Data Privacy Framework: an open door for US intelligence services?

A backdoor as big as St. Louis’s Gateway Arch? For its detractors, that is the substance of what the Data Privacy Framework, adopted by the European Union, offers to US intelligence.

The regulation aims to protect European citizens’ personal data from the indiscretions of US-hosted internet services as well as the prying eyes of American intelligence agencies. It replaces the « Privacy Shield » and the « Safe Harbor », both respectively rejected by the Court of Justice of the European Union (CJEU) in the Schrems I and II rulings. Why? The protection of Europeans’ personal data transferred to the United States was not up to scratch.

In Schrems II, the CJEU ruled that the collection and processing of data by US intelligence agencies, permitted under Section 702 of the Foreign Intelligence Surveillance Act (FISA), was disproportionate to the need to respect privacy.

And that is precisely where the problem lies once again. While GDPR has become a model for personal data protection, the Data Privacy Framework (DPF) seems much more flexible when Europeans’ data is transferred to US companies or processed by them or US government agencies.

Is the data collection really « necessary and proportionate »?

Trust is still apparently high on the intelligence front, since the DPF has acknowledged Presidential Executive Order 14086, signed on 3 July 2023 by President Joe Biden, and believes that the issue has been settled. This order strengthens the binding guarantees on the use and collection of personal data by US intelligence authorities. They must ensure that their collection is « necessary and proportionate« . European residents now have an independent appeal mechanism against any data collection that does not respect their rights.

But who decides whether the processing of personal data is « necessary and proportionate »? The United States government. And for the CIA, the NSA or the FBI, Section 702 of FISA, which authorizes the collection of information on non-American citizens in the event of a threat to the country’s security (a vague notion if there ever was one), is entirely « proportionate« .

The appeal mechanism appears to be opaque and rigged in advance, explains None Of Your Business (NOYB), an Austrian Internet privacy association. It stresses that everything happens between national regulatory bodies and the appeal body. For the association, EO 14086 already has the answers to the various scenarios.

Threats to FISA

With the exception of a few NGOs and collectives, foremost among them NOYB, one of whose co-founders is none other than Max Schrems, the man behind the aforementioned rulings, the public is hardly interested in the issue, despite the fact that they are the ones most concerned by these potential violations of privacy or business secrecy.

This is not the case in the United States, however, where FISA might just be on its last legs. The law needs to be reapproved by Congress before the end of 2023 or it will expire. While members of Congress seem unanimously against it, the law does have its supporters. « I sincerely believe it is in our national interest to reauthorize this vital tool given the threats, » says Glenn S. Gerstell. This member of the American Bar Association (ABA), expert on law and national security and specialist on Section 702 is quoted in an ABA Journal article criticizing FISA.

Reforming the controversial article could be an attractive option both for its supporters and for defenders of civil liberties. The latter have Section 702 in their crosshairs. It allows electronic espionage to be carried out on foreign individuals living outside the United States and who are suspected of having information relating to acts of terrorism or cyberattacks.

The excesses of Section 702

Since many people around the world use American mobile telephony, email and messaging services, the United States government can compel those companies to comply. Of course, they did not take issue with the fact that the law allowed electronic surveillance on some 246,000 foreigners in 2022, but with the potential – and existing – infringements of the rights of American citizens.

The main argument for the Section’s critics is that it does not require a search warrant or a court order for each act of surveillance. Never mind the « necessary and proportionate » nature that Joe Biden had promised. The legal authority reviews the intelligence collected and the procedures used once a year to ensure they comply with United States law, especially the Constitution’s 4th Amendment, which protects against unreasonable searches.

This concern does not apply to foreign citizens, but United States citizens who may have communicated with the targets of wiretaps made under Section 702. « They certified to the FISA court that they didn’t need to get a warrant because they were only targeting foreigners, but as soon as they got the information, they searched it for Americans’ communications, » explains Elizabeth Goitein, senior director of the Brennan Center for Justice Liberty and National Security. Simply put, Section 702 can be used by the three-letter agencies (CIA, NSA, FBI) to circumvent the 4th Amendment.

DPF: soon to be a Schrems III ruling?

On July 21, 2023, the Associated Press reported on a legal notice according to which the FBI is said to have illegally obtained information on two senators under Section 702. Now we can see why Democrats and Republicans want to change the law. The most obvious option would be to submit each request for surveillance to a judge for approval.

Section 702’s supporters argue that this would hamper and slow down intelligence operations and call for stricter procedures within the FBI and other agencies for implementing the measure and exploiting the data collected.

Other options for reform are being considered to provide better guarantees to protect the rights of American citizens. There is little doubt that given the stakes for the US intelligence community, a compromise will be found to save the crux of Section 702.

In the light of these debates, the European Commission seems to have been rather light on the guarantees offered to the citizens of EU Member States. Could it not have demanded the same guarantees for its citizens as the United States does for its own? Since it has failed – once again – to do so, it could very well result in a Schrems III ruling.