Executive Summary

In the July 2020 Schrems II case, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield. Over 5,300 companies relied on the Privacy Shield to facilitate transatlantic data transfers between the United States and Europe for services including social media, messaging, cloud services, and email. The CJEU found that U.S. surveillance authorities—specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (EO 12333)—do not provide an adequate level of protection for the personal data of European Union (EU) citizens, and that the United States lacks any mechanism to provide effective redress for EU citizens whose data is transferred to the United States. The decision has created ambiguity around the future of trade between businesses in the United States and the EU.

This report puts forth recommendations for measures that the U.S. government can implement without the need for congressional action. We do not suggest that every measure we recommend is strictly required by the Schrems II decision, nor can we forecast that if all of the recommendations we set forth here are adopted, this would fully satisfy the CJEU. Rather, we seek to outline a package of reforms that address the Schrems II decision, that increase privacy safeguards for both U.S. persons and non-U.S. persons, and that should be achievable in the near term.

Reforms to Collection and Targeting

Reforms that would address collection and targeting practices under Section 702 and EO 12333 would limit the risk of intrusion on the privacy rights of both U.S. and non-U.S. persons, and would likely be the most effective means of protecting those rights. The U.S. government should:

  • Build upon Presidential Policy Directive 28 (PPD-28) by applying the six-category use limits for bulk data in PPD-28 to restrict the permitted purposes for bulk collection.
  • Adopt binding rules to ensure that bulk collection is only conducted when it meets the principles of necessity and proportionality under international human rights law.
  • Commit in its Section 702 targeting procedures to following the definition of foreign intelligence information under FISA that applies to U.S. persons, namely that information must be “necessary to” the United States’ ability to protect against threats, rather than the broader “relates to” standard that applies for foreign intelligence information regarding non-U.S. persons.
  • Strengthen and narrow the standard for targeting under Section 702 from the current standard, which only requires that the targeting will be “reasonably likely to return” foreign intelligence information related to one of the 702 certifications.
  • Commit through an executive order or directive that it will not reinstate “about” collection under Section 702, ensuring that the National Security Agency only collects communications that are “to” or “from” a target.
  • Remove the term “foreign persons” from the definition of foreign intelligence under EO 12333 to ensure that collection is limited to information regarding foreign governments, organizations, and terrorists rather than any foreign individual.
  • Strengthen the standard for surveillance targeting under EO 12333 by, at a minimum, incorporating the Section 702 targeting standard of “reasonably likely to lead” to foreign intelligence.
  • Require the government to seek and create procedures for FISA Court post hoc review of targeting decisions under Section 702, as part of the annual recertification of the program. These new procedures should be incorporated into the Section 702 targeting procedures.

Minimization Reforms

Minimization is the broad term that covers how the intelligence agencies may access, use, retain, and share collected data. The U.S. government should:

  • Adopt more robust and transparent limits on how collected information regarding specific individuals—regardless of nationality—may be used.
  • Raise the bar for queries seeking information about residents of other countries by extending the documentation requirement (for a statement of facts supporting the query term) to cover all queries seeking information about any specific person—regardless of that person’s nationality or location—under both Section 702 and EO 12333.
  • Lower the default time period for retention of data under both Section 702 and EO 12333 to three years, and examine and narrow the exceptions to default retention rules, such as the exception for encrypted communications.
  • Require that when intelligence agency personnel actually review collected information and do not affirmatively assess it to qualify as foreign intelligence information, they must purge that data rather than waiting until expiration of the default retention period.

Improving Transparency

Greater transparency for the rules governing U.S. surveillance is needed and will benefit U.S. and non-U.S. persons alike. The U.S. government should:

  • Disclose the categories that are the subjects of the Section 702 certifications approved by the FISA Court, thereby outlining the scope of permitted 702 surveillance.

Creating Meaningful Redress

Targets of U.S. surveillance under Section 702 and EO 12333, including EU citizens, lack a mechanism through which they can seek redress in U.S. courts. The CJEU in Schrems II emphasized that effective judicial redress requires that individuals are entitled to hearings before an independent and impartial tribunal. The U.S. government should:

  • Provide a mechanism for independent judicial redress or standing to bring challenges to surveillance practices in U.S. courts. Proposals for administrative solutions may be worth considering and could be a helpful first step to show good faith in negotiations. But in order to fully meet the redress standard set forth by the CJEU, legislation will be needed.
