EU Closely Watching Foreign Surveillance Renewal Debates

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

The surveillance bill passed by the House Jan.11 maintains basic privacy rights that make it acceptable to those in the European Union concerned about the protection of data transferred to the U.S., a European Commission spokesman told Bloomberg Law.

The bill, which passed on a 256-164 vote, would extend for six years, until 2023, Section 702 of the Foreign Intelligence Surveillance Act. FISA allows the National Security Agency to conduct surveillance on foreigners abroad suspected of being national security threats. The collected data is often used by U.S. law enforcement agencies, such as the FBI, and is sometimes shared with international intelligence partners. The law is set to expire Jan. 19 unless Congress reauthorizes it.

The FISA reauthorization process has the attention of EU officials that oversee the EU-U.S. Privacy Shield data transfer program. The Privacy Shield is relied on by 2,616 U.S. companies, including CA Technologies, Tesla Inc., and Ralph Lauren Corp., to legally transfer EU citizens data from the EU to the U.S. Tens of thousands of EU companies also rely on the program to send data to U.S. companies that have self-certified to the U.S. Commerce Department their compliance with EU-approved privacy principles.

The commission, the EU’s executive arm, wants to ensure that “that there is no lowering of any personal data protection standards in the FISA re-authorisation,” commission spokesman Christian Wigand told Bloomberg Law.

The House bill, the FISA Amendments Reauthorization Act, doesn’t strip away privacy and civil liberties oversight protections, former U.S. officials said. It maintains the status quo and, if approved by the Senate, is unlikely to upend the Privacy Shield program, they said.

But gaining Senate approval may not come easily. Sens. Rand Paul (R-Ky.), Ron Wyden (D-Ore.), John Tester (D-Mont.), and Steve Daines (R-Mont.) said Jan. 10 that the House bill doesn’t do enough to protect the privacy of U.S. citizens.

Paul issued a statement Jan. 11 reiterating he will do all he can to try to add more privacy protections, including filibustering. A successful filibuster could force the bill to be withdrawn from consideration in the Senate. It takes 60 votes to break a filibuster and allow an obstructed bill to move forward to a vote.

The House failed to pass an amendment that would have quelled some of the concerns raised by the senators. The amendment, offered by Rep. Justin Amash (R-Mich.), would, among other things, have required a warrant for intelligence and law enforcement agency searches that include U.S. citizens.

Status Quo

The House bill keeps the FISA status quo because it “reauthorizes what was in effect when the commission approved the Privacy Shield,” Cameron Kerry, data privacy partner at Sidley Austin LLP in Boston and former general counsel and acting secretary at Commerce, told Bloomberg Law Jan. 11.

The commission would have liked further privacy changes to FISA, such as enshrining within the legislation former President Barack Obama’s presidential policy directive PPD-28 that recognizes the privacy interests of people outside the U.S. and limits bulk collection of data, Kerry said. The directive remains in place under the Trump administration.

But other privacy oversight concerns are more likely to impact the Privacy Shield during its next annual review in the fall.

That review will likely focus on a fully functioning Privacy and Civil Liberties Oversight Board (PCLOB), which now has only one member, and on ensuring that President Donald Trump appoints, and the Senate confirms, a privacy ombudsman as required by the Privacy Shield agreement, Kerry said.

The U.S. could push back if the EU threatened the continuing operation of the Privacy Shield.

From a practical standpoint, the U.S. government should consider the EU’s concerns, Matthew Heiman, fellow at the National Security Institute at George Mason University and former attorney adviser in the Department of Justice’s National Security Division, told Bloomberg Law.

But, the U.S. should make clear the benefits of intelligence collection and how it leads to actionable information to limit national security threats for EU countries, Heiman said. The White House should make it clear that they “could hold back the intelligence gathered” if the EU threatens the Privacy Shield, he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security