Recently, the Data Protection Conference of Germany requested Professor Stephen I. Vladeck to provide an expert opinion on the scope of FISA Section 702’s application. In particular, the Data Protection Conference seemed interested in FISA Section 702 having an extraterritorial application. In his testimony, Professor Vladeck stated that if an EU company has a U.S. subsidiary or legal presence in the United States, the data held by the company could be subject to a FISA Section 702 directive. Determining whether a law has extraterritorial reach is complicated, and for FISA 702, would in part involve an analysis of whether Congress intended for the law to have extraterritorial application. For more information on FISA 702, please consult our online resource guide.
In this post, I will look into one specific aspect: if we assume that FISA 702 was intended to be extraterritorial in scope, what would happen if the U.S. government went to the Foreign Intelligence Surveillance Court to enforce a directive issued to a non-U.S. company?
For a U.S. court to have power over an entity, that entity must have certain “minimum contacts” with the forum state. This standard was originally created by the Supreme Court in a domestic context, involving whether a court in one state had jurisdiction over a company incorporated in a different state. Based on my research, I have found that U.S. courts apply this “minimum contacts” analysis to cases involving non-U.S. entities.
The foundational case for the minimum contacts test is a familiar one to American law students, who study it during their first year. In International Shoe v. Washington, 326 U.S. 310 (1945), the Supreme Court held that the State of Washington had personal jurisdiction over a Delaware company because the company established “continuous and systematic” contacts that do not offend “traditional notions of fair play and substantial justice” by regularly shipping, selling, and advertising their products in the state of Washington. This decision created the “minimum contacts” test that has been expanded upon by subsequent Supreme Court decisions.
The minimum contacts test balances several factors to determine whether personal jurisdiction over a defendant is proper. These include whether an entity “purposefully directed” activities to the forum, whether it “purposefully availed” itself of the “privileges and benefits” of the forum, whether the litigation was “related to” the entity’s activity, and whether exercising jurisdiction meets the due process considerations of “fair play and substantial justice.” Burger King Corp. v. Rudzewicz, 471 U.S. 462, 475 (1985); Hanson v. Denckla, 357 U.S. 235, 253 (1958); World-Wide Volkswagen Corp. v. Woodson, 444 U.S. 286, 297 (1980); Helicopteros Nacionales de Colombia, S.A. v. Hall, 466 U.S. 408, 414 (1984); International Shoe v. Washington, 326 U.S. 310, 324 (1945).
Many cases since then have found a non-U.S. entity’s activities to satisfy the minimum contacts test. In one case involving a non-U.S. hotel company, the United States Court of Appeals for the Third Circuit found that mailing spa brochures to a couple’s home in Pennsylvania and making phone calls to schedule the treatment satisfied the minimum contacts test. O’Connor v. Sandy Lane Hotel Co., 496 F.3d 312, 323 (3d Cir. 2007). A more recent case found that a U.S. court had personal jurisdiction over a foreign car manufacturer because of its relationship through its subsidiary in New Jersey, which “markets, distributes, sells, and warrants new vehicles” on behalf of the manufacturer. Rickman v. BMW of N. Am. LLC, 538 F. Supp. 3d 429, 433 (D.N.J. 2021).
The U.S. is not alone in extending the reach of its laws and jurisdiction outside its territory. Note that the GDPR also has an extraterritorial application, as provided in Article 3, which applies the Regulation to processing by entities “not established in the Union” under certain circumstances that bear some resemblance to those covered by the minimum contacts test. As explained in Recital 23 of GDPR, “In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.”
Determining whether FISA Section 702 has an extraterritorial application is a complex analysis. However, there are existing frameworks to guide us through this issue. Our Senior Project Director, Alex Joel, discussed FISA Section 702 and extraterritoriality during a LinkedIn Live hosted by the IAPP. You can access it here.