The regulatory issues surrounding data protection will continue to fuel an intense debate between Europe and the United States in 2024. The extension of the FISA Act—a law allowing American intelligence agencies to access personal data of non-U.S. citizens living outside the United States—is a new illustration of this.

During this period of uncertainty regarding the extension of the FISA Act, Oodrive addresses the issues raised by this highly strategic text, which contradicts European data protection legislation.

What is the FISA (Foreign Intelligence Surveillance Act)?

What does the FISA Act contain? Enacted in the United States in 1978, FISA governs both physical and electronic surveillance of foreign individuals and entities.

The text was amended in 2008 to include Section 702, which allows American intelligence agencies to collect, use, and share foreign personal data stored on servers managed by U.S.-based cloud service providers—a situation some describe as “mass surveillance.”

Electronic communication providers, including cloud services, are required to comply and provide the requested data when asked.

Practical Implications of FISA

Under FISA, U.S. federal intelligence agencies are authorized to retrieve foreign personal data, including that of European citizens. Data access requests made by American agencies are not limited to servers on U.S. soil but extend to all servers managed by U.S.-based cloud service providers.

The Extension of the FISA Act: Sources of Concern

Section 702 of the FISA Act has faced significant criticism, as it authorizes extensive surveillance of non-U.S. individuals outside U.S. borders without judicial oversight.

The FISA Act contradicts European personal data protection rules and is also criticized in the U.S. for authorizing the surveillance of American citizens.

Although Section 702 was set to expire on December 31, 2023, the U.S. Congress, unable to agree on reform methods, extended it until April 19, 2024.

Consequences of Extending the FISA Act

The FISA Act poses a threat to data protection. In Europe, personal data protection is governed by the GDPR, one of the strictest legislations globally.

However, there is no GDPR equivalent in the U.S. While some guarantees exist for American citizens’ data, they do not apply to European citizens, who lack guarantees regarding the handling of their sensitive data by U.S. authorities. The Cloud Act and the FISA Act are incompatible with the GDPR.

The extension of the FISA Act also contradicts the European cloud certification project (EUCS), whose stricter versions would require cloud service providers to demonstrate immunity to non-European laws.

Potential Hardening of the FISA Act: A Threat to Digital Sovereignty

European concerns about the FISA Act could worsen with the proposed FISA Reform and Reauthorization Act (FRRA) and its Section 504, which would extend the scope of the law and potentially toughen it.

If passed, this section could extend data communication obligations to equipment manufacturers, beyond cloud operators, further undermining European digital sovereignty ambitions.

How Can Europe Protect Its Sensitive Data from the FISA Act?

SecNumCloud, a Data Protection Guarantee Against the FISA Act

The extension of the FISA Act heightens European concerns about data protection, highlighting the French SecNumCloud standard, a qualification issued by ANSSI. This standard is currently the most stringent European standard for cloud trust and serves as a model for developing a European cloud certification (EUCS project).

Stringent and protective in security terms, the French SecNumCloud qualification counters the effects of the FISA Act. In its most recent version (3.2), the SecNumCloud standard imposes the exclusive application of European law on cloud providers and excludes any extraterritorial American law, effectively shielding against the FISA Act. However, the passage of Section 504 could challenge this exclusion.

Accelerating the Creation of a Stringent and Protective European Cloud Certification

Reactions to the extension of the FISA Act and its potential hardening with the possible passage of Section 504 also underscore the necessity for an agreement on the European cloud certification project (EUCS).

Philippe Latombe, MP for Vendée, asserts that the European cloud standard must include an immunity clause to extraterritorial rules to protect European data from U.S. interference. The European cloud certification project is currently still under discussion among the various EU member states.

Key Points to Remember About the Extension of the FISA (Foreign Intelligence Surveillance Act)

  • The FISA Act, extended until April 2024, requires cloud service providers to transmit data concerning non-U.S. citizens living outside the United States to American intelligence agencies when requested.
  • The FISA Act is not compatible with the European General Data Protection Regulation (GDPR) and poses a threat to data protection.
  • The extension of the FISA Act highlights the necessity for European states to progress on the European cloud certification project (EUCS). The European text, aligned with the SecNumCloud qualification, should include stringent data protection through immunity from non-European legislation.