The U.S. Congressional Research Service has published a report, dated March 17, 2021, on “EU Data Transfer Requirements and U.S. Intelligence Laws: Understanding Schrems II and Its Impact on the EU‑U.S. Privacy Shield” (PDF). The first part of the report gives an overview of how the GDPR regulates disclosures abroad, of the ECJ's Schrems II judgment, and of the EDPB's draft guidelines on this topic.
More interesting are the comments that follow on U.S. surveillance law, i.e., FISA Section 702 (→ para. 109 et seq. in the Schrems II judgment), Executive Order 12333 (1981, since amended; paras. 60 et seq. and 165 et seq.), and Presidential Policy Directive 28 (PPD-28; paras. 48 and 116).
Subsequently, the Congressional Research Service summarizes for the attention of Congress the options for action by U.S. lawmakers:
- Executive Action. Purely executive action could address some of the intelligence collection concerns raised in Schrems II. For instance, the President could issue an Executive Order that further limits bulk intelligence collections and that provides additional redress mechanisms, such as an executive office or tribunal with the power to adjudicate complaints and issue binding decisions on the Intelligence Community.
- Diplomacy. U.S. and EU government officials could negotiate a diplomatic solution. For instance, the U.S. executive branch and the EC might agree to a new framework that would replace Privacy Shield and result in a new adequacy determination by the EC. The U.S. Department of Commerce and the EC have already initiated discussions to “evaluate the potential for an enhanced EU‑U.S. Privacy Shield framework” that would comply with Schrems II. However, as happened with Privacy Shield, the CJEU could invalidate any new adequacy decision if it determines the decision is inconsistent with the GDPR or the Charter of Fundamental Rights. Alternatively, the United States and the EU could enter into a treaty governing data transfers between the two jurisdictions. While a treaty would have superior legal force to EU regulations, such as the GDPR, it would not prevail over primary sources of EU law, such as the Charter of Fundamental Rights.
- Legislation. Congress might adopt statutory requirements addressing the CJEU’s concerns. For instance, it could amend FISA to prohibit bulk intelligence collections and require court approval with respect to each target of surveillance. It could further create a cause of action that would allow foreign subjects to bring complaints before a tribunal if they believe intelligence agencies have collected or used their data in an unlawful way. These solutions may raise complex constitutional issues, such as separation of powers and Article III standing concerns, both of which are beyond the scope of this Report.
While not directly addressing the issues raised in Schrems II, some commentators have also maintained that the United States’ adoption of a comprehensive federal data protection law applicable to commercial entities could facilitate transatlantic data transfers. […]