The German Data Protection Conference (DSK) has issued an expert opinion on the state of surveillance laws in the United States.
Needed: Schrems-proof mascara, the next level waterproof for all the “Cry and Pray” that will ensue.
- Compliance with FISA is mandatory for US providers: When the United States has issued a directive to an electronic communication service provider that is authorized by its annual certification to the FISA Court under section 702, the provider must either (1) comply; or (2) challenge the directive in the FISA Court.
- Not complying with FISA carries significant consequences for US providers: Whether the provider (unsuccessfully) challenges the directive or simply refuses to comply, it faces the specter of contempt proceedings (designed to compel its compliance through escalating fines and other remedies) either way.
- Metadata is fair game: The FISA Court has authorized the collection of both metadata and content of communications pursuant to section 702 under at least some circumstances. Collection of other forms of data may be permissible also, depending on how the law is interpreted.
- FISA applies to both data in transit and at rest.
- The definition of the term “electronic communications service provider” (and with it, the scope of FISA 702 applicability) is unclear and full of uncertainties.
- Banks, airlines, hotels and shipping companies may well meet at least some of the definitions in at least some circumstances, as providers of electronic communications services (ECS) or remote computing services (RCS).
- Once you’re in (FISA 702) you’re in. Once a business meets the definition of an “electronic communications service provider,” the question is whether the communications or data being sought are (1) within the scope of the authorized directive; and (2) not subject to the relevant minimization requirements accompanying the government’s certification. Therefore, even if only a small activity causes a business to be in scope for 702, the business’ data is fair game.
- You do not need to provide services to the public to be in scope for 702. US courts have already held that a company meets the ECS definition if it provides e-mail service to its employees. Likewise, a travel agency that provides its agents with computer terminals running an electronic reservation system was also held to be an ECS.
- Not everyone is a remote computing services provider. The key is whether the company is providing to the public opportunities to store or process data. Thus, a company that provides services to an affiliated company without making those services available on the open market would not meet the public part of the definition; and a company providing nothing more than a mechanism for customers to exchange messages with the company is not providing “storage or processing services.”
- FISA 702 doesn’t cover all companies, but it covers many more than we might think.
- If you are not subject to FISA 702, but use a service provider who is, the government can get at your data.
- If the data is stored by U.S. companies (including their EU subsidiaries) outside the United States, it may well fall within the scope of section 702. Data of a non-US person located outside the US who uses a US company as their ECS is also in scope.
- Data of a U.S. subsidiary of an EU company could well be subject to the section 702 regime, again because the definition in § 1881(b)(4) includes “agents” of qualifying ECS providers. Insofar as the data is at rest on U.S. servers or transiting through U.S. infrastructure, it can be subject to collection under section 702, regardless of where the company is that owns the servers and/or the infrastructure. It is not clear whether a parent or affiliated entity would be in scope because it is not an “agent”.
- If the data is stored exclusively by non-U.S. persons outside the United States, it may not fall under section 702 at all — and may instead be subject to EO 12,333.
- Invoking GDPR compliance is not a way to avoid compliance with FISA 702.
Other Laws and Redress:
- For laws other than the CLOUD Act, there is generally a presumption against extraterritorial application. In general, U.S. courts do not have the power to issue coercive relief against entities outside of their “personal” jurisdiction. So U.S. subsidiaries would be subject to such relief, but parent companies with no presence in the United States would arguably not be. In cases in which there is no U.S. subsidiary, it’s not clear how the U.S. government could obtain any coercive process in U.S. courts against a company with no contacts with the United States.
- There is limited redress to EU individuals: There are a number of oversight and accountability measures designed to ensure that U.S. authorities comply with the statutory and constitutional limits on these powers, and formidable corrective powers for cases in which they do not, but it is not always the case that those measures can be invoked by the data subjects themselves. Also, the U.S. government usually takes the position that all “non-U.S. persons” lack Fourth Amendment rights, but there are numerous statutory and non-statutory remedies that are theoretically available to EU/EEA data subjects in at least some of these contexts — including claims that the relevant U.S. authorities have exceeded their statutory authority.