In “Schrems II” (Case C-311/18), the CJEU invalidated Privacy Shield based on the potential interference with data subject rights caused by US government surveillance carried out under Section 702 of FISA and EO 12333. The Court also referred to PRISM and UPSTREAM, two surveillance programs revealed by the Snowden leaks. This article provides a brief overview of these surveillance regimes, as well as links to some useful resources and government and private sector transparency reports.
s702 of FISA
- The Foreign Intelligence Surveillance Act (FISA) was enacted in 1978 to regulate US governmental electronic and physical surveillance of communications for foreign intelligence purposes. It has been amended, strengthened and reformed a number of times, including by the USA Patriot Act of 2001, the FISA Amendments Act of 2008 and the USA FREEDOM Act of 2015.
- FISA authorizes government surveillance through various means: electronic surveillance (50 USC §§ 1801-1813), physical searches (50 USC §§ 1821-1829), pen register and trap and trace surveillance (50 USC §§ 1841-1846), and business record searches (50 USC §§ 1861-1864). All FISA activities are overseen by the Foreign Intelligence Surveillance Court (FISC), which sits in a secure courtroom in Washington D.C. Decisions by the FISC may be appealed to the Foreign Intelligence Surveillance Court of Review (FISC-R).
- FISA was originally intended to govern surveillance activities targeting individuals inside the US. In 2008, however, s702 (50 USC §§ 1881a et seq) was enacted to authorize the acquisition of foreign intelligence information about non-US persons located outside the US. A non-US person is anyone who is not a US citizen or permanent US resident.
- s702 reportedly provides the basis for more than a quarter of US international terrorism intelligence. Although targeted at non-US persons, it is also believed to result in the “incidental” collection of millions of Americans’ communications.
- s702 also operates differently to the “traditional” FISA provisions, which require the government to obtain orders on an individualized basis and demonstrate probable cause. Under s702, the Attorney General (AG) and Director of National Intelligence (DNI) submit written certifications to the FISC that jointly authorize surveillance activities for up to one year. The government does not have to specify which non-US persons will be targeted or demonstrate probable cause. It merely needs to attest that a significant purpose of the activities is to obtain foreign intelligence information and certify that appropriate targeting and minimization procedures will be implemented.
- Once the FISC has approved a certification, the government issues directives to US electronic communications service providers that compel the providers to “immediately provide the government with all information, facilities, or assistance necessary to accomplish the acquisition” of communications. In practice, the government sends the providers “selectors” (such as telephone numbers or email addresses) that are associated with specific “targets” (such as a non-US person, persons, or legal entity). Service providers must comply with these directives in secret and are not allowed to notify their users.
- The term “electronic communications service provider” is defined broadly to include telecommunications carriers (e.g., AT&T, T-Mobile, Verizon), providers of electronic communications services and remote computing services (e.g., Facebook and Google), as well as any other communications service providers that have access to wire or electronic communications (either in transit or in storage). According to expert testimony submitted in Schrems II, which cited guidance issued by the Department of Justice, the definition is so broad that it could capture any company that provides its employees with corporate email or a similar ability to send and receive electronic communications.
EO 12333
- While FISA generally covers surveillance activities inside the US, the government may also conduct surveillance outside the US under the authority of Executive Order 12333 (EO 12333). In broad terms, EO 12333 provides the foundational authority by which US intelligence agencies collect foreign “signals intelligence”, that is, information collected from communications and other data passed by, or accessible through, radio, wire and other electromagnetic means.
- Unlike FISA, surveillance under EO 12333 does not rely on the compelled assistance of electronic communications service providers. Little is known about how information is actually collected, but the NSA has confirmed it involves exploiting vulnerabilities in telecommunications infrastructure.
- In 2014, President Obama issued Presidential Policy Directive 28 (PPD-28) directing US intelligence agencies to review their policies regarding the treatment of non-US persons in connection with signals intelligence programs. Effectively, PPD-28 imposes restrictions on signals intelligence activities, including those conducted under s702 FISA and EO 12333, regardless of the target’s nationality or location. In Schrems II, the CJEU found that the protections afforded by PPD-28 are not sufficient to ensure an adequate level of protection for personal data under EU law.
PRISM and UPSTREAM
- In 2013, Snowden leaked a number of NSA slides revealing the existence of two secret government surveillance programs: PRISM and UPSTREAM. Both are conducted under s702 of FISA but operate in different ways.
- PRISM involves the direct ‘downstream’ collection of communications by the NSA through the compelled assistance of electronic communications service providers. Effectively, the government sends a selector, such as an email address, to a US-based provider, and the provider is required to provide the government with all communications sent to or from that selector.
- As its name suggests, UPSTREAM involves the indirect ‘upstream’ collection of communications through the compelled assistance of telecommunications providers that provide the backbone of the internet (e.g., AT&T and Verizon). Essentially, the NSA copies and filters the vast quantity of data flowing through the network of cables, switches and routers that make up the internet. Because the data is obtained without the knowledge or assistance of downstream providers, UPSTREAM has been described as ‘backdoor’ surveillance.
- Again, relatively little is known about how PRISM and UPSTREAM operate. The best source of information is a 2014 report by the Privacy and Civil Liberties Oversight Board (PCLOB). This report played a crucial role in Schrems II: the CJEU’s conclusions regarding US surveillance activities were based largely on the findings of the Irish High Court which, in turn, drew heavily from the PCLOB report. It has also been cited in numerous US cases regarding s702 (see below). Interestingly, the DNI has published a redacted 2016 transcript that provides a rare inside view of surveillance carried out under s702.
Legal challenges to s702
- There have been a number of lawsuits challenging the legality of…