Section 702 of the Foreign Intelligence Surveillance Act permits the US government to obtain the contents of data, communications, and associated non-content metadata—usually in real time—from electronic communications service providers.
Section 702 will expire on Dec. 31, 2023 unless Congress quickly acts to renew it. The provision raises compliance considerations for companies, and extends a broader reach than some realize in terms of the type of data that may be implicated.
Targeted individuals must be non-US citizens who are reasonably believed to be located outside the US. US citizens are not directly subject to Section 702, as a warrant would be required to obtain their data under Fourth Amendment protections.
However, US data is unintentionally and indirectly swept in, especially if you ask a Section 702 critic. Section 702’s authority is limited to national security, specifically to protect against international terrorism or clandestine intelligence activities.
Many companies do not believe they hold relevant national security data or that they are subject to Section 702. However, the definition of an electronic communications service provider is broad. Even US businesses that provide email systems for their personnel fall into this category. Any companies that host user data, content, or communications would certainly be covered by Section 702.
While Section 702 has been disparaged over the years, it came under more intense fire with the Schrems II decision that invalidated the Privacy Shield, in large part due to Section 702’s breadth as a US surveillance law.
The decision rationalized that EU data that transfers to the US is not adequately protected, given the US government’s ease of obtaining access to such data. Section 702 critics also allege the FBI overreaches and exceeds even state privacy expectations affecting US citizens.
The Privacy and Civil Liberties Oversight Board, an independent agency in the executive branch, has held hearings on Section 702 renewal. At a public forum in January, proponents, including National Security Agency director Paul Nakasone, argued that Section 702 provides “exquisite foreign intelligence” and “specific invaluable insights that protect our nation,” allowing the government to obtain intelligence information that cannot be procured in alternative ways.
Opponents, such as the Electronic Frontier Foundation, condemn the PCLOB’s selective review approach as well as the alleged backdoor loophole of Section 702 that indirectly affects US citizens. Such a loophole occurs when the FBI obtains foreign intelligence communications that also involved a US citizen and searches the communication for data on domestic crimes.
It is unclear how many such US communications are swept in incidentally, and the Director of National Intelligence’s office has stated they will not be providing this information publicly. The Office of the Director of National Security indicates that with only 0.001% of the world’s population targeted in 2016 under Section 702, it is “unlikely that the average U.S. person would be in contact with a foreigner” who is targeted under Section 702.
How likely is a US citizen to communicate with such a target? Even so, the Center for Democracy and Technology urges Congress to review Section 702 with a critical eye to “strengthen civil rights and liberties” that may lead to additional Section 702 limitations.
The debate in Congress reveals perhaps more scrutiny from some Republicans, in part given that data obtained via FISA implicated the Trump campaign in 2016. With a Republican-led House, it is uncertain if the administration will garner enough votes for the renewal.
Opening up and declassifying information about the successes of Section 702 in terms of counterterrorism as well as other areas, such as weapons proliferation, cybersecurity, and protection of US troops abroad, would lead to more bipartisan support.
Despite opponents’ position that there is not enough oversight, however, companies that receive Section 702 data requests can challenge Section 702 orders if they don’t meet the requirements of Section 702 or are otherwise unlawful.
Once the government has obtained data through Section 702 surveillance, the data can only be further queried if it is reasonably likely to return foreign intelligence information or if there is evidence of a crime in the case of the FBI, with Attorney General approval. There are rules to limit access, sharing, and deletion of data, and the pending renewal review may add further restrictions.
If Section 702 is renewed, and with new or changed limitations, companies should be aware of their obligations, and internal stakeholders must be prepared to respond swiftly to orders. Teams should be trained to limit dissemination of any Section 702 order within the company and work with counsel to ensure they respond to the order and provide the information securely so as not to tip off a target, while balancing privacy interests for US citizens and for customers abroad.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
Chiara Portner is a member of Hopkins & Carley’s corporate practice, advising private and public company clients on commercial, IP, and technology-based transactions, and privacy and data protection compliance.
Write for Us: Author Guidelines
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.