IPOL | Policy Department for Citizens’ Rights and Constitutional Affairs
3 US PRIVACY AND SURVEILLANCE LAWS

KEY FINDINGS

A US Congressional Research Service review found a “patchwork” of federal data protection laws which “primarily regulate certain industries and subcategories of data.” The rather limited protections accorded to “US persons” by the Fourth Amendment are largely non-existent in relation to non-US individuals outside the USA, while “privacy torts” are too limited to even compare to EU data protection concepts.

Several broad federal privacy bills have been introduced to Congress since 2019. While such legislation would clearly offer very significant improvement in protection of personal data, as currently drafted, none of them achieve “essential equivalence” to the GDPR.

Consumer privacy bills have been passed or introduced in dozens of the individual states. California’s Privacy Rights Act (CPRA), which will enter into force in 2023, is closest to the GDPR, but still falls short of “essential equivalence” in scope and exceptions. Nor is it likely any other US state will adopt a law going beyond the CPRA.

The Foreign Intelligence Surveillance Act (FISA) regulates US national security and foreign intelligence-related electronic surveillance. Outside the US, electronic surveillance activities of the US intelligence community targeting non-US persons are generally governed by Executive Order 12333. Presidential Policy Directive 28 (PPD-28) contains limits on the use of signals intelligence collected in “bulk” by the intelligence community.

The CJEU invalidated the Privacy Shield adequacy decision because FISA s.702 and E.O. 12333, even as limited by PPD-28, are too permissive to meet the GDPR’s standards of necessity and proportionality and do not provide EU data subjects with effective judicial redress.
3.1 US privacy laws

3.1.1 Introduction
As explained in a US Congressional Research Service paper¹¹¹ of 2019:

Despite the increased interest in data protection, the legal paradigms governing the security and privacy of personal data are complex and technical, and lack uniformity at the federal level. The
111 In this section, as indicated in the quotes and footnote references, we draw extensively on the US Congressional Research Service report, Data Protection Law: An Overview, 25 March 2019 (hereafter: “CRS Data Protection Report”, at https://fas.org/sgp/crs/misc/R45631.pdf). We have done this because the CRS overviews can be regarded as fair summaries of this very complex area of US federal and state law, without any “European” bias. The US government has stated: “There is a wealth of public information about privacy protections in U.S. law concerning government access to data for national security purposes, including information not recorded in Decision 2016/1250, new developments that have occurred since 2016, and information the ECJ neither considered nor addressed.” Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II, White Paper, September 2020, at: https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF See also Chris Hoofnagle, New Challenges to Data Protection - Country Report: United States, study for the European Commission, 2010, at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1639161 We have updated the information and added our own observations as appropriate.
PE 694.678