Glossary · US Surveillance Law

FISA 702 (Foreign Intelligence Surveillance Act, Section 702)

US surveillance law that authorizes mass collection of non-US persons' communications data from US-domiciled providers. Together with the CLOUD Act, the structural reason EU-US data transfers keep collapsing under Schrems-line challenges.

## What FISA 702 actually is

Section 702 of the **Foreign Intelligence Surveillance Act** (FISA) is a US law, enacted in 2008 and reauthorized periodically (most recently 2024), that authorizes the **US Director of National Intelligence and Attorney General** to compel US-domiciled electronic communications providers to hand over the communications of **non-US persons reasonably believed to be located outside the US**. The collected data is used for foreign intelligence purposes and may be queried by the FBI, CIA, NSA, and other US agencies.

## Why FISA 702 is structurally important

The fundamental properties of FISA 702 are:

1. It applies to **all US-domiciled electronic communications service providers** — including major tech firms (Google, Microsoft, Meta, Apple, etc.)
2. It targets **non-US persons** — i.e., everyone outside the United States, including EU citizens and EU businesses
3. It operates with **no probable cause** standard for non-US targets
4. It operates with **minimal judicial oversight** (the FISA court approves broad targeting programs, not individual surveillance)
5. It provides **no effective remedy** for affected non-US persons

This is the structural reason why EU-US data transfers keep being invalidated.

## The "PRISM" and "Upstream" programs

FISA 702 authorizes two main collection programs:

### PRISM

Direct collection from US providers. The NSA sends a "selector" (email address, phone number, etc.) and the provider hands over communications matching that selector. Revealed by Edward Snowden in 2013.

### Upstream

Collection from internet backbone infrastructure. Allows collection of communications transiting US territory (including communications between two non-US parties that touch US infrastructure).

Both programs are operated under FISA 702.

## How FISA 702 collides with GDPR

European Court of Justice (CJEU) jurisprudence — particularly [Schrems I](/en/glossary/schrems-i/) (2015) and [Schrems II](/en/glossary/schrems-ii/) (2020) — has held that:

1. EU personal data may only be transferred to non-EU jurisdictions that provide **essentially equivalent protection** to GDPR
2. US law under FISA 702 does **not** provide such protection because:
   - It allows bulk collection without individual probable cause
   - It targets non-US persons without proportionality limits
   - It provides no effective judicial remedy for non-US persons
3. Therefore, any EU-US data transfer mechanism that relies on US legal protections is structurally vulnerable

This is why **Safe Harbor → Privacy Shield → EU-US DPF** is a chain of successive frameworks, each invalidated or threatened on the same underlying issue.

## EO 14086 and the Data Privacy Framework

In 2022, President Biden signed **Executive Order 14086** establishing:

- New limits on US signals intelligence (proportionality, individual targeting)
- A two-layer redress mechanism for non-US persons (Civil Liberties Protection Officer + Data Protection Review Court)
- Updated US procedures for FISA 702 surveillance

The European Commission used EO 14086 as the basis for adopting the **[EU-US Data Privacy Framework](/en/glossary/data-privacy-framework/)** adequacy decision in July 2023.

Critics argue EO 14086 does not fully address Schrems II concerns because:

- It is an executive order (revocable by a future administration)
- The "Data Protection Review Court" sits within the executive branch (not truly independent)
- Bulk collection authority remains intact
- The fundamental imbalance between US national security and non-US person rights is unchanged

Schrems and noyb have indicated they will challenge the EU-US DPF on FISA 702 grounds. CJEU consideration is anticipated 2026-2028.

## Why FISA 702 matters for European businesses

### 1. Affects every US-domiciled SaaS

If you use Google Workspace, Microsoft 365, AWS, Slack, or essentially any US-domiciled SaaS, your data sits within FISA 702 reach.

### 2. Cannot be solved by contracts

No SCC, BCR, or other contractual mechanism can override the US surveillance law obligations of US providers. The provider may be legally compelled to hand over data and may be subject to non-disclosure orders.

### 3. EU operations don't help

US providers' EU regions and EU subsidiaries are still controlled by US parent companies, which are subject to FISA 702 (and the CLOUD Act). EU regions help with latency and data residency but not jurisdiction.

### 4. Drives demand for genuinely European alternatives

The structural FISA 702 issue is the principal reason European businesses cannot achieve true GDPR compliance with US providers, and the principal demand driver for EU alternatives.

## FISA 702 vs CLOUD Act

These two laws are complementary:

| | FISA 702 | CLOUD Act |
|--|----------|-----------|
| Purpose | Foreign intelligence collection | Criminal evidence collection |
| Targets | Non-US persons abroad | Anyone (including persons in the EU) |
| Process | Mass programs, broad targeting | Specific warrants and subpoenas |
| Reach | Communications providers | Any service provider holding data |
| Notice to affected party | Generally no | Often subject to gag orders |
| Effective EU person remedy | Minimal (DPRC under DPF) | Minimal |

Both are blockers to true GDPR adequacy of US providers.

## What 2026-2027 brings

- **CJEU consideration** of new Schrems-line challenges to the EU-US DPF
- **FISA reauthorization fights** in the US Congress
- **Continued state-sponsored surveillance escalation** affecting the threat landscape
- **Continued European sovereign cloud build-out** as the structural answer
- **No fundamental US surveillance reform** is anticipated

## Practical implications

For European tech buyers:

- **For sensitive workloads** (legal, health, financial, public-sector): treat US providers as structurally exposed regardless of contractual mechanism
- **For general workloads**: weigh FISA 702 exposure against other factors
- **For long-term strategy**: assume the EU-US DPF may be invalidated and plan accordingly
- **EU-resident alternatives** sidestep FISA 702 entirely

For European policy professionals:

- FISA 702 reform in the US is unlikely in the foreseeable future
- The structural problem will persist absent US legislative change
- The European answer is sovereign infrastructure, not contractual fixes