CISA — The biggest threat to the future of transatlantic data sharing

Image: “Flat earth night” by NASA/Goddard Space Flight Center Scientific Visualization Studio

This article was co-authored by Access Policy Analyst Estelle Massé

The U.S. Senate is poised to vote on the Cybersecurity Information Sharing Act (CISA), a privacy-invading surveillance bill masquerading as a cybersecurity bill. While there are many, many problems with this legislation, one of the most egregious is how it relates to the recent European court decision on “Safe Harbor” — and how it enables the collection of even more of our private data.

Two weeks ago, the Court of Justice of the European Union (CJEU) invalidated the “Safe Harbor” agreement, which provided a process for U.S. companies to transfer data from the E.U. after self-certifying their compliance with European data protection rules. This allowed companies to operate across the Atlantic without building separate infrastructure. The court ended Safe Harbor largely out of concern with the scope of U.S. surveillance practices impacting Europeans.

Companies are now trying to figure out how to conduct business while protecting their users’ rights. CISA would make the problem even worse. It would increase the breadth of U.S. spying and further cement the corporate-intelligence relationship, thus making it much harder for the U.S. and E.U. to come to a new agreement on how to handle data. The U.S. government should provide assurance to the E.U. by rejecting CISA and passing new surveillance protections. There are both practical and moral reasons for this. Without a new data transfer agreement, companies will have to navigate a complicated regulatory environment for transferring data. But this new agreement will not be possible if the U.S. introduces new surveillance measures via CISA. More importantly, surveillance reform would provide much-needed human rights protections for non-U.S. persons.

CISA would require the Department of Homeland Security (DHS) to deliver “cyber threat” indicators to intelligence and law enforcement agencies in near real-time. Companies would be granted broad legal immunity for supplying those indicators, which could include personal information. That means massive repositories of personal information, including data transferred from Europe, would be turned over to spying agencies. The latest version of the bill requires agencies to give notice to U.S. persons when their information is improperly shared, but a last-minute change removed that benefit for non-U.S. persons. To make matters worse, those agencies would have broad discretion over how to use the information for non-cybersecurity purposes — all without a warrant.

In its ruling, the CJEU made clear that mass access to personal data by law enforcement and intelligence authorities violates the essence of the E.U. right to privacy. The court then found that E.U. citizens have no rights in the U.S. in cases of abuse or violation of their right to privacy; consequently, the (un)Safe Harbor was at last declared invalid.

Congress has alternative legislation that would be better for privacy and better for security. To start, the Senate should approve the Judicial Redress Act, already approved by the House of Representatives. The bill would extend a limited set of privacy protections to individuals from certified countries (including, presumably, E.U. Member States). It would grant limited rights to non-U.S. citizens in cases where their personal information, transferred for law enforcement purposes, has been misused under certain sections of the U.S. Privacy Act of 1974. However, the bill does not allow people to initiate legal claims against companies for privacy breaches that take place in the U.S. With large exceptions and limited geographic reach, this bill would be just a first step in protecting the rights of non-U.S. persons.

Congress should also reform FISA Amendments Act Section 702, which is set to sunset at the end of 2017, to bring elements of the National Security Agency’s spying in line with international human rights standards. The CJEU based its decision on two programs operated under 702 — PRISM and Upstream — which most egregiously affect non-U.S. persons. The NSA uses PRISM to obtain internet communications from U.S. tech companies and Upstream to query data entering the U.S. through fiber optic cables. In addition, we need substantial reform and declassification of Executive Order 12333, a secret law that authorizes the NSA to collect and store all communications — content as well as metadata — provided that such collection occurs outside the United States.

The E.U. is negotiating a new transatlantic data transfer agreement with those reforms in mind. Adopting CISA would not only harm a U.S. economy that relies heavily on transatlantic data transfer, but it would also violate the privacy of millions of people around the world. Some U.S. companies coming to terms with last week’s ruling are now speaking up in opposition to CISA and unchecked international surveillance. They likely want to protect their customers and to counter the threat to their international business. However, we all benefit from the U.S. Senate rejecting CISA.

Access defends and extends the digital rights of users at risk around the world. By combining innovative policy, user engagement, and direct technical support, we fight for open and secure communications for all.