Schrems II series of posts: FISA section 702 - a closer look.
The CJEU reminded us in Case C-311/18, also known as 'the Schrems II case' [1.], that if SCCs are used as a transfer mechanism for cross border data transfers to the US, Clause 4 of the SCCs (the version valid at the time of the judgment of the Court) states the obligations of the data exporter:
‘The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;' ([1.], paragraph 34)
More specifically ([1.], paragraph 134):
'the contractual mechanism provided for in Article 46(2)(c) of the GDPR {MD: the SCCs} is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses.'
This is in fact the case-by-case verification referred to as 'Step 3' in the EDPB infographic [2.].
The CJEU identifies FISA Section 702 (and Executive Order 12333) as problematic with regards to the required 'adequate level of protection for personal data essentially equivalent to that guaranteed in the European Union by the GDPR':
'on the ground that the interference arising from the surveillance programmes based on Section 702 of the FISA and on E.O. 12333 are not covered by requirements ensuring, subject to the principle of proportionality, a level of protection essentially equivalent to that guaranteed by the second sentence of Article 52(1) of the Charter. It is therefore necessary to examine whether the implementation of those surveillance programmes is subject to such requirements, and it is not necessary to ascertain beforehand whether that third country has complied with conditions essentially equivalent to those laid down in the first sentence of Article 52(1) of the Charter.' ([1.], paragraph 178)
So 'Step 3' is, in essence, a risk based assessment of the reasonably expected impact of FISA Section 702 on the specific cross border data transfer, in this case to the US. The EDPB further specifies in its recent Recommendations [3.]:
'The assessment required must be based first and foremost on legislation publicly available.' ([3.], paragraph 30)
Much information about FISA and Section 702 is publicly available [4.] [5.] [6.]. Section 702 permits the US government to conduct targeted surveillance of non-US persons reasonably believed to be located outside the United States, with the compelled assistance of electronic communication service providers, in order to acquire foreign intelligence information.
FISA has, in the context of 'Schrems II', some relevant limitations ([4.], 122 STAT. 2438):
In other words, FISA has checks and balances in place for targeted surveillance of non-US persons. Under Section 702(b), a US person, or any person known to be located in the United States, may not be intentionally targeted (including indirectly, by 'reverse targeting' a foreign person in order to reach a known person in the US), and a communication of which the sender and all intended recipients are known to be in the US may not be intentionally acquired. Note that this does not exclude the incidental acquisition of a US person's communication with a legitimately targeted non-US person.
Furthermore, the FISA 2020 Report to Congress states ([6.], pages 2 and 3); note that these figures concern individual FISC applications and orders, whereas Section 702 acquisitions are authorised under annual certifications and are reported separately:
'During calendar year 2020, the total number of persons targeted for orders for electronic surveillance was between zero and 499. (...) The FISC received 28 proposed applications for foreign intelligence purposes, of which 16 were granted, 10 were modified, and 2 denied in part. (...) All filed applications identified a "specific selection term". (...) Thirteen final applications did not specifically identify an individual, account, or personal device as the specific selection term.'
This is in line with the key points listed in the 2020 white paper of the US government ([7.], page 1):
"Most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies, and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the ECJ in Schrems II."
and (ibidem):
"The U.S. government frequently shares intelligence information with EU Member States, including data disclosed by companies in response to FISA 702 orders, to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity. Sharing of FISA 702 information undoubtedly serves important EU public interests by protecting the governments and people of the Member States."
In the case-by-case assessment of cross border data transfers to the US, and of the validity of SCCs as a transfer mechanism for those processings (including the transfer itself), FISA Section 702 therefore does not seem to pose the high risk it is often alleged to pose.
The point here is that, based on such a risk based assessment of the law of the third country of destination (in this case FISA), an organisation could conclude that FISA, as national legislation, does not interfere with the data importer's (processor's) obligations under the SCCs. The SCCs then ensure adequate protection, under EU law, of the personal data transferred pursuant to them, without gaps in data protection that would require supplementary measures.
The outcome of a risk based, case-by-case assessment of FISA can thus be a motivated decision that the SCCs are indeed a valid transfer mechanism for the assessed cross border data transfer, without supplementary measures.
This logic will be demonstrated in the deliverables of the SURF Taskforce Beyond Privacy Shield (see also my previous post on the purpose of this Taskforce).
More to follow soon!
Notes
[1.] Judgment of the Court (Grand Chamber) of 16 July 2020, Case C-311/18, ECLI:EU:C:2020:559.
[2.] European Data Protection Board (EDPB), Roadmap: Applying the principle of accountability to data transfers in practice. Ensuring compliance with the level of protection required under EU law of personal data transferred to third countries. Infographic.
[3.] European Data Protection Board (EDPB), Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Version 2.0 Adopted on 18 June 2021.
[4.] Foreign Intelligence Surveillance Act (FISA).
[5.] FISA Section 702 Overview. Infographic.
[7.] Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II. White Paper. September 2020.
#Schrems2 #FISA #GDPR