Section 702, the Supreme Court, the European Parliament, and Congress
Privacy Plus+
Privacy, Technology and Perspective
“One ‘Dog that Didn’t Bark,’ Another Dog that Did, and Another that may Never Stop Barking:” Section 702, the Supreme Court, the European Parliament, and Congress. This week, let’s consider something that didn’t happen, which might have had a real impact on the continuing problem with cross-border data transfers:
Remember when Sherlock Holmes solved the case by noticing something that didn’t happen (“the dog that didn’t bark”)? Something that didn’t happen this week might have had a real impact on the continuing problem with cross-border data transfers: the Supreme Court didn’t agree to hear Wikipedia’s challenge to Section 702 of the National Security Act. At almost the same time, a EU parliamentary committee did reject the latest EU-US diplomatic try at balancing their views. And the stage is set for congressional argument later this year.
Context: Balancing privacy and security. By 1947, Europe’s bloody history finally led it to declare personal privacy an individual “fundamental right,” elevating personal rights as against governmental ones. But the U.S. has never viewed privacy as a “fundamental right” (except in a few states), and its famous constitutional protections from government overreach don’t apply to citizens of other countries.
U.S. surveillance of non-U.S. citizens has led to increasing, intense anger in Europe, especially after Edward Snowden’s 2013 revelations about just how much U.S. and certain allies’ intelligence agencies have been doing (especially after 9/11). The 2018 General Data Protection Regulation (GDPR) now prohibits the transfer of Europeans’ personal data to any country which lacks what European authorities view as an “adequate level of protection” for personal privacy, at least without complex safeguards or sharply limited exceptions.
U.S. surveillance is mostly authorized by Section 702 of the National Security Act, which allows U.S. intelligence agencies to conduct warrantless surveillance of foreign citizens and governments. You can read the National Security Agency’s interpretation of the Act here:
…and the ACLU’s interpretation of it here:
Court Challenges to Section 702: On Tuesday of this week, the U.S. Supreme Court “didn’t bark.” It refused to hear Wikimedia’s appeal of its case challenging the NSA’s broad claims of “state secrets” immunity from review. Our view: To us, this seems unfortunate. A Court decision might have set guideposts for further discussions here and abroad. As American lawyers see it, the Court has merely left intact the Fourth Circuit’s divided opinion without substantive comment.
Diplomatic Challenges to the Cross-Border Transfer Problem: There have been at least three diplomatic efforts to resolve the tension. The first, the “Safe Harbor” principles of 1998-2000, was invalidated by the European Court of Justice in 2015 in Schrems I. The second, the “Privacy Shield” mechanism of 2016, was invalidated by the same body in 2020, in Schrems II. The third proposed agreement -- establishing a “EU-US Data Privacy Framework” (EU-US DPF), which was signed by the President in October 2022 -- is pending.
The EU-US PDF would further limit U.S. use of bulk surveillance on non-U.S. citizens and create a redress method for Europeans. You can read about it here:
Things were looking up from the diplomatic side, as the European Commission gave its preliminary approval in December 2022. But then – while the U.S. Supreme Court was behaving as the “dog that wouldn’t bark” – a parliamentary committee of the EU “did bark loudly,” rejecting the proposal as not sufficiently complying with the requirements of the GDPR. You can read the committee’s report here:
https://www.europarl.europa.eu/doceo/document/LIBE-RD-740749_EN.pdf
We are hopeful that this is merely a snag on the way to EU approval and an inevitable court challenge in Schrems III.
The Congressional Challenge of Section 702: Section 702 is due to be renewed by the end of this year.
Unsurprisingly, the NSA strongly favors its renewal, as you can read here:
Our views: Correct legal interpretation aside, we wonder if:
· European authorities may read more into the Court’s silence than the Court may have intended; and/or
· They may stand up to privacy absolutists, and nevertheless interpret the GDPR in a way that allows for diplomatic resolution of security needs; and/or
· The U.S. Congress – which would seem to find agreement difficult on the color of an orange – may let Section 702 expire.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.