Surveillance

Schrems II

The Schrems II judgment fundamentally changed international data transfer law. The CJEU found that US surveillance practices under FISA 702 and EO 12333 do not meet EU standards for data protection—specifically, they lack proportionality, independent oversight, and effective judicial remedies for EU citizens. Privacy Shield was invalidated because its reliance on US self-certification could not overcome these structural deficiencies. Standard Contractual Clauses (SCCs) remain a valid transfer mechanism, but exporters must now conduct Transfer Impact Assessments (TIAs) to verify that destination country law does not prevent SCCs from being effective. If the assessment reveals inadequate protection, transfers must stop or additional supplementary measures must be implemented. The ruling affects any transfer to countries without EU adequacy decisions, requiring organizations to assess surveillance laws globally. The EU-US Data Privacy Framework (2023) attempts to address Schrems II concerns, but its durability is uncertain.

Patriot Act

The USA PATRIOT Act, passed after September 11, 2001, dramatically expanded US surveillance capabilities. Key provisions include Section 215, which authorized the FBI to obtain ‘any tangible things’ relevant to terrorism investigations including business records, until the USA FREEDOM Act restricted bulk collection. The law enabled National Security Letters (NSLs) demanding records from communications providers without court approval. It facilitated information sharing between foreign intelligence and domestic law enforcement. ‘Sneak and peek’ searches allow delayed notification of search warrants. Roving wiretaps can follow targets across devices without new court orders. While some provisions have sunset dates requiring reauthorization, the framework fundamentally changed US surveillance law. For international organizations, the Patriot Act exemplifies the broad access authorities that create tension with data protection regimes like GDPR.

Investigatory Powers Act

The Investigatory Powers Act 2016, nicknamed the ‘Snoopers’ Charter’, consolidates and expands UK surveillance powers. Intelligence agencies (GCHQ, MI5, MI6) can conduct bulk interception of communications, retain bulk datasets, and hack devices (equipment interference). ISPs must retain ‘internet connection records’ showing which websites users visit for 12 months. The law requires communications providers to assist authorities in removing encryption where feasible and maintain permanent interception capabilities. Warrants for targeted interception require judicial approval, but bulk powers have less oversight. The law applies to both domestic and foreign communications accessible from UK territory. While the UK has strong data protection through UK GDPR, the IPA creates significant surveillance exposure, particularly for communications transiting UK infrastructure or stored with UK-accessible providers.

FISA Section 702

FISA Section 702 authorizes intelligence agencies to conduct surveillance targeting non-US persons reasonably believed to be located outside the US for foreign intelligence purposes. Unlike traditional FISA, Section 702 does not require individual court orders for each target. The FISA Court approves annual targeting and minimization procedures, but not individual targets. Major tech companies including Google, Microsoft, Facebook, and Apple must comply with directives to provide access to communications. The PRISM program operates under Section 702 authority. For EU data protection, Section 702 is problematic because it enables bulk collection of Europeans’ data with no meaningful judicial oversight or individual rights. The Schrems II ruling cited Section 702 as a key reason for invalidating the EU-US Privacy Shield. Recent reauthorizations have expanded some authorities while adding limited safeguards.

EO 12333

Executive Order 12333, signed by President Reagan in 1981 and amended multiple times since, authorizes US intelligence agencies to conduct signals intelligence collection outside US borders. This includes intercepting communications transiting international fiber optic cables (upstream collection) and accessing data stored in foreign datacenters. Unlike FISA, which involves judicial oversight, EO 12333 collection is governed primarily by executive branch policies with limited external review. The order was central to Schrems II because it enables bulk collection of European communications without individualized suspicion or meaningful redress. For data sovereignty, EO 12333 is particularly concerning because data need not be held by a US company—any data traversing US infrastructure or accessible from US territory may be subject to collection. PPD-28 and EO 14086 have added some safeguards for allied nations’ citizens, but fundamental collection authorities remain intact.

CLOUD Act

The CLOUD Act allows US law enforcement to compel US-based technology companies to provide data stored on their servers regardless of physical location. Storing data in an EU datacenter operated by Microsoft, Amazon, or Google does not shield it from US government access. The law was passed in response to the Microsoft Ireland case, in which Microsoft refused to hand over emails stored in Ireland. It creates legal conflicts with GDPR: US companies face an impossible choice between complying with US law (disclose the data) and complying with EU law (protect it). For humanitarian organizations and enterprises handling sensitive data, CLOUD Act exposure is a critical sovereignty concern. Mitigations include using non-US providers, client-side encryption with self-managed keys (so the provider holds only ciphertext it cannot decrypt), and zero-knowledge architectures. The EU-US Data Privacy Framework does not eliminate CLOUD Act powers; US companies remain subject to disclosure orders.