Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) has been a looming presence in the European privacy landscape since Edward Snowden first leaked the PRISM files in 2013. Surveillance authorized under FISA 702 was a key part of the Schrems I and Schrems II judgments that invalidated the Safe Harbor and Privacy Shield cross-border data transfer regimes respectively (for background, see our article here). It still causes concern among EU lawmakers working on the new EU-U.S. data transfer framework – last month, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs reiterated the EU Parliament’s request to the European Commission “not to adopt any new adequacy decision in relation to the U.S., unless meaningful reforms were introduced, in particular for national security and intelligence purposes.”
That call for reform may sound like wishful thinking, but FISA 702 contained a “sunset” clause when it was first adopted in 2008, and the next sunset is scheduled for 31 December 2023.
The last reauthorization in 2017–2018 was not a smooth process. Lawmakers pushing for reform and a tweet from President Donald Trump on the morning of the vote threatened to scupper the reauthorization bill. It did, however, have the support of the Republican House Speaker and his Democratic counterpart, and that cross-party support was what ultimately pushed the bill through the House with 65 Democrats joining 191 Republicans in voting for it. Cross-party support also pushed through a cloture motion that narrowly prevented the bill falling to a filibuster in the Senate.
This year, the House Republican leadership will be reluctant to move the bill and whip support for it if the majority of Republican members oppose it. The bill will have its opponents in the Republican party, particularly among those that are increasingly mistrustful of national security institutions. Some of those reservations relate directly to FISA, such as the Crossfire Hurricane investigation and botched applications in the FISA court for surveillance on a then-advisor to Donald Trump’s presidential campaign, Carter Page. While not directly related to section 702, similar concerns had already led some to vote against the bill in the last reauthorization round. Others, such as the Mar-a-Lago search, represent a more general concern around partisan bias in national security investigations.
Could FISA 702 simply lapse? This would not be without precedent: three terrorism-related provisions of FISA lapsed in March 2020. Fear of terrorism does not appear to have the same effect on lawmakers as it did in the years post 9/11. That said, the data-gathering options under FISA 702 may not have a reasonable substitute for surveillance activities inside the United States, as other FISA data-collection processes involve lengthy court procedures at an individual level. It seems a stretch to imagine that FISA 702 will simply disappear.
What seems more likely is a push to introduce additional safeguards in its application. From the responses to the Privacy and Civil Liberties Oversight Board’s request for comments on the efficacy of Section 702 in September 2022, privacy concerns are likely to play a major role in the discussions this year. While this was also the case with previous reauthorizations, the privacy landscape in the United States has changed in the last five years. A number of U.S. State legislatures have either passed or are contemplating comprehensive state privacy laws. Safeguards to mollify European critics are already being introduced under Executive Order 14086, and questions may well be raised as to why similar safeguards are not being extended to Americans as well.
While the introduction of privacy safeguards in the current reauthorization process may pacify the critics of FISA 702 in the United States, it seems unlikely to address the concerns in Europe unless those safeguards are hardwired into the use of FISA 702 itself. Given the current concerns around partisan deployment of data gathering by national authorities, a more likely outcome seems to be the ring-fencing of Americans’ privacy rights, without necessarily extending the same to non-U.S. persons. Key criticism has related to the collection of U.S. persons’ data as part of foreign intelligence efforts in violation of protections against search and seizure under the Fourth Amendment to the Constitution.
For European critics, changes that only safeguard rights of U.S. individuals may simply not go far enough in addressing the concerns with sharing data with recipients in the United States. However, a lot will depend on what those safeguards are and how they apply. While it may not create the right environment for an adequacy decision, clearer safeguards around the power of U.S. national authorities to collect data under FISA 702 will certainly be helpful in moving adequacy discussions forward in the long term. In the short term, it may give European data exporters some additional material to consider when conducting their risk assessments for international transfers of data to recipients in the United States.