Edward Snowden's 2013 disclosures revealed the scale of NSA surveillance programmes targeting data held by US technology companies. Section 702 of the Foreign Intelligence Surveillance Act — the legal backbone of these programmes — was reauthorised and expanded in April 2024, ensuring that European data stored on US cloud platforms remains accessible to American intelligence agencies.
On 6 June 2013, The Guardian and The Washington Post published the first in a series of stories based on classified documents leaked by Edward Snowden, a former NSA contractor. The disclosures revealed the existence of PRISM, an NSA programme that collected internet communications directly from the servers of major US technology companies. According to the leaked slides, PRISM's participating providers included Microsoft (since 2007), Yahoo (2008), Google (2009), Facebook (2009), Apple (2012), and others.
PRISM operated under the authority of Section 702 of the Foreign Intelligence Surveillance Act, as amended by the FISA Amendments Act of 2008. The programme allowed the NSA to issue directives to US electronic communication service providers compelling them to provide access to communications of non-US persons reasonably believed to be located outside the United States, for foreign intelligence purposes. The directives were authorised by the Foreign Intelligence Surveillance Court (FISC) through annual certifications rather than individual warrants.
The scale was staggering. The NSA's own internal documents, reported by The Guardian, described PRISM as the "number one source of raw intelligence used for NSA analytic reports." A companion programme, UPSTREAM, intercepted communications flowing through the physical fibre-optic cables that carry internet traffic, collecting data in transit. Together, these programmes gave the NSA access to both stored data (PRISM) and data in motion (UPSTREAM).
The technology companies initially denied knowledge of PRISM, but subsequent reporting and declassified documents showed they had received and complied with Section 702 directives. In the years that followed, companies including Google, Microsoft, and Apple began publishing transparency reports detailing the volume of government data requests they received — a practice that has since become industry standard.
Section 702 of FISA (50 U.S.C. § 1881a) authorises the Attorney General and the Director of National Intelligence to jointly authorise surveillance targeting non-US persons reasonably believed to be located outside the United States, for the purpose of acquiring "foreign intelligence information." Unlike traditional FISA surveillance, Section 702 does not require individualised court orders for each target. Instead, the FISC approves annual certifications that define broad categories of foreign intelligence to be collected, along with targeting and minimisation procedures.
The targeting procedures are meant to ensure that surveillance is directed at non-US persons outside the US, and the minimisation procedures govern the handling, retention, and dissemination of any US-person information incidentally collected. However, critics have long argued that these safeguards are structurally inadequate:
Section 702 was set to expire on 19 April 2024. After contentious debate, Congress passed the Reforming Intelligence and Securing America Act (RISA, H.R. 7888), which President Biden signed into law on 20 April 2024. The Act reauthorised Section 702 for two years, until April 2026.
Privacy advocates had pushed for significant reforms, including a warrant requirement for querying communications of US persons collected under Section 702. This proposal was narrowly defeated in the House. The final legislation included some modest reforms — additional oversight provisions, restrictions on purchases of commercially available data about Americans, and enhanced penalties for misuse — but preserved the core structure of warrantless surveillance of non-US persons.
More controversially, RISA expanded the definition of "electronic communication service provider" (ECSP) in FISA. The new definition encompasses any service provider that has access to equipment used to transmit or store wire or electronic communications. Critics, including Senator Ron Wyden, warned that this expansion could compel a much wider range of entities — data centres, co-location facilities, managed service providers, and even building landlords — to assist with surveillance. The intelligence community argued the expansion was narrowly targeted at closing a specific collection gap.
For European organisations, the 2024 reauthorisation confirmed that the fundamental dynamic has not changed: US law continues to authorise broad surveillance of non-US persons' data held by US providers, without the proportionality and necessity safeguards that EU fundamental rights law requires. The European Parliament's May 2023 resolution on the Data Privacy Framework specifically cited FISA 702 as evidence that the DPF "fails to create actual equivalence in the level of protection."
While FISA Section 702 governs the compelled collection of data from providers, Executive Order 12333, signed by President Reagan in 1981 and amended multiple times since, provides the legal framework for intelligence collection conducted outside the United States — including the tapping of undersea cables, satellite communications, and other infrastructure. Unlike FISA, EO 12333 has virtually no statutory constraints when applied to non-US persons abroad.
The Snowden documents revealed that the NSA conducted extensive bulk collection under EO 12333 authority, including the MUSCULAR programme — a joint NSA-GCHQ operation that intercepted data flowing between Google's and Yahoo's data centres over unencrypted internal links. A now-famous Washington Post sketch from the leaked documents showed the point at which the NSA tapped Google's infrastructure, with a handwritten "SSL added and removed here" annotation indicating where encryption was stripped.
In response, Google, Microsoft, and other companies accelerated the encryption of data in transit between their data centres. However, EO 12333 collection continues — and because it does not involve compulsory process to US companies, it operates outside the transparency reporting frameworks that companies have adopted. The CJEU explicitly cited EO 12333 in Schrems II as a reason US law fails to provide adequate protection, noting that the executive order "does not grant data subjects actionable rights before the courts against the US authorities."
Executive Order 14086, signed by President Biden in October 2022 as the foundation for the EU-US Data Privacy Framework, introduced proportionality language for signals intelligence collection and created the Data Protection Review Court. However, as an executive order, it can be amended or revoked by any future president without Congressional approval — a structural vulnerability that privacy advocates and the European Parliament have repeatedly highlighted.
Section 702 of the Foreign Intelligence Surveillance Act authorises US intelligence agencies to collect communications of non-US persons located outside the United States from US technology companies. It was reauthorised and expanded in April 2024, ensuring continued access to European data stored on US cloud platforms.
If the cloud provider is a US company, yes. Under FISA 702 and the CLOUD Act, US intelligence agencies can compel American providers to disclose data regardless of where it is physically stored. Only providers with no US legal nexus are outside this reach.
US cloud providers are subject to surveillance laws (FISA 702, Executive Order 12333) that allow government access to stored data without the knowledge of European data subjects. The CJEU has twice found US protections inadequate. European providers not subject to US jurisdiction offer a structurally safer alternative.