Government Surveillance, Privacy & Data
FISA 702 Expansion: Impact on the EU-U.S. Data Privacy Framework
CDT has submitted comments to the EU Commission to inform its first annual review of the EU-U.S. Data Privacy Framework (DPF). The DPF enables the transfer of personal data between the EU and the U.S. while ensuring adequate data protection standards. Our submission explains key changes in U.S. laws, regulations and practices and focuses on the April 2024 reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). The reauthorization expanded the scope of FISA 702 so that — with limited exceptions — any company under U.S. jurisdiction that offers a service of any kind and has access to equipment on which communications are stored or transit can be compelled to comply with FISA 702 directives. These changes have introduced a high level of uncertainty about the scope of FISA 702 surveillance, and magnify concerns about the lack of safeguards in FISA 702. This, in turn, raises questions as to whether U.S. surveillance laws provide a level of privacy and data protection essentially equivalent to the protection afforded by EU laws, particularly considering that the lack of guardrails for FISA 702 surveillance was a basis for the CJEU decisions that struck down the adequacy determinations related to the EU-U.S. Privacy Shield and the Safe Harbor agreements.
Background
The EU-U.S. Data Privacy Framework (DPF), adopted by the EU Commission on July 10, 2023, replaces the previous “Privacy Shield” agreement, which was invalidated by the Court of Justice of the European Union (CJEU) in 2020. The invalidation was due to concerns about the incompatibility of U.S. surveillance practices with EU privacy and data protection standards, as well as the lack of effective legal remedies for EU citizens. The new EU-U.S. DPF follows the signing of Executive Order 14086 by President Joe Biden on October 7, 2022, which aims to address the requirements set forth by the CJEU in its Schrems I and Schrems II case law. CDT has expressed concerns that the new framework introduced by the Executive Order may not sufficiently meet EU standards, raising doubts about its potential to withstand a challenge before the CJEU.