Background
The Privacy Shield decision (Decision 2016/1250) allowed the transfer of European citizens’ data to the US. On 16 July, the European Court of Justice declared that the Privacy Shield was invalid (Schrems II judgment), arguing that US law relating to intelligence agencies’ access to data did not meet EU legal standards. The European Court of Justice refers to two US laws to support its views:
- Executive Order 12333, which organises US intelligence activities
- Section 702 of the Foreign Intelligence Surveillance Act (FISA 702), which can oblige US companies to disclose data if asked by intelligence services
In the same judgment, the European Court of Justice declares that Standard Contractual Clauses (SCCs) are still a valid legal basis to transfer data outside the EU. However, companies need to determine whether the recipient country’s law provides sufficient safeguards for European citizens’ data.
This White Paper intends to provide some elements that these companies could take into consideration in assessing the validity of their SCCs.
Overwhelming majority of companies not asked to disclose data
The US White Paper underlines that “for many companies the issues of national security data access that appear to have concerned in Schrems II are unlikely to arise because the data they handle is of no interest to the US intelligence community”. The document points out that the overwhelming majority of companies have never received orders to disclose data under FISA 702.
In addition, the White Paper stresses that intelligence collection is done only for foreign intelligence purposes, not for the purpose of obtaining a commercial advantage.
Accessing data without the company’s knowledge
Answering the question of whether data could be accessed without the company’s knowledge, the document states that this theoretical possibility applies equally to other governments’ intelligence agencies, including those of EU Member States.
Accessing data for the public interest, including to protect Europe
The White Paper further mentions Article 49 of GDPR, which states that data protection rules might be circumvented if the “public interest” is at stake. In Schrems II, the European Court of Justice itself made clear that Article 49 derogations continue to be available for transferring personal data to the United States.
The document gives several examples of FISA 702 data collection that eventually prevented terror attacks in Europe. “[O]ver a quarter of the NSA’s reports concerning international terrorism include information based in whole or in part on section 702 collection, and this percentage has increased every year […]”.
Privacy safeguards in place
The White Paper highlights that there is strong supervision of data collection in the framework of FISA 702. Many US privacy safeguards were not recorded in the Commission’s Decision 2016/1250 (Privacy Shield). The US government argues that the European Court of Justice based its judgment on the provisions of the Commission’s Decision, hence leaving aside entire segments of US data protection.
The Foreign Intelligence Surveillance Court (“federal court staffed by independent, life-tenured judges”) approves and oversees foreign intelligence surveillance. It supervises whether individuals are properly targeted. Before data collection, absent exigent circumstances, the Court must approve a written certification submitted by the Attorney General and the Director of National Intelligence.
Importantly, in 2017 the Court issued an order terminating “about” collection under FISA 702. “About” collection was a form of FISA 702 collection that acquired communications not to or from a tasked selector (such as an email address or name), but which contained the selector in the text of the communication. “The elimination of “about” collection reduces the potential for collection of personal data of EU (and other non-US) citizens because their communications now may no longer be acquired under FISA 702 solely because a communication contains a reference to a lawfully tasked selector”.
Furthermore, each and every selector tasked for data acquisition is reviewed by independent intelligence oversight attorneys in the Department of Justice.
The White Paper explains that European citizens are entitled to seek redress in the US courts through civil lawsuits for violations of FISA, including violations of Section 702.
EU Member States’ intelligence activities not less intrusive and still approved
The White Paper notes that the European Court of Human Rights regularly reviews the domestic intelligence surveillance programs of Member States and has approved programs that are similar to or more expansive than FISA 702.
The White Paper concludes that all of this information may be considered by companies relying on SCCs for data transfers.
If you have any questions, please do not hesitate to contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com