In mid-January, President Donald Trump signed the renewal of Section 702 of the Foreign Intelligence Surveillance Act (FISA) following overwhelming consensus in the Senate (65-34) and House of Representatives (256-164).
The law allows the National Security Agency (NSA) to collect information on non-Americans–“international terrorists, weapons proliferators, and other important foreign intelligence targets”–in other countries that are suspected of illegal activity. It’s not clear just how much data is collected on non-Americans in these circumstances, which may also include American citizens that would be involved in these communications. After passage, the controversial act won’t come up for renewal again until December 2023.
As a result, the move has rankled privacy advocates in Europe and once again shined a light on the future integrity of Privacy Shield, the data transfer agreement between the EU and the U.S. The agreement was reached in 2016 and allows companies like Microsoft, Slack, and Airbnb to transfer user data across the Atlantic legally. Data of Europeans transferred to the U.S. may be targeted by surveillance, which has been a sensitive issue for European authorities. Now, FISA’s provisions do little to ease concerns that Europeans won’t be caught up in surveillance operations.
The EU has championed Privacy Shield as a privacy-protecting mechanism but it has come under criticism from digital rights groups and legal experts who say it does not go far enough to protect Europeans from data privacy abuses.
The agreement underwent its first annual review in September of last year, carried out by the European Commission (the EU’s executive arm) and the U.S. government, including the State and Commerce departments and the FTC. Despite a lot of scrutiny from privacy advocates and data protection lawyers, it passed the review, but with some caveats.
Most tellingly, the European Commission raised concerns over Section 702 before the renewal vote. Among its recommendations was enshrining in FISA the protections of the Presidential Policy Directive-28 (PPD-28), which recognizes the privacy rights of people in other countries. In the review, the Commission said that the U.S. had a “unique opportunity for strengthening the privacy protections” in FISA.
“Any further reforms, both in terms of substantive limitations and in terms of procedural safeguards, should be implemented in the spirit of PPD-28 and thus provide protection irrespective of nationality or country of residence,” said the review.
The renewal of Section 702 shows that Europe’s concerns and considerations were not taken on board by the U.S., according to Maria Tzanou, a European law lecturer at Keele University in the UK.
“The only concern in the U.S. has been the protection of U.S. persons from NSA spying and surveillance and while there was some effort to address this in the amended FISA bill, there was nothing there to address Europeans’ and the Commission’s concerns,” she explained.
So, were the apprehensions of Europe simply ignored? A spokesperson for the European Commission said it was following the “process closely” before deciding on how to respond.
“Generally, we have always made the point that for the Commission (and the Privacy Shield) it is crucial that there is no lowering of any personal data protection standards in the FISA re-authorization,” said the spokesperson in a statement but did not comment further on Europe’s next steps.
What options does the EU have at its disposal? If the U.S. is not complying with the agreement, then the EU can move to suspend or repeal Privacy Shield, though that is considered an extreme option that would require a new deal to be reached and the EU has never made any threat to do so. Tzanou disagrees that the FISA renewal amounts to such a severe case of non-compliance.
“It should be recalled that Privacy Shield is based on, what is now, the older version of the Section 702 of FISA. In fact, the Commission accepted there the commitments given by the U.S. authorities as guaranteeing adequate protection,” she said. “My research, however, shows that these ‘commitments’ were nothing more than a mere description of Section 702 of FISA and how this worked, with no significant additional safeguards besides mentioning PPD-28, [whose] legal status and enforceability has been dubious.”
Nevertheless, FISA’s renewal is a “missed opportunity to address the Commission’s concerns and comply with what [was] requested in its review of Privacy Shield,” she added.
The blame doesn’t lie entirely on the feet of U.S. lawmakers, said Joe McNamee, executive director of Brussels-based digital rights group EDRi. The European Commission itself has been criticized frequently for not being harder on Privacy Shield protections while it was being negotiated.
“It seems fairly clear at this stage that the Commission appears unable to draw the obvious consequences from the extensive failings of the Privacy Shield framework. As a result, it is not surprising that the U.S. does not seem constrained by the Commission’s concerns,” to not surveil Europeans, McNamee told The Daily Dot.
Emboldened by these supposed shortcomings, privacy and civil rights groups are trying to take the Privacy Shield pact to the European courts in a bid to have it overturned, with varying results. In November, one such group, Digital Rights Ireland, had its attempted case against Privacy Shield ruled as inadmissible with the General Court of the European Union stating that agreement remains valid.
But could the renewal of FISA, among other issues, cause these cases to gather steam again?
“Yes, this might be the case … the renewal does show that the U.S. are more interested in their surveillance laws rather than protecting people’s privacy, especially when we are talking about non-Americans,” said Tzanou.
If a case makes it to court, Privacy Shield may be in serious trouble. The pact, after all, was introduced as a replacement to its predecessor Safe Harbor, which was in place between 2000 and 2015. Safe Harbor allowed companies to transfer data between Europe and the U.S. with relative ease. However a case taken by Austrian lawyer Max Schrems—inspired by the spying revelations of Edward Snowden—led to the agreement being struck down and the negotiating of what would become Privacy Shield.
For opponents and privacy advocates, the U.S.’s attitudes to the pact shows that it is not being taken seriously—for example, it has yet to appoint a permanent ombudsperson to oversee surveillance complaints made by Europeans.
“It also shows that they are not interested in engaging much with the Privacy Shield requirements and what the Commission says,” said Tzanou, “besides doing the minimum possible.”