A Historical Primer for This Week’s Judicial and Congressional Actions on Section 215 Bulk Collection

The past week has seen two significant events concerning Section 215 of the USA PATRIOT Act—the most contentious legal issue in the wake of the Edward Snowden revelations. On May 7, the Second Circuit ruled that “the telephone metadata program exceeds the scope of what Congress has authorized and therefore violates” Section 215. On May 13, the House of Representatives approved the USA FREEDOM Act by 338-88, which, if enacted, would limit by statute collection of domestic telephone metadata and other records under Section 215.

Section 215 was an initially little-used authority created in the USA PATRIOT Act, passed in the weeks after the attacks of September 11, 2001. In a 2004 law review article, I explained how the new law expanded the scope of permissible domestic intelligence-gathering activities under the Foreign Intelligence Surveillance Act of 1978 (FISA). The original FISA had focused on electronic surveillance and had not created a FISA mechanism for the government to get business records for foreign intelligence purposes. After the Oklahoma City and 1993 World Trade Center bombings, Congress authorized the use of FISA orders for travel records only.

Section 215 contained two statutory changes that greatly expanded this power. First, the type of records subject to the order went far beyond travel records. Under Section 215, the search can extend to “any tangible things (including books, records, papers, documents, and other items).” Second, the legal standard changed for obtaining the order. Previously, a FISA application had to show “specific and articulable facts giving reason to believe that the person to whom the records pertain is a foreign power or an agent of a foreign power.” The USA PATRIOT Act eliminated the need for any particularized showing. Instead, the order could issue merely upon “a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation.”

When Section 215 came up for reauthorization in 2005, the biggest debate concerned its possible use for library records, along with the law’s “gag rule” that the librarians (or others receiving an order) could not reveal the order existed. Congress made modest changes on both issues at that time, but its basic powers for broad searches remained intact.

Section 215 became far more famous on June 6, 2013, as the subject of the first Glenn Greenwald story in The Guardian based on the Snowden revelations. The Guardian released a Top Secret order of the Foreign Intelligence Surveillance Court that required a major phone company to provide the National Security Agency on an “ongoing, daily basis” all call detail records or “telephony metadata” between the United States and abroad or “wholly within the United States, including local telephone calls.”

In the wake of these revelations, two major reports have been issued based on highly classified briefings about the actual workings of the telephony metadata program. I was one of five members of President Obama’s Review Group on Intelligence and Communications Technology, which included a former Deputy Director of the CIA and the former top counter-terrorism advisor to two Presidents. Based on a case-by-case review of the fruits of the Section 215 orders, our most widely-quoted finding was that “the information contributed to terrorist investigations by the use of section 215 telephony metadata was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional section 215 orders.” The Privacy and Civil Liberties Oversight Board issued a separate 234-page report, in which the majority was highly critical of the telephone records program as a matter of both policy and statutory interpretation.

The two reports helped spur proposed legislation to end bulk collection programs under Section 215. The 2014 version of the USA FREEDOM Act received Obama administration support, passed the House with a bipartisan vote of 303-121 and fell painfully short in the Senate when supporters got 58 of the 60 votes needed to break a filibuster. (Among many other supporters, the five members of the Review Group supported the bill.)

That brings us to this month’s events. On May 7, the Second Circuit overruled a district court opinion, and disagreed with earlier opinions in the Foreign Intelligence Surveillance Court, which had previously upheld the telephone metadata program as consistent with the statute. The core holding of the Second Circuit turned on the meaning of what is “relevant to an authorized investigation.” The unanimous panel wrote: “The government takes the position that the metadata collected—a vast amount of which does not contain directly ‘relevant’ information, as the government concedes—are nevertheless ‘relevant’ because they may allow the NSA, at some unknown time in the future, utilizing its ability to sift through the trove of irrelevant data it has collected up to that point, to identify information that is relevant. We agree with appellants that such an expansive concept of ‘relevance’ is unprecedented and unwarranted.”

In short, the Second Circuit took no position on the constitutionality of Section 215 under the Fourth Amendment. Nor did it make a general holding about what sorts of records can be required under a Section 215 order. Instead, it held specifically that the scope of the current telephone metadata program was too broad to be authorized by the statute.

Six days later, on May 13, this year’s version of the USA FREEDOM Act passed the House of Representatives with 35 votes more than last year. This year’s legislative debate is shaped by a crucial fact—Section 215 sunsets on May 31, so orders under that law cannot be issued after that date.

In Congress, the disappearance of the legal authority is highly significant. Majority Leader Mitch McConnell (R-KY) has been supporting a “clean reauthorization” approach to extend the May 31 deadline, but most observers believe he does not have the votes to do so, especially in the face of a threatened filibuster by Sen. Ron Wyden (D-OR) and others. Some who oppose the telephone metadata program are tempted to let the program expire, even though there could be mounting pressure over time to restore the expired powers to the intelligence agencies. The broad coalition of those who favor NSA reform, however, including coalitions of privacy and advocacy groups, trade associations and Internet companies, believes the best path is to enact the USA FREEDOM Act.

The focus now turns to the Senate, which appears to have three choices: let Section 215 (and some other surveillance authorities such as the “lone wolf” provision) expire; try to pass an extension of the May 31 deadline; or consider the USA FREEDOM Act as passed by the House. If the last option happens, then we will have enactment of substantial reform to NSA practices. The bulk collection under Section 215 and other legal authorities will end, while the government will retain the power to go to the telephone companies to gain access to the call detail records for specific subscribers. The bill contains new transparency provisions about the number and type of government surveillance requests and requires the Attorney General to declassify, to the greatest extent practicable, opinions of the Foreign Intelligence Surveillance Court.

Proponents of greater NSA reform will continue to push for greater privacy protections. Others will push for retaining or even expanding surveillance authorities in order to protect national security. This week’s events, however, appear potentially important in the long term. A federal appellate court has said that the telephone metadata program lacks a statutory basis. The House of Representatives has passed bipartisan reform, and the May 31 deadline means that current bulk collection programs lose their legal authority in the coming weeks unless Congress acts. We should all stay tuned.

Image credit: Connections, Nikki Rosato, 2009

Written By

Peter Swire, CIPP/US

