At the end of September, the US Chamber of Commerce published a white paper on transfers of personal data between the EU and the US following the Schrems II ruling invalidating the Privacy Shield.
The purpose of this white paper is to provide European companies with information on the protection of personal data under US law in order to help them make it possible to carry out a case-by-case analysis of the validity of data transfers to the United Statesas requested by the Court of Justice in its ruling.
The American Chamber of Commerce points out that :
- Most US companies are not concerned by data requests from government intelligence agencies, which have no interest in ordinary business data such as employee, customer or sales data;
- Schrems II does not conclude that the protection of privacy under US law does not comply with the RGPD, but that the information known to the European Commission in 2016 on this aspect of US legislation was not sufficient to validate the Privacy Shield.
Consequently, the Chamber of Commerce recommends that European companies using standard contractual clauses take into account all the information available to date on US legislation protecting personal data. To this end, it details the information it considers relevant on the subject concerning the two American laws cited by the Court of Justice in its ruling: the Foreign Intelligence Surveillance Act (FISA) 702 and theExecutive Order 12333.
In conclusion, the Chamber of Commerce points out that there are many other laws which ensure that access to data is proportionate, controlled and guarantees possible remedies in the event of a violation of people's rights.
As this white paper comes from the American Chamber of Commerce, its position is necessarily biased, but it nevertheless gives European companies that process personal data that is transferred to the United States the beginnings of a response, pending a definitive position from the supervisory authorities and the EDPS.