Congress Foreign Relations & International Law Surveillance & Privacy

The FISA Reauthorization Should Codify Safeguards for Non-U.S. Persons

Cameron Kerry
Tuesday, October 31, 2023, 7:20 PM
Here’s how the U.S. should codify protections of foreign nationals’ data in the reauthorization of the FISA.
The National Security Agency (Creative Time Reports, https://flic.kr/p/jSK1YY; CC BY-SA 2.0, https://creativecommons.org/licenses/by-sa/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

When the news stories broke about the leaks by Edward Snowden in the summer of 2013, I was serving my first days as the acting secretary at the Department of Commerce, where the functions include sustaining the free flow of information across borders. The second day’s stories in the Washington Post and the Guardian were about the PRISM program—the collection of information from international electronic communications traffic conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA). I knew right away our work on data flows was in trouble.

For the third time since then, Title VII of the FISA, which includes Section 702, is up for congressional reauthorization, or it will expire on Dec. 31 of this year. The FISA was enacted in 1978 in reaction to congressional investigations and litigation about U.S. government surveillance of Americans. It establishes safeguards for “U.S. persons,” those inside U.S. boundaries as well as U.S. citizens and resident aliens outside those boundaries. Section 702, by its terms “targeting certain persons outside the United States other than United States persons,” was added to the FISA as a new Title VII in 2008 in the wake of President George W. Bush’s controversial warrantless President’s Terrorist Surveillance Program, to provide legal authority, oversight, and safeguards for surveillance of non-U.S. persons in light of the significant expansion of the reach of communication technology. It was reauthorized in 2015 and again in 2018.   

The current reauthorization debate focuses primarily on increasing protections for U.S. persons whose information is incidentally captured in the communications collected under Section 702. Some additional protections for the use and dissemination of this information are in order, something advocated on both sides of the spectrum for different reasons.

In this piece, though, I focus instead on safeguards for non-U.S. persons to codify changes in U.S. surveillance law and practices that began with the response to the Snowden leaks in 2013. I previously advocated in Lawfare for the codification of President Biden’s Executive Order 14086, which placed more precise boundaries on the meaning of “foreign intelligence” under the FISA and added predicates and procedures for collection as well as a novel administrative review process for non-U.S. persons in certain countries. The Privacy and Civil Liberties Oversight Board, as well as a coalition of advocacy groups, have made similar recommendations. In this article, I provide a road map for carrying out these suggestions.

The International Reaction to Section 702

Those second-day news stories about the PRISM program reported that the National Security Agency (NSA) was “tapping directly into the central servers of nine leading U.S. Internet companies,” accompanied by an NSA slide containing the logo of each company mentioned. The reporting about direct access to the servers of these companies was inaccurate and was clarified a few days later. Even so, I knew from my engagement with European counterparts that the story would feed a perception abroad that the NSA had a fire hose gathering all emails, text messages, and other electronic communications to the United States. Sure enough, the story set off a firestorm abroad that soon jeopardized transatlantic data flows.

Such perceptions of the reach of U.S. surveillance and the scope of collection under Section 702 are vastly exaggerated. But it is correct that the Fourth Amendment does not protect foreign nationals outside the borders of the United States. The FISA’s protection of these non-U.S. persons is only a by-product of the safeguards in place to protect U.S. persons—which require the government to define the legitimate purposes of foreign intelligence surveillance, mandate meaningful procedural steps in the surveillance approval process, detail specifications for data minimization and retention, and differentiate between U.S. and non-U.S. persons only once collected information is queried. This difference in safeguards undermines trust in the U.S. rule of law, American companies, and the stability of data flows between the European Union and the United States.

These doubts are obvious from the two decisions by the Court of Justice of the European Union (CJEU) that have invalidated decisions by the European Commission to allow such data flows under frameworks deemed “adequate” under EU data protection laws. On the basis of a record that contained only a bare allegation on the heels of the Snowden leaks that U.S. surveillance was “mass and undifferentiated,” the first judgment faulted the commission’s first adequacy decision for failing to consider U.S. surveillance safeguards and assess whether they provided EU residents with protections essentially equivalent to those under EU law. 

The second case, decided in 2020, presented a new adequacy decision that was based on the commission’s review of U.S. surveillance law. The case also followed significant changes that had been made to U.S. law and surveillance procedures in response to the Snowden affair. President Obama issued Presidential Policy Directive 28 (PPD-28) in 2014, which explicitly extended safeguards and remedies to non-U.S. persons. In 2015, Congress amended the FISA to codify many of the procedures adopted in the wake of the Snowden stories and PPD-28 to declassify FISA Court opinions and provide for reports on surveillance by the attorney general, director of national intelligence, and providers of communications. The CJEU, however, found that the FISA goes beyond “what is necessary in a democratic society,” while providing little description as to the meaning behind the “in a democratic society” benchmark. 

Since then, the U.S. has done even more to extend protection to non-U.S. persons. President Biden’s 2022 Executive Order 14086 extends protections provided to American citizens to non-U.S. persons by treating their data “in the same manner that [they would] comparable information concerning United States persons.” This order enabled a new Data Privacy Framework arrived at a year ago. The U.S. commitments for protections of personal information and remedies for both the commercial sector and government access provided the foundation for a European Commission decision on July 10, 2023, deeming U.S. safeguards “adequate” for purposes of EU data protection law. 

In a previous Lawfare piece, I described the substance of the procedures required by Executive Order 14086 and the ways they push the limits of what is possible under U.S. constitutional separation of powers, as well as existing legislation to meet the standards set out by the CJEU. I also noted that taking these limits into account in future CJEU litigation would require judges to appreciate differences in legal systems and governance among democratic societies, and I expressed concern that European civil law judges might experience cognitive dissonance in the face of the organic patchwork of laws in the United States compared with the more logically ordered legal architecture in Europe. Indeed, in the second CJEU case, the court’s advocate general (roughly equivalent to the U.S. solicitor general’s role as the “tenth justice” of the Supreme Court) dismissed PPD-28 and its predecessor Executive Order 12333 as “internal administrative directives” that can be changed by the president and lack “the ‘quality of law.’” 

These views are misplaced. Executive orders bind executive branch agencies and have had the force of law throughout American history. And, while they are subject to political changes, they can be enduring. PPD-28 remained in place despite Donald Trump’s broad pledge to undo “illegal and overreaching executive orders,” and the substance of Executive Order 12333 has lasted 40 years. Nevertheless, in the inevitable third CJEU case there is risk that the court may be unable to make the necessary conceptual leaps, leaving uncertainty about the stability of the Data Privacy Framework.

Giving “the Quality of Law” to Protection of non-U.S. persons

Congress has the opportunity to address this jeopardy in the reauthorization of the FISA. Codification of certain safeguards adopted in Executive Order 14086 would obviate doubts about the durability or force of the changes to intelligence community practices made by the executive order. Furthermore, incorporating the safeguards into law would advance emerging norms on government access in a digitized world that functions on instantaneous transmission of terabytes of rich information. It is in the interest of the U.S. and other open and democratic societies and economies that this transmission be trusted and safe everywhere.  

In fact, the U.S. has been the global leader in establishing protections for the data of people outside its borders. PPD-28 was the first time any nation has done so expressly. Subsequently, a few other countries have moved toward this norm: The German Constitutional Court has interpreted Germany’s constitution as applying to subjects of surveillance outside the country, and the Netherlands provides the same protections to everyone. The U.S. has been in the vanguard when it comes to transparency about its intelligence collection, a process precipitated by the Snowden revelations and then formalized in PPD-28 and 2015 amendments to the FISA and reinforced by Executive Order 14086. The U.S. was also a significant actor in developing the 2022 Organization for Economic Cooperation and Development (OECD) Declaration on Government Access to Personal Data Held by Private Sector Entities, a set of principles and safeguards agreed to by the 38 OECD member states. 

Thus, rather than a concession to Europeans, updating Section 702 would affirm a U.S strength. As the U.S. seeks to build a new rules-based international order in concert with democratic allies, codification of norms on government access to information worldwide would underscore U.S. leadership and draw a strong contrast with China’s surveillance state.

It would not be the first time Congress has acted to update norms for foreign intelligence surveillance for the modern era. As noted above, Section 702 originated as a response to the global reach of surveillance and post-Sept. 11 overreach, and then Congress expanded oversight and transparency (Title VI) to codify post-Snowden practices. Codifying aspects of Executive Order 14086 would be a similar update. A few key steps would do much to embed essential aspects of the executive order in the statute.

First and foremost, in line with the recent recommendation of the PCLOB that “Congress should codify the twelve legitimate objectives for signals intelligence collection under Executive Order 14086,” incorporating these objectives into the definition of “foreign intelligence information” (18 U.S.C. § 1801) would have a broad effect on the operation of Section 702. This term shapes the scope of authority to acquire intelligence (50 U.S.C.§ 1802(a)(1)); the showing required to obtain court authorization (50 U.S.C.§ 1804(a)); the objectives of minimization procedures that the attorney general is required to adopt (50 U.S.C.§ 1801(h); and Foreign Intelligence Surveillance Court (FISC) oversight of minimization (50 U.S.C. § 1881a(h),(j)). The effect of these provisions would be reinforced by adding the acquisition of foreign intelligence information to the requirements for targeting procedures under Section 702 (50 U.S.C. § 1881a(d)(1)). In its 2023 report, the PCLOB submits that codification of the overarching purposes in Executive Order 14086 would reinforce FISC and PCLOB oversight by providing explicit authority to review compliance with regard to non-U.S. persons.  

In addition to the purposes, the definition of foreign intelligence information should incorporate the more specific objectives that Section 2(c)(ii)(B) of the executive order applies to “bulk collection.” Moreover, Executive Order 14086 contains a reservation of authority for the president to add to the list based on “new national security imperatives,” such as emerging threats; these will be disclosed unless that presents a national security risk. Since this reservation involves the exercise of presidential national security authority, Congress’s power to legislate may be limited, but it could add a provision for reporting undisclosed changes to congressional intelligence committees, as done elsewhere in the FISA. A coalition of privacy and civil liberties groups has called for “reasonable limits on the scope of surveillance” as part of reauthorization. Those limits should avoid tinkering with the language of Executive Order 14086. That language has been fully litigated in the interagency process that led up to the executive order and subsequently reflected in the internal regulations and procedures of the intelligence community and law enforcement agencies. 

It has also been reviewed at length by the European Commission and required review by the European Council and European Data Protection Board prior to adoption of the commission’s adequacy decision. More than 2,500 U.S. and EU companies have certified their compliance with the framework. An untold number of others conduct EU-U.S. data transfers on the basis of contract clauses, or “binding corporate rules,” that, under EU data protection laws, require assessments of the risk that the data will be subject to U.S. surveillance. While the executive order would remain binding on federal agencies as long as it remains in effect, significant variance from the executive order language could introduce some uncertainty into these data transfer arrangements. That would significantly undermine the benefits of codification, and Congress should be mindful of this pitfall.

Second, reauthorization should incorporate the other most significant language in the executive order, the declaration that signals intelligence activities shall be conducted only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized, with the aim of achieving a proper balance between the importance of the validated intelligence priority being advanced and the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside.

This language contains two essential elements of the executive order that are fundamental to the Data Privacy Framework. The first is making explicit the “necessary and proportionate” framing that the CJEU found lacking in the FISA. This framing may be implicit in the Fourth Amendment standard of “reasonableness” as it is articulated in the text of the amendment and interpreted by courts, but the CJEU has not recognized it as such and, until the executive order, the U.S. was reluctant to adopt such language. The second is making explicitly clear that FISA safeguards extend to non-U.S. persons. Section 702 contains a set of five “limitations” designed to protect U.S. persons, including consistency with the Fourth Amendment (50 U.S.C. § 1881(b)); the executive order language above would fit into this list as a sixth item filling in where the Fourth Amendment does not apply.

Finally, there are other provisions of Section 702 where safeguards are focused entirely on U.S. persons that could be updated to conform with the changes above. Title VII contains its own provisions for adoption of minimization procedures by the attorney general (50 U.S.C. §§ 1881a(c)(1), 1881b (c)(3)(c), 1881c (c)(1)(c)), which cross-reference the underlying FISA definition of “minimization procedures” (50 U.S.C. § 1801(h)). The latter provides that data minimization procedures should be designed to minimize information “concerning unconsenting United States persons[.]” This definition should add that procedures should take into account “the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside” as provided in Executive Order 14086, or, at a minimum, such language should be introduced into the Title VII cross-references.

In addition, the underlying data retention provision of the FISA limits retention of foreign intelligence information to five years unless one of several exceptions applies (50 U.S.C. § 1813). The exceptions include when “all parties to the communication are reasonably believed to be non-United States persons” (50 U.S.C. § 1813 (b)(3)(B)(iv)). In a fast-moving digital age in which the volume of data is exploding exponentially and quickly becomes obsolete, five years is an extraordinarily long time for retention that may increase the volume of data to analyze without adding utility. This period could be shortened, especially since the additional exceptions that include needed decryption and ongoing assessment needs are broad enough to cover articulable needs for further retention. In any event, the blanket exception for non-U.S. persons should be eliminated to align with the principle in Executive Order 14086 that intelligence officials “shall not disseminate personal information collected through signals intelligence solely because of a person’s nationality or country of residence.”

Updating Surveillance Law for the 21st Century

Comprehensive independent assessments by the special review board appointed by President Obama in 2013, the PCLOB in 2014 and again in 2023, and the President’s Intelligence Oversight Board in 2023 have all concluded that Section 702 has provided valuable and actionable intelligence but also made recommendations to strengthen protections for U.S. persons. As current PCLOB member Travis LeBlanc said on the Lawfare Podcast, “We’ve heard a number of examples where … [Section 702] literally saved lives.” Their assessments are consistent with my own observation as a recipient of foreign intelligence reports of the kind obtained under Section 702. This time around, though, FISA safeguards should broaden to reflect the experience and understanding acquired since 2013 and the interconnected world of 2023.

In 2026, the United States will celebrate its semiquincentennial—the 250th anniversary of the Declaration of Independence on July 4, 1776. That founding document was written to address “a candid world” with “a decent respect to the opinions of mankind.” The Bill of Rights, which is displayed alongside the Declaration in the rotunda of the National Archives, established protection of “persons, houses, papers, and effects” against government power. Codifying respect for humankind and universal democratic rights into laws on collection of foreign intelligence would be an affirmation of the nation’s long-standing democratic values as it prepares for the significant milestone of its 250th. 


Cameron F. Kerry is the Ann R. and Andrew H. Tisch Distinguished Visiting Fellow in Governance Studies at the Brookings Institution, and is Senior Counsel at Sidley Austin. He previously served as general counsel and acting secretary of the Department of Commerce.

Subscribe to Lawfare