As general counsel of Twilio, a mid-size cloud computing company, I follow Washington closely. You may be surprised to know that U.S. surveillance programs and oversight can have a big impact on us and our customers.
With one of the most important surveillance laws, Section 702 of the Foreign Intelligence Surveillance Amendments Act, set to expire on Jan. 19, time is running short for Congress to act.
Specifically, Congress needs to determine how U.S. government agencies monitor the activities of non-U.S. citizens outside of the United States through access to electronically-stored data, and Congress needs to do so without undermining U.S. companies’ access to European markets.
{mosads}If Congress merely extends Section 702, or passes H.R. 4478, which was approved by a partisan majority of the House Select Committee on Intelligence, it risks reversing progress that has been made over the last two years to ensure that small and mid-sized U.S. businesses continue to have access to the European Union marketplace.
Every day, U.S. companies rely on transatlantic data transfer agreements — essential tools that permit U.S. companies to lawfully transfer data from the EU for processing and storage in the U.S.
These agreements, which set the rules of the road for these data transfers, protect and advance a trusted data ecosystem in the U.S. and the EU, and are essential to our competitiveness within the EU and elsewhere in the world. Understandably, our law-abiding EU customers want assurance that their data will not be subjected to unfettered or unjustified snooping.
Strong oversight rules that ensure the accountability and propriety of U.S. surveillance are critical to maintaining the trusted data ecosystem necessary for U.S. companies to remain competitive globally.
A key transatlantic data agreement is the EU-U.S.Privacy Shield, which provides an important avenue for more than 2,400 U.S. companies to participate in the EU market and move data to the U.S. from the EU. While many larger companies have the resources to invest in country-by-country data centers to store their EU-based customer data in the EU, that’s a prohibitively expensive solution for most small- and mid-sized U.S. companies. Instead, we rely on mechanisms like Privacy Shield to transfer and store data in the U.S.
So what does Privacy Shield have to do with U.S. surveillance programs?
European courts have ruled that all transatlantic data transfer agreements — like Privacy Shield — must ensure that the rights of Europeans are protected. If data privacy advocates, as well as data privacy authorities (DPAs) in EU member states, do not believe that U.S. surveillance laws meet these standards, they can seek to have Privacy Shield and similar agreements ruled invalid in a European court, thereby choking off the flow of data — the fuel of the new economy — between two of the largest markets in the world.
This is exactly the threat that looms today.
In December, an organization of EU member state DPAs called the Article 29 Working Party (WP29) conducted its first annual assessment of the Privacy Shield and urged the EC to restart negotiations over the agreement. Citing U.S. surveillance policies, including the current Section 702 program, the WP29 has threatened to take action to dismantle the agreement, including a challenge to Privacy Shield in European courts.
Among other things, the WP29 report concluded there was a need for greater assurances to support U.S. government assertions that its collection and access to communications under Section 702 are not “generalized” or “indiscriminate.” In addition, the WP29 report called for additional Section 702 safeguards, including those that would ensure more “precise targeting” and “stricter scrutiny” of individual targets. It also called attention to the need for appropriate oversight and transparency of U.S. surveillance practices.
At best, without additional privacy safeguards, Privacy Shield could be subject to legal challenges. This uncertainty could have a negative effect the private sector, and potentially dampen investment and overall economic growth.
Even worse, Privacy Shield could be struck down by European Courts, leaving thousands of companies grappling with how to prevent loss of profit, productivity, or competitiveness stemming from their inability to lawfully, efficiently and cost-effectively transfer data between the EU and U.S.
Congress’s reauthorization of Section 702 is an opportunity to include additional safeguards and reforms, while continuing to uphold U.S. national security. This includes increasing transparency, improving oversight, heightening the standards to target someone for surveillance, and preventing the program from being used to collect or search for the information of individuals who are not surveillance targets. Many of these reforms are included in the House and Senate versions of the USA Liberty Act, and should be the starting point for Congress on a bipartisan reauthorization and reform of Section 702.
A reauthorization that does not include these reforms needlessly jeopardizes the progress made over the last two years to ensure continued access to the EU marketplace for small and medium-sized U.S. businesses.
That’s why companies such as mine are closely watching the calendar and why we urge Congress to pass a bill that both reauthorizes and reforms Section 702 — now. Doing so advances both our national security and our economic security interests.
Karyn Smith is the general counsel for Twilio, a cloud computing platform headquartered in San Francisco, California.