[This is a guest post by our Associate Consultant Carey Lening. In it she discusses the Department of Commerce’s rosy view of privacy in the post-Schrems world. It highlights the need for Data Controllers to adopt a “trust but verify” posture on Standard Contractual Clauses and poses some questions regarding the ‘on the ground’ practicalities of the Dept of Commerce’s position.]

The Department of Commerce’s Rosy View and Reality

Late last month, the US Department of Commerce released a whitepaper summarizing why, despite the CJEU ruling in Schrems II, it was still perfectly reasonable for businesses to continue transferring EU data to the US. It offered a variety of creative arguments, most of which will only give the business community a false sense of optimism, and none of which address the CJEU’s larger objections.

Rather than touch on the entire 23-page document, I thought I’d highlight some of the key points, and offer some rebuttals to the Commerce Department’s analysis.

Most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the ECJ in Schrems II.[1]

First off, I always find arguments like these, which boil down to ‘you’re too boring for us to care,’ to be as weak as “if you’re innocent, you have nothing to hide.” Like that specious claim, which almost always leads to peril for anyone who abides by it, the whitepaper offers the facial reassurance that the “overwhelming majority of companies have never received orders to disclose data” from the US Government. But in reality, that doesn’t matter much once you step back and realize that most firms use AWS, Azure or Google to host or process their information in the cloud, or rely on various communication providers to connect to the internet.[2]

Since the USA PATRIOT Act came into force in 2001 (later replaced by the USA FREEDOM Act of 2015), requests for personal data have ballooned. For example, in Oct. 2018, a FISA Court judge concluded that the FBI’s warrantless requests and “incidental” collection of US citizen data under Section 702 of FISA violated both the statute and the Fourth Amendment.[3]

Although the court only looked at the legality of the impact on US citizen data, it offered insight into the volume of data collected overall. Notably, the court found that the FBI was conducting millions of backdoor searches, many of which amounted to little more than fishing expeditions or idle curiosity on the part of personnel. It also found that in 2017 alone, over 3.1 million queries were performed on a single system. All of this, with little or no oversight or rights of redress for foreign data subjects.[4]

Guess what? Those firms do get data requests. All the time.

Companies transferring data from the EU that have received orders authorized by FISA 702 requiring the disclosure of data to U.S. intelligence agencies for foreign intelligence purposes may consider the applicability of the “public interest” derogation in Article 49 of the GDPR as a basis for those transfers.[5]

I nearly spit out my coffee when I read this. While sharing information “in the spirit of reciprocity for international cooperation” may qualify as a public interest, it’s laughable to assume that the US Government’s practice of hoovering up personal data is done solely with the purpose of “international cooperation.”

The European Data Protection Board has issued strong guidance on Article 49 derogations. And while a public interest derogation can be assumed in cases where an international agreement or convention between the EU and US exists,[6] such agreements impose pesky limits and obligations on intelligence gathering (like accountability and data minimization). Who wants to go through all that red tape when you can just send a warrantless request to Google?

Oversight and Redress Considerations

Finally, the whitepaper spends a great deal of time legally whinging about how the CJEU unfairly got it wrong when it complained that there was little in the way of oversight or redress for EU citizens.

As the CJEU noted in Schrems II:

Section 702 of the FISA does not indicate any limitations on the power it confers to implement surveillance programmes for the purposes of foreign intelligence or the existence of guarantees for non-US persons potentially targeted by those programmes.

… neither Section 702 of the FISA, nor E.O. 12333, read in conjunction with PPD‑28, correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.

The whitepaper countered that oversight and rights of redress do exist, but didn’t discuss the practical challenges of enforcement. With regard to oversight, the whitepaper noted that the FISA Court must “approve a written certification submitted by the Attorney General and Director of National Intelligence jointly authorizing the collection activities for up to one year.” Mind you, that’s not on a per-case basis — it’s for a whole year for all 702 collection activities.

Similarly, the whitepaper noted that legislation exists that allows any person subject to FISA surveillance whose “communications are used or disclosed unlawfully” to seek compensatory and punitive damages and attorneys’ fees.[7] However, the cases where defendants receive notice of such evidence being used against them are rare, and challenges are rarer still. Of the handful of cases that are publicly available, only two involved foreign nationals, with the remaining five cases targeting US citizens.[8]

There’s more to unpack here, of course, but I might need a stiffer substance than coffee in order to get through it.

[1] Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II, p. 2.

[2] See, for example, this 2020 IDG study, which found that 92% of organizations are at least partially in the cloud already.

[3] Memorandum and Order, United States Foreign Intelligence Surveillance Court, https://www.intelligence.gov/assets/documents/702%20Documents/declassified/2018_Cert_FISC_Opin_18Oct18.pdf

[4] And let’s not forget the whole 2013 LOVEINT debacle.

[5] Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II, p. 3.

[6] For example, the Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences, OJ L 336, 10.12.2016, p. 3–13. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:22016A1210(01)

[7] See: 50 U.S.C. § 1810 (2018) (Foreign Intelligence Surveillance Act), 18 U.S.C. § 2712 (2018) (Electronic Communications Privacy Act), 5 U.S.C. § 702 (2018) (Administrative Procedure Act).

[8] See: “Criminal cases challenging FISA surveillance,” Civil Rights Litigation Clearinghouse, https://www.clearinghouse.net/results.php?searchSpecialCollection=55