This memorandum describes a series of administrative and legislative reforms to U.S. surveillance law and practice that will advance the rights of non-U.S. persons and of the U.S. persons who communicate with them. It is prepared by the Center for Democracy & Technology (CDT), a 25-year-old 501(c)(3) nonprofit organization working to promote fundamental rights and democratic values by shaping technology policy and architecture. CDT has offices in Washington, D.C. and in Brussels. We consulted with former officials of the U.S. intelligence community, academics, companies, and other civil society organizations to prepare this document. We do not purport to have all the answers: our intelligence surveillance reform agenda is a work in progress, and will be influenced by the reaction we receive to these proposals and by the ideas others share.
In short, the reforms we recommend will:
- Increase transparency about surveillance actually conducted;
- Limit the purposes for which surveillance can be conducted;
- Focus surveillance on legitimate targets;
- Require more timely deletion of information collected unnecessarily; and
- Establish a route to court-ordered redress for unlawful surveillance.
The Court of Justice of the European Union (CJEU) issued a decision in July 2020, known colloquially as the “Schrems II” decision, that struck down the Privacy Shield agreement between the European Union and the United States. Approximately 5,300 U.S. companies relied on the EU-U.S. Privacy Shield as the basis for their compliance with EU law, particularly the GDPR, when transferring personal data from the EU to the United States.
The CJEU found that Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) and U.S. Executive Order (EO) 12333 failed to incorporate suitable limitations and safeguards on surveillance and that, even with the Privacy Shield agreement, they provided inadequate protection to that data. The CJEU ruled that for transfers to continue, U.S. surveillance laws would need to provide protections essentially equivalent to those afforded under the GDPR (Article 45) read in light of the fundamental rights guaranteed in Articles 7, 8 and 47 of the EU Charter of Fundamental Rights.
As a result of this decision and subsequent guidance, the lawfulness of transferring personal information from the EU to the United States is in question even while such dataflows are essential to the operations of many U.S. companies. To promote the rights of Europeans and other non-U.S. persons, and ensure the continued flow of data between the U.S. and Europe, the U.S. should adopt a series of administrative and legislative reforms that address the concerns the CJEU expressed about proportionality of U.S. surveillance, and the right of redress for unlawful surveillance.