Startups just regained a reliable method for transatlantic data transfer, but it’s already under threat from European policymakers and privacy activists. Congress has a chance to fix that as it weighs whether to renew a controversial Internet spying authority this year.
At the heart of the effort seeking to stanch EU-U.S. data flows is not necessarily commercial practices of U.S businesses, but broad Internet spying programs, including those enabled by Section 702 of the Foreign Intelligence Surveillance Act. Congress is currently debating whether to reauthorize that program, and lawmakers should consider putting privacy concerns to bed so startups can confidently serve EU customers without the threat of impending disruption.
Section 702 of the Foreign Intelligence Surveillance Act is a sweeping spying power that the U.S. government uses to collect Internet communications en masse. Section 702 consists of two collection programs: upstream, where the National Security Agency collects information from Internet infrastructure, like cloud companies and Internet service providers, and downstream where multiple intelligence agencies collect information directly from companies that service the account of a surveillance target. The programs are only supposed to target the communications of non-US persons located abroad, but sometimes Americans’ communications are collected and queried as well.
The legal authorization for the program expires at the end of this year, meaning it is up to Congress to decide whether to reauthorize the program, and with what reforms. The Biden administration has been a strong advocate of Section 702 reauthorization, arguing that it is a critical safeguard against time-sensitive threats to U.S. national security. However, U.S. and European privacy advocates have expressed concern over how it impacts civil liberties and operates outside of typical judicial checks like obtaining a warrant. Citing past FBI and NSA abuses, many critics are wary of the expansive abilities and routine misuse of Section 702, and suggest strong reforms are needed.
While debates over government surveillance programs like 702 are often dominated by intelligence community officials and privacy advocates, startups are also a key stakeholder because U.S. surveillance threatens the data transfer agreements U.S. companies rely on to serve customers abroad. For example, U.S. surveillance practices were at the heart of a decision by Europe’s top court called Schrems II to invalidate the U.S.- EU Privacy Shield Framework that was relied upon overwhelmingly by startups to serve EU customers. Privacy Shield was itself a replacement of an earlier data transfer pact called Safe Harbor, which was invalidated for similar reasons. Following the Schrems II decision, startups faced increased costs and lost customers as they scrambled to find new legal methods, like standard contractual clauses, to transfer data across the Atlantic. Earlier this year, a decision by the Irish data protection enforcer took aim at that method of transfer as well—and U.S. surveillance practices factored heavily, with Section 702 mentioned nearly 70 times.
Earlier this summer, a new pact to transfer data across the Atlantic called the EU-U.S. Data Privacy Framework (DPF) was completed, enabling legal data transfers for companies who self-certify to the program. More than 2,500 companies are already using the framework, demonstrating its importance to the transatlantic digital trade. As part of the DPF, the Biden administration issued an executive order amending certain intelligence processes and establishing new redress mechanisms for EU citizens that allege misuse of their data by U.S. agencies.
However, some European policymakers and activists say that the changes made as part of the DPF don’t go far enough. This is because they provide post-facto redress, but there have been no changes to the underlying surveillance programs they take issue with, like those enabled by Section 702. These critics are already challenging the DPF or have announced their plans to do so imminently, meaning the threat Section 702 poses to startups’ success abroad is still hanging out there.
As lawmakers debate reauthorizing and reforming Section 702, they have many national security, privacy, and legal questions to consider, but they shouldn’t forget that this is also a business issue to the many startups across the country that have clients and users in Europe. Agreements like the DPF lower barriers for startups to compete in markets abroad, expanding their businesses and, in turn, spurring job growth back home. Despite the changes that the U.S. government undertook as part of the new framework, it’s already under threat, and Congress should consider shoring up the agreement by addressing privacy concerns related to Section 702 as they debate reauthorization this year.