The enactment of the USA FREEDOM Act was news unto itself. However, the impact that the surveillance reform legislation may have on cross-border data transfers could turn out to be newsworthy as well. In this post, we summarize some important elements of the legislation and explore the USA FREEDOM Act’s potential to influence more than government surveillance practices.
The USA FREEDOM Act reforms some practices associated with U.S. government surveillance and reinstates certain government surveillance provisions that had expired with the sunset of the USA PATRIOT Act on June 1. Notably, the law will put an end to the government’s bulk collection of telephony metadata under Section 215 of the USA PATRIOT Act. Where such records are sought in connection with an authorized investigation to protect against international terrorism, U.S. government agencies must now meet a higher standard to obtain judicial approval. Applications for the collection of such data must now show that there are reasonable grounds to believe that the records are relevant to such an investigation and establish reasonable, articulable suspicion that the specific selection terms associated with the request are connected to entities engaged in international terrorism. Intelligence agencies will no longer collect call detail records directly. Instead, the agencies will be required to request access from service providers in the private sector.
The USA FREEDOM Act also reforms Foreign Intelligence Surveillance Court (FISC) operations by requiring the court to make important decisions, orders and opinions public “to the greatest extent practicable.” The court must also appoint no fewer than five individuals to serve as amicus curiae, i.e., friends of the court, to provide the court with advice on technologies, legal arguments regarding privacy and civil liberties and other issues presented to the FISC. The USA FREEDOM Act also provides persons subject to nondisclosure requirements, aka “gag orders,” associated with surveillance requests with more opportunities to issue public reports regarding those requests.
Some privacy advocates hailed the passage of the USA FREEDOM Act as the “most significant U.S. national security reform measure in the last generation.” Others have claimed that the law did not go far enough, noting in particular that the law does not affect PRISM or other surveillance programs conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA). Regardless of one’s views on the merits of the legislation, however, enactment of the USA FREEDOM Act does appear to have the potential to benefit U.S. industry.
As the nature and scope of U.S. government surveillance practices increasingly came to light in the past few years, U.S. electronic communications service providers were sometimes—and often unfairly—criticized for their involvement with surveillance under the USA PATRIOT Act and FISA. That criticism has had a dramatic impact, especially outside the U.S. In the EU, the revelations led in part to a full-blown review and renegotiation of the EU-U.S. Safe Harbor agreement, which enables compliant data flows between the EU and certified companies in the U.S. This ongoing review and renegotiation has created substantial uncertainty for those companies that rely on Safe Harbor to facilitate the EU-U.S. data transfers essential to their day-to-day operations.
Reports of U.S. government surveillance also were used to support efforts in Latin America, Europe and Russia to establish data-localization laws. Some European stakeholders, including politicians, have positioned EU privacy rules as a competitive advantage for European service providers. Several service providers outside the U.S. now promise that data will never be sent to U.S.-based sub-processors or data centers. Some analysts even projected that the U.S. digital-services sector would lose billions of dollars as a result of overseas customers moving their data to local service providers believed to be outside the reach of the U.S. surveillance apparatus.
Electronic communications service providers faced these difficulties even though other countries, including many in the EU, engage in surveillance similar to that conducted in the U.S. under FISA and the USA PATRIOT Act and in many cases with more expansive and unchecked government power. But now that the U.S. government has shown its willingness to evaluate and reform its surveillance practices, the path to finalizing the Safe Harbor negotiations may become clearer. For example, U.S. service providers can point to the reforms in the USA FREEDOM Act when addressing concerns about government access to data. And the European Court of Justice may refer to the USA FREEDOM Act in a positive light when ruling on the validity of Safe Harbor in the Schrems v. Irish Data Protection Commissioner case.
The public attention to the USA FREEDOM Act demonstrates that government surveillance continues to be an important issue. And the frameworks for government access to data are likely to evolve in coming years as Congress looks to update the Electronic Communications Privacy Act and to provide foreign nationals with greater access to judicial redress. In light of current and forthcoming developments, now is a good time for organizations to review and assess their policies and procedures for evaluating and responding to government requests and to consider how these developments may influence the international data privacy landscape.