"For data controllers that fall within the scope of the U.S. Foreign Intelligence Surveillance Act (FISA), a transfer of personal data from the Union is not possible under [the] SCCs, due to the high risk of mass surveillance; only a comprehensive reform of surveillances practices in the U.S. can sustainably address this problem and provide legal certainty to businesses and data subjects," said the European Parliament Committee on Civil Liberties, Justice and Home Affairs in a draft Schrems II resolution.

The draft resolution makes clear that no solution is possible, not even a comprehensive U.S. federal data protection law, without the revision of the U.S. surveillance laws. It also urges caution regarding a possible "Privacy Shield 2.0" arrangement and warns the UK and other states currently enjoying an adequacy declaration.

About the US

• Neither the California Consumer Privacy Act (CCPA) in the U.S nor any of the federal proposals so far meet the requirements of the General Data Protection Regulation (GDPR) for an adequate level of protection. The U.S. should adopt a national-level strong comprehensive federal data protection and privacy act that meets those requirements.
• Such consumer data protection and privacy legislation will not by itself remedy the fundamental issues found by the court on mass surveillance by U.S. intelligence services and the insufficient access to remedy.
• The U.S. should reconsider modifications to section 702 of the FISA Act, Executive Order 12333 and Presidential Policy Directive 28, particularly with regard to granting the same level of protection between EU and U.S. citizens.
• The European Commission (EC) should take all the necessary measures to ensure that any further arrangement with the U.S. fully complies with GDPR, with the EU Charter, and every aspect of the European Court of Justice (ECJ) judgement.
• The EC should not adopt any new adequacy decision in relation to the U.S., unless meaningful reforms in laws and practices in the area of access to information by public authorities are introduced, in particular for national security and intelligence purposes.

About Schrems II Supplemental Measures

• The EC should publish further guidance on international data transfers for companies, in particular for Small and Mid-sized Enterprises (SMEs), including on the additional safeguards required for transfers using Standard Contractual Clauses (SCCs).
• EC should take into account all relevant recommendations re: the new SCCs.
• There should be a toolbox of supplementary measures, e.g. security certification and encryption safeguards, that are accepted by regulators.
• EU SMEs have limited bargaining power and legal capacity to conduct transfer assessment. The EC and European Data Protection Board should thoroughly examine the necessity and feasibility of any required supplementary measures, especially for SMEs.