In March, the Supreme Court issued its decision in Federal Bureau of Investigation v. Fazaga, No. 20-828, holding that the state secrets privilege—and its dismissal remedy—applies to cases that may also be subject to the judicial review procedures set forth in the Foreign Intelligence Surveillance Act (“FISA”). In so holding, the Court reversed the Ninth Circuit’s 2020 ruling that FISA displaces the state secrets privilege in cases involving electronic surveillance.
Continue Reading Supreme Court Holds FISA Does Not Displace the State Secrets Privilege
FISA
EDPB Adopts Finalized Recommendations on Supplemental Transfer Tools to Ensure GDPR-Compliant Data Transfers
On June 21, 2021, the European Data Protection Board (“EDPB”) published its finalized recommendations on measures that supplement transfer tools to ensure compliance with the General Data Protection Regulation (“GDPR”), where organizations transfer personal data from the European Economic Area (“EEA“) to a country outside the EEA (“third country”) (see here). While the final version retains much of the language of the draft version released in November 2020 (see here), it includes several notable updates.
Continue Reading EDPB Adopts Finalized Recommendations on Supplemental Transfer Tools to Ensure GDPR-Compliant Data Transfers
U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II
In the wake of the Court of Justice of the European Union’s (“ECJ”) Schrems II decision invalidating the EU-U.S. Privacy Shield (“Privacy Shield”) but upholding the validity of standard contractual clauses (“SCCs”), the U.S. government has released a White Paper entitled “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II.” The Schrems II ruling requires companies relying on SCCs “to verify, on a case-by-case basis,” whether the level of protections afforded by the SCCs are respected and observed in the recipient country. According to the cover letter accompanying the White Paper, it “outlines the robust limits and safeguards in the United States pertaining to government access to data” as part of “an effort to assist organizations in assessing whether their transfers offer appropriate data protection in accordance with the ECJ’s ruling.”
The cover letter emphasizes that while the White Paper is intended to help companies make the case that they can transfer personal data from the EU to the United States in compliance with EU law, it does not “eliminate the urgent need for clarity from European authorities or the onerous compliance burdens generated by the Schrems II decision.” It concludes by citing the importance of the “$7.1 trillion transatlantic economic relationship” and stating that “the Trump Administration is exploring all options at its disposal and remains committed to working with the European Commission to negotiate a solution that satisfies the ECJ’s requirements while protecting the interests of the United States.”
Continue Reading U.S. Government Issues White Paper on Privacy Safeguards Following Schrems II
First Annual Privacy Shield Review Will Comprehensively Assess the Framework
The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C. The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, address concerns that have been raised, and seek to ensure that the Privacy Shield is well positioned to continue operating as a valid legal basis for transfers of personal data from the EU to the U.S.
Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce (“Commerce”) and the European Commission (“Commission”), with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security. Regulators have also indicated that they plan to solicit and incorporate feedback and comments from other Privacy Shield stakeholders as part of the review process, including from self-certified companies and other interested organizations.
Although this is the first annual review, it is important to note that the Privacy Shield has already been the subject of intense public scrutiny. The draft text of the framework was released in February, several months prior to the final release in July, and a number of stakeholders took the opportunity to comment on the text, leading to several revisions designed to improve and strengthen the Privacy Shield.
Continue Reading First Annual Privacy Shield Review Will Comprehensively Assess the Framework
A Public Advocate for Privacy
Since 1979, the United States Government has made at least 35,651 applications to the Foreign Intelligence Surveillance Court (FISC) for authority to conduct electronic surveillance and physical searches of individuals.[1] Of those requests, only 12 have been denied; 532 requests have been formally modified. According to one judge on…
Justice Department Allows More Transparency on Government Demands for Customer Information in National Security Investigations
By Jim Garland, David Fagan, and Alex Berengaut
On January 27, 2014, the Attorney General and Director of National Intelligence announced that the U.S. government will allow Internet companies and telecommunications providers to disclose more information about government demands for customer data in national security investigations. The government’s new transparency policy addresses legal demands served under two distinct statutory authorities. First, under the Foreign Intelligence Surveillance Act (“FISA”), the government can apply to the U.S. Foreign Intelligence Surveillance Court (“FISC”) for orders compelling providers to disclose both the contents of their customers’ communications as well as non-content “metadata” relating to such communications. Second, under the National Security Letter (“NSL”) statute, the FBI can compel companies to disclose certain non-content information about their customers.
Under the new policy announced on January 27, technology companies now have two options for reporting on the number of FISA orders and NSLs they receive: Continue Reading Justice Department Allows More Transparency on Government Demands for Customer Information in National Security Investigations
Supreme Court Nixes FISA Surveillance Suit on Standing Grounds
This week, in a 5-4 decision in Clapper et al. v. Amnesty International USA et al., the United States Supreme Court rejected two theories of Article III standing presented by a group of attorneys, human rights, labor, legal, and media organizations who sought a declaration that surveillance under section 1881a of the Foreign Intelligence Surveillance Act (“FISA”) is unconstitutional as well as an injunction against section 1881a-authorized surveillance.
These respondents argued first that, because their work requires them to engage in sensitive and/or privileged communications with individuals located abroad who are likely targets of surveillance, there was an objectively reasonable likelihood that their communications would be acquired under section 1881a at some point in the future, thus causing them injury. (Section 1881a, which was added by the FISA Amendments Act of 2008, authorizes, under certain circumstances, the government surveillance of individuals who are not “United States persons” and are reasonably believed to be located outside the United States). Second, the respondents maintained that the risk of surveillance under section 1881a is so substantial that they had been forced to take costly and burdensome measures to protect the confidentiality of their communications that constitute present injury and are fairly traceable to section 1881a.
The Supreme Court rejected each of these arguments holding (1) that respondents’ “highly attenuated chain of possibilities” and theory of future injury was too speculative to satisfy the well-established Article III standing requirement that threatened injury be “certainly impending” and, moreover, that they could not establish that the injury was fairly traceable to section 1881a; and (2) that the respondents “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.”Continue Reading Supreme Court Nixes FISA Surveillance Suit on Standing Grounds
Supreme Court Hears Oral Argument on Standing Issue in Challenge to FISA Amendments Act of 2008
By Alex Berengaut
On Monday, October 29, the Supreme Court heard oral argument in Clapper v. Amnesty International (No. 11-1025), a challenge brought by the American Civil Liberties Union (ACLU) against the FISA Amendments Act (FAA) of 2008. The FAA amended the Foreign Intelligence Surveillance Act (FISA) of 1978 by…