Background on Applicable U.S. Surveillance Authorities
In the Schrems II decision, the CJEU found that U.S. surveillance conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and under Executive Order 12333 (EO 12333) does not provide “the minimum safeguards” required under EU law to satisfy the principle of proportionality. As a result, the court found that surveillance conducted under those two authorities “cannot be regarded as limited to what is strictly necessary.”[1]
Section 702 authorizes the U.S. government to target non-U.S. persons located outside the United States for foreign intelligence purposes, in order to collect their communications, including the content of phone calls and emails. The government collects this information inside the United States, either by compelling electronic communications service providers to turn over communications to the government (often referred to as “PRISM” collection), or by collecting communications from the internet “backbone” with the compelled assistance of internet service providers (often called “upstream” collection).[2] Although U.S. persons cannot be targeted under Section 702, their communications may be collected through what the government calls “incidental collection,” if, for example, they are on the other end of an email or phone call with a target. The U.S. government must obtain annual approvals from the FISA Court—a special court that operates in secret to review classified information—for Section 702 surveillance. The FISA Court reviews and approves “certifications,” which cover the categories or topics of surveillance that are authorized, as well as targeting procedures, minimization procedures, and querying procedures.
EO 12333 is an executive order originally issued by President Ronald Reagan that governs most U.S. Intelligence Community activities. It provides a framework for surveillance that is not covered by FISA, as well as for intelligence collection through other methods such as human intelligence and geospatial intelligence. Each component of the Intelligence Community has developed its own set of applicable implementing rules under EO 12333. These procedures, which must be approved by the U.S. attorney general, are also referred to as AG guidelines.[3] The lead intelligence agency for conducting signals intelligence, or SIGINT (the type of intelligence collected through surveillance), is the National Security Agency (NSA). Because the NSA sits within the Department of Defense (DoD), DoD’s AG guidelines, found in DoD Manual 5240.01, Procedures Governing the Conduct of DoD Intelligence Activities,[4] as well as the SIGINT Annex to these procedures,[5] provide the applicable rules for most surveillance conducted under EO 12333.
In addition, signals intelligence conducted under EO 12333 is governed by Presidential Policy Directive 28 (PPD-28), which was issued by President Barack Obama in January 2014. PPD-28 was designed to provide safeguards for the data and rights of non-U.S. persons. However, the CJEU in Schrems II found that PPD-28 is not sufficient to overcome the privacy threats to EU citizens’ data that it identified from U.S. surveillance conducted under both Section 702 of FISA and EO 12333.
Citations
1. Schrems II, supra note 1, at ¶ 184.
2. Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (2014) at 32-41, source
3. For a general overview of E.O. 12333 and what it covers, see Privacy and Civil Liberties Oversight Board, Executive Order 12333 (2021) source. The Office of the Director of National Intelligence (ODNI) has posted a chart with links to the current A.G. Guidelines for each intelligence agency, available at source.
4. DoD Manual 5240.01, Procedures Governing the Conduct of DoD Intelligence Activities, 2016 source
5. Signals Intelligence Annex to DoD Manual S-5240.01-A, 2021, source