In response to the July 16, 2020 Schrems II ruling from the European Court of Justice, the US Department of Commerce has issued a formal “Standard Contractual Clauses” White Paper to help organizations assess whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling outlining the robust limits and safeguards in the United States for government access to data.

Government data access safeguards post-Schrems II

 Following the Schrems II ruling, organizations that use EU-approved data transfer mechanisms like Standard Contractual Clauses and Binding Corporate Rules must now verify, on a case-by-case basis, whether foreign legal protections concerning government access to personal data meet EU standards.

Like European nations and other countries, the materials explain that the United States conducts intelligence gathering activities to ensure that national security and foreign policy decision makers have access to timely, accurate, and insightful information on the threats posed by terrorists, criminals, cyber hackers, and other malicious actors. Particularly in view of the extensive U.S. surveillance reforms since 2013, however, and as detailed more fully in the White Paper, the U.S. legal framework for foreign intelligence collection provides clearer limits, stronger safeguards, and more rigorous independent oversight than the equivalent laws of almost all other countries.

The White Paper notes that most companies “do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do.”  Even so, Commerce warned that its materials are not intended to be used as guidance, and has called for European authorities to clarify how to handle compliance issues stemming from the decision.

For more on Schrems II, visit our Schrems II Resource Hub.

Further Information

To access the Commerce Department’s Standard Contractual Clauses White Paper, click on the link here.  Deputy Assistant Secretary James Sullivan also published a brief cover letter discussing the Schrems II decision, which may be found here. We will continue to monitor this legal development, and update our clients as appropriate. 

If you have any questions about this or any other privacy law, please do not hesitate to reach out to Brian Hengesbaugh and Harry Valetk.


Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.


Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.