The recent two-year extension of Section 702 of the Foreign Intelligence Surveillance Act (FISA) represents a significant escalation in global cybersecurity tensions, particularly in Europe. Originally enacted to enhance US national security, Section 702 grants American intelligence agencies far-reaching surveillance powers, enabling them to collect, use, and disseminate electronic communications stored by US organisations without a warrant.
While this may serve US interests, its implications for European data privacy are far-reaching, especially in the context of existing legislation like GDPR and the Schrems II verdict.
The renewal and expansion of Section 702, which now covers any business with internet-linked infrastructure, pushes Europe closer to a decisive confrontation over cybersecurity sovereignty.
At its core, Section 702 transforms businesses with access to communication transmission or storage into potential proxies of the US government’s surveillance apparatus. This creates a dilemma for European organisations and individuals whose data might be stored or processed by US companies. Under GDPR, transferring personal data outside Europe is permissible only if the receiving country offers an “adequate” level of protection. With its broad surveillance powers under FISA, the US falls short of this standard, rendering such data transfers potentially illegal.
This issue was highlighted by the Court of Justice of the EU (CJEU) in the Schrems II case, which invalidated the Privacy Shield framework, a previous attempt to regulate transatlantic data flows. The recently introduced successor to Privacy Shield, the Data Privacy Framework (DPF), and the UK extension to the framework are already under scrutiny, and many argue that the DPF fails to address the core issues raised by Schrems II, particularly the sweeping scope of FISA’s surveillance powers. With the renewal of Section 702, the fragility of the DPF becomes even more apparent. The likelihood of a “Schrems III” challenge looms large, which could once again disrupt the legal mechanisms facilitating data transfers between Europe and the US.
The consequences of FISA’s renewal extend beyond legal challenges; they strike at the heart of trust between European consumers and US tech companies. As businesses and individuals grow increasingly wary of their data being exposed to US surveillance, European companies may reconsider partnerships with American vendors. This could lead to significant disruptions in transatlantic commerce, forcing businesses to seek alternative solutions.
Additionally, European regulatory bodies are likely to respond with stricter controls on data transfers to the US. In a recent statement, European Commission Vice President Věra Jourová indicated that the Commission is closely monitoring the situation, suggesting that further reforms may be necessary. Such measures could complicate cross-border data flows, imposing additional compliance burdens on businesses that operate in both regions.
The renewal of FISA Section 702, therefore, could inadvertently spur a movement towards greater cybersecurity sovereignty in Europe.
Digital sovereignty, the idea that a state should have control over its own data and digital infrastructure, is gaining traction as a response to the perceived overreach of US surveillance laws. By ensuring that data remains within European borders and under the jurisdiction of European laws, countries can better protect their citizens’ privacy and maintain control over their digital assets.
As a result, the value of European cybersecurity vendors is becoming increasingly clear. This shift towards European solutions is not merely about avoiding US surveillance. It represents a broader movement towards asserting control over the digital tools and infrastructures that underpin modern society. In an era where data is as valuable as currency, the ability to safeguard this resource is crucial for both national security and economic stability.
Tools such as Security Information and Event Management (SIEM) and log management are critical to managing data and compliance, but most vendors hail from the US, meaning that European organisations’ security data could potentially be accessed by US intelligence agencies under FISA. This presents a significant risk for companies that must comply with GDPR and other data protection regulations.
However, European vendors such as Logpoint are not subject to FISA, which means organisations can minimise their exposure to US surveillance and ensure that their data remains secure and compliant with European regulations. Their solutions are designed with EU data protection regulations, such as GDPR, in mind, and an on-prem solution provides further control over data.
The extension of FISA Section 702 is likely to accelerate Europe’s push for greater cybersecurity sovereignty. As trust in US data protection standards wanes, European organisations and regulators are increasingly motivated to develop and adopt solutions that keep their data within Europe. This movement is not without its challenges—achieving true digital sovereignty will require significant investment in technology and infrastructure. However, the long-term benefits of such a shift, including enhanced data security, regulatory compliance, and independence from foreign surveillance, make it a goal worth pursuing.
The debate over FISA Section 702 is not just about privacy; it is about power. By taking control of their digital futures, European nations can ensure that their citizens’ rights are protected and that their economies remain resilient in the face of external pressures. The renewal of FISA may have been intended to strengthen US national security, but its unintended consequence could be the birth of a more sovereign and secure digital Europe.