FISA

The Foreign Intelligence Surveillance Act (FISA) is a United States law that establishes procedures for physical and electronic surveillance of foreign individuals and entities.

The latter was amended in 2008, in particular with the introduction of Section 702, to give the U.S. government the authority to monitor the electronic communications of foreigners abroad, with the imposed assistance of electronic communication service providers.

They are thus obliged to cooperate with the American authorities and to allow the latter access to the information in their possession:

• Remote computer service providers;
• Electronic communication service providers;
• Telecommunications companies;
• Any other communications service provider that has access to wire or electronic communications, either at the time such communications are transmitted or at the time such communications are stored, and any officer, employee, or agent of any such entity.

Access to information requested by U.S. authorities is not limited to servers located in the United States, but to all servers operated by U.S.-domiciled electronic communication service providers or where only certain operations are outsourced to U.S.-domiciled electronic communication service providers.

FISA does not authorize individual surveillance measures, but surveillance programs (such as PRISM or UPSTREAM) that do not contain information on who to target individually, but on what categories of information to collect from electronic communication service providers.

Along with Executive Order 12333, FISA, and in particular Section 702 thereof, is responsible for the invalidation of the Privacy Shield by the Court of Justice of the European Union (CJEU) in 2020.

In order to limit the risk of use by U.S. authorities of information hosted in whole or in part by electronic communication service providers subject to Section 702 of FISA and thus ensure the confidentiality of information, it is recommended to implement technical security measures allowing the encryption of hosted data for which the decryption key is not held by the provider of said electronic communication service.

In any case, FISA is not compatible with European Union law, and in particular with the GDPR because it does not meet the minimum requirements attached to the principle of proportionality, but also with the Charter of Fundamental Rights of the European Union, which enshrines the right to an effective remedy and access to an impartial tribunal.

Point of legislation

“(a)Authorization
Notwithstanding any other provision of law, following the issuance of an order…the Attorney General and the Director of National Intelligence may jointly authorize, for a period of up to one year from the effective date of the authorization, the targeting of persons reasonably believed to be outside the United States for the purpose of acquiring foreign intelligence.

(b) Limitations
An acquisition authorized under subsection (a)-
(1) may not intentionally target any person who is known at the time of acquisition to be in the United States;
(2) may not intentionally target a person reasonably believed to be outside the United States if the purpose of the acquisition is to target a particular known person reasonably believed to be in the United States;
(3)may not intentionally target a United States person reasonably believed to be located outside the United States;
(4)may not intentionally acquire any communication where the sender and all recipients are known at the time of acquisition to be located in the United States;
(5)may not intentionally acquire communications that contain a reference to a target of an acquisition authorized under subsection (a), but that are not intended for or from that target,[…]; and
(6)shall be conducted in a manner consistent with the Fourth Amendment to the United States Constitution.”

Article 702 a) and (b) the Foreign Intelligence Surveillance Act

Point of jurisprudence

The Court of Justice of the European Union has noted that “Article 702 of FISA does not in any way show the existence of limitations on the authorization it contains for the implementation of surveillance programs for foreign intelligence purposes, nor does it show the existence of guarantees for non-Americans potentially targeted by these programs. In these circumstances, (…) this article is not capable of ensuring a level of protection substantially equivalent to that guaranteed by the Charter, (…), according to which a legal basis that allows interference with fundamental rights must, in order to satisfy the principle of proportionality, itself define the scope of the limitation on the exercise of the right concerned and provide for clear and precise rules governing the scope and application of the measure at issue and imposing minimum requirements.”

Court of Justice of the European Union, July 16, 2020, N° C-311/18

The Bouchara Law firm assists you in particular in :

• Making your organization GDPRcompliant;
• The drafting of data protection policies (privacy policy, computer charter …);
• Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
• Obtaining certifications and adhering to codes of conduct;
• The study of the legal feasibility of the implementation of a new personal data processing;
• The drafting and transmission of your codes of conduct to the CNIL for approval;
• Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
• Drafting and negotiating your data processing agreements (DPA);
• Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
• Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.