German DSK expert opinion on FISA 702 is wider than we think | Fox Rothschild LLP

The German Data Protection Conference (DSK) has published an expert opinion on the state of surveillance laws in the United States.

Needed: Schrems-proof mascara, the next level of waterproofness for all the “Cry and Pray” that will ensue.

Key points:
  • FISA compliance is mandatory for US providers: where the United States has issued a directive to an electronic communications service provider that is authorized by its annual certification with the FISA court under Section 702, the provider must either (1) comply with it; or (2) challenge the directive in the FISA court.
  • Failure to comply with FISA carries significant consequences for US suppliers: whether the supplier (unsuccessfully) challenges the directive or simply refuses to comply, they face the specter of contempt proceedings (designed to compel them to comply through escalating fines and other remedies) in both cases.
  • Metadata is fair game: The FISA court has authorized the collection of metadata and communications content pursuant to Section 702 in at least some circumstances. The collection of other forms of data may also be permitted, depending on the interpretation of the law.
  • FISA applies to both data in transit and at rest.
  • The definition of the term “electronic communications service provider” (and with it, the scope of FISA 702) is unclear and fraught with uncertainty.
  • Banks, airlines, hotels and shipping companies may very well meet at least some of the definitions in at least some circumstances, as providers of electronic communications services (ECS) or remote computing services (RCS).
  • Once you are there (FISA 702), there you are. Once a company meets the definition of an “electronic communications service provider”, the question is whether the communications or data sought are (1) within the scope of the authorized directive; and (2) not subject to relevant minimization requirements accompanying government certification. Therefore, even if only a small activity makes a company fall within the scope of 702, company data is fair game.
  • You do not need to provide services to the public to be within the scope of 702. US courts have previously held that a business meets the ECS definition if it provides email service to its employees. Similarly, a travel agency that provides its agents with computer terminals running an electronic reservation system has also been held to qualify as an ECS.
  • Not everyone is a remote IT service provider. The key is whether the company provides opportunities for the public to store or process data. Thus, a company that provides services to an affiliate without making those services available in the open market would not meet the public part of the definition; and a business that provides no more than a mechanism for customers to exchange messages with the business does not provide “storage or processing services.”
  • FISA 702 doesn’t cover every business, but it does cover a lot more than we might think.
  • If you are not subject to FISA 702, but use a service provider that is, the government can access your data.
Extraterritorial scope:
  • If the data is stored by US companies (including their European subsidiaries) outside of the US, it may very well fall under the auspices of Section 702. Data of non-US persons located outside the United States who use an American company as their ECS is also affected.
  • Data from a US subsidiary of an EU company may well be subject to the Section 702 regime, again because the definition in § 1881(b)(4) includes “agents” of qualifying ECS providers. To the extent the data is at rest on US servers or transits through US infrastructure, it may be subject to Section 702 collection regardless of the location of the company owning the data, servers and/or infrastructure. It is not clear whether a parent company or an affiliated entity could be targeted, because it is not an “agent”.
  • If the data is stored exclusively by non-US persons outside of the United States, it may not fall under Section 702 at all – and instead may be subject to EO 12333.
  • Invoking GDPR compliance is not a way to avoid FISA 702 compliance.
Other Laws and Remedies:
  • For statutes other than the CLOUD Act, there is generally a presumption against extraterritorial application. In general, US courts do not have the power to issue coercive measures against entities outside of their “personal” jurisdiction. Thus, U.S. subsidiaries would be subject to such relief, but parent companies without a U.S. presence arguably would not. In cases where there is no U.S. subsidiary, it is unclear how the U.S. government could obtain coercive process in U.S. courts against a company with no U.S. contact.
  • There is limited recourse for EU citizens: there are a number of control and accountability measures designed to ensure that US authorities respect the statutory and constitutional limits on these powers, and formidable remedial powers for cases where they don’t, but it is not always the case that these measures can be invoked by the data subjects themselves. Additionally, the US government generally takes the position that “non-US persons” do not all have Fourth Amendment rights, but there are numerous statutory and non-statutory remedies that are theoretically available to EU/EEA data subjects in at least some of these contexts – including allegations that the relevant US authorities exceeded their statutory authority.


James R. Rhodes