The approval of the USA Freedom Act by the US Senate on June 2, 2015, came one day after some of the provisions of the Patriot Act had expired, forcing the National Security Agency (NSA) to discontinue bulk collection of communications metadata. Data retention requirements are still in place, but the new act puts an end to the era of bulk data collection, which has damaged the reputation of some US companies.
The US still has some way to go to regain international trust in privacy matters
Despite attempts to amend the bill at the last minute, the newly approved Freedom Act is not a mere extension of the expired provisions of the Patriot Act; rather it reintroduces a much more reasonable and sensible form of data retention requirements, which telcos and Internet companies should welcome. The bulk collection is over; public bodies will only be able to issue requests for metadata related to specific individual persons or accounts, and will require a court order for that (something they did not need before). Crucially, the NSA will no longer be allowed to store this information on its own servers; this information will now sit on companies' servers.
Many privacy advocates have argued that the bill does not go far enough, in that it still retains provisions allowing the monitoring of "lone wolf" suspects (i.e. potential attackers not linked to foreign terror groups), despite the US authorities admitting these powers have never been used. The act also continues to allow investigators to monitor travel and business records of individuals, something law officers say is more effective than bulk collection. Nonetheless, it should be seen as a promising change in direction compared to the privacy-invasive policies that have become a point of concern for users and businesses, both within the US and abroad.
Tech companies in the US have faced pressure from EU regulators, which have sought tighter measures on data protection; these include the intention to review the Safe Harbor agreement, which allows US businesses to transfer European customers' data in an almost self-regulatory regime. This could still happen once EU institutions have agreed on the long-awaited data protection reform; however, US legislators can minimize the risk of business-unfriendly regulation from the EU if they continue on the path they have taken this week.
Luca Schiavoni, Senior Analyst, Regulation