The July 16 decision by the European Court of Justice (ECJ) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18 (“Schrems II”) has created enormous uncertainty about the ability of companies to transfer personal data from the European Union to the United States in a manner consistent with EU law. In addition to invalidating the European Commission’s 2016 adequacy decision for the EU-U.S. Privacy Shield Framework (on which more than 5,300 companies relied to conduct transatlantic trade in compliance with EU data protection rules), the ECJ’s Schrems II ruling requires organizations that use EU-approved data transfer mechanisms like Standard Contractual Clauses and Binding Corporate Rules to now verify, on a case-by-case basis, whether foreign legal protections concerning government access to personal data meet EU standards. Accordingly, in an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling, the U.S. Government has prepared the attached White Paper, which outlines the robust limits and safeguards in the United States pertaining to government access to data.

Like European nations and other countries, the United States conducts intelligence gathering activities to ensure that national security and foreign policy decision makers have access to timely, accurate, and insightful information on the threats posed by terrorists, criminals, cyber hackers, and other malicious actors. Particularly in view of the extensive U.S. surveillance reforms since 2013, however, and as detailed more fully in the White Paper, the U.S. legal framework for foreign intelligence collection provides clearer limits, stronger safeguards, and more rigorous independent oversight than the equivalent laws of almost all other countries. 

While the White Paper can help organizations make the case that they should be able to send personal data to the United States using EU-approved transfer mechanisms, it is not intended to provide companies with guidance on EU law or what positions to take before EU regulators or courts. Nor does it eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision. 

The ECJ’s ruling has generated significant legal and operational challenges for organizations around the world at a time when the ability to move, store, and process data seamlessly across borders has never been more crucial. Cross-border data flows have become indispensable to how citizens on both sides of the Atlantic live, work, and communicate. They power the international operations and growth of American and European businesses of every size and in every industry, and underpin the $7.1 trillion transatlantic economic relationship. Most importantly, they enable governments, private companies, and organizations worldwide to leverage the data sharing and collaborative research critical to understanding the COVID-19 virus, mitigating its spread, and expediting the discovery and development of treatments and vaccines. 

To address the challenges posed by the Schrems II ruling, the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States. Publication of this White Paper represents an important step by our Government to help maintain the mutually beneficial flows of information that are so vital to our transatlantic partnership.

Sincerely,

James M. Sullivan

Deputy Assistant Secretary for Services

U.S. Department of Commerce