U.S. Outlines Privacy Safeguards for Post-Schrems II Data Transfers

September 28, 2020 | Alerts

The U.S. government has published a whitepaper that outlines the robust limits and safeguards in the United States pertaining to government access to data in an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the European Court of Justice's (ECJ) Schrems II ruling.

Key Takeaways

  • Particularly in view of the extensive U.S. surveillance reforms since 2013 ... the U.S. legal framework for foreign intelligence collection provides clearer limits, stronger safeguards and more rigorous independent oversight than the equivalent laws of almost all other countries.
  • To address the challenges posed by the Schrems II ruling, the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.

Most Companies Are Not Engaged in Worrisome Schrems II Transfers

Most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the ECJ in Schrems II.

  • U.S. government commitments and public policies restrict intelligence collection to what is required for foreign intelligence purposes and expressly prohibit the collection of information for the purpose of obtaining a commercial advantage.
  • Companies whose EU operations involve ordinary commercial products or services, and whose EU-U.S. transfers of personal data involve ordinary commercial information like employee, customer or sales records, would have no basis to believe U.S. intelligence agencies would seek to collect that data.
  • The overwhelming majority of companies have never received orders to disclose data under Foreign Intelligence Surveillance Act (FISA) 702 and have never otherwise provided personal data to U.S. intelligence agencies.

Companies Should Consider Post-2016 Developments in US Law Concerning Government Access

There is a wealth of public information about privacy protections in U.S. law concerning government access to data for national security purposes, including information not recorded in Decision 2016/1250, new developments that have occurred since 2016 and information the ECJ neither considered nor addressed. Companies may wish to take this information into account in any assessment of U.S. law post-Schrems II.

  • Schrems II was not a ruling on whether privacy protections in U.S. law per se, as of either 2016 or 2020, are consistent with EU law. The ECJ ruled only on the validity of Decision 2016/1250, and the ECJ’s assessment of U.S. law accordingly relied primarily on the limited findings about U.S. law recorded by the Commission in 2016 in Decision 2016/1250. By contrast, companies using Standard Contractual Clauses (SCCs) today to transfer data to the United States may consider all currently available information about U.S. law, including:
    • Information not recorded in Decision 2016/1250
    • New developments that have occurred since 2016

FISC Supervision

  • The Foreign Intelligence Surveillance Court (FISC) is actively involved in supervising whether individuals are properly targeted under FISA 702. It reviews the reasons for targeting specific people and the basis for the assessment that the surveillance will procure the requisite information (which the government is required to keep).
  • The FISC can and does enforce compliance with FISA 702 targeting requirements, including by imposing remedial action. Moreover, the FISC has made clear that its review of FISA 702 targeting procedures is not confined to the procedures as written, but also includes how the government implements those procedures.
  • The rigor and effectiveness of the FISC’s supervision of whether individuals are properly targeted is demonstrated in:
    • Decisions, orders, and memorandum opinions of the FISC discussing its supervisory role over the propriety of individual targeting under FISA 702
    • Semi-annual joint assessments that the Department of Justice and the Office of the Director of National Intelligence (ODNI) provide to the FISC.

Individual Redress for Violations of FISA 702

Several U.S. statutes authorize individuals of any nationality (including EU citizens) to seek redress in U.S. courts through civil lawsuits for violations of FISA, including violations of Section 702.

  • The FISA statute itself empowers a person who has been subject to FISA surveillance, and whose communications are used or disclosed unlawfully, to seek compensatory damages, punitive damages and attorneys' fees against the individual who committed the violation.
  • The Electronic Communications Privacy Act provides a separate cause of action for compensatory damages and attorneys' fees against the government for willful violations of various FISA provisions.
  • Individuals may also challenge unlawful government access to personal data, including under FISA, and seek an order enjoining such access, through civil actions under the Administrative Procedure Act (APA).

Numerous additional privacy safeguards have been added to FISA 702 since Decision 2016/1250 was issued in July 2016. These include:

  • April 26, 2017: The FISC issued an order terminating the legal authority to conduct acquisition of so-called “about” collection under FISA 702 and limiting collection only to communications to or from a tasked selector, NOT communications that merely contained the selector in the text of the communication.
  • In early 2018, the U.S. Congress passed, and the president signed into law, additional privacy protections and safeguards relating to FISA 702 through amendments to FISA and other statutes. These amendments included:
    1. Requiring that with each annual FISA 702 certification, the government must submit and the FISC must approve querying procedures, in addition to targeting procedures and minimization procedures
    2. Requiring additional steps including notification to Congress before the government may resume acquisition of “about” collection under FISA 702
    3. Amending the enabling statute for the Privacy and Civil Liberties Oversight Board (PCLOB) to allow it to better exercise its advisory and oversight functions
    4. Adding the FBI and NSA to the list of agencies required to maintain their own privacy and civil liberties officers, instead of being subject only to their parent department-level officers, to advise their agencies on privacy issues and ensure there are adequate procedures to receive, investigate and redress complaints from individuals who allege that the agency violated their privacy or civil liberties
    5. Extending whistleblower protections to contract employees at intelligence agencies
    6. Imposing several additional disclosure and reporting requirements on the government, including to provide annual good faith estimates of the number of FISA 702 targets

Executive Order 12333

As companies relying on SCCs make determinations about privacy protections in U.S. law, it is unclear how they would consider any U.S. national security data access other than targeted government requirements for disclosure such as under FISA 702. This is because under EO 12333, there can be no “requirement” for a company to disclose any data to the U.S. government. And the government certainly may not legally require U.S. companies to disclose data transferred under SCCs “in bulk,” which was the aspect of EO 12333 collection about which the ECJ expressed concern in Schrems II. Bulk data collection is permitted only in other contexts, such as clandestine intelligence activities involving overseas access to data — activities in which companies cannot legally be compelled to participate.

Regarding the possibility of the U.S. government unilaterally obtaining access overseas under EO 12333 to data being transferred from the EU, it is unclear how companies using SCCs could assess whether U.S. privacy protections relating to such hypothetical access meet EU legal standards.

  • During transfer from the EU to the United States, data is potentially subject to unilateral access by many actors, including the intelligence agencies of many countries, the EU included. Were the lawfulness of data transfers outside the EU to depend on an assessment of intelligence agencies’ clandestine access to data outside a given destination country while in transit, no data transfers could be found lawful under EU standards because intelligence agencies worldwide potentially could access the data as it travels over global networks.
  • There is no discernable comparator in EU law. The ECJ has never ruled on the lawfulness of a member state’s overseas access to data for intelligence purposes, and it may not have jurisdiction to do so given restrictions in the EU treaties.

There are privacy safeguards applicable to EO 12333 surveillance in current U.S. law and practices left unaddressed by the ECJ in Schrems II that equal or exceed protections afforded in the EU.

  • Presidential Policy Directive 28 (PPD 28) is a presidential directive in effect since 2014 that sets binding requirements for signals intelligence activities that afford fundamental privacy safeguards for all people, regardless of nationality or location. For example, NSA’s PPD 28 procedures highlight privacy concerns raised by the potential acquisition of foreign nationals’ personal data, and require the use of selectors. Separately, the CIA's guidelines issued in 2017 — and thus after the Commission issued Decision 2016/1250 — require senior approvals and documentation of privacy protections for any bulk data collection.
  • The National Intelligence Priorities Framework (NIPF) sets out separate, objective criteria to ensure that targeting and collection, including bulk signals intelligence under EO 12333, are responsive to specific national intelligence priorities.

These and other restrictions on acquisition of personal data (including the data of EU citizens) under EO 12333 are mandatory requirements for the intelligence agencies and enforced in practice through oversight mechanisms, including investigations undertaken by the Inspector General at each intelligence agency.


Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with cross-border data transfer issues, contact Odia at [email protected] or 215.444.7313.