Why Schrems II Might Not Be a Problem for EU-U.S. Data Transfers
Editor’s note: This piece is adapted from a longer article available at DataMatters.Sidley.com.
In its July 16 opinion in Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems, et al., the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU “Privacy Shield” framework, which authorized the transfer of personal data from the European Economic Area (EEA) to the U.S. The CJEU also imposed onerous new obligations on the use of “standard contractual clauses” (SCCs) as an alternative mechanism for such transfers. Key to the court’s judgment were concerns that national security surveillance conducted by the U.S. under two particular authorities—Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333—could take place without according European data subjects the privacy rights guaranteed in principle in the EU.
In a nutshell, the CJEU appeared to believe these surveillance authorities involved possible bulk collection with insufficient predication and overly broad targeting criteria, and did not provide sufficient individual redress rights. Yet the CJEU’s articulated concerns are inapplicable to the overwhelming bulk of data transfers to the U.S. under SCCs—and nearly all U.S. companies should have no difficulty showing, as the CJEU requires, that U.S. surveillance authorities at issue will not interfere with their ability to comply with SCCs.
The reason why is simple. Surveillance under Section 702 and Executive Order 12333 may not target communications of U.S. persons—including American companies—or persons reasonably believed to be in the U.S. Data transfers pursuant to SCCs from an American company in Europe to its American headquarters in the U.S. are exactly the types of communications that may not be targeted under those authorities.
Neither the U.S. nor the EU has previously taken this view. If the plain text of Section 702 and EO 12333 is so clear, how is it that neither party adopted this interpretation—and that this dramatically consequential reading would mirabile dictu only now surface to help save the future of SCCs? The answer is likely that transfers of corporate EU data to the U.S. have previously been viewed as characteristically EU data, rather than as U.S. person data being communicated by one U.S. person (the data-exporting American company) to another U.S. person (the data-importing American company) located in the U.S. Such communications simply cannot be targeted under the authorities called into question by the CJEU.
Might this same theory apply to foreign companies transferring data pursuant to SCCs to persons located in the U.S.? The answer is, probably yes: so long as there is a U.S. person or person located in the U.S. who is on the receiving side of the SCC transfer, the same prohibitions on targeting should apply. Where American companies (U.S. persons) are on both sides of the SCC transfer, rather than just on the receiving end, the privacy protection against U.S. government surveillance would be at its zenith. EU data protection authorities would undoubtedly find this to be an ironic twist—the more American, the more private.
The EU’s General Data Protection Regulation prohibits transfers of personal data outside the European Economic Area (EEA) to any country whose legal regime for data privacy has not yet been deemed “adequate” by the EU Commission, unless the data exporter implements certain approved mechanisms or invokes certain (relatively narrow) derogations—such as individual consent, “public interest,” necessity for contractual performance, and so on. The Privacy Shield was just such a mechanism approved only for transfers to the U.S., while SCCs were approved for general use to authorize data transfers to any “non-adequate” country, including the U.S. SCCs can also potentially be used to transfer data to China or Venezuela, or to any other country whose privacy regime has not yet been deemed adequate by the EU, or whose privacy regime really is inadequate.
Over the course of litigation initiated by Austrian privacy activist Maximilian Schrems, the CJEU has essentially adjudicated the U.S. not to have an “adequate” legal framework for data privacy. The highest EU court perceives U.S. intelligence agencies to have the authority to collect excessive data to protect U.S. national security, and also ruled that such agencies suffer from perceived deficits of independent oversight and judicial redress rights and remedies—particularly for non-U.S. persons.
While President Obama’s 2014 Presidential Policy Directive (PPD-28) directed U.S. intelligence agencies to respect the privacy rights of foreign citizens in conducting electronic surveillance, the CJEU dismissed this in Schrems II as a mere executive order. The text of PPD-28, however, is compelling with regard to protecting foreign privacy rights: “All persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information” and
Departments and agencies shall apply the term "personal information" in a manner that is consistent for U.S. persons and non-U.S. persons. Accordingly, for the purposes of this directive, the term "personal information" shall cover the same types of information covered by "information concerning U.S. persons" under section 2.3 of Executive Order 12333.
And, as the Office of the Director of National Intelligence (ODNI) stated in its 2018 response to the Privacy and Civil Liberties Oversight Board (PCLOB) Report on PPD-28, the Obama directive is still fully in effect and implemented by intelligence community agencies:
PPD-28 remains in full force and effect. As a formal presidential directive, it has the force of law within the Executive Branch, and compliance is mandatory. As described further below, the IC has systematically implemented the requirements of PPD-28 to ensure that U.S. signals intelligence (SIGINT) activities continue to include appropriate safeguards for the personal information of all individuals, regardless of the nationality of the individual to whom the information pertains or where that individual resides. IC elements have prepared and published the policies called for by PPD-28, and have been following those policies in conducting their activities.
The CJEU’s analysis of relevant U.S. laws and facts in Schrems II was not terribly substantial. It does not address the fact that EU intelligence agencies and citizens benefit directly from U.S. intelligence sharing, nor that the surveillance laws and practices of EU member states do not necessarily compare favorably to those of the U.S. But however fallible its reasoning, the CJEU’s judgment is final. Accordingly, unless companies can satisfy the CJEU’s concerns, they will not be allowed to use SCCs to transfer personal data of their customers, employees, business contacts and other individuals from Europe to the U.S.
In order to continue using SCCs to transfer personal data to the U.S., Schrems II obligates the U.S. entity to “certif[y] that it has no reason to believe that the legislation applicable to it prevents it from fulfilling its obligations under the [SCCs] … and undertakes to notify the data controller about any change in the national legislation applicable to it which is likely to have a substantial adverse effect on the warranties and obligations provided by the standard data protection clauses …” The only “national legislation” the CJEU calls into question for interference with fundamental rights guaranteed in the EU is “the interference arising from the surveillance programmes based on Section 702 of the FISA and on E.O. 12333.”
Based on explicit concerns expressed by the CJEU, it seems that the U.S. entities relying on SCCs will face dramatically fewer problems if they are not entities subject to Section 702—that is, they are not an “electronic communication service provider”—or if the data they wish to transfer to a person or entity in the U.S. pursuant to SCCs is not subject to lawful targeting under Section 702. Luckily, the overwhelming bulk of companies transferring data to the U.S. under SCCs are not electronic communications providers within the meaning of Section 702, and they do not transfer data that may be legally targeted for collection under Section 702.
With this in mind, the CJEU’s concerns fall away for any U.S. entities that are not among the relatively small number of Section 702 “electronic communication service providers”—the discrete set of companies in the business of transmitting (or storing) communications for third parties—as opposed to the vast number of companies transferring their own customer, employee or business data from their bases in Europe to their bases in the U.S. Section 702 can only be applied to communications companies and may not be applied to U.S. person data or to data relating to persons located in the U.S., such as the entity at the importing end of the SCC transfer in the U.S. And, of course, Section 702 expressly defines U.S. corporations to be U.S. persons.
The same principle that absolves the overwhelming bulk of American companies from worrying about Section 702 for their SCC transfers is also true for EO 12333. U.S. intelligence agencies cannot use 12333 to avoid the need for a probable cause-type warrant or order to target the content of communications sent by U.S. persons outside the U.S. to U.S. persons located in the U.S.
For nearly all U.S. companies relying on SCCs for their data transfers to the U.S., therefore, the CJEU’s concerns that Section 702 and EO 12333 involve disproportionate data collection that is not “strictly necessary” and “go[es] beyond what is necessary in a democratic society to safeguard” are simply irrelevant. This is not merely an empirical reality, but an outcome directed by the “national legislation” itself. It is exactly what the CJEU would want to see.
Under the FISA statute, only “electronic communication service providers” can be compelled to comply with Section 702, and any “provider receiving a directive … may file a petition to modify or set aside such directive with the Foreign Intelligence Surveillance Court.” The statutory definition of electronic communication service provider comprises: telecom carriers, ISPs, email providers, cloud services and “any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored.” While this definition might be broad enough to cover companies that provide their employees with email functionality, that is not what is intended nor the way Section 702 is applied. Rather, based on the legislative purposes for enacting Section 702, the scope of “provider” under this law is widely understood to apply to companies that are actually in the business of providing communication services to others rather than merely for their own corporate use. Significantly, PCLOB’s Section 702 report confirms that “FISA defines electronic communication service providers to include a variety of telephone, Internet service, and other communications providers.” What’s more, text in Section 702 specifically contemplates that the communication services in question are those that are “provid[ed] to the target of the acquisition”—in other words, communications services are provided by a company in the business of providing communication services, rather than just using communication services.
The NSA’s official summary of its various missions and authorities makes equally clear that Section 702 applies to players in the U.S. “hub” for the “world’s telecommunications system.”
Even more importantly, the Foreign Intelligence Surveillance Court (FISC) likewise understands that the U.S. government is authorized to acquire information under Section 702 from, “Internet backbone carrier[s],” “from systems operated by providers of services” and “[t]raditional telephone communications.” The court’s recent 83-page decision approving the government’s 2019 certification to use Section 702 does not mention or provide implicit support for intelligence agencies attempting to target corporate email accounts.
Finally, even Max Schrems knows that communication service providers subject to Section 702 are the discrete set of companies in the business of providing such services. Indeed, the website for his “none of your business” (NOYB) privacy advocacy group identifies only about 10 tech/telecom companies that are covered by Section 702.
In any event, FISA’s Section 702 imposes significant statutory limitations on targeting that protect data transfers to the U.S. under SCCs. Under Section 702, 50 U.S.C. 1881a(b), the U.S. government “may not intentionally target” “any person known at the time of acquisition to be located in the United States” or “a United States person reasonably believed to be located outside the United States.”
SCCs necessarily entail a contract between a data exporter in Europe and a data importer in the U.S. Typically the exporter will be a U.S. corporation, as will be the importer, which will always be a person (i.e., a U.S. company) located in the U.S. Accordingly, SCC data transfers to the U.S. are quintessentially U.S. person to U.S. person communications involving one person who is necessarily located in the U.S.
Thus, SCC transfers are manifestly not the type of foreign communications that Section 702 was enacted to cover. Instead, they are U.S. person communications that the U.S. intelligence community “may not intentionally target” as specified in the statutory language quoted above. Importantly, there is no controversy at all about the fact that companies incorporated in the U.S. are “U.S. persons” for purposes of Section 702.
Skeptical readers may question how the NSA, FBI or even the CIA could possibly know—and thus respect—that data transfers from Europe to the U.S. are transmitted pursuant to SCCs, and that such SCCs constitute U.S. person communications involving U.S. persons at one or both ends of the transfer, and certainly involve a person located in the U.S. on the receiving end. The answer is they have to know—that is the nature of their work as intelligence agencies. Moreover, they are legally obligated to try very hard to know what communications they are targeting, collecting and querying. And further, the sufficiency of their knowledge, explanations, research and evaluation about the nature and status of the data transfers they target, collect or query will be carefully evaluated by agency lawyers, inspectors general, congressional committees, the PCLOB and federal judges.
That is, for example, exactly what Judge James Boasberg did in a FISC opinion released in September 2020. The court directly addressed the NSA’s obligation to provide an “explanation,” and “review and evaluat[e] the sufficiency of [its] assessment that the target is a non-U.S. person location outside the U.S.” along with the FBI’s procedures “to research and evaluate whether a target is a U.S. person or in the United States.” It is reasonable to assume that intelligence agencies are particularly good at conducting such research and evaluation.
Indeed, NSA employees working on Section 702 collections receive special training toward this end. The NSA is required to acknowledge and report on incidents where agency personnel exercise “insufficient due diligence and … impac[t] United States persons involved the tasking of facilities where the Government knew or should have known that at least one user of the facility was a United States person.”
Nonetheless, companies transferring data to the U.S. under SCCs should be sure to help the intelligence agencies recognize SCC “scenarios,” and understand SCC data for what they are: communications transferred by a U.S. person, received by a U.S. person, or both, which are necessarily and inevitably intended for a recipient located in the U.S. Implementing additional measures would help flag and signal that a company’s SCC transfers to the U.S. may not be properly targeted by U.S. intelligence agencies—and if improper, inadvertent or incidental collection does occur, that the intelligence agencies will be held accountable and the company may even take corrective action.
Companies can keep this in mind while conducting their required assessments of their ability to comply with the requirements of SCCs as mandated by Schrems II and the European Data Protection Board (EDPB). In addition, companies could consider adopting other supplemental measures to more readily identify their SCC data transfers as “U.S. Person Communications,” helping U.S. intelligence agencies recognize the traffic as off-limits for Section 702 and EO 12333.
One hopes that EU supervisory authorities, the European Data Protection Board, and Max Schrems will acknowledge that SCC data transfers to the U.S. do not pose the “surveillance” problem the CJEU thought. Given there is no empirical evidence that personal data transferred from the EU to the U.S. under SCCs has been the subject of actual surveillance by U.S. intelligence agencies, and that U.S. “national legislation” actually precludes targeting such transfers between U.S. companies, U.S. companies should be able to readily satisfy their self-assessment obligation under Schrems II. Ideally, EU member states could establish a body like PCLOB in the U.S., perhaps even on an ad hoc basis, that could confirm that data transfers under SCCs are simply not surveillance targets that infringe on the privacy rights of EU citizens—neither in practice nor in principle.