US Con­gres­sio­nal Rese­arch Ser­vice: Umgang mit Schrems II

Der US-Con­gres­sio­nal Rese­arch Ser­vice hat einen Bericht mit Datum vom 17. März 2021 zu “EU Data Trans­fer Requi­re­ments and U.S. Intel­li­gence Laws: Under­stan­ding Schrems II and Its Impact on the EU‑U.S. Pri­va­cy Shield” ver­öf­fent­licht (PDF). Der Bericht ent­hält in einem ersten Teil eine Über­sicht über die Rege­lung von Aus­lands­be­kannt­ga­ben in der DSGVO, über das Schrems-II-Urteil des EuGH und den Ent­wurf der Leit­li­ni­en des EDSA zu die­sem Thema.

Inter­es­san­ter sind die fol­gen­den Aus­füh­run­gen zum US-ame­ri­ka­ni­schen Über­wa­chungs­recht, d.h. den FISA, Sec­tion 702 (→ Rz. 109 ff. im Schrems-II-Urteil), die Exe­cu­ti­ve Order 12333 (1981, seit­her geän­dert; Rz. 60 ff. und 165 f.), die vom Oba­ma erlas­se­ne Pre­si­den­ti­al Poli­cy Direc­ti­ve 28 (PPD-28; Rz. 48 und 116).

Im Anschluss fasst der Con­gres­sio­nal Rese­arch Ser­vice zuhan­den des Kon­gres­ses die Hand­lungs­mög­lich­kei­ten des US-Gesetz­ge­bers zusammen:

  • Exe­cu­ti­ve Action. Pure­ly exe­cu­ti­ve action could address some of the intel­li­gence collec­tion con­cerns rai­sed in Schrems II. For instance, the Pre­si­dent could issue an Exe­cu­ti­ve Order that fur­ther limits bulk intel­li­gence collec­tions and that pro­vi­des addi­tio­nal redress mecha­nisms, such as an exe­cu­ti­ve office or tri­bu­nal with the power to adju­di­ca­te com­p­laints and issue bin­ding deci­si­ons on the Intel­li­gence Community.
  • Diplo­ma­cy. U.S. and EU government offi­cials could nego­tia­te a diplo­ma­tic solu­ti­on. For instance, the U.S. exe­cu­ti­ve branch and the EC might agree to a new a frame­work that would replace Pri­va­cy Shield and result in a new ade­quacy deter­mi­na­ti­on by the EC. The U.S. Depart­ment of Com­mer­ce and the EC have alrea­dy initia­ted dis­cus­sions to “eva­lua­te the poten­ti­al for an enhan­ced EU‑U.S. Pri­va­cy Shield frame­work” that would com­ply with Schrems II. Howe­ver, as hap­pen­ed with Pri­va­cy Shield, the CJEU could inva­li­da­te any new ade­quacy deci­si­on if it deter­mi­nes the deci­si­on is incon­si­stent with the GDPR or the Char­ter of Fun­da­men­tal Rights. Alter­na­tively, the United Sta­tes and the EU could enter into a trea­ty gover­ning data trans­fers bet­ween the two juris­dic­tions. While a trea­ty would have supe­ri­or legal for­ce to EU regu­la­ti­ons, such as the GDPR, it would not pre­vail over pri­ma­ry sources of EU law, such as the Char­ter of Fun­da­men­tal Rights.
  • Legis­la­ti­on. Con­gress might adopt sta­tu­to­ry requi­re­ments addres­sing the CJEU’s con­cerns. For instance, it could amend FISA to pro­hi­bit bulk intel­li­gence collec­tions and requi­re court appro­val with respect to each tar­get of sur­veil­lan­ce. It could fur­ther crea­te a cau­se of action that would allow for­eign sub­jects to bring com­p­laints befo­re a tri­bu­nal if they belie­ve intel­li­gence agen­ci­es have collec­ted or used their data in an unlaw­ful way. The­se solu­ti­ons may rai­se com­plex con­sti­tu­tio­nal issu­es, such as sepa­ra­ti­on of powers and Arti­cle III stan­ding con­cerns, both of which are beyond the scope of this Report.

While not direct­ly addres­sing the issu­es rai­sed in Schrems II, some com­men­ta­tors have also main­tai­ned that the United Sta­tes’ adop­ti­on of a com­pre­hen­si­ve federal data pro­tec­tion law app­li­ca­ble to com­mer­cial enti­ties could faci­li­ta­te trans­at­lan­tic data transfers. […]