Standard Contractual Clauses Supplementary Measures

Legal Background

Under Chapter 5 (Arts. 44-50) of the European Union’s General Data Protection Regulation, there must be a lawful basis for every transfer of the personal data of EU subjects from the EU to a non-EU country. Of particular relevance here are Art. 45, which permits transfers on the basis of an EU Commission decision that the privacy laws of the importing country provide adequate protection, and Art. 46, which permits transfers that are “subject to appropriate safeguards.” Appropriate safeguards include the EU’s approved Standard Contractual Clauses (SCCs), a new version of which was issued on June 4, 2021.[1] Although the EU does not view U.S. privacy law as adequate, the EU and United States negotiated the Privacy Shield, a set of voluntary protections that U.S. companies could subscribe to that allowed them to receive EU data transfers under Art. 45. Then, in its July 2020 decision in Data Protection Commissioner v. Facebook Ireland Ltd. (Schrems II), the Court of Justice for the European Union (CJEU), the EU’s supreme court, invalidated the Privacy Shield as a lawful basis for transfer.[2] The decision allowed continued use of the SCCs as a lawful basis for EU-to-U.S. data transfers, subject to the parties taking “supplementary measures” to enhance data privacy. These supplementary measures are the subject of this memo.

U.S. Intelligence Activities Identified in Schrems II

The Schrems II decision (so-called after Max Schrems, the privacy activist who filed the original complaint) found that, even when the SCCs are used, the privacy of EU data subjects is threatened by the intelligence-gathering activities of the U.S. federal government. The CJEU specifically cited the threats posed by Section 702 of the Foreign Intelligence Surveillance Act[3] (FISA) and Executive Order 12333[4] (EO 1233), as limited by President Obama’s Presidential Policy Directive 28[5] (PPD 28).

Section 702, added to FISA in 2008, allows the attorney general and director of national intelligence to obtain broad authorization to collect information concerning “non-U.S. persons” (neither citizens nor permanent resident aliens) who are located outside the United States — EU citizens, for example. Such programmatic approval comes from the special Foreign Intelligence Surveillance Court (FISC) and does not require the court to review individual surveillance targets. The government may compel the assistance of broadly defined “electronic communication service providers,” which may result in the collection of data from U.S. facilities. Although service providers may challenge government directives before the FISC, individual targets have no way to know of — let alone challenge — the surveillance unless and until it is used against them in a criminal prosecution. Thus, as Schrems II observed, the government could acquire data concerning an EU citizen residing in the EU that was transferred to the United States upon its arrival at a U.S. facility, all without meaningful judicial redress.

EO 12333, which applies to all U.S. foreign intelligence activities, gives the National Security Agency broad authority to collect and analyze “signals intelligence” outside the United States. Its privacy protections do not apply to non-U.S. persons, and it creates no enforceable rights against the U.S. government. President Obama’s PPD 28 puts some limits on “bulk” collection of data, gathered without the use of specific identifiers, selection terms or other “discriminants.” Like EO 12333, it creates no judicially enforceable rights in favor of private persons.

Schrems II held that the Privacy Shield provided inadequate privacy protection because this surveillance and intelligence-gathering regime violated several provisions of the EU Charter of Fundamental Rights. Arts. 7 and 8 of the Charter provide that the protection of personal data is a fundamental right. Art. 52 provides that any abrogation of this right must be “subject to the principle of proportionality,” that is, limited to what is necessary to protect the rights and freedom of others. Art. 47 requires that anyone whose privacy rights have been violated must have access to a fair public hearing before “an independent and impartial tribunal previously established by law.” Evaluating the U.S. intelligence-gathering regime against these standards, Schrems II found (1) that the lack of pre-surveillance limits fails to ensure that the data collection is proportionate to the legitimate needs being pursued and (2) that the post-surveillance judicial redress for individuals is insufficient. There has been some debate about this point, but the decision appears to find that U.S. law is per se inadequate in protecting the rights of EU data subjects.

A final point is that Schrems II focused solely on intelligence gathering by the U.S. government under FISA and related executive orders. There was no mention of law enforcement search warrant practices at the state or federal level. There is no reason to believe that such longstanding practices would raise the concerns cited in Schrems II, given the probable cause and particularity requirements imposed by the Fourth Amendment and the opportunities of the subject to learn about the search through the warrant process or criminal discovery, and to contest it in court through a motion to suppress. Moreover, it is difficult to imagine circumstances outside of FISA in which a law enforcement agency could obtain personal data on an EU subject through a warrantless search.

Supplementary Measures

As noted above, Schrems II allowed the continued use of the SCCs as a basis for transfer, subject to unspecified supplementary measures intended to remedy the problems it had identified. Although the decision gave no practical guidance on such measures, on June 18, 2021, the European Data Protection Board adopted Recommendations that gave examples of supplemental steps that might be taken.[6] A key point under the Recommendations is that the data exporter bears responsibility for determining whether and what supplementary measures must be taken and for ensuring their adequacy. The importer’s duty is to assist the exporter in assessing the need for and designing supplementary measures and to follow the exporter’s instructions in implementing them. In the large majority of cases, but not all, the exporter will be the data controller. Under the GDPR, the controller is the party that determines the purposes and means of processing (collecting or using in any way) the data, and a processor is any party that performs processing at the direction of the controller.

A critical initial step is “to assess if there is anything in the law and/or practices in force of the [importing] country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.”[7] This assessment involves consideration of both the law and the practicalities of its enforcement. If called upon to express an opinion about the law, a U.S. company could say little beyond pointing out that, as written, the FISA regime makes every data transfer to the United States vulnerable to government intelligence gathering. Moreover, as Schrems II observed, the FISA regime provides no opportunities for a data subject to raise a judicial objection unless and until a prosecution ensues and FISA evidence is introduced.

It would seem impossible for a U.S. company to do anything more than speculate about the practical possibility of enforcement in any particular context. There is no case law, from FISC (whose opinions are automatically classified) or any other court, that sheds light on enforcement practices. The government publishes aggregate statistics; they show large numbers of targeted persons (over 200,000 in 2019) but give no indication of who those persons might be.[8] Large private data-intensive companies (Apple, Google, etc.) now publish their own statistics about government FISA inquiries, but these are also purely aggregate. Depending on its products (munitions, for example), a company might conclude that its customers are especially vulnerable to FISA surveillance. But there would no basis for a U.S. company to decide that its customers are unlikely to be surveillance targets. Thus, the assessment would presumably always conclude that U.S. laws and/or practices “may impinge on the effectiveness of the appropriate safeguards.”

That conclusion leads to the question of what supplementary measures are required. This is a determination to be made by the data exporter, with the importer following instructions and otherwise assisting. The EDPB Recommendations contain discussions and examples of possible measures, with a focus on technical measures. These include (1) pseudonymizing the data so that it can “no longer be attributed to a specific subject,” (2) encrypting the data so that neither the recipient nor government authorities can decrypt it, or (3) splitting the data between two or more independent processers in different jurisdictions in such a way that no individual processor can “reconstruct the personal data in whole or in part.”[9] But the EDPB recognizes that there are some situations where no technical measures will be effective; for example, where the exporter transfers the data to a cloud service provider that needs the data in unencrypted form in order to perform the specified processing. “In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data.”[10]

Summary

The Schrems II found that FISA and the U.S. intelligence-gathering regime poses a serious threat to the fundamental rights of EU data subjects. Although it struck down the Privacy Shield, the CJEU permitted data transfers to the United States under the SCCs to continue, with unspecified supplementary measures. The EDPB has recently undertaken to provide more specific guidance. The U.S. data importer, even if the merely the processor, may have to play an active role in the initial task of assessment. In almost all cases, this assessment is likely to lead to the conclusion that the FISA regime poses a material threat. The next step is for the controller to design and implement specific protective measures. These measures are likely to be technical, including encryption. If technical measures will be ineffective, the transfer must be abandoned.

[1] At the time of publication, the Implementing Decision and text of the clauses were available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en. Robinson Bradshaw has created an annotated version of the SCCs with extensive explanatory comments.

[2] Case C-311/18, ECLI:EU:C:2020:559 (July 16, 2020), available at https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=en.

[3] 50 U.S.C. § 1881a.

[4] 46 Fed. Reg. 59,941 (Dec. 4, 1981).

[5] Available at https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities. 

[6] EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, available at https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf.

[7] Id. at 4 (emphasis in original).

[8] See Office of the Director of National Intelligence, Statistical Transparency Report (2019), available at https://www.intel.gov/assets/documents/702%20Documents/statistical-transparency-report/2020_ASTR_for_CY2019_FINALOCR.pdf.

[9] Id. at 28-36.

[10] Id. at 4.