UK: Part 1: Getting To Grips With US Government Requests For Data

Last Updated: 20 July 2016
Article by Yuli Takatsuki and Phil Lee

This article was first published in the Privacy Laws & Business International Report, October 2015. www.privacylaws.com

Under the new USA Freedom Act, intelligence agencies must now be more specific when requesting data from private companies. Yuli Takatsuki and Phil Lee report from California.

There are few topics that provoke greater consternation and debate within privacy and data protection circles than the US government's power to access ordinary citizens' electronic communications data in the name of foreign intelligence and national security. In 2013, Edward Snowden's release of NSA material revealing the PRISM surveillance program blew the debate wide open and has been called the most significant leak in US constitutional history. Although much of the information about government surveillance and data collection programs remains classified, what has become apparent is that US government agencies have been pushing their statutory powers to the limit for many years with little to no judicial oversight or executive accountability.

Despite the intense public spotlight that has been shone on these activities, there is still limited knowledge, even amongst lawyers, about the legal mechanisms supporting these disclosure requests. It's not surprising when you delve into the topic and discover the myriad of complex, overlapping legal instruments, rules and executive orders that govern this area of law. This article assumes only a modest task – to provide a very brief introduction to the key legal provisions under which such requests are made – hopefully a starting point for companies that one day receive such a request on their doorstep.

This article is the first of a two-part series. We focus in this first article on the legal powers governing the gathering of US intelligence. The second part – due to be published in the next edition of Privacy Laws & Business – will look at the equivalent provisions in the area of US law enforcement.

1. The Foreign Intelligence Surveillance Act (FISA) & the FISA Amendments Act

FISA was originally enacted in 1978 to govern how the US government can collect foreign intelligence information for the purposes of safeguarding national security.

The Act created the Foreign Intelligence Surveillance Court (the FISA Court) which consists of 11 federal district court judges who are responsible for reviewing US government applications for access to personal data, electronic surveillance and other types of intelligence gathering. Hearings in the FISA Court are off-limits to the general public, rulings are generally classified, and applications for court orders are routinely made ex parte. In addition, companies that are the subject of such orders are prohibited from disclosing any information about the government requests through so-called "gag orders".

Originally, collection of intelligence under FISA had been limited to specific and identified agents of foreign powers. However, over the decades and most notably after 9/11, the US government has stepped up efforts to enhance its ability to gather more widespread intelligence.

This led in 2008 to the FISA Amendments Act. The most controversial provision is section 702, which governs the acquisition by the US government of foreign intelligence information[1] with the assistance of electronic communications service providers. It permits the Attorney General (AG) and Director of National Intelligence (DNI) to authorize the "targeting" of non-US persons (i.e. persons "reasonably believed to be located outside the United States") to obtain foreign intelligence information without any need for an individualized court order. US Persons, on the other hand, are protected by the Fourth Amendment and the government is thus required under sections 703-704 to obtain an approved warrant from the FISA Court before such information is collected. In such a case, the government must demonstrate probable cause before the court will issue an order compelling the disclosure.

Collection of data relating to a non-US person, however, does not require a judicial order. Instead, the FISA Court approves annual "certifications" submitted by the AG and DNI that identify categories of foreign actors and foreign intelligence that may be appropriately targeted. Court review is then limited to the procedures for targeting (i.e. ensuring that non-US persons are being targeted) and minimization (i.e. ensuring that the government does not retain or disseminate material that it was not allowed to collect) rather than the legitimacy of the information collection itself. Once the certification is approved, the government can determine in each case whether the information it seeks falls within the targeting and minimization procedures without further court assessment.

Critics consider section 702 to be particularly intrusive as data collection under this provision can capture not just metadata records, but also the content of communications (including emails, web browsing history, photos/videos/texts, instant messages etc.), as well as authorizing digital surveillance in the form of wiretaps and interceptions of digital communications. The European Parliament has noted that the definition of "foreign intelligence information" under the Act is of such generality that "...from the perspective of non-Americans, it appears that any data of assistance to US foreign policy is eligible, including political surveillance over ordinary lawful democratic activities".[2]

Theoretically, an electronic communications provider who is served with a section 702 order can challenge it. However, in reality, the scope for challenge is very limited and the FISA Court may only grant such a challenge where the request for information has been "unlawful" (a high threshold given the wide discretion the AG and DNI are afforded under the Act). The actual persons whose records are targeted have no right to appear before the FISA Court and targeted persons will generally have no way of knowing their records are the subject of government scrutiny as the intelligence programs are classified.

There is a sunset clause attached to section 702 but it is currently not due to expire until 2017.

2. Executive Order (EO) 12333

Executive orders are issued by the President of the United States and generally instruct government officers and agencies how to conduct and manage their operations.

EO 12333 (commonly referred to as "Twelve-Triple-Three") was signed by Ronald Reagan in 1981 and sets down the legal baseline for what the intelligence community can do and how it operates. It allows the AG to authorize the collection of information outside of the US, including the content of communications data and related metadata, for the purposes of any foreign intelligence investigation. No warrant or court approval is required where the collection takes place outside of the US. Where intelligence collection is within the US, a specific domestic instrument (like FISA) will need to be relied upon, in addition to EO 12333, to legitimize the collection.

There is not a great deal of public information about the application of EO 12333 by the US government but its language is broad and its powers potentially wide-reaching. It is described as a type of 'catch-all' power that may legitimise government surveillance practices that would otherwise not fall within other legal instruments.

3. The USA PATRIOT Act ("Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act")

Although no longer in force, the USA PATRIOT Act is worth mentioning for its controversial section 215 (known as the "business records" provision) which laid the foundations for the reforms that followed. The Act was adopted in October 2001, six weeks after 9/11. Many opponents have criticised the USA PATRIOT Act for massively expanding the access of law enforcement agencies to business records and permitting the dragnet collection of millions of users' phone and internet records on a daily basis. Even the Congressman who introduced the Act to the House of Representatives, Jim Sensenbrenner, later criticised the intelligence community's "expansive use" of the Act describing its practices as going "far beyond what Congress envisioned or intended to authorize".

Section 215 allowed US government agencies to obtain court orders requiring a business to hand over records or any other "tangible thing" (including books, records, papers, documents, and other items) that was deemed "relevant" to an international terrorism or clandestine intelligence investigation. There were few limits to the government's access and even US persons could fall under its scope (provided that the order did not infringe on any First-Amendment protected activities).

It is said that government agencies were able to obtain records relating to a whole geographic region or entire communications service provider under section 215. In May 2015, however, the collection by the NSA of Verizon's business records relating to the metadata of millions of phone calls was held by the Court of Appeals for the Second Circuit to exceed the scope of the Act. This bulk collection of huge tranches of communications data had been justified by intelligence agencies as the only way to get enough data to allow them to sift through it to find 'connections' (described as the "haystack approach" by critics). The Court held that the government had been over-liberal in its interpretation of "relevance", stating "such an expansive concept of 'relevance' is unprecedented and unwarranted... The statutes to which the government points have never been interpreted to authorize anything approaching the breadth of the sweeping surveillance at issue here".

The USA PATRIOT Act contained a sunset clause which meant it was due to expire in June 2015.

4. The USA FREEDOM Act of 2015 ("Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015")

With this heated background, the seeds had been sown for the enactment of the USA FREEDOM Act. In June 2015, the Senate failed to vote for an extension of the USA PATRIOT Act and so the controversial section 215 lapsed. The Senate instead adopted the USA FREEDOM Act, generally considered less invasive and more palatable than the USA PATRIOT Act. The legislation is to remain in effect until December 15, 2019.

The USA FREEDOM Act has modified section 215 so that intelligence agencies must now ask private companies for specific and more focused data relating to an individual allegedly connected to a terrorist group or foreign nation. Although it is not clear how it has been applied in practice, it is said to make the bulk collection of records no longer viable. At the heart of the Act lies the concept of a "specific selection term" – a term that government agencies must now use to limit the scope of records sought and which "specifically identifies an individual account, address or personal device, or any other specific identifier" and "to the greatest extent reasonably practicable" limits "the scope of tangible things sought consistent with the purpose for seeking the tangible things".

The Act also introduced reforms to the FISA Court procedures. Firstly, a special court advocate (amicus curiae) who represents public and privacy interests must now be appointed in cases that involve a novel or significant construction of the law. Secondly, all judgments involving a significant construction or interpretation of law must be declassified and made available to the general public (unless the publication would threaten national security, in which case an unclassified summary must be published). To add further transparency, the Act allows companies that are the subject of disclosure orders to publicly report the number of orders they have received (in bands), as well as certain other information such as the number of customer selectors targeted.

Further, the amendments allow the recipient of a business records order to bring a judicial challenge not just to the production part of the order, but also to any prohibition on disclosure contained in it. It has removed a requirement that a judge considering a petition to modify or set aside a nondisclosure order treat as conclusive a certification by the AG or FBI Director that disclosure may endanger national security or interfere with diplomatic relations.

There is no doubt that these represent significant reforms for the data subject – but do they go far enough? The Act was hailed by some as representing a momentous victory for civil liberties but it has been slammed by equally many others for failing to alter the fundamentals. US government agencies can still compel the disclosure of a large amount of electronic communications data without the knowledge of the data subject, without court oversight in most cases, and without a clearly articulated legal standard for 'relevance'. The Act also does nothing to limit the government's right to access the content of communications under s.702 of the FISA Amendments Act and Executive Order 12333.

Is there any protection for non-US persons?

Currently, there is little protection for non-US persons who become the target of such orders. In most cases, the decision whether to release the data to the government agency will lie in the hands of the business that holds the records. Many US tech companies have published statements on their websites explaining how they handle such requests. For example, Google says it will always review a government request for data to ensure it satisfies legal requirements – generally speaking, the request must be made in writing, signed by an authorized official of the requesting agency and must be issued under an appropriate law. If they believe a request is overly broad, they say they will "seek to narrow it". Microsoft[3], Yahoo[4], Apple[5] and Facebook[6] follow similar approaches. However, a successful challenge to such an order is likely to be rare. Aside from this thin layer of protection, there is very little any non-US subject can do.

There is a small glimmer of light for EU citizens. Currently, there appears to be a great level of interest and dialogue at the European parliamentary level about these issues. So far, this has manifested itself in a number of concrete ways:

  • Firstly, there are certain provisions included in some drafts of the General Data Protection Regulation which impose restrictions on handing over EU personal data in this context. For example, Article 43a of the European Parliament draft prohibits companies from complying with third country government requests for EU personal data unless they have "prior authorisation" from an EU data protection authority and the request accords with an existing mutual legal assistance treaty or international agreement. However, it isn't clear whether this provision will survive the trialogue debates, or how such a requirement would work in practice without bringing international law enforcement to a grinding standstill.
  • Negotiations for an "EU-US Umbrella Agreement" were finalised in early September 2015, which puts in place a legal framework for the exchange of personal data between law enforcement authorities. It sets out key principles – e.g. that the data must only be shared for the purposes of investigating crime, onward transfer to a third country must be subject to prior consent from the original law enforcement body etc. Most significantly, it provides EU citizens with the right to seek judicial redress before US courts for privacy breaches, which was not possible before.
  • The European Court of Justice published its landmark ruling in the Max Schrems case on 6th October 2015, holding that the Safe Harbour Framework was not a valid mechanism for cross-border transfers of EU personal data to the US. The Court held that the transfer of data under the Framework constituted a disproportionate interference with the right to respect for private life as it enabled US public authorities to have access to the content of electronic communications on a wide and generalised basis, without any objective criterion being laid down for determining the limits of the access. It is not yet clear what the wider practical impact of the judgment will be; however, it is no doubt a huge blow to the main legal mechanism in place legitimising such data transfers. The European Commission has said it will issue clear guidance in the coming weeks.

Given the breadth of statutory power given to US government agencies under FISA, EO 12333 and the USA FREEDOM Act, it is not yet clear whether these developments will lead to fundamental changes in the short-to-medium term. However, the continuing public spotlight and ongoing political and legislative debate surrounding these issues will no doubt help in securing greater accountability and legal safeguards for future citizens. Non-US citizens should consider too the foreign intelligence practices carried out by governments in their own jurisdiction. The spotlight may be on the US at the moment, but mass data collection by governments in the name of national security is a practice that pervades government agencies the world over.

US intelligence gathering – comparison table

| Instrument | What kind of data is covered? | Threshold requirement | Court order required? |
|---|---|---|---|
| s.702 FISA Amendments Act | Metadata and actual content of communications through compelled assistance of electronic communications providers. | To obtain foreign intelligence information. | No (for non-US persons) – only annual 'certifications' approving targeting and minimization procedures required. Yes (for US persons). |
| EO 12333 | Metadata and content of communications outside of the USA | For the purposes of a foreign intelligence investigation | No |
| s.215 USA PATRIOT Act (expired) | Records or other tangible thing (telephone metadata only) | Relevant to international terrorism or a clandestine intelligence investigation | No (for non-US persons) – individualised court orders not required but court approval needed for program generally and criterion for ongoing collection. |
| s.215 USA FREEDOM Act of 2015 | Records or other tangible thing (telephone metadata only) | Relates to individual allegedly connected to an international terrorist group or foreign power. Government agency must include a "specific selection term" in request. | No (for non-US persons) – individualised court orders not required but court approval needed for program and criteria for ongoing collection. |

Footnotes

[1] "Foreign intelligence information" is defined as information that relates to the ability of the USA to protect against attack, sabotage, international terrorism, international proliferation of weapons of mass destruction, clandestine intelligence activities, and any information with respect to a foreign power or foreign territory relating to national defense, national security, or the conduct of foreign affairs.

[2] "The US surveillance programmes and their impact on EU citizens' fundamental rights", Directorate-General for Internal Policies of the European Parliament, PE 474.405 (p.19)

[3] http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/pppfaqs/

[4] https://transparency.yahoo.com/law-enforcement-guidelines/us/index.htm

[5] http://www.apple.com/privacy/government-information-requests/

[6] https://www.facebook.com/safety/groups/law/guidelines/

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
