News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | Supplementing SCCs to solve surveillance shortfalls Related reading: 'Schrems II': Impact on Data Flows with Canada

rss_feed

By invalidating the EU-U.S. Privacy Shield but not rejecting wholesale the use of standard contractual clauses to transfer data to the U.S., the Court of Justice of the European Union in "Schrems II" left open the possibility that such transfers could continue. However, it emphasized that exporters and importers may need to adopt additional safeguards when using SCCs to ensure an adequate level of protection for personal data transferred to the U.S.

Until now, commentators have seemed unsure as to what those safeguards might be or how they can address potentially irredeemable flaws in the U.S. surveillance system. In this piece, we detail a proposed solution consisting of technical measures, supplemental clauses and exit strategies. 

Our solution can work because the CJEU decision was — at its core — based on three essential holdings. First, Section 702 of the Foreign Intelligence Surveillance Act provides no effective limitations on the power of the U.S. government to implement surveillance programs for foreign intelligence gathering and, therefore, fails the test of proportionality. 

Second, neither Section 702 nor the government’s surveillance activities under Executive Order 12333 adequately limit the surveillance to what is strictly necessary as required by the EU General Data Protection Regulation, because they allow for forms of bulk surveillance. 

And third, non-citizens lack adequate judicial redress against the USG under these surveillance authorities.

Although it is impossible to solve the judicial redress issue without U.S. structural reform, such redress only becomes necessary if the data at issue is, in fact, collected by the USG under the relevant surveillance programs. Moreover, where the likelihood of USG acquisition is very low, the transfer should satisfy the essential equivalence standard — for the same reason that Article 32 of the GDPR does not require perfect data security but rather a level of protection that is “appropriate to the risk,” and Article 25 (data protection by design) similarly requires a risk-based approach to GDPR compliance generally. This case-by-case evaluation is the very point of the SCCs as they are designed to be used in jurisdictions that have not achieved an adequacy determination.

Accordingly, the questions remain: What supplemental measures can appropriately reduce the risk of interception under EO 12333 or Section 702 of FISA? In other words, in light of "Schrems II," how can the parties find, prior to any transfer, that there is, in fact, an “adequate level of protection” for personal data in the importing jurisdiction and that the recipient can comply with the standard data protection clauses transferring personal data to that third country?  

The key is found in footnote 2 of the controller-to-processor SCCs, which is that laws that require data to be turned over to governmental entities do not invalidate the SCCs where, in a democratic society, they “constitute a necessary measure to safeguard national security, defense, public security, the prevention, investigation, detection and prosecution of criminal offenses or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others.”

The CJEU found the availability of surveillance and data acquisition under 12333 and Section 702 of FISA fails this test. If the data transferred to the U.S. cannot be obtained under these surveillance programs, then the programs shouldn’t impede the transfer — even without enhanced judicial redress for non-citizens. Indeed, adequate judicial redress for non-U.S. people has not always been available for certain forms of standard criminal process that generally are perceived to satisfy the standard in the footnote — and nothing about the decision suggests that standard criminal process alone would prevent the use of SCCs.

Defeating EO 12333 interceptions

With regard to EO 12333, the chief evil cited in the CJEU opinion was bulk surveillance and specifically the ability of the NSA to access data "in transit" to the U.S. by accessing underwater cables on the floor of the Atlantic and to collect and retain such data before arriving in the U.S. (p. 63).  This issue can be solved through a combination of technical measures and contractual promises. 

First and foremost, EO 12333 allocates surveillance responsibility within the USG and provides it with the authority to conduct its own surveillance activities but provides no mechanism for forcing importers to assist the government. Thus, importers can contractually commit to not voluntarily assist the government in conducting operations under EO 12333. 

Second, interceptions can be defeated through technical measures, like, for example, sufficiently strong encryption such that the USG cannot understand the substance of the data without the key, which it cannot compel importers to produce under 12333. If the USG cannot understand the substance of the data, there is no risk to the data subjects reflected in the data, and this particular safeguard can be considered adequate with respect to 12333. Thus, a commitment to encrypting all data in transmission and not voluntarily assist the government in its conduct of 12333 activities should defeat one of the core deficiencies cited in the CJEU decision. (Other technical measures that defeat the USG’s ability to understand the data without cooperation would also work.)

Surmounting Section 702

The CJEU decision fails to recognize the limited nature of Section 702 surveillance. 

First, not all providers are eligible to receive a “directive” (an order that leads to the USG’s acquisition of data) under 702. Only electronic communication service providers are eligible. Importers that are not ECSPs can, therefore, provide assurances of ineligibility and agree to fight any 702 directive. And even if the data was to be obtainable from the importer’s network provider through the NSA’s Upstream collection under 702, the same technical safeguards that would defeat 12333 surveillance would be effective against 702, particularly if decryption/reidentification required the exporter’s cooperation.

As for importers that are ECSPs (in whole or in part), the government only uses Section 702 where there is a repeated need for multitarget collection without the inefficiency of going to the FISA court for individual surveillance orders via a procedure that has greater judicial oversight.

Indeed, at the time of the Snowden leaks, it was reported that fewer than 10 companies were receiving 702 orders. Even if that number has doubled or tripled, it would be an insignificant percentage of the more than 5,300 companies that may be moving from Privacy Shield to SCCs, much less the entire field of importers who rely on SCCs.  

Thus, nearly all of them could promise that they have received no process under 702, and they can keep making that promise unless and until they receive a directive. Others can promise that the number of affected users under all national security process is published in their transparency reports, which exporters can compare to the number of overall data subjects about whom they collect data to make an accurate risk assessment. Where the chance of 702 collection identified through this reporting is sufficiently low (say, less than 1%, which is far lower than the chance of a data breach), an exporter may be able to justify continued exports.

Exit strategy: The potentially unkeepable promise

Of course, a provider that makes any sort of promise related to Section 702 surveillance as part of a package of supplemental clauses may be unable to keep that promise someday.

However, the SCCs already contemplate that situation, under C2P SCC Clause 5, and controller-to-controller SCC Clause II(c), an importer is required to notify an exporter of its inability to comply with SCCs, enabling the exporter to suspend and terminate the contract. An importer could similarly agree to notify an exporter that it will no longer be able to comply with all of its SCC and supplementary promises, without directly notifying the exporter which specific promise it can no longer keep, and offer the same suspension/termination right. Although explicit notification of the receipt of a directive is legally prohibited, a notification that the importer will no longer be able to comply with a set of promises would not violate non-disclosure restrictions, especially where it could be equally likely that the inability to comply was due to something else, such as a failure with the importer’s service provider.

And because a 702 directive is a demand for the importer’s cooperation — and not some sort of notice to the importer that data already has been acquired — importers can expect to provide their warning to the exporter in advance of any actual disclosure.

Service providers are tricky

The CJEU decision and Article 44 of the GDPR indicate that the assessment of the adequacy of protection must consider the importer’s transfers of data to subprocessors or other service providers (among other third parties).

Notably, under Clauses 4(i) and 11(1) of the C2P SCCs, an importer agrees to flow down its SCC obligations to its subprocessors, who must provide “at least the same level of protection for the personal data and the rights of data subject as the data importer.” C2C SCCs are less proscriptive, but it is hard to argue that an importer provides adequate protection if it passes the data to a U.S.-based service provider without addressing the risks identified in the CJEU decision. Just as supplementary provisions to the SCCs, such as those outlined above, may let importers adequately protect data transferred to the U.S., importers may be able to address onward transfer risks to service providers by doing one or more of the following: (1) using technical safeguards such as encryption to prevent the service provider from processing personal data in a form intelligible to the USG; (2) imposing applicable supplementary safeguards on their service providers, which may vary by service provider (a strict flow-down requirement may be unworkable because, for example, a non-ECSP cannot be expected to flow down a non-ECSP rep to its service providers who are ECSPs); (3) for eligible transfers, relying on a derogation set forth in Article 49 of the GDPR; and/or (4) using service providers located in the European Economic Area or an adequate jurisdiction. 

Option two, which for some importers is the least obtainable, could become easier if supervisory authorities signal support for the solution proposed in this article, thereby hastening its widespread adoption.

Conclusion

The irony of utilizing supplemental clauses to assist in the transfer of data to the U.S. is that EU data is sometimes better protected against the USG when it is imported into the U.S. than when it is kept outside the U.S. When data is outside the U.S. borders and doesn’t pertain to U.S. citizens, U.S. surveillance authorities allow the government to operate in an arguably unrestricted manner to obtain such data subject only to capability limitations. Only when the data is imported by U.S. companies does the mandate of U.S. intelligence agencies become circumscribed by U.S. legal authority, including under EO 12333 and FISA.

Thus, inside the U.S., the USG’s power is curtailed and subject to judicial oversight and the often-effective pushback by U.S. technology companies. Nevertheless, the use of the safeguards described in this article should — to the maximum extent possible without requiring changes to the U.S. judicial redress regime — allow for continued cross-border data transfers.

Photo by Duangphorn Wiriya on Unsplash

An Overview of US Surveillance in Light of "Schrems II"

The purpose of this white paper is not to argue for the validity or invalidity of any particular surveillance mechanism, but rather to provide a neutral, unclassified summary of the law and authorities in this area.

Click to view

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

View here


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Marc Zwillinger Nonmember Contributor
Headshot Mason Weisz Nonmember Contributor
Headshot Kandi Parsons Nonmember Contributor
Tags
Government
Europe
U.S.
Privacy Law
Privacy Operations Management
Privacy Opinion
Surveillance
Transborder Data Flow
9 Comments

If you want to comment on this post, you need to login.

  • comment Andor Demarteau • Aug 19, 2020 
    Whilst this may work against executive order 12333, note encryption on connections on the Internet shouldn't be an extra thing you do because of this surveillance bit, encryption related to data importers and specially service providers will simply not work.
The reason for this is pretty simple: the service providers probably have, to some extend, access to the cryptographic keys the importers are using. This is unless, I doubt company's will invest in this, they use proper HSM's to secure those keys and adopt additional measure.
Also the risk of the government obtaining the data may be low, although since most if not all of this goes in secret I doubt the figures in this article are even close to be direct, it will take only a few impacted data subject for the EU data exporter to be in big enforcement trouble.
As for article 32 GDPR, yes costs and measured approach on security is a factor but so also is state-of-the-art security.
Concluding: whilst technical measures may limit the risk to some degree, any promises made by US importers are worth nothing in light of section 702 specially if gag orders come into play and as long as the data subjects impacted have no legal redress nor can be made aware of their data being scraped, this may simply not work.
For other criminal cases etc. holds that processors are not allowed to pass the data onto law enforcement without permission of the data controller, doing so means they may well breach article 28.10 GDPR.
A final note: let's also have a look at how many of the tech firms that export data from the EU fall under the section 702 mandates, if a large number this may invalidate the arguments in this article as well.
For the final note that data is better protected inside than outside of the US because the US government simply will hack in and crap what they like, I'll say this: "give us the data we take good care of it, if you don't we'll scrape it anyway" seems a ludicrous solutions to satisfy the CJEU tests at best.
  • comment Lewis Barr • Aug 19, 2020 
    Thank you, ZwillGen team, for this excellent analysis and the recommendations.
  • comment Jaipat Jain • Aug 19, 2020 
    Thanks for drawing attention to Article 32.  As to use of SCCs and Section 702, some comments would be in order -
1. SCCs themselves are a product of a larger law.  Footnote 2 - to which reference has been made - articulates a well-recognized exception which originates in Article 52(1) of the European Charter of Fundamental Rights. That article says: “Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.”  In other words, laws that meet the above test are okay.
2. Section 702 is not narrow in the sense it is limited to "electronic communication service providers" because ECSP is a wide and elastic term.  It means any "provider of telecommunication service," any "service which provides to users the ability to send or receive wire or electronic communications," any provider "to the public of computer storage or processing services by means of an electronic communications system," and any "other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such        communications are stored."  The foregoing does not include just the telecom companies but at least also all of the cloud service providers. 
3. SCCs do not save one from the reach of Section 702.
  • comment Sylvia Johnson • Aug 19, 2020 
    Stellar analysis.
  • comment Marc Zwillinger • Aug 20, 2020 
    Thank you all for your comments.  To Jaipat, I would say that there are three separate points about 702 related to your comments.  First, while the universe of companies who could get a 702 directive is broad enough to encompass a variety of companies, it doesn't really matter if they can say they have never gotten one and would stop the import if they can no longer live up to their combined promises.  Second, the theoretical scope of 702 from a book perspective and the use of it in practice are different things.  Third, once you leave the question of whether the whole country is adequate and/or whether the privacy shield program as a whole is adequate, the inquiry turns to whether the specific transfer to the specific importer is permissible.  That assessment seems like it should take into account the practical risk assessment based on who the exporter and importer are.
  • comment Jaipat Jain • Aug 20, 2020 
    Thanks Marc. I agree as to your third point.  As to others one could discuss more offline.  But, briefly, I wonder if a Verizon, ATT, AWS and any of the many others inform their customers if they receive a 702 request, or are obligated to under their contracts with their millions of customers? Second, the distinction between book and practice is, it seems, become suddenly relevant here.  To illustrate - in its ruling, CJEU did not compare EU member nations' practices (which, for some, might be more awful than the practice of the U.S.) with that of the U.S.  Instead, it weighed U.S. book vs EU's professed principles.   Article 8, Protection of personal data, Section 1, for instance says, "Everyone has the right to the protection of personal data concerning him or her." Everyone.  I have not read (and will be happy to) any paper that shows, for instance, that France (by way of example) affords redress rights to a non-France resident or citizen when the French Direction générale de la sécurité extérieure collects personal data outside France of that person.
  • comment Henrik von Kunhardt • Aug 21, 2020 
    Picking up Jaipats remarks concerning non-french nationals redress possibilities, the theoretical answer is fairly simple (reality probably more cumbersome, maybe even having to go up all the way to CJEU) - there is one. GDPR is EU legislation. By rule EU legislation superseeds national law for EU member states. So, at least for EU nationals and any other nationals falling under the applicability of GDPR, redress is open to all natural persons falling within the scoppe of GDPR - in theory. It would definitely be interesting to see if CNIL would be willing to go into oppossition to DGSE...
  • comment Ray Everett • Aug 22, 2020 
    I definitely like this idea. If we're going to be looking at bolstering the risk assessments in this area, the kinds of statements suggested above included in an addendum could address many of the questions and points of added scrutiny that would give greater confidence. If you have an addendum that allows you to periodically seek reconfirmation of no 702 directives, no cooperation with EO 12333, etc., you could incorporate periodic queries into a heightened risk assessment cadence and in so doing demonstrate greater attention to these considerations. Unless and until we see revised SCCs, or some new replacement for PS, this seems as good a solution as I've heard.
  • comment Wayne Sisk • Aug 25, 2020 
    The scope of the number of companies potentially under ECSP I believe was vastly underappreciated - it is NOT just "Communications companies" -    "electronic communication service provider" means:

(A) a telecommunications carrier, as that term is defined in section 3 of the Communications Act of 1934;
(B) a provider of electronic communication service,
(C) a provider of a remote computing service,
(D) any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored; or
(E) an officer, employee, or agent of an entity described in subparagraph (A), (B), (C), or (D).  

(According to 50 USCS § 1881 [Title 50. War and National Defense; Chapter 36. Foreign Intelligence Surveillance; Additional Procedures Regarding Certain Persons outside the United States])

Note "C"  which is also defined: 

 “a remote computing service is provided by an off-site computer that stores or processes data for a customer.”
(Not stores AND processes;  stores OR processes)

And:

A service can only be a "remote computing service" if it is available "to the public." Services are available to the public if they are available to any member of the general population who complies with the requisite procedures and pays any requisite fees. For example, XXX  is a provider to the public: anyone can obtain a XXX account.

This would include most any web present company running virtually any sort of SaaS B2B service (in any class)
Related Stories
'Schrems II': Impact on Data Flows with Canada
1
On July 16, the Court of Justice of the European Union decision  sent a shockwave through the privacy, tech and business communities with its determination that the EU-U.S. Privacy Shield is no longer a valid basis for transferring EU personal data to the U.S. Though focused on the U.S., this decisi...
Read More queue Save This
7 predictions for the road ahead after 'Schrems II'
It's difficult to believe that it has only been a short time since the Court of Justice of the European Union invalidated the European Commission adequacy finding for the EU-U.S. Privacy Shield on July 16, 2020. So much has changed.  In this final note in the series, we provide seven predictions fo...
Read More queue Save This
An Overview of US Surveillance in Light of "Schrems II"

The purpose of this white paper is not to argue for the validity or invalidity of any particular surveillance mechanism, but rather to provide a neutral, unclassified summary of the law and authorities in this area.

Click to view

GDPR Genius

This interactive tool provides IAPP members ready access to critical EU General Data Protection Regulation resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.

View here

Related Stories
Tags
Government
Europe
U.S.
Privacy Law
Privacy Operations Management
Privacy Opinion
Surveillance
Transborder Data Flow
Recent Comments