On July 16, 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield (colloquially known as the “Schrems II” decision), due to concerns about U.S. governmental access to data using intelligence authorities, like the Foreign Intelligence Surveillance Act's Section 702, Presidential Policy Directive 28 and Executive Order 12333. Also of concern was the lack of adequate redress for EU citizens.

Of particular focus for the CJEU was the bulk collection of data without regard to the principle of “proportionality” and the failure to limit collection to what is “strictly necessary.” Interestingly, however, only a small sliver of U.S. companies actually handle the types of data to which these collection authorities would be targeted: telecoms, internet service providers and communications providers, as well as companies carrying or hosting large volumes of traffic and content, such as search engines, web hosting services, cloud providers and social media platforms.

But "Schrems II" also considered standard contractual clauses mandatory contractual requirements that, if followed, “offer sufficient safeguards on data protection for the data to be transferred internationally.” And while the CJEU explicitly invalidated the Privacy Shield, it was less clear about the fate of SCCs, even though U.S. surveillance authorities come into play under either transfer mechanism. 

The day after "Schrems II," the European Data Protection Board clarified that while it still considers SCCs valid, an exporter must undertake a fact-specific assessment to determine whether the country to which data is sent offers adequate protection, taking into consideration “the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country.” In short, cross-Atlantic data-sharing relationships based upon SCCs will now be more heavily scrutinized.

Which brings us to the million-dollar question: What steps can an organization take to address the concerns raised by the CJEU?

For years now, initially pursuant to an agreement with the U.S. Department of Justice and later Section 604 of the 2015 USA Freedom Act, a number of tech companies have published statistics about the production orders received from national security and law enforcement authorities. Providers are allowed to disclose aggregated statistics about the number of requests received pursuant to various criminal and national security authorities, but given the non-disclosure orders that generally accompany FISA and National Security Letters, disclosures are limited to a preset number of data points and the use of general ranges of numbers (“bands”).

In 2010, Google began publishing its “Transparency Report,” providing aggregated six-month breakdowns of “United States national security requests for user information,” including a breakdown of the number of FISA requests for content and metadata, as well as the number of NSLs received in that same period, along with the number of accounts impacted. Likewise, Apple began publishing its own “Transparency Report” in 2013. Even relatively new players to the tech space, such as 23andMe, whose business model focuses on the human genome, began publishing a quarterly “Transparency Report” in 2015. 

While the details and format of each report vary, the key takeaway is that this model offers a way for data importers to clarify the extent and impact of national security access requests on their businesses (the below being merely two of a number of options).

January–June 2019
* Note: As per U.S. government transparency requirements, and taking into account non-disclosure limitations accompanying FISA and NSL requests, reporting is in bands of 500 (e.g., 0-499, 500-999, etc.)
Total criminal process requests Total FISA non-content (metadata) requests Total FISA content requests Total National Security Letter (NSL) requests
Number received Number of customer accounts affected Number received Number of customer selectors targeted Number received Number of customer selectors targeted Number received Number of customer accounts affected
253 285 0-499 0-499 0-499 0-499 0-499 0-499
 
January–June 2019
* Note: As per U.S. government transparency requirements, and taking into account non-disclosure limitations accompanying FISA and NSL requests, reporting is in bands of 250 (e.g., 0-249, 250-500, etc.)
Total criminal process requests Total national security requests received FISA (content and non-content) and NSLs
Number received Number of customer accounts affected Number received Number of customer selectors targeted Number received
253 285 0 0 0

There are even more options for transparency when it comes to criminal law enforcement access requests. A useful guide for sorting through all the options is the Transparency Reporting Toolkit, a joint initiative by New America’s Open Technology Institute and Harvard’s Berkman Klein Center for Internet & Society.

And for companies that have never received any FISA or NSL requests, they may wish to take a page from 23andMe’s Transparency Report: “[a]s of May 15, 2020, 23andMe has not received or been notified of a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information pursuant to the national security laws of the United States or any other country.” Such a declaration further bolsters the proposition that reliance on SCCs can ensure adequate protection for EU citizen data, despite the existence of EO 12333, PPD 28 and FISA Section 702.

It should be borne in mind that the CJEU’s concerns were heavily focused on bulk access by national security authorities, explicitly citing FISA Section 702 and programs like PRISM and UPSTREAM, and Executive Order 12333 (Section 1.7 of which sets forth the authorities/responsibilities of various intelligence agencies, such as the National Security Agency’s authority to collect signals intelligence “SIGINT”); these programs having been revealed through the 2013 Snowden leaks. But as noted above, only a small number of companies handle the types of data of interest in these programs, such as telecoms and communications providers.

Moreover, other bulk intelligence collection programs that made headlines because of Snowden no longer even exist. For example, in the Freedom Act, Congress curtailed the government’s use of Section 215 (of the USA Patriot Act) for bulk collection of domestic telephone data from phone carriers. Even more recently, Section 215 sunset when Congress failed to act.

In other words, some of the bulk collection authorities of concern no longer exist, and to the extent others remain, such as FISA 702, the vast majority of businesses in the U.S. are at low, if any, risk of receiving requests. An even smaller sliver of companies carries the types of traffic targeted by programs like NSA’s signals intelligence collection. And it is this reality that companies need to emphasize and document when negotiating SCCs with EU partners.

Conversely, to the extent a company has received production orders from governmental authorities seeking information on a particular employee or customer, the fact that such orders are targeted to individuals, likely issued by a court, makes them of little concern to EU regulators. Even Schrems’ own advocacy group, NOYB, conceded that “laws that allow common law enforcement access to data in individualized cases and subject to the approval of a judge will be compliant with EU law.”

Transparency can also address the CJEU’s redress concerns.

Interestingly, some of the national security authorities of concern actually offer options for challenging access requests (although admittedly limited). For example, Section 702 of FISA allows an “electronic communications service provider” to file a petition with the FISA Court to modify or set aside the government’s production order.

Perhaps more cogently, Section 803 of the Implementing Recommendations of the 9/11 Commission Act explicitly mandates that intelligence agencies have privacy and civil liberties officers whose duties include ensuring “adequate procedures to receive, investigate, respond to, and redress complaints from individuals ... ."

To enhance public knowledge of this mechanism, these offices have more recently undergone a transformation to increase transparency. For example, the Director of National Intelligence’s Civil Liberties and Privacy Office was renamed the Office of Civil Liberties, Privacy and Transparency in October 2015, a trend followed by other agencies. Likewise, each office regularly publishes a report highlighting its activities during the prior period to include redress requests. Unfortunately, redress isn’t utilized as much as one would expect, as evidenced by the recent report of the NSA (zero complaints; zero redress requests), and the Department of Defense (three privacy complaints; zero for redress). But this evidences a need for greater publicity of the options, not a lack of redress.

Indeed, given that EU citizens have few if any redress options with their own national security authorities — by EU Treaty, “national security remains the sole responsibility of each member state” — and potentially outside the reach of data protection authorities, U.S. redress in the national security context may actually be more accommodating than those available to EU citizens.  

In the longer term, there are changes that certainly need to be made to fully address the concerns raised by the CJEU. But in the shorter term, it’s incumbent on U.S. companies to distill fact from fiction and transparently demonstrate the true interaction and impact of their engagement with U.S. national security agencies, which will vary widely by company and the types of data/customers they have. 

After all, the last time the EU saw wide-spread transparency relating to data access by U.S. government agencies it was the direct result of the Snowden leaks, causing mass uproar in the EU and eventually leading to the invalidation of Safe Harbor and later the Privacy Shield. 

In the second installment of this two-part series, which can be found in the October 2020 edition of The Privacy Advisor, we’ll dig further into how transparency can address redress concerns, as well as ways for companies to use transparency to proactively demonstrate compliance with EU General Data Protection Regulation rights and begin rewriting the narrative.

Photo by Nik Shuliahin on Unsplash