The U.S. Congressional Research Service has published a report dated 17 March 2021 on “EU Data Transfer Requirements and U.S. Intelligence Laws: Understanding Schrems II and Its Impact on the EU‑U.S. Privacy Shield” (PDF). The first part of the report gives an overview of the GDPR's rules on international data transfers, the CJEU's Schrems II judgment, and the EDPB's draft guidelines on the topic.
More interesting are the subsequent remarks on U.S. surveillance law, i.e. FISA Section 702 (→ paras. 109 ff. of the Schrems II judgment), Executive Order 12333 (1981, since amended; paras. 60 ff. and 165 f.), and Presidential Policy Directive 28 (PPD-28; paras. 48 and 116), issued by Obama.
The Congressional Research Service then summarizes, for the attention of Congress, the options open to the U.S. legislature:
- Executive Action. Purely executive action could address some of the intelligence collection concerns raised in Schrems II. For instance, the President could issue an Executive Order that further limits bulk intelligence collections and that provides additional redress mechanisms, such as an executive office or tribunal with the power to adjudicate complaints and issue binding decisions on the Intelligence Community.
- Diplomacy. U.S. and EU government officials could negotiate a diplomatic solution. For instance, the U.S. executive branch and the EC might agree to a new framework that would replace Privacy Shield and result in a new adequacy determination by the EC. The U.S. Department of Commerce and the EC have already initiated discussions to “evaluate the potential for an enhanced EU‑U.S. Privacy Shield framework” that would comply with Schrems II. However, as happened with Privacy Shield, the CJEU could invalidate any new adequacy decision if it determines the decision is inconsistent with the GDPR or the Charter of Fundamental Rights. Alternatively, the United States and the EU could enter into a treaty governing data transfers between the two jurisdictions. While a treaty would have superior legal force to EU regulations, such as the GDPR, it would not prevail over primary sources of EU law, such as the Charter of Fundamental Rights.
- Legislation. Congress might adopt statutory requirements addressing the CJEU’s concerns. For instance, it could amend FISA to prohibit bulk intelligence collections and require court approval with respect to each target of surveillance. It could further create a cause of action that would allow foreign subjects to bring complaints before a tribunal if they believe intelligence agencies have collected or used their data in an unlawful way. These solutions may raise complex constitutional issues, such as separation of powers and Article III standing concerns, both of which are beyond the scope of this Report.
While not directly addressing the issues raised in Schrems II, some commentators have also maintained that the United States’ adoption of a comprehensive federal data protection law applicable to commercial entities could facilitate transatlantic data transfers. […]