Congress Again Approaches Deadline for Extending FISA 702 Authorities, Creating Uncertainty for Communications Providers

For the second time in three years, Section 702 of the Foreign Intelligence Surveillance Act (FISA) is poised to expire. Section 702 authorizes U.S. intelligence agencies to obtain the communications of non-U.S. persons who are reasonably believed to be outside the U.S. to obtain “foreign intelligence information.” 50 U.S.C. §1881a(i). The foreign intelligence information currently authorized by the Foreign Intelligence Surveillance Court (FISC) for collection is focused on specific categories: counterterrorism, foreign governments, countering proliferation, and international counternarcotics. The FISC plays an important role in reviewing certifications made to it by both the Attorney General and the Director of National Intelligence and regularly reviews agency compliance.

The law requires “electronic communication service providers” to assist the government in obtaining target communications upon receipt of a directive from the Attorney General or the Director of National Intelligence, which is considered compulsory legal process. Without additional action by Congress, the Section 702 authorities will expire April 30, 2026. Section 702’s expiration (or potential changes to the statute) would impact communications and remote computing services providers.

Over the years, Section 702 has been one of the most controversial and technically challenging provisions of U.S. surveillance law. A recent report from the Privacy and Civil Liberties Oversight Board (PCLOB) found that Section 702 “remains highly valuable,” and recent reforms within the Federal Bureau of Investigation (FBI) have reportedly reduced the frequency of incidents in which FBI personnel queried information about U.S. persons that had been collected incidentally. Nevertheless, significant concerns remain across key stakeholder groups, placing the reauthorization in jeopardy again.

Congress Has a Path Forward, But May Not Reach Consensus in Time

The Trump Administration and some in Congress support a “clean” reauthorization that would extend Section 702 authorities without modifying the underlying requirements or procedures. In the U.S. House of Representatives, Republican holdouts and Democrats voted against a clean 18-month extension of FISA 702 (H.R. 8035) and a five-year extension with certain changes. Opponents of a clean reauthorization continue to seek warrant requirements and other protections for Americans whose data may have been inadvertently collected. With no consensus as of April 17, Congress passed an extension that keeps Section 702 in place until April 30, 2026, while negotiations continue on potential revisions to the law.

In the U.S. Senate, Judiciary Committee Chairman Chuck Grassley and Intelligence Committee Chairman Tom Cotton each support a clean 18-month extension. However, Senator Ron Wyden and Senate Judiciary Committee Ranking Member Dick Durbin are seeking greater protections for U.S. persons and restrictions on the government buying American’s personal data from data brokers. Senator Durbin and Senator Mike Lee previously introduced a FISA reauthorization bill, S. S. 3893, which would make these changes and rewrite parts of the Electronic Communications Privacy Act to expand its applicability to certain service providers.

Even with an extension of Section 702 authorities to  April 30, uncertainty over the outcome of Congress’ deliberations remains.

What Should Providers Think About if Section 702 Expires

What happens to current coverage?

In the past, the U.S. government has sought to obtain extensions or reauthorizations of existing directives in advance of the statute’s expiration date, reasoning that orders valid when issued remain in effect until the order’s expiration, not the expiration of the underlying statute. Because directives can be authorized for up to one year under 50 U.S.C § 1881a(a), a directive approved by the FISC before April 30, 2026, could remain in effect until one year after its issuance, including beyond the statute’s expiration date.

What would reforms mean for providers?

Proposals to reform FISA Section 702 abound—many observers have called for a warrant requirement (a proposal the government has consistently opposed over the years). While ideally, reforms would include immunity for providers when they respond in good faith to lawful requests (as the Stored Communications Act offers), the lack of such protections for companies responding to FISA directives underscores the need for robust oversight and compliance mechanisms for legal and operational teams that respond to government legal process.

***

Wiley’s Privacy, Cyber & Data Governance and Telecommunications, Media, and Technology teams advise providers on responses to compulsory legal process involving national security authorities and have helped companies of all sizes proactively address risks and compliance with evolving government authorities. Please reach out to any of the authors with questions.