Congress debating controversial spying power that can impact startups’ competitiveness
With a pending expiration in mid-April, lawmakers appear poised to reauthorize an Internet surveillance law that, without needed reforms, could drain the limited resources startup founders depend on, erode user trust online, and further complicate the already fractured digital trade landscape. Section 702 of the Foreign Intelligence Surveillance Act is the U.S. government’s primary authority to compel American companies to hand over foreign communications without an individualized warrant. The law has long threatened transatlantic data flows, creating uncertainty for startups that rely on moving data between the U.S. and Europe. Lawmakers had proposed amendments to modify some of the more problematic provisions before its April sunset, but reform efforts face an uphill battle, further complicated by the current conflict with Iran.
The European Union’s highest court has ruled twice—in Schrems I and Schrems II—that U.S. surveillance laws gave European citizens no meaningful way to protect their personal data from American government access. As a result, the court struck down the agreements that allowed companies to freely move data between the U.S. and Europe. This left startups scrambling to set up separate, expensive data storage systems in Europe just to keep doing business there—a burden Engine has documented extensively. As Mikel Carmenes Cavia—the co-founder of Onfleet, an American logistics startup with EU customers—explained shortly after, the ruling was “catastrophic” for their company and forced the company to “make major investments in building out a cloud environment within the EU.”
Since 2014, the European Courts and U.S. lawmakers have volleyed changes meant to address privacy concerns and restore trust in U.S. Internet companies; Congress would pass a bill meant to assuage EU concerns, but EU courts would deem the changes insufficient to address the underlying violations of Europeans’ privacy rights. The latest of these is the EU-U.S. Data Privacy Framework, which created a special court designed to give Europeans a legal avenue to challenge U.S. government surveillance of their data. But another looming challenge may center on Trump’s firing of independent commissioners—as EU privacy advocate Max Schrems argues the court isn’t truly independent if they can be fired at will.
An entirely new problem for startups opened in 2024 when Congress passed the Reforming Intelligence and Securing America Act (RISAA), which expanded Section 702’s reach. Prior to RISAA, the government’s authority to compel surveillance assistance applied to traditional telcos, Internet service providers, and major platforms like Google or Microsoft. That changed after an unnamed service provider successfully challenged a Section 702 directive in the Foreign Intelligence Surveillance Court (FISC), arguing it did not qualify as an Electronic Communication Service Provider (ECSP). Congress responded with what critics have dubbed the ‘Make Everyone a Spy’ provision in RISAA, expanding the ECSP definition to cover any service provider with access to equipment used to transmit or store electronic communications.
This enlarged scope sweeps in companies that were never the intended target of the law. Startups in SaaS, IoT, and tech in general now could conceivably fit the ECSP definition in Section 702, and startups are not equipped to bear that weight. Unlike large tech companies with dedicated legal and compliance teams, most founders have no roadmap for what comes next. Complying and granting access to data often requires engineering time and resources that a small company cannot spare. Challenging an order means a startup has to face litigation in the Foreign Intelligence Surveillance Court, which is expensive, slow, and requires specialized national security counsel that most founders have never thought about. And when a company receives a Section 702 directive, it almost always comes with a mandatory non-disclosure order, meaning the founder cannot tell their investors, board, or customers.
Startups are also susceptible to the major reputational risk that comes from receiving and complying with government requests for user data. For any startup, even the rumor of involvement in government surveillance can be fatal, and some have taken the extreme step of shuttering operations instead of complying. For example, when encrypted email service Lavabit was confronted with an FBI demand (unrelated to Section 702) for the service's private SSL keys—which would have compromised all 400,000 users—and an accompanying gag order, founder Ladar Levison shuttered the company overnight.
As the April 20 expiration date nears, the divide over Section 702 reform has reached its peak. On one side are Speaker Mike Johnson and his allies, pushing for an 18-month reauthorization with no amendments attached. Johnson has the backing of the White House and Pentagon and is leaning heavily on the Iran War as justification—arguing that any delay would be a self-inflicted national security calamity. However, the path to the floor is far from clear. Many Republican members have signaled their opposition to a reauthorization without amendments, and some members have sought to attach unrelated provisions in exchange for their support.
Reform advocates are pushing the bipartisan Security And Freedom Enhancement (SAFE) Act, which would roll back the RISAA definitional expansion and mandate warrants before the government can query communications involving Americans. Narrowing the ECSP definition would ensure that the law does not scope in every tech company whose product happens to touch a wire. Policymakers should reform the law to address these issues and insulate startups from the negative consequences of the program they were never meant to be a part of.