EU Data Transfer Requirements and U.S. Intelligence Laws: Understanding 'Schrems II' and Its Impact on the EU-U.S. Privacy Shield [March 17, 2021]
From the Document: "On July 16, 2020, in 'Data Protection Commissioner v. Facebook Ireland, Ltd. and Maximillian Schrems (Schrems II)', the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield (Privacy Shield), a program developed by the European Union (EU) and the United States to facilitate cross-border transfers of personal data for commercial purposes. The CJEU determined that U.S. surveillance for foreign intelligence purposes does not provide protections necessary under EU law for the transfer of personal data from the EU to the United States. [...] This Report gives an overview of EU law governing international transfers of personal data, including the 'Schrems II' decision, and how it interacts with U.S. surveillance laws. The Report starts by laying out the requirements for international transfers under the EU's principal data protection law, the General Data Protection Regulation (GDPR). It then discusses how the European Commission--the EU's 'executive arm'--has sought to enforce these requirements with respect to personal data transferred to the United States through the Privacy Shield framework and various SCCs [Standard Contractual Clauses]. The Report next reviews the CJEU's 'Schrems II' decision and its impact on data transfers. After taking a closer look at the U.S. surveillance laws at issue in 'Schrems II'--including Section 702 of FISA [U.S. Foreign Intelligence Surveillance Act], E.O. [Executive Order] 12333, and PPD [Presidential Policy Directive]-28--the Report closes by briefly discussing some considerations for Congress."
CRS Report for Congress, R46724
Congressional Research Service: https://crsreports.congress.gov/