29/09/2020
Summary of the Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S.Data Transfers after Schrems II
The U.S. Government has prepared the White Paper, which outlines the robust limits and safeguards in the United States pertaining to government access to data.
While the White Paper can help organizations make the case that they should be able to send personal data to the United States using EU-approved transfer mechanisms, it is not intended to provide companies with guidance on EU law or what positions to take before EU regulators or courts.
As a reminder, the CJEU has stated that Executive Order 12333 (EO 12333) and Foreign Intelligence Surveillance Act (FISA 702) do not prescribe limitations on the powers of the US intelligence services and do not give enforceable rights before US courts to data subjects, therefore, cannot ensure a level of protection essentially equivalent to that guaranteed by the EU laws.
Below is the assessment of the White Paper following its structure.
Companies Not Disclosing Data to U.S. Intelligence Agencies
• The EO 12333 does not include any authorization to compel private companies to disclose data
• Under FISA 702, an independent court may authorize the government to issue orders requiring companies in the United States to disclose communications data of specific non-U.S. persons located outside the United States to obtain specified types of foreign intelligence information
• Companies whose EU operations involve ordinary commercial products or services, and whose EU-U.S. transfers of personal data involve ordinary commercial information like employee, customer, or sales records, would have no basis to believe U.S. intelligence agencies would seek to collect that data
Companies Relying on the GDPR’s “Public Interest” Derogation
• The U.S. government frequently shares intelligence information with EU Member States to counter a variety of threats, including international terrorism, the proliferation of weapons of mass destruction, and the activities of hostile foreign cyber actors
• In 2014 the U.S. Privacy and Civil Liberties Oversight Board (“PCLOB”), an independent oversight entity, conducted an extensive review of FISA 702, including assessing its efficacy. After reviewing fifty-four cases in which FISA 702 information was used in intelligence matters, the PCLOB found that “approximately forty cases exclusively involved operatives and plots in foreign countries
Companies Relying on Standard Contract Clauses
• It is important to note that Schrems II was not a ruling on whether privacy protections in U.S. law per se, as of either 2016 or 2020, are consistent with EU law. The ECJ ruled only on the validity of Decision 2016/1250,11 and the ECJ’s assessment of U.S. law accordingly relied primarily on the limited findings about U.S law recorded by the Commission in 2016 in Decision 2016/1250.12 By contrast, companies using SCCs today to transfer data to the United States may consider all currently available information about U.S. law, including (1) information not recorded in Decision 2016/1250; and (2) new developments that have occurred since 2016. Below, we identify relevant information for the two sources of U.S. intelligence law for which the ECJ reviewed the Commission’s findings in Decision 2016/1250: FISA 702 and EO 12333, with a particular focus on those issues that appear to have concerned the ECJ in Schrems II
FISA 702 - The Supervisory Role of the FISC over Individual Targeting Decisions
• A review of applicable U.S. law and practice demonstrates that the Foreign Intelligence Surveillance Court (FISC) - the federal court staffed by independent, life -tenured judges whom the FISA statute authorizes to approve and oversee foreign intelligence surveillance FISC is in fact actively involved in supervising whether individuals are properly targeted under FISA 702
• Before the U.S. government may acquire under FISA 702 the communications data of any person (including an EU citizen or resident) the FISC must—absent exigent circumstances—approve a written certification submitted by the Attorney General and the Director of National Intelligence jointly authorizing the collection activities for up to one year. Among other requirements, the certification must be accompanied by and the FISC must approve targeting procedures defining how the government determines which specific persons’ communications may be acquired. The certification also limits the purpose of the surveillance to a specified type of foreign intelligence—for example terrorism or the acquisition of weapons of mass destruction.
• If the FISC approves the certification, the government may issue “directives” to electronic communication service providers in the United States. These directives compel the providers to disclose communications data of specific persons in response to targeted requests based on the tasked selectors. The government must record in every case the reasons a specific person was targeted
• The targeting procedures also now require that when making this assessment, analysts at the NSA must “provide a written explanation of the basis of their assessment, at the time of targeting.” Requiring NSA analysts to record their “targeting rationale” when tasking selectors facilitates the FISC’s supervision of whether individuals are properly targeted by “memorializ[ing] why the analyst is requesting targeting, and provid[ing] a linkage between the user of the facility and the foreign intelligence purpose covered by the certification under which it is being tasked
• Each and every targeting assessment and rationale made by NSA analysts and each and every selector tasked for data acquisition is reviewed by independent intelligence oversight attorneys in the Department of Justice (DOJ) for compliance with the applicable legal standard set forth in the targeting procedures
• The FISC can and does enforce compliance with FISA 702 targeting requirements, including by imposing remedial action. The FISC conducts its own compliance analysis and—in oral hearings or through written responses—can require the government to explain compliance incidents and describe how they have been remedied. If the court is not satisfied, it can terminate the government’s authority to engage in data acquisition, including through binding remedial decisions
• The rigor and effectiveness of the FISC’s supervision of whether individuals are properly targeted is demonstrated in semi-annual joint assessments that DOJ and the Office of the Director of National Intelligence (ODNI) provide to the FISC. DOJ and ODNI conduct onsite reviews at NSA on a bimonthly basis
• The FISC has stated that “[i]t is apparent to the Court that the implementing agencies, as well as [ODNI] and [DOJ], devote substantial resources to their compliance and oversight responsibilities under Section 702. As a general rule, instances of non-compliance are identified promptly and appropriate remedial actions are taken, to include purging information that was improperly obtained or otherwise subject to destruction requirements under applicable procedures.”37 On a separate occasion, the FISC described the government’s oversight of FISA 702 targeting as “robust
Individual Redress for Violations of FISA 702
• The FISA statute itself empowers a person who has been subject to FISA surveillance and whose communications are used or disclosed unlawfully to seek compensatory damages, punitive damages, and attorney’s fees against the individual who committed the violation.
• The Electronic Communications Privacy Act provides a separate cause of action for compensatory damages and attorney’s fees against the government for willful violations of various FISA provisions
• Individuals may also challenge unlawful government access to personal data, including under FISA, through civil actions under the Administrative Procedure Act (“APA”), which allows persons “suffering legal wrong because of” certain government conduct to seek a court order enjoining that conduct
• In 2015, for example, a federal appellate court ruled in a lawsuit brought under the APA that the government’s bulk collection of telephony metadata was not authorized by Section 501 of FISA.44 The U.S. Congress, with the executive branch’s approval, subsequently 13 terminated that program
• In early 2018, additional privacy protections and safeguards relating to FISA 702 through amendments to FISA and other statutes: 1) requiring that with each annual FISA 702 certification, the government must submit and the FISC must approve querying procedures, in addition to targeting procedures and minimization procedures; 2) requiring additional steps including notification to Congress before the government may resume acquisition of “about” collection under FISA 702; 3) amending the enabling statute for the PCLOB to allow it to better exercise its advisory and oversight functions; 4) adding the Federal Bureau of Investigation and NSA to the list of agencies required to maintain their own Privacy and Civil Liberties Officers, instead of being subject only to their parent department-level officers, to advise their agencies on privacy issues and ensure there are adequate procedures to receive, investigate, and redress complaints from individuals who allege that the agency violated their privacy or civil liberties; 5) extending whistleblower protections to contract employees at intelligence agencies; and 6) imposing several additional disclosure and reporting requirements on the government, including to provide annual good faith estimates of the number of FISA 702 targets
Essential Equivalence
• The EU itself has no competence over national security matters, which are the sole responsibility of the EU Member States. Only about half of the Member States as of 2015 required any form of judicial review for intelligence collection of personal data.53 The European Court of Human Rights (“ECtHR”) regularly reviews the domestic intelligence surveillance programs of Member States and has upheld programs that are similar to or more expansive than FISA 702
• Several Member States’ domestic intelligence programs go beyond targeted surveillance to include bulk collection—the EU’s Fundamental Rights Agency found in 2015 that among five Member States with laws regulating untargeted intelligence collection, three allowed for untargeted surveillance domestically, while others appeared not to substantially regulate their surveillance of communications at all.55 The reality is that data transferred to the United States enjoys comparable or greater privacy protections relating to intelligence surveillance than data held within the EU
Executive Order 12333
• EO 12333 is a general organizing directive that (1) assigns the different U.S. intelligence agencies responsibility for different types of overt and clandestine intelligence collection and counterintelligence activities, and (2) places restrictions on certain agencies’ activities
• EO 12333 does not authorize the U.S. government to require any company or person to disclose data. Bulk data collection is permitted only in other contexts, such as clandestine intelligence activities involving overseas access to data—activities in which companies cannot legally be compelled to participate
• The ECJ has never ruled on the lawfulness of a Member State’s overseas access to data for intelligence purposes, and it may not have jurisdiction to do so given restrictions in the EU treaties.62 And while the ECtHR has for decades reviewed EU Member States’ intelligence surveillance programs, those cases have involved only domestic surveillance programs—that is, government access to communications or other data within a state’s territorial jurisdiction
• For example, Presidential Policy Directive 28 (PPD-28) delimits the use of signals intelligence collected in bulk to detecting and countering six types of threats: (1) espionage and other threats from foreign powers; (2) terrorism; (3) threats from weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied forces; and (6) transnational criminal threats. PPD-28 also requires each intelligence agency to adopt procedures allowing the retention or dissemination of personal information, regardless of nationality, only if retention or dissemination of “comparable information concerning U.S. persons would be permitted
• The Director of National Intelligence has established National Intelligence Priorities Framework (NIPF) to ensure that data acquisition responds to national intelligence priorities. The robust process the NIPF has created within the Executive Branch applies objective criteria to ensure that targeting and collection, including bulk signals intelligence under EO 12333, are responsive to specific national intelligence priorities
• Intelligence agencies are also required to have internal procedures governing EO 12333 collection that set out requirements for intelligence officers whenever practicable to identify specific selection terms, such as telephone numbers or email addresses, that are expected to collect foreign intelligence responsive to NIPF priorities
• The Central Intelligence Agency’s guidelines issued in 2017 require senior approvals and documentation of privacy protections for any bulk data collection
• In 2013, for example, the NSA Inspector General reported to the Congress that, in the prior decade, there had been twelve substantiated instances of intentional misuse of the NSA’s signals intelligence authorities, including unauthorized queries and taskings against foreign nationals.72 The letter setting out this information identified the enforcement actions (e.g., termination and other disciplinary action) that the NSA had taken against the relevant employees
Conclusion
• This White Paper focuses on the privacy safeguards in current U.S. law relating to intelligence agencies’ access to data that are relevant to the issues that appear to have concerned the ECJ in Schrems II.There are numerous other privacy safeguards in this area of U.S. law, not discussed by the ECJ in its review of Commission Decision 2016/1250 in Schrems II, that ensure that U.S. intelligence agencies’ access to data is based on clear and accessible legal rules, proportionate access to data for legitimate purposes, supervision of compliance with those rules through independent and multi-layered oversight, and effe ctive remedies for violations of rights.
Letter from Deputy Assistant Secretary James Sullivan on the Schrems II Decision can be accessed here, and the White Paper here.
Written by
Stevan Stanojevic
This brief analysis of the White Paper is not intended to be legal advice nor guidance. It does not represent the views of the author. Refer to the White Paper for more information.