If you have a strange sense of humor (like I do), you may be amused (like I am) at how a few simple lines from the Court of Justice of the European Union’s Schrems II decision have created an entire cottage industry – employing lawyers, consultants, security experts, etc. – aimed at satisfying the court’s “additional safeguards” requirements for standard contractual clauses.
A brief background refresher (or introduction): at the same time the CJEU’s Schrems II decision shot down the Privacy Shield as a valid mechanism for cross-border data transfers (on which more than 5,000 U.S. companies relied to conduct trans-Atlantic trade), the CJEU approved standard contractual clauses (SCCs) for such purposes. So while the world of commerce and industry – which depends upon international data flows – mourned the death of the Privacy Shield, it celebrated the survival of the SCCs.
However, the CJEU’s endorsement of the SCCs came with an important caveat: companies relying upon the SCCs must verify, on a case-by-case basis, whether the laws of the country receiving personal data from the EU ensure “adequate protection,” and if not, put in place “additional safeguards.”
The United States was inevitably a particular target of the CJEU in its Schrems II opinion – and as the Irish Data Protection Commission commented, “the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”
That’s where Transfer Impact Assessments (TIAs) come in. TIAs are a means by which a controller can ensure that it’s performed the verification procedure required under Schrems II and, if necessary, seen that “additional safeguards” are put in place.
My cynical side sees the TIAs as Kabuki: “OK, we have to do this assessment post-Schrems II. Please respond to our questionnaire promptly so we can get on to doing business.”
It can be difficult, however, to respond to TIA questionnaires without raising red flags for the controller. Typical TIA questions (and honest answers):
- “Are you subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA)?” The Schrems II decision refers to FISA, which authorizes U.S. surveillance programs, numerous times – and not favorably. So as a company responding to a TIA questionnaire, you’d like to be able to say: “not me!” The problem is that the scope of Section 702 is so broad that, if a company is conducting business online, it likely falls under Section 702. Professor Peter Swire has made this point in Congressional testimony and elsewhere. So the answer is most likely “yes.”
- “Could the government surveillance laws to which your company is subject be used to access personal data?” Well yeah – if the company is subject to the law, the law could be used for the purpose for which the law was enacted.
- “Have you implemented appropriate technical and organizational measures to ensure that bulk and indiscriminate processing of personal data by or on behalf of public authorities in transit is made impossible?” Yes, this is an actual TIA question. It’s asking: have you made it “impossible” for your own government, in pursuit of national interests, to access data you may be processing? An honest answer is probably along the lines of: We encrypt data in transit, but . . . define “impossible.”
Fortunately, the European Data Protection Board (EDPB) has provided recommendations for assessing the laws and practices of recipient countries under the SCCs, and has acknowledged that the “practical experience” of the data importer (processor) may be taken into account. The U.S. Commerce Department also released a helpful white paper pointing out that the concerns highlighted by Schrems II about national security access to personal data processed by commercial U.S. companies are “unlikely to arise because the data they handle is of no interest to the U.S. intelligence community.” Furthermore, companies whose EU-US transfers of personal data involve “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
The irony is that, while the United States may not regard privacy as a fundamental human right, as the EU does, U.S. practices with regard to national security surveillance are unusually fair and transparent by global standards. In fact Professor Swire (cited earlier) calls the United States “the global benchmark for transparent principles, procedures and oversight for national security.”