Expert opinion on US surveillance laws highlights FISA risk for data transfers to the US
Germany’s Data Protection Conference (DSK) recently made public an expert opinion on Section 702 of the US Foreign Intelligence Surveillance Act (FISA), which came under close scrutiny in the July 16, 2020 decision of the Court of Justice of the European Union (Schrems II). The Schrems II decision invalidated the EU-US Privacy Shield and held that transfers of personal data from the EEA made pursuant to standard contractual clauses (SCC) must be subject to an assessment of whether the SCC offer adequate safeguards to transferred data, given the circumstances of the transfer.
Key findings of the expert opinion
Although the opinion embraces a broad interpretation of FISA Section 702’s application, it is unlikely to have an impact on many of the assessments carried out consistent with the Recommendations of the EU data protection supervisory authorities (the EDPB), which permit exporters to consider how Section 702 is applied in practice in the US, and not simply consider the text of the statute per se.
Stephen I. Vladeck, a professor at the University of Texas School of Law and expert in US national security law, states in the opinion that the scope of companies to which Section 702 potentially applies is broader than commonly thought.
Section 702 permits the US government to conduct targeted surveillance of foreign (ie, non-US) persons located outside the US in order to acquire “foreign intelligence information.” Under Section 702, the US Attorney General and Director of National Intelligence may issue directives compelling US electronic communication service providers (ECSPs) to provide such information. Vladeck suggests that the definition of ECSPs and particularly of electronic communication services (ECSs), one type of ECSP, could encompass virtually any company, which would then be compelled to comply with a Section 702 directive insofar as it holds “foreign intelligence information.”
An ECS is defined as any service which provides to users the ability to send or receive wire or electronic communications. As Vladeck writes, this would include companies that provide, for example, internal communication systems (eg, corporate email or messaging systems) or computer terminals running an electronic reservations system. Unlike for remote computing services (RCS – another type of ECSP, defined as the provision to the public of computer storage or processing services by means of an electronic communications system), an ECS need not provide services to the public; giving any users – such as the company’s own employees – the ability to send or receive communications is sufficient. This is consistent with both the US Department of Justice’s published guidance as well as our interpretation, particularly in light of the broad definition and courts’ willingness to apply it in a number of contexts.
Thus, companies from industries as disparate as hospitality, transportation, shipping, and banking could be considered ECSPs and required to comply with a government request for information that otherwise meets the Section 702 requirements. Crucially, Vladeck notes that although a business may qualify as an ECSP based upon only a small quantity of activity, even if that activity is unrelated to its primary function, such a distinction would not matter in the context of Section 702’s applicability – once a company meets the definition of an ECSP, it would need to provide all communications or data being sought that are within the scope of an authorized directive.
The DSK’s overview
The DSK, an informal body consisting of all German data protection authorities for both the non-public and public sectors, also published an overview of what it considers the key findings of the expert opinion (in German only); the overview focuses on findings similar to those set out above. In addition to noting the findings summarized above, the DSK mentions Vladeck’s assessment that legal redress against access to or retention of EU/EEA data subjects’ data is not always available.
The DSK also notes that the German data protection supervisory authorities are currently assessing the consequences resulting from the findings of the opinion and concludes that although the expert opinion has no directly binding effect for the assessment of individual cases, the supervisory authorities will take it into account in their activities.
For many companies, the broad interpretation in the expert opinion will have minimal practical effect, because the Schrems II decision and the Recommendations make clear that a transfer assessment must ultimately consider not just the initial transfer, but also all onward transfers. Given the plethora of cloud-based services, it is relatively uncommon for data never to be hosted or stored by an RCS. The outcome of the assessment is therefore more likely to turn on whether transferred data could be considered foreign intelligence information, and the actual risk of a Section 702 directive being issued in the circumstances.
The wider impact of the DSK’s foray into the intricacies of FISA remains to be seen. But it should be stressed that the final say on whether an international data transfer is legal will be given by the courts, and not by those among the German data protection authorities who have already proclaimed that the time has come for “Europe’s new era of digital autonomy.”
When carrying out transfer impact assessments, companies exporting data to the US should pay close attention to the broad scope of FISA Section 702 and – in line with the EDPB’s recommendations – focus on the law as applied in practice to the transferred data and/or to the data importer, and on whether it will prevent the importer from fulfilling its obligations under the chosen transfer tool.
To learn more about this development, contact our data privacy team via PrivacyGroup@dlapiper.com.