Key Takeaways
- Particularly in view of the extensive U.S. surveillance reforms since 2013 ... the U.S. legal framework for foreign intelligence collection provides clearer limits, stronger safeguards and more rigorous independent oversight than the equivalent laws of almost all other countries.
- To address the challenges posed by the Schrems II ruling, the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.
Most Companies Are Not Engaged in Worrisome Schrems II Transfers
Most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the ECJ in Schrems II.
- U.S. government commitments and public policies restrict intelligence collection to what is required for foreign intelligence purposes and expressly prohibit the collection of information for the purpose of obtaining a commercial advantage.
- Companies whose EU operations involve ordinary commercial products or services, and whose EU-U.S. transfers of personal data involve ordinary commercial information like employee, customer or sales records, would have no basis to believe U.S. intelligence agencies would seek to collect that data.
- The overwhelming majority of companies have never received orders to disclose data under Foreign Intelligence Surveillance Act (FISA) 702 and have never otherwise provided personal data to U.S. intelligence agencies.
Companies Should Consider Post-2016 Developments in U.S. Law Concerning Government Access
There is a wealth of public information about privacy protections in U.S. law concerning government access to data for national security purposes, including information not recorded in Decision 2016/1250, new developments that have occurred since 2016 and information the ECJ neither considered nor addressed. Companies may wish to take this information into account in any assessment of U.S. law post-Schrems II.
Schrems II was not a ruling on whether privacy protections in U.S. law per se, as of either 2016 or 2020, are consistent with EU law. The ECJ ruled only on the validity of Decision 2016/1250, and the ECJ’s assessment of U.S. law accordingly relied primarily on the limited findings about U.S. law recorded by the Commission in 2016 in Decision 2016/1250. By contrast, companies using Standard Contractual Clauses (SCCs) today to transfer data to the United States may consider all currently available information about U.S. law, including:
- Information not recorded in Decision 2016/1250
- New developments that have occurred since 2016
FISC Supervision
- The Foreign Intelligence Surveillance Court (FISC) is actively involved in supervising whether individuals are properly targeted under FISA 702. It reviews the reasons for targeting specific people and the basis for the assessment that the surveillance will procure the requisite information (which the government is required to keep).
- The FISC can and does enforce compliance with FISA 702 targeting requirements, including by imposing remedial action. Moreover, the FISC has made clear that its review of FISA 702 targeting procedures is not confined to the procedures as written, but also includes how the government implements those procedures.
- The rigor and effectiveness of the FISC’s supervision of whether individuals are properly targeted is demonstrated in:
  - Decisions, orders, and memorandum opinions of the FISC discussing its supervisory role over the propriety of individual targeting under FISA 702.
  - Semi-annual joint assessments that the Department of Justice and the Office of the Director of National Intelligence (ODNI) provide to the FISC.
Individual Redress for Violations of FISA 702
Several U.S. statutes authorize individuals of any nationality (including EU citizens) to seek redress in U.S. courts through civil lawsuits for violations of FISA, including violations of Section 702.
The FISA statute itself empowers a person who has been subject to FISA surveillance, and whose communications are used or disclosed unlawfully, to seek compensatory damages, punitive damages and attorneys' fees against the individual who committed the violation.
The Electronic Communications Privacy Act provides a separate cause of action for compensatory damages and attorneys' fees against the government for willful violations of various FISA provisions.
Individuals may also challenge unlawful government access to personal data, including under FISA, and seek an order enjoining such access, through civil actions under the Administrative Procedure Act (APA).
Numerous additional privacy safeguards have been added to FISA 702 since Decision 2016/1250 was issued in July 2016. These include:
- April 26, 2017: The FISC issued an order terminating the legal authority to conduct acquisition of so-called “about” collection under FISA 702 and limiting collection only to communications to or from a tasked selector, NOT communications that merely contained the selector in the text of the communication.
- In early 2018, the U.S. Congress passed, and the president signed into law, additional privacy protections and safeguards relating to FISA 702 through amendments to FISA and other statutes. These amendments included:
  - Requiring that with each annual FISA 702 certification, the government must submit and the FISC must approve querying procedures, in addition to targeting procedures and minimization procedures
  - Requiring additional steps including notification to Congress before the government may resume acquisition of “about” collection under FISA 702
  - Amending the enabling statute for the Privacy and Civil Liberties Oversight Board (PCLOB) to allow it to better exercise its advisory and oversight functions
  - Adding the FBI and NSA to the list of agencies required to maintain their own privacy and civil liberties officers, instead of being subject only to their parent department-level officers, to advise their agencies on privacy issues and ensure there are adequate procedures to receive, investigate and redress complaints from individuals who allege that the agency violated their privacy or civil liberties
  - Extending whistleblower protections to contract employees at intelligence agencies
  - Imposing several additional disclosure and reporting requirements on the government, including to provide annual good faith estimates of the number of FISA 702 targets