UPDATE 2014-02-21: according to this (.pdf) declassified document “Recall from OVSC1100, the Overview of Signals Intelligence Authorities, that we learned that in addition to E.O. 12333, NSA may perform SIGINT functions under various FISA authorities to include NSA FISA, FBI FISA, FISA Amendments Act (FAA) Section 702, 704, and 705(b). While there are specific rules governing when and how these authorities may be applied, each of these authorities has the potential to provide a valuable and unique complement to our E.O. 12333 collection resources. Similarly, the BR and PR/TT Bulk Metadata Programs provide analysts with another opportunity to gain unique collection on a target. By leveraging as many of these various collection authorities available to them as permitted, analysts can fill existing knowledge gaps on their target. (…) One prime example of how an analyst leveraged several of these collection authorities to close crucial knowledge ga ps on a target occurred in Fall 2009, when a CT analyst pieced together information obtained from E.O. 12333, FAA 702, and BR FISA authorities to reveal a terrorist plot on the New York subway system, which was subsequently disrupted by the FBI.”
UPDATE 2014-01-{23,24}: in the U.S., the Privacy & Civil Liberties Oversight Board (PCLOB), an ‘independent federal privacy watchdog’ has found the telephony metadata collection under Section 215 to be illegal in their new report (.pdf, Jan 23). NY Times reported about it here, WaPo here, Ars Technica here, FAS here.
UPDATE 2014-01-17: DNI declassified 24 FISC orders approving NSA’s collection, use of telephony metadata under FISA Section 501, commonly referred to as ‘Section 215’, as does the EU-US Working Group report. Journalist Marcy Wheeler (@emptywheel) notes: “Of particular note, though, they seem to be withholding the BR 09-15 primary order, which was right in the middle of PATRIOT reauthorization, when NSA kept disseminating results in violation of Reggie Walton’s orders.”

UPDATE 2013-12-16: a partially declassified list of EU participants to the Working Group can be found here (.pdf).
UPDATE 2013-12-09: here is an excerpt from Viviane Reding’s speech (.doc) during the Civil Liberties Committee hearing of December 9th on Data Protection and U.S. Surveillance European Parliament/Strasbourg (original emphasis):

[…]

Let’s be honest. Some questions were not answered. The report is clear on this point. We know little about the use of some US legal bases on data collection (such as executive orders), the existence of other surveillance programmes, as well as limitations applicable to these programmes.

Many questions were answered. They are the raw material, the basis, of the recommendations that the Commission has made.

I would draw three main conclusions from the discussions.

First, the U.S. confirmed that these programmes exist and that their scope is broad. We had long discussions about the purpose of the surveillance programmes, and the conditions under which data can be collected and processed under U.S. law.

Second, the conditions and safeguards which apply are discriminatory. They protect EU citizens only to a limited extent. Whilst there are procedures regarding the targeting and minimisation of data collection for U.S. citizens, these procedures do not apply to EU citizens, even when they have no connection with terrorism, crime or any other unlawful or dangerous activity. In addition, while U.S. citizens benefit from constitutional protections, these do not apply to EU citizens not residing in the U.S.

Third, while some judicial oversight exists, it is of little added value from the perspective of a European. The orders of the Foreign Intelligence Surveillance Court, the FISA Court, are secret and companies providing assistance are required to maintain secrecy. There are no avenues (judicial or administrative), for either EU or U.S. data subjects to be informed whether their personal data is being collected or further processed. There are no opportunities for individuals to obtain access, rectification or erasure of data, or administrative or judicial redress.

While there are oversight mechanisms by the three branches of the U.S. Government, it is clear that they have loopholes. You are aware of the internal U.S. debates on this point.

In any case, there is no judicial oversight at all on the collection of foreign intelligence outside the U.S., which is conducted under the sole competence of the Executive Branch.

[…]

In addition, the following four steps for rebuilding trust in EU-US data flows “stand out” (for details, see the original document):

1. a swift adoption of the EU Data Protection Reform.
2. we must make Safe Harbour safer.
3. we have to agree strong data protection rules in the law enforcement context.
4. we must ensure that European concerns are addressed in the ongoing U.S. reform process.

 
============ ORIGINAL POST IS BELOW THIS LINE ============

The EU co-chairs of the ad hoc EU-US Working Group on Data Protection presented (.pdf, Nov 27) their findings in a report. The Working Group was established “to establish the facts about US surveillance programmes and their impact on fundamental rights in the EU and personal data of EU citizens” (p.2).

Summary of main findings (cited from p.26/27; original emphasis):

1. Under US law, a number of legal bases allow large-scale collection and processing, for foreign intelligence purposes, including counter-terrorism, of personal data that has been transferred to the US or is processed by US companies. The US has confirmed the existence and the main elements of certain aspects of these programmes, under which data collection and processing is done with a basis in US law that lays down specific conditions and safeguards. Other elements remain unclear, including the number of EU citizens affected by these surveillance programmes and the geographical scope of surveillance programmes under Section 702.
2. There are differences in the safeguards applicable to EU data subjects compared to US data subjects, namely:
   • i. Collection of data pertaining to US persons is, in principle, not authorised under Section 702. Where it is authorised, data of US persons is considered to be “foreign intelligence” only if necessary to the specified purpose. This necessity requirement does not apply to data of EU citizens which is considered to be “foreign intelligence” if it relates to the purposes pursued. This results in lower threshold being applied for the collection of personal data of EU citizens.
   • ii. The targeting and minimisation procedures approved by FISC under Section 702 are aimed at reducing the collection, retention and dissemination of personal data of or concerning US persons. These procedures do not impose specific requirements or restrictions with regard to the collection, processing or retention of personal data of individuals in the EU, even when they have no connection with terrorism, crime or any other unlawful or dangerous activity. Oversight of the surveillance programmes aims primarily at protecting US persons.
   • iii. Under both Section 215 and Section 702, US persons benefit from constitutional protections (respectively, First and Fourth Amendments) that do not apply to EU citizens not residing in the US.
3. Moreover, under US surveillance programmes, different levels of data protection safeguards apply to different types of data (meta-data vs. content data) and different stages of data processing (initial acquisition vs. further processing/analysis).
4. A lack of clarity remains as to the use of other available legal bases, the existence of other surveillance programmes as well as limitative conditions applicable to these programmes. This is especially relevant regarding Executive Order 12333.
5. Since the orders of the FISC are classified and companies are required to maintain secrecy with regard to the assistance they are required to provide, there are no avenues, judicial or administrative, for either EU or US data subjects to be informed of whether their personal data is being collected or further processed. There are no opportunities for individuals to obtain access, rectification or erasure of data, or administrative or judicial redress. 
6. Various layers of oversight by the three branches of Government apply to activities on the base of Section 215 and Section 702. There is judicial oversight for activities that imply a capacity to compel information, including FISC orders for the collection under Section 215 and annual certifications that provide the basis for collection under Section 702. There is no judicial approval of individual selectors to query the data collected under Section 215 or tasked for collection under Section 702. The FISC operates ex parte and in camera. Its orders and opinions are classified, unless they are declassified. There is no judicial oversight of the collection of foreign intelligence outside the US under Executive Order 12333, which are conducted under the sole competence of the Executive Branch.”

For my own purposes I keep my notes here (emphasis is mine):

1. AIM AND SETTING UP OF THE WORKING GROUP

p.2: “Given the central position of US information and communications technology companies in the EU market, the transatlantic routing of electronic data flows, and the volume of data flows across the Atlantic, significant numbers of individuals in the EU are potentially affected by the US programmes.”

p.3: “The report is based on information provided by the US during the meetings of the ad hoc EU-US working group, as well as on publicly available documents, including classified documents disclosed in the press but not confirmed by the US. (…) The US was provided with an opportunity to comment on possible inaccuracies in the draft. The final report has been prepared under the sole responsibility of the EU-co chairs.”

p.3: “The scope of the discussions was also limited by operational necessities and the need to protect classified information, particularly information related to sources and methods. The US authorities dedicated substantial time and efforts to responding to the questions asked by the EU side on the legal and oversight framework in which their Signal Intelligence capabilities operate.”

2. THE LEGAL FRAMEWORK

p.4: “Two legal authorities that serve as bases for the collection of personal data by US intelligence agencies are: Section 702 of the Foreign Intelligence Surveillance Act of 1978 (FISA) (as amended by the 2008 FISA Amendments Act, 50 U.S.C. § 1881a); and Section 215 of the USA PATRIOT Act 2001 (which also amended FISA, 50 U.S.C. 1861). The FISA Court has a role in authorising and overseeing intelligence collection under both legal authorities.”

p.5: “The US further clarified that not all intelligence collection relies on these provisions of FISA; there are other provisions that may be used for intelligence collection. The Group’s attention was also drawn to Executive Order 12333, issued by the US President in 1981 and amended most recently in 2008, which sets out certain powers and functions of the intelligence agencies, including the collection of foreign intelligence information. No judicial oversight is provided for intelligence collection under Executive Order 12333, but activities commenced pursuant to the Order must not violate the US constitution or applicable statutory law.“

2.1. Section 702 FISA (50 U.S.C. § 1881a)

p.5: “Section 702 FISA provides a legal basis for the collection of “foreign intelligence information” regarding persons who are “reasonably believed to be located outside the United States. (…) Under Section 702, information is obtained “from or with the assistance of an electronic communication service provider”.

p.5: “The US confirmed that it is under Section 702 that the National Security Agency (NSA) maintains a database known as PRISM. This allows collection of electronically stored data, including content data, by means of directives addressed to the main US internet service providers and technology companies providing online services, including, according to classified documents disclosed in the press but not confirmed by the US, Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Apple, Skype and YouTube.“

p.6: “The US also confirmed that Section 702 provides the legal basis for so-called “upstream collection“; this is understood to be the interception of Internet communications by the NSA as they transit through the US (e.g. through cables, at transmission points).”

p.6: “Section 702 does not require the government to identify particular targets or give the Foreign Intelligence Surveillance Court (hereafter ‘FISC’) Court a rationale for individual targeting. Section 702 states that a specific warrant for each target is not necessary.

The US stated that no blanket or bulk collection of data is carried out under Section 702, because collection of data takes place only for a specified foreign intelligence purpose.“

p.10: “Declassified FISC opinions confirm that US intelligence agencies have recourse to methods of collection under Section 702 that have a wide reach, such as the PRISM collection of data from internet service providers or through the “upstream collection” of data that transits through the US.”

The EU asked for specific clarifications on the issue of collection of or access to data not located or not exclusively located in the US; data stored or otherwise processed in the cloud; data processed by subsidiaries of US companies located in the EU; and data from Internet transmission cables outside the US. The US declined to reply on the grounds that the questions pertained to methods of intelligence collection.“

2.2. Section 215 US Patriot Act (50 U.S.C. § 1861)

p.10/11: “Section 215 of the USA-Patriot Act 2001 (…) permits the Federal Bureau of Investigation (FBI) to make an application for a court order requiring a business or another entity to produce “tangible things”, such as books, records or documents, where the information sought is relevant for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.

The US confirmed that this provision serves as the basis for a programme of intelligence collection via orders obtained by the FBI from the FISC directing certain telecommunications service providers to provide specified non-content telephony “meta-data”. For that programme, the information is stored by the NSA and queried only for counter-terrorism purposes.

That programme is limited to the collection of call detail records, or telephony “meta-data” maintained by specified telecommunications service providers. These records cover information such as telephone numbers dialled and the numbers from which calls are made, as well as the date, time and duration of calls, but do not include the content of the calls, the names, address or financial information of any subscriber or customer, or any cell site location information. According to the explanations provided by the US, this means that the intelligence agencies cannot, through this programme, listen to or record telephone conversations.

(…) The US also explained that, although the collection is broad in scope, the further processing of the meta-data acquired under this programme is limited to the purpose of investigation of international terrorism. It was stated that the bulk records may not be accessed or queried by intelligence agencies for any other purpose.”   

2.3 Executive Order 12333

p.12: “The US indicated that Executive Order 12333 serves as the basis for other surveillance programmes, the scope of which is at the discretion of the President. (…)”

p.12: “(…) The EU requested information in particular with regard to the application of Executive Order 12333 to bulk data collection, its impact on individuals in the EU and any applicable safeguards. The US explained that the part that covers signals intelligence annexed to the relevant regulation setting forth procedures under 12333 is classified, as are the supplementary procedures on data analysis, but that the focus of these procedures is on protecting information of US persons. (…)”

p.12: “The US confirmed that judicial approval is not required under Executive Order 12333 and that there is no judicial oversight of its use, except in limited circumstances such as when information is used in a legal proceeding. Executive oversight is exercised under Executive Order 12333 by the Inspector-Generals of each agency (…) The US was unable to provide any quantitative information with regard to the use or impact on EU citizens of Executive Order 12333. (…)”

p.13: “The US further confirmed that in the US there are other legal bases for intelligence collection where the data of non-US persons may be acquired but did not go into details as to the legal authorities and procedures applicable.“

3. COLLECTION AND FURTHER PROCESSING OF DATA

p.13: “(…) the US stated that the collection of personal information based on Section 702 FISA and Section 215 Patriot Act is subject to a number of procedural safeguards and limitative conditions. Under both legal authorities, according to the US, privacy is protected by a multi-layered system of controls on what is collected and on the use of what is collected, and these controls are based on the nature and intrusiveness of the collection.”

p.13: “It appeared from the discussions that there is a significant difference in interpretation between the EU and the US of a fundamental concept relating to the processing of personal data by security agencies. For the EU, data acquisition is synonymous with data collection and is a form of processing of personal data. Data protection rights and obligations are already applicable at that stage. Any subsequent operation carried out on the data collected, such as storage or consultation by human eyes, constitutes further processing. As the US explained, under US law, the initial acquisition of personal data does not always constitute processing of personal data; data is “processed” only when it is analysed by means of human intervention. This means that while certain safeguards arise at that moment of acquisition, additional data protection safeguards arise at the time of processing.“

3.1. Section 702 FISA

3.1.1. Certification and authorization procedure

p.14: “Section 702 does not require individual judicial orders or warrants authorizing collection against each target. Instead, the FISC approves annual certifications submitted in writing by the Attorney General and the Director of National Intelligence. Both the certifications and the FISC’s orders are secret, unless declassified under US law. The certifications, which are renewable, identify categories of foreign intelligence information sought to be acquired. They are therefore critical documents for a correct understanding of the scope and reach of collection pursuant to Section 702.

The EU requested, but did not receive, further information regarding how the certifications or categories of foreign intelligence purposes are defined and is therefore not in a position to assess their scope. The US explained that the specific purpose of acquisition is set out in the certification, but was not in a position to provide members of the Group with examples because the certifications are classified. (…) The FISC does not scrutinise the substance of the attestation or the need to acquire data against the purpose of the acquisition, e.g. whether it is consistent with the purpose or proportionate, and in this regard cannot substitute the determination made by the Attorney General and the Director of National Intelligence. Section 702 expressly specifies that certifications are not required to identify the specific facilities, places, premises, or property to which an acquisition of data will be directed or in which it will be conducted.

On the basis of FISC-approved certifications, data is collected by means of directives addressed to electronic communications services providers to provide any and all assistance necessary. On the question of whether data is “pushed” by the companies or “pulled” by the NSA directly from their infrastructure, the US explained that the technical modalities depend on the provider and the system they have in place; providers are supplied with a written directive, respond to it and are therefore informed of a request for data. (…)”

p.15: “According to the US, under Section 702, once communications from specific targets that are assessed to possess, or that are likely to communicate, foreign intelligence information have been acquired, the communications may be queried. This is achieved by tasking selectors that are used by the targeted individual, such as a telephone number or an email address. The US explained that there are no random searches of data collected under Section 702, but only targeted queries. Query terms include names, email addresses, telephone numbers, or keywords. When query terms are used to search databases, there is no requirement of reasonable suspicion neither of unlawful activity nor of a specific investigation. The applicable criterion is that the query terms should be reasonably believed to be used to return foreign intelligence information. The US confirmed that it is possible to perform full-text searches of communications collected, and access both content information and metadata with respect to communications collected.

(…) There is no judicial scrutiny of the selectors tasked, e.g. their reasonableness or their use. The EU requested further information on the criteria on the basis of which selectors are defined and chosen, as well as examples of selectors, but no further clarifications were provided.“

p.16: “Finally, the FISC review does not include review of potential measures to protect the personal information of non-US persons outside the US.”

3.1.2. Quantitative indicators

p.17: “(…) The US did not discuss the specific number of certification or selectors. Additionally, the US was unable to quantify the number of individuals in the EU affected by the programmes.

The US confirmed that 1.6% of all global internet traffic is “acquired” and 0.025% of it is selected for review; hence 0.0004% of all global internet traffic is looked at by NSA analysts. The vast majority of global internet traffic consists of high-volume streaming and downloads such as television series, films and sports1. Communications data makes up a very small part of global internet traffic. The US did not confirm whether these figures included “upstream” data collection.”

3.1.3. Retention Periods

p.17: “The US side explained that “unreviewed data” collected under Section 702 is generally retained for five years, although data collected via upstream collection is retained for two years.”

p.18: “The EU asked what happens to “non-responsive” information (i.e. data collected that does not respond to query on the basis of a query term). The US responded that it is not “collecting” non-responsive information. According to the US, information that is not reviewed pursuant to a query made to that database normally will “age off of the system”. It remains unclear whether and when such data is deleted.“

3.1.4. Onward transfers and sharing of information

(…)

3.1.5. Effectiveness and added value

(…)

3.1.6. Transparency and remedies ex-post

(…)

3.1.7. Overarching limits on strategic surveillance of data flows

p.19: “The EU asked whether surveillance of communications of people with no identified link to serious crime or matters of state security is limited, for example in terms of quantitative limits on the percentage of communications that can be subject to surveillance. The US stated that no such limits exist under US law.“

3.2. Section 215 US Patriot Act

(…)

3.2.1. Authorization procedure

(…)

3.2.2. Quantitative indicators

p.20: “The US explained that only a very small fraction of the telephony meta-data collected and retained under the Section 215-authorised programme is further reviewed, because the vast majority of the data will never be responsive to a terrorism-related query. It was further explained that in 2012 less than 300 unique identifiers were approved as meeting the “reasonable, articulable suspicion” standard and were queried. According to the US, the same identifier can be queried more than once, can generate multiple responsive records, and can be used to obtain second and third-tier contacts of the identifier (known as “hops”). The actual number of queries can be higher than 300 because multiple queries may be performed using the same identifier. The number of persons affected by searches on the basis of these identifiers, up to third-tier contacts, remains therefore unclear.”

3.2.3. Retention periods

p.21: “The US explained that, in principle, data collected under Section 215 is retained for five years, with the exception for data that are responsive to authorized queries. In regard to data that are responsive to authorized queries, the data may be retained pursuant to the procedures of the agency holding the information, e.g. the NSA or another agency such as the FBI with whom NSA shared the data.”

3.2.4. Onward transfers and sharing of information

p.22: “According to the US, the orders for the production of telephony meta-data, among other requirements, prohibit the sharing of the raw data and permit NSA to share with other agencies only data that are responsive to authorized queries for counterterrorism queries.”

4. OVERSIGHT AND REDRESS MECHANISMS

4.1. Executive oversight

p.23: “Once the data is collected, a number of executive oversight mechanisms and reporting procedures apply. There are internal audits and oversight controls (e.g. the NSA employs more than 300 personnel who support compliance efforts). Each of the 17 agencies that form the intelligence community, including the Office of the Director of National Intelligence has a General Counsel and an Inspector General. The independence of certain Inspectors General is protected by a statute and who can review the operation of the programmes, compel the production of documents, carry out on-site inspections and address Congress when needed. Regular reporting is done by the executive branch and submitted to the FISC and Congress.

As an example, the NSA Inspector-General in a letter of September 2013 to Congress referred to twelve compliance incidents related to surveillance under Executive Order 12333.In this context, the US drew the Group’s attention to the fact that since 1 January 2003 nine individuals have been investigated in relation to the acquisition of data related to non-US persons for personal interests. The US explained that these employees either retired, resigned or were disciplined.”

4.2. Congressional oversight

(…)

4.3. Judicial oversight: FISC role and limitations

(…)

EOF