Authorities in the US have three ways of overcoming commercial data transfer difficulties created by the Schrems II ruling from the Court of Justice of the European Union (CJEU), according to the Congressional Research Service.

The court determined last July that companies moving personal data from the EU to other jurisdictions have to provide the same level of protection given by the EU’s General Data Protection Regulation (GDPR).

The case was brought by Austrian privacy activist Max Schrems whose concerns included US law allowed the country’s intelligence agencies access to data transferred to the United States.

“Transatlantic data flows are an integral part of the $5.5trn (€4.62trn) US-European economic relationship,” the Congressional Research Service wrote in a report assessing options for the way forward.

Before Schrems II, many businesses and organisations relied on Privacy Shield to make international data transfers: the programme had 5,380 participants around the time of the ruling. 

After discussing the issues involved and their implications, the Congressional Research Service highlighted a series of actions open to the US:

  • Executive Action – the President could issue an executive order which limits bulk intelligence collections and provides additional redress mechanisms, such as an executive office or tribunal with power to adjudicate complaints and issue binding decisions on the intelligence community.

  • Diplomacy – US and EU officials could negotiate a diplomatic solution, for example a new framework to replace Privacy Shield and a new adequacy determination by the European Commission. 

  • Legislation – Congress might legislate to amend the Foreign Intelligence Surveillance Act (FISA) to prohibit bulk intelligence collections and require court approval for each target of surveillance. It could create a cause of action to allow foreign subjects to bring complaints before a tribunal if they believe intelligence agencies have collected or used their data in an unlawful way.

The Congressional Research Service also noted: “While not directly addressing the issues raised in Schrems II, some commentators have also maintained that the United States’ adoption of a comprehensive federal data protection law applicable to commercial entities could facilitate transatlantic data transfers.

“Assuming the surveillance concerns are also addressed, a comprehensive data protection law could result in the EC determining that the United States provides an ‘adequate level of protection’ under Article 45 of the GDPR.

“Such a determination would mean that data exporters would no longer need to rely on international executive agreements such as Privacy Shield or on mechanisms such as SCCs [Standard Contractual Clauses] in order to transfer data to the United States.”

PrivSec Global, a live streaming event, is currently taking place, featuring more than 200 speakers and 64 sessions on privacy, data protection and cyber-security.