In Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), the Supreme Court recently held that individuals claiming injury from the federal government’s right to conduct electronic surveillance under the Foreign Intelligence Surveillance Act (FISA), 50 U.S.C. § 1881a, lacked standing to pursue their claims. In reaching its holding, the Court made statements that should prove useful for data breach defendants trying to defeat claims based on a plaintiff’s lack of standing.

nell have both committed to negotiating a long-term bipartisan compromise can be passed early next year. It’s unclear whether NDAA will have enough votes to pass if a FISA 702 extension is included.The government seems to be sensitive to the impact of removing or limiting liability protection provisions has on carriers and we expect the Executive branch will seek to keep liability protection and immunity provisions intact as much as possible. But the concern about the legislation expiring continues. DOJ says expiration would result in “a self-inflicted national security calamity.”For now, current 702 Directives issued before the end of the year would remain in effect, but Directives could not be renewed from January 2024 onwards unless or until Section 702 is reauthorized. It remains to be seen whether Congress and the Executive branch can find an appropriate compromise and ensure that our country is protected from the foreign threats FISA Section 702 was intended to help prevent. See 50 U.S.C. §1881a(i)(1)(A) defining an ECSP as: (A) a telecommunications carrier, as that term is defined in section 153 of title 47; (B) a provider of electronic communication service, as that term is defined in section 2510 of title 18; (C) a provider of a remote computing service, as that term is defined in section 2711 of title 18; (D) any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored; or (E) an officer, employee, or agent of an entity described in subparagraph (A), (B), (C), (D). FBI, “FBI Releases Results of OIA FISA Query Audit,” (May 11, 2023), https://www.fbi.gov/news/press-releases/fbi-releases-results-of-oia-fisa-query-audit.E.g., Brennan Center for Justice, “FISA Section 702 Backdoor Searches: Myths and Facts,” (Nov. 28, 2023) https://www.brennancenter.org/our-work/research-reports/fisa-section-702-backdoor-searches-myths-and-facts. DOJ, “Assistant Attorney General Matthew G.

The DPA further concluded that Standard Contract Clauses offered an insufficient level of protection here because the data stored by Google was subject to surveillance by U.S. intelligence agencies. The DPA found that encryption technologies controlled by Google are insufficient because Google “is subject to 50 U.S.C. § 1881a (“FISA 702) [and] has a direct obligation with regard to the imported data that is in [its] possession, custody or control to grant access to or release them. This obligation can expressly also apply to the cryptographic key without which the data cannot be read.

Although Google Analytics has a functionality that anonymizes IP Addresses of website users, the website operator here failed to activate that feature. Furthermore, the Austrian DPA also found that the Standard Contractual Clauses (“SCCs”) between Google and the website operator failed to provide an adequate level of protection under the GDPR because: (1) Google is qualified as a provider of electronic communications services within the meaning of 50 US Code § 1881 (b) (4) and is therefore subject to surveillance by US intelligence services in accordance with 50 US Code § 1881a (“FISA 702”); and (2) Google’s additional technical safeguards were insufficient as they did not eliminate the possibility of surveillance of, and access to, European personal data by U.S. intelligence agencies. Notably, the Austrian DPA found that the violation was attributable to the website operator rather than Google, as Chapter V of the GDPR applies to the data exporter rather than the data importer – though the Austrian DPA did state that it will issue a separate decision on whether Google LLC violated Articles 5 et seqq.

Previously certified under the late EU-U.S. Privacy Shield framework, Mailchimp had to pivot to offer its European customers an alternative transfer mechanism, i.e. the SCCs. While their general validity was left untouched by the Schrems II decision, the CJEU argued that it may be required for companies relying on the SCCs to assess whether additional safeguards should be implemented on top of the SCCs in order to effectively protect personal data.As expressly mentioned in the Schrems II decision, transfers to cloud service providers in the United States would require such additional safeguards, due to the broad investigative powers of U.S. authorities, e.g., under Section 702 (50 U.S.C. § 1881a) of the Foreign Intelligence Surveillance Act (Cloud Services Act).Until now, it had seemed that the EU supervisory authorities had granted companies an unofficial grace period to adjust to the amended legal situation, especially as new templates for SCCs taking into consideration the Schrems II decision are expected to be finalized in the coming weeks.The action of the Bavarian Data Protection Authority shows that this restraint might have come to an end. In a recent press release concerning this investigation, the authority commented that the case was exemplary for their enforcement of the requirements of the Schrems II decision, which had already been taken up with a high degree of intensity even without publicly perceived investigations or sanctions.

While the six-stage process is straightforward, the EDPB emphasized that transfers should be individually assessed, and the analysis needs to be documented in line with the accountability principle under the GDPR. Also, data exporters may be asked to produce their documented analyses to supervisory authorities – and possibly commercial partners – to address potential questions.The UglyThe EDPB notes that, as a general rule, transfers to U.S. entities subject to section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a) and Executive Order 12.333 can only be made in a manner compatible with the GDPR if technical measures are in place to preclude the disclosure of personal data to U.S. security authorities (page 14). According to the EDPB, this essentially requires that any data transferred to U.S. entities subject to these laws is unreadable by those entities in the absence of encryption keys or additional data to which such recipients must be denied access.The use cases set out by the EDPB are of concern, as these flag two very common sets of data transfers as examples of scenarios where the EDPB is unable to identify suitable technical measures to prevent access by foreign intelligence services, namely:Data processing in the clear by cloud service providers (i.e., unencrypted processing) (i.e., the business offering of most SaaS providers)Remote access and use of data in the clear from a third country for business purposes, such as processing through human resource tools implemented at a group lev

Mr. Muhtorov moved to suppress that FISA-acquired evidence earlier in these proceedings, which motion I denied based on a determination, after an extensive in camera review of the classified materials submitted to the FISA Court, that there was probable cause to believe the target was an agent as described and therefore lawfully subject to those searches.The matter is before me on a renewed Motion to Suppress, precipitated by the government’s supplemental disclosure, nearly two years after Mr. Muhtorov’s arrest, that some of the FISA-acquired evidence it intends to use against him in this case was derived from surveillance conducted under § 702 of the FISA Amendments Act of 2008 (“FAA”). Section 702, codified at 50 U.S.C. § 1881a, establishes procedures for the warrantless surveillance of targeted persons overseas “to acquire foreign intelligence information.” Because communications to and from a target under § 702 are swept up without reference to who is sending them and without any determination of probable cause, the FAA results in the “incidental” interception, collection, and retention of communications from unconsenting U.S. persons including, in this case, Mr. Muhtorov.

Targeting and minimization procedures govern, respectively, who may be targeted for surveillance and how intercepted communications are to be retained and disseminated.In brief, targeting procedures must be “reasonably designed” to “ensure that any acquisition authorized under [the certification] is limited to targeting persons reasonably believed to be located outside the United States” and to “prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.” 50 U.S.C. § 1881a(d)(1). Among other requirements, minimization procedures must be “reasonably designed” “to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.”

A government directive then compels the communications service provider to give it communications sent to or from that selector (i.e., the government “tasks” the selector).11 Id. at 33; 50 U.S.C. § 1881a(h). This type of surveillance, which intercepts “to/from” communications, can result in the interception of communications with U.S. persons if the target happens to communicate with such a person.

In 2013, the United States Supreme Court attempted to provide guidance on standing questions in the digital age in the case of Clapper v. Amnesty International. In Clapper, the plaintiffs challenged the constitutionality of section 702 of 50 U.S.C. § 1881a, the Foreign Intelligence Surveillance Act (“FISA”). Section 702 was added by the FISA Amendments of 2008 and permits the Attorney General and the Director of National Intelligence to conduct warrantless wiretapping of telephone and email communications of certain persons located outside the United States.