Computer & Communication Industry Association
PublishedJune 4, 2015

What the USA FREEDOM Act does – and why it matters for Europe

On Wednesday, President Obama signed the USA Freedom Act, a legislative package of long-awaited mass surveillance reforms that passed the House and Senate after years of false starts and negotiations.  The USA Freedom Act contains provisions that permanently end the bulk collection of call records and electronic metadata by the NSA and will provide greater transparency and oversight with respect to the conduct of other surveillance measures that are under continued debate.

The USA Freedom Act revises several aspects of the USA PATRIOT Act authorities misinterpreted by the U.S. government and FISA court to allow for bulk collection of metadata.  The PATRIOT Act, which passed in the wake of the September 11 attacks, was controversial long before Edward Snowden revealed just how extensive the scope of the secret mass surveillance programs conducted by the intelligence community really were.  However, his revelations made evident that many of the programs were implemented in sweeping and unanticipated ways. The programs appear to have exceeded the original parameters of both their authorizing statutes and the constraints of the Constitution, and were in excess of what most citizens realized or believed necessary.

In the wake of the Snowden revelations, civil liberties groups and the technology industry united in a series of attempts to begin reforming the government’s array of bulk collection programs and the legal authorities underpinning their use by the intelligence community.  Although prior versions of the USA Freedom Act had passed the House, they suffered last-minute modifications that weakened reform provisions, and subsequently failed in the Senate several times over the last two years.

The Senate’s approval of the Freedom Act this week, and the President’s signing the bill into law, are the result of a hard-fought compromise, bicameral and bipartisan in nature, which succeeded in reining in the surveillance powers of the U.S. government for the first time in a generation.

The specific limitations on mass surveillance and improved transparency and oversight measures found in the USA Freedom Act are as follows:

Limiting Mass Surveillance

  • Ends the bulk collection of substantially all U.S.-based telephone call metadata (the section 215 program), and replaces it with a targeted program that requires court approval of data requests (there is a 6 month transition period)
  • Prohibits bulk collection of records through two additional authorities: the pen register provision, which was used for a prior program to collect bulk metadata from Internet communications; and the FBI’s National Security Letter power, which has also been used similarly
    • The bulk collection prohibition is strengthened by language prohibiting large-scale, indiscriminate collection, such as all records from an entire state, city, or zip code, or those from a Internet domain like “@gmail.com”
  • To the extent European citizens participate in phone or digital communications with a U.S. person or via a U.S. based Internet service, bulk collection of the records associated with those calls or messages is now prohibited
    • The USA Freedom Act does not make changes to the FISA (section 702) authorities used for the PRISM program which allows for the targeted collection of the content of digital communications
    • Nor does it make changes to the authorities that allow the NSA to do bulk “upstream collection” of Internet traffic transiting backbone connections

Transparency and Oversight

  • Creates a panel of amicus curiae at the FISA court to provide guidance on matters of privacy and civil liberties, communications technology, and other technical or legal matters
  • Company transparency reporting: Tech companies will have a range of options for describing how they respond to national security orders, all consistent with national security needs
  • Declassified FISA opinions: All significant constructions or interpretations of law by the FISA court must be made public
    • These include all significant interpretations of the definition of “specific selection term,” the concept at the heart of the ban on bulk collection
  • Government reporting: The Attorney General and the Director of National Intelligence will provide the public with detailed information about how they use these national security authorities

What Remains to Be Done:

The USA Freedom Act is a good step toward what has been a lengthy and politically challenging process to reform U.S. surveillance policies.  However, the Act does not reform the surveillance authorities found in Section 702 of the Foreign Intelligence Surveillance Act, or those operated pursuant to Executive Order 12333, which govern substantially all foreign bulk data collection.

The approved USA Freedom Act sends a strong signal to the rest of the world, that the U.S. is serious and capable of surveillance reform.  In Europe, this may well help conclude two strands of EU-U.S. negotiations on data transfers.  Yesterday, European Commissioner Jourová and U.S. Attorney General Lynch agreed the Riga Statement.  In this document the EU and the U.S. “commit to … conclude the review of the Safe Harbor Framework and negotiations of the “Umbrella” Agreement concerning law enforcement transfers.”  The general expectation is that this may happen in mid-2015.

A stumbling block for the Umbrella negotiations, which the USA Freedom Act does not address, is that non-U.S. citizens currently don’t have legal redress in U.S. courts.  A recently introduced bipartisan Judicial Redress Act would give European citizens and others this right to ensure that the information is accurate and seek judicial recourse when it is not.  CCIA has driven industry’s support for the bill which would extend redress rights to Europeans.

CCIA is a strong supporter of an improved and safer Safe Harbour framework.  More than 3,000 European and U.S. companies participate in this framework for their commercial data transfers, e.g. payroll data, from Europe to the U.S.

In Europe, we must also get our house in order and ensure that we don’t put surveillance laws in place similar to those the U.S. is only now starting to rein-in.

Meanwhile, countries such as France and the United Kingdom, are moving in the opposite direction.  In response to the recent terrorist attacks in Paris, the French government has proposed a controversial bill to boost its surveillance powers.  The bill is similar to the legislation the U.S. is now reforming because it lacks transparency and oversight and would introduce new technologies to massively spy on electronic communications.  French intelligence services could inject source code on Internet service providers’ infrastructure to detect suspicious behaviour in real time.  The scope would bring all French citizens under surveillance and would expand monitoring to include everything from company trade secrets to private pictures and medical records.

As CCIA said in a previous blog post when the law was proposed, “France should look at international attempts at counter-terrorism laws before enacting its own Loi de renseignement. The surveillance authorities found in the USA PATRIOT Act lowered global trust in the U.S. government and is now under reform in the U.S. Congress.”

Keeping surveillance within the boundaries of the law, and in line with citizens’ expectations, is crucial.  If the U.S., EU, and other democracy-promoters don’t get the balance right, we send the wrong signal to third countries.  We risk providing regimes with legitimacy for their draconian security and surveillance laws.