Privacy Post-Schrems II - Second of a Four-Part Series on Compliance with EU Privacy Laws Using Standard Contractual Clauses
October 14, 2020
As discussed in the first installment in this blog series, the Schrems II case gave new significance to the use of standard contractual clauses (“SCCs”) for personal data transfers from EU countries to countries outside of the European Union (the “EU”) or the European Economic Area, including the United States. However, whether the safeguards in SCCs are “adequate” depends heavily on the privacy laws and international commitments of the third country receiving the data. The Court of Justice of the European Union (the “CJEU”) in the Schrems II case invalidated the EU-U.S. Privacy Shield Framework (the “Privacy Shield”). Specifically, the CJEU ruled that the U.S. laws and directives underlying the Privacy Shield, such as the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333 (“EO 12333”), failed to provide an “adequate” level of protection for EU citizens’ data. This second installment summarizes the main U.S. surveillance law considerations that now must be assessed when relying on SCCs.
U.S. Surveillance Law Introduction
The Executive Branch has inherent power under the Constitution to conduct foreign affairs, including protecting national security. Courts have ruled that this power includes the President being able to “constitutionally authorize warrantless wiretaps for the purpose of gathering foreign intelligence.”1 Congress also has enacted various laws supplementing the Executive Branch’s foreign intelligence efforts, beginning mainly with the National Security Act of 1947. Further, the President can direct federal agencies to implement this authority through presidential directives, such as executive orders, which remain subject to judicial review.
The Foreign Intelligence Surveillance Act
Signed into law in 1978, FISA did not grant the Executive Branch additional foreign surveillance powers. Instead, FISA created legal requirements and procedures for specific types of foreign intelligence gathering. Whether a particular foreign intelligence activity is subject to FISA depends on: 1) whether the surveillance targets a U.S. person; and 2) whether the intelligence is gathered inside or outside of the U.S. These criteria matter because FISA governs surveillance that targets a U.S. person or that is conducted within the U.S.; surveillance of non-U.S. persons conducted entirely outside the U.S. generally falls outside FISA. Foreign intelligence collection that falls outside FISA is carried out by agencies such as the National Security Agency under presidential directives such as EO 12333, which we discuss in more detail below.
The portion of FISA which concerned the CJEU in the Schrems II case is Section 702, a provision added by the FISA Amendments Act of 2008. Section 702 authorizes the targeting of non-U.S. persons reasonably believed to be located outside the U.S., but the collection itself takes place inside the U.S. with the assistance of U.S.-based companies. Rather than authorizing surveillance on a case-by-case basis, Section 702 operates through annual certifications issued jointly by the Attorney General and the Director of National Intelligence and reviewed and approved by the FISA Court. The U.S. government then furnishes selectors, such as email addresses, to a U.S.-based company to initiate collection of foreign intelligence. The two main programs created pursuant to Section 702 are PRISM and Upstream. Although surveillance pursuant to Section 702 is broad, only certain entities are subject to it, namely “electronic communication service providers” as defined in the statute. Thus, when determining whether your personal data transfers would be subject to FISA, including Section 702, it is important to consider first whether the data importer is such a provider and whether the other criteria above are met.
Executive Order 12333
The executive order pertinent to the Schrems II case is EO 12333. Originally issued in 1981, EO 12333 was intended to, among other things, “enhance human and technical collection techniques [of the U.S. government], especially those undertaken abroad, and the acquisition of significant foreign intelligence. . . .”2 The intelligence efforts it describes support the President, the National Security Council and the Homeland Security Council. EO 12333 not only details the collection of foreign intelligence and the techniques used to carry it out but also sets out the procedures for collecting this information and the roles that the various Executive Branch departments and agencies play. Unlike Section 702, collection under EO 12333 takes place outside the U.S. and does not depend on the cooperation of a U.S.-based data importer, which is why it must be considered separately from FISA. Although the Executive Branch’s authority to obtain foreign intelligence does not originate from EO 12333, the executive order remains the foundational directive for the activities of the U.S. Intelligence Community.
Considering FISA and EO 12333 for SCCs
When the CJEU invalidated the EU-U.S. Privacy Shield Framework in the Schrems II case, it cited Section 702 of FISA and EO 12333 as the main U.S. laws and presidential directives providing “inadequate” protections for EU citizens. Thus, SCCs now must include provisions that address and, where possible, mitigate the gaps identified by the CJEU. Drafting appropriate contractual language to protect your business is always vital, but in the current global regulatory climate it is even more important for safeguarding the personal data your business handles in its daily operations. While future blog posts will analyze these remedial SCC provisions and how they apply to Section 702 of FISA and EO 12333, Jackson Kelly is currently available to help with your SCC needs and any others you may have in privacy and cybersecurity law.
1 United States v. Brown, 484 F.2d 418, 426 (5th Cir. 1973) (citations omitted).
2 Federal Executive Order No. 12333, 46 Fed. Reg. 59,941, 59,949 (Dec. 4, 1981).