector in the text of the communication) and 2018 FISA amendments that added: querying procedures (in addition to targeting and minimization procedures), provisions improving oversight by the Privacy and Civil Liberties Oversight Board, privacy and civil liberties officer requirements to additional relevant agencies, expanded whistleblower protections to contractors, transparency requirements including provisions for disclosing the number of section 702 targets, and requirements to notify Congress before “abouts” collections could be used.
- FISA Section 702 provides “essential equivalence” to the laws of the EU since “the FISC’s role in authorizing and supervising FISA section 702 targeting decisions compares favorably with intelligence programs in the EU” which are the responsibility of EU member states and whose similar or more expansive programs have been upheld by the European Court of Human Rights.
- Executive Order 12333 is not a legal authority requiring a company or person to disclose data; FISA section 702 and other statutory authorities serve that purpose.
- Companies are not in a position to assess hypothetical access under EO 12333 to data transmitted over underseas cables, and in fact, any country, including EU member states may be collecting such data outside of its borders; such collection has never been considered by the European Court of Human Rights, which has focused only on domestic intelligence collection.
- There are privacy safeguards for data collected under EO 12333, including Presidential Policy Directive 28 (PPD-28) which limits collection to specific purposes and allows retention or dissemination of personal information only where the handling of comparable information concerning U.S. persons would be permitted, agency procedures under PPD-28 that contain requirements relating to the use of selectors for EO 12333 collections, and the National Intelligence Priorities Framework which creates processes to ensure that targeting and collection are responsible to specific national intelligence priorities, including through a National Signals Intelligence Committee.
The U.S. Government made clear that the White Paper is not intended as guidance for companies about EU law or the positions they should take with EU regulators and courts. Nonetheless, the White Paper provides an array of information that companies relying on Standard Contractual Clauses or Binding Corporate Rules for EU-U.S. transfers of personal data can consider in their internal assessments of whether the transfers are affording EU individuals adequate protections consistent with EU law.