Privacy Post-Schrems II - Fourth of a Four-Part Series on Compliance with EU Privacy Laws Using Standard Contractual Clauses
October 20, 2020
In the first two installments in this blog series, we introduced standard contractual clauses (“SCCs”) and briefed the main U.S. surveillance legal considerations that SCCs require in light of the Schrems II case, namely Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333 (“EO 12333”). The Court of Justice of the European Union (the “CJEU”) in the Schrems II case ruled that SCCs ensured “adequate” levels of protection for personal data transfers in compliance with EU privacy law. However, it also ruled that Section 702 of FISA and EO 12333 did not ensure “adequate” levels of protection because they did not adhere to the principle of “proportionality” according to EU law.1 According to Article 52 of the Charter of the Fundamental Rights of the European Union (the “Charter”), this principle states that “limitations [on the exercise of the rights and freedoms recognised by the Charter] may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.”
In the final two installments in this blog series, we are more focused on practical applications and considerations as to how SCCs can resolve certain limitations of Section 702 of FISA and EO 12333 addressed in the Schrems II case, ultimately resolving the imbalance of “proportionality” and authorizing personal data transfers from the EU to the U.S. In our third installment, we explained how broader SCCs can apply to multiple laws and regulations, including Section 702 of FISA and EO 12333. Now in this fourth and final installment, we are turning to how certain SCCs with ad hoc contractual clauses can address certain issues specific to Section 702 of FISA and EO 12333.
Initially, we note that in addition to SCCs, ad hoc contractual clauses authorized by EU supervisory authorities can also be an option for compliant personal data transfers outside of the EU. While a majority of organizations rely on SCCs for data transfers, “[o]nly a very small minority of organisations rely on ad-hoc, specific, DPA-approved contracts . . . .”2 However, additional contractual provisions can be useful in providing sufficient safeguards when supplemented with SCCs, examples being additional internal processes and increased transparency.3 Thus, these ad hoc contractual clauses could be written to supplement SCCs to address specific issues such as Section 702 of FISA and EO 12333.
A “directive” under Section 702 of FISA, however, applies only to “electronic communication service providers,”4 defined as “communication service providers who ha[ve] access to wire or electronic communications either as such communications are transmitted or as such communications are stored . . . .”5 Given these limited definitions, the U.S. government has stated that “the overwhelming majority of companies have never received orders to disclose data under FISA 702 . . . .”6 If an organization does receive a Section 702 directive requiring its cooperation, it could challenge whether it is an “electronic communication service provider” as defined in the statute to avoid such requirements. SCCs that can be modified to implement this action as a requirement could include general SCCs concerning confidentiality of data or specific SCCs concerning notifications about legally binding requests for disclosure of personal data by a law enforcement agency.7 Even if an organization is deemed to fit within that definition though, Section 702 of FISA also contains various provisions regarding challenging and appealing Section 702 directives.8 Regardless, additional safeguards like these actions could also be implemented in the above-referenced modified SCCs.
On the other hand, EO 12333 is “a general directive organizing U.S. intelligence activities,”9 rather than a U.S. statute. When a U.S. intelligence agency seeks to obtain an organization’s data outside the U.S. pursuant to EO 12333, it can do so unilaterally through its own surveillance actions and without notice to the organization.10 As for cooperation by the organization, the U.S. government has admitted that “[u]nlike FISA 702, . . . EO 12333 does not authorize the U.S. government to require any company or person to disclose data.”11 Instead, it points to asking an organization to cooperate voluntarily with an intelligence agency’s data collection efforts.12 Thus, SCCs concerning confidentiality of data could be implemented to prohibit organizations from cooperating voluntarily with government entities like U.S. intelligence agencies that obtain data pursuant to EO 12333.13
SCCs with ad hoc contractual clauses are another excellent tool for organizations to ensure compliant data transfers in the wake of the Schrems II ruling moving forward. These issues are based on factors such as the type of organization involved, the type of data being transferred, and the specific laws and regulations implicated. While this last installment focused on some possible remedial measures concerning Section 702 of FISA and EO 12333, Jackson Kelly is currently available to help you with all of the safeguards you need to implement to comply with a multitude of privacy and cybersecurity laws as they constantly continue to proliferate and change.
1 Paragraph 184, the Schrems II case.
2 Centre for Information Policy Leadership (CIPL). (2020). A Path Forward for International Data Transfers under the GDPR after the CJEU Schrems II Decision [White paper]. Hunton Andrews Kurth. https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_white_paper_gdpr_transfers_post_schrems_ii__24_september_2020__2_.pdf.
4 50 U.S.C. § 1881(b)(4); 50 U.S.C. § 1881a(i).
5 50 U.S.C. § 1881(b)(4).
6 U.S. Department of Commerce, U.S. Department of Justice, and Office of the Director of National Intelligence. (2020). Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II [White paper]. https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF.
7 Clause 5(b), Appendix 2, Clause 4, Annex Set I, Commission Decision 2001/497/EC of 15 June 2001; Clause II(h)(iii), Annex A, Clause 4, Annex Set II, Commission Decision 2004/915/EC of 27 December 2004; Clauses 5(c), (d)(i) of Annex, Commission Decision 2010/87/EU of 5 February 2010.
8 See 50 U.S.C. § 1881a(i)(4).
9 U.S. Department of Commerce, U.S. Department of Justice, and Office of the Director of National Intelligence. (2020). Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II [White paper]. https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF.
13 Clause 5(b), Appendix 2, Clause 4, Annex Set I, Commission Decision 2001/497/EC of 15 June 2001; Clause II(h)(iii), Annex A, Clause 4, Annex Set II, Commission Decision 2004/915/EC of 27 December 2004; Clause 5(c) of Annex, Commission Decision 2010/87/EU of 5 February 2010.