Unconvincing attempts to whitewash US surveillance won’t help companies navigate post-Schrems II terrain
Companies still scrambling for clarity on EU-US data transfers following the Schrems II ruling will be eyeing with interest the latest guidance: this time from the US Department of Commerce. On 28 September, the DoC issued a formal white paper on Standard Contractual Clauses – a document that unconvincingly attempts to play down the extent of US intelligence services’ access to data.
In the accompanying letter, Deputy Assistant Secretary, James Sullivan, said the ruling “has created enormous uncertainty about the ability of companies to transfer personal data from the European Union to the United States in a manner consistent with EU law.” So far, so obvious.
Pointing out that more than 5,300 companies relied on the now-defunct Privacy Shield arrangement, Sullivan says that the white paper will allow organisations to work out to what extent US intelligence services can access the personal data of European citizens… but not before getting a few digs in first.
Sullivan says that “like European nations” – look! hypocrisy! – “the United States conducts intelligence gathering activities to ensure that national security and foreign policy decision makers have access to timely, accurate, and insightful information on the threats posed by terrorists, criminals, cyber hackers, and other malicious actors.” In other words won’t someone think of the children!
According to Sullivan there are “robust limits and safeguards in the United States pertaining to government access to data.” In fact he says: “In view of the extensive US surveillance reforms since 2013, the US legal framework for foreign intelligence collection provides clearer limits, stronger safeguards, and more rigorous independent oversight than the equivalent laws of almost all other countries.” That’s quite a claim.
And one that doesn’t hold a lot of water in light of the European Court of Justice’s ruling in Schrems II. Sullivan admits that, while the white paper can help organisations make the case that they should be able to send personal data to the United States using Standard Contractual Clauses, “it is not intended to provide companies with guidance on EU law or what positions to take before EU regulators or courts.”
Which is probably just as well, as the white paper’s three key points would give no comfort to anyone concerned with European citizens’ privacy as a principle or data protection law in practice. The hollow assertion of the white paper that “most companies do not deal in data that is of any interest to US intelligence agencies, and have no grounds to believe they do,” does not alter the fact that in the judgement of the CJEU they have too much access, regardless of whether or not the agencies say they “aren’t interested.”
The white paper also notes that “the US government frequently shares intelligence information with EU Member States,” which is likewise completely irrelevant. The third point that “there is a wealth of public information about privacy protections in US law
concerning government access to data for national security purposes,” may be useful, but again rather beside the point.
More than two months after the ruling there is still no clear way forward, and of course case-by-case assessments are onerous for many companies, but attempting to whitewash the US’ surveillance services activities doesn’t change the CJEU ruling or the US laws that motivated it.
This column first appeared in the GDPRtoday Newsletter: sign up here!