No CRS summary available for this bill.
This section establishes the short title of the Act as the “Government Surveillance Reform Act of 2026” and sets forth the table of contents.
This section amends the Foreign Intelligence Surveillance Act of 1978 (FISA) by (1) adding definitions in section 101 (50 U.S.C. 1801) for "Foreign Intelligence Surveillance Court" (i.e., the court established under section 103(a)), "Foreign Intelligence Surveillance Court of Review" (i.e., the court established under section 103(b)), and "appropriate committees of Congress" (i.e., congressional intelligence committees, Senate Judiciary Committee, and House Judiciary Committee); (2) adding in section 701(b) of Title VII (50 U.S.C. 1881) a definition of "covered person" (i.e., a U.S. person or a person known or believed to be located in the United States at the time of the query, acquisition, communication, or creation of information); and (3) making conforming amendments throughout FISA to replace descriptive references (e.g., "the court established under section 103(a)") with these new defined terms.
This section amends Section 702(f) of the Foreign Intelligence Surveillance Act of 1978 (FISA) (50 U.S.C. 1881a(f)), which authorizes warrantless acquisition of foreign intelligence information targeting non-U.S. persons reasonably believed to be located abroad, to impose new limitations on querying such information for data relating to U.S. persons and persons located in the United States. Specifically, the section (1) requires acquisitions to comply with new limitations and requirements in subsection (f); (2) revises the definition of "query" to mean the use of one or more terms, manual or automated, to retrieve any Section 702-acquired information including from subsets thereof; defines "covered information" as communications content or information requiring a probable cause warrant for domestic law enforcement purposes; and defines "covered query" as one using a term associated with one or more covered persons (i.e., U.S. persons or persons located in the United States) or conducted for a significant purpose of retrieving such persons' information; and (3) prohibits federal officers or employees from accessing covered information returned by a covered query absent exceptions for concurrent FISA orders or warrants covering the query period, emergencies involving imminent threats of death or serious bodily harm (with notice to the Foreign Intelligence Surveillance Court (FISC) and congressional committees within 14 days), case-by-case consent, or defensive cybersecurity purposes (with similar notice); requires all queries to have a significant foreign intelligence purpose reasonably likely to retrieve such information (absent specified exceptions); renders non-compliant or subsequently denied emergency queries inadmissible as evidence with annual Attorney General compliance assessments; and mandates documentation for all queries and covered information access. (Thus, the changes restrict "backdoor searches" of incidentally collected U.S. person data without judicial authorization in most cases.)
This section revises restrictions under FISA section 706(a)(2) (50 U.S.C. 1881e(a)(2)) on using information acquired under section 702 (i.e., warrantless surveillance targeting non-U.S. persons reasonably believed abroad, which may incidentally acquire U.S. person communications)—deemed electronic surveillance information under section 1806—in any criminal, civil, or administrative proceeding (previously, only criminal proceedings) against covered persons (previously, only United States persons). (Thus, such information may not be used as evidence against a covered person unless the FBI obtains a Foreign Intelligence Surveillance Court order under section 1881a(f)(2) or the Attorney General determines the proceeding affects national security; Attorney General determinations are not judicially reviewable.)
This section establishes a prohibition under Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. 1881a) on intentionally targeting any person reasonably believed to be located outside the United States if a significant purpose of the acquisition is to obtain communications of one or more particular, known covered persons (i.e., United States persons and persons located in the United States), unless (1) there is a reasonable belief of an emergency involving an imminent threat of death or serious bodily harm to such covered persons, the information is sought to assist them, and a description of the targeting is provided to the Foreign Intelligence Surveillance Court (FISC) and appropriate congressional committees not later than 14 days after the targeting; or (2) the covered persons (or a legally authorized third party, if they are incapable of consenting) have provided consent. (Section 702 authorizes warrantless acquisitions of foreign intelligence information from non-United States persons reasonably believed to be abroad, subject to targeting and minimization procedures approved by the FISC.) The section also revises targeting procedures in subsections (d)(1), (h)(2)(A)(i), and (j)(2)(B) to incorporate this prohibition (i.e., limiting acquisitions to non-United States persons abroad and, except as provided in new subsection (b)(6), precluding a significant purpose of acquiring information of particular, known covered persons).
This section establishes in a new section 710 of FISA Title VII (50 U.S.C. 1881 et seq.) data retention limits for information collected pursuant to section 702 (i.e., warrantless electronic surveillance targeting non-U.S. persons located abroad reasonably believed to possess foreign intelligence information). It directs the Attorney General to develop, and intelligence community elements to implement, procedures requiring destruction within five years of collection of "covered information"—defined to include (1) any evaluated information pertaining to a covered person, including encrypted communications to or from such a person, that is not specifically known to contain foreign intelligence information; and (2) any unevaluated information unless reasonably determined not to pertain to or communicate with a covered person. Exceptions allow retention if the Attorney General determines in writing that the information is subject to a preservation obligation in pending administrative, civil, or criminal litigation (requiring segregation, limited use, and destruction once no longer needed) or is being used in a proceeding or investigation consistent with section 706(a). This section also makes a conforming change to the FISA table of contents.
This section revises FISA Section 702(i)(1) (50 U.S.C. 1881a(i)(1)), which authorizes the Attorney General to direct electronic communication service providers (e.g., telecommunications and internet companies) to furnish technical assistance for foreign intelligence surveillance targeting non-U.S. persons reasonably believed to be abroad, by (1) prohibiting such directives unless they demonstrate the assistance is necessary, narrowly tailored to the surveillance at issue, and would not pose an undue burden on the provider or its non-target customers; and (2) conditioning provider compliance on the Foreign Intelligence Surveillance Court explicitly approving the manner or method of assistance and issuing a delivered order describing it. (Thus, all demands for provider assistance under Section 702 are now subject to prior court supervision and approval.)
This section revises Section 702 of the Foreign Intelligence Surveillance Act of 1978 (FISA)—in subsections (b)(4), (d)(1)(B), (h)(2)(A)(i)(II), and (j)(2)(B)(ii)—the prohibition on intentionally acquiring communications as to which the sender and all intended recipients are known or believed (previously, known) at the time of acquisition or communication (previously, acquisition) to be located in the United States. (Thus, the prohibition applies to a broader set of potentially domestic communications, including those believed—but not definitively known—to be entirely U.S.-based and evaluated at the time of communication.)
This section requires the Attorney General to submit to the appropriate congressional committees, not less frequently than annually, a report on the number of sensitive queries (i.e., queries of data acquired under FISA Section 702 using identifiers such as U.S. person identifiers, approved under specified procedures) conducted in the prior year, disaggregated by the relevant subclause of 50 U.S.C. 1881a(f)(3)(D)(ii).
This section revises the definition of "electronic communication service provider" (ECSP) in §§701(b)(4) and 801(6) of the Foreign Intelligence Surveillance Act (FISA), which identifies entities subject to government directives to assist in acquiring foreign intelligence information under FISA §702 (i.e., warrantless electronic surveillance targeting non-U.S. persons abroad), as follows: (1) strikes "custodian" from the description of an officer, employee, or agent of covered entities; (2) strikes the subparagraph covering any other service provider with access to equipment used to transmit or store communications (excluding public accommodations, dwellings, community facilities, or food service establishments); (3) adjusts punctuation and cross-references accordingly; and (4) redesignates subparagraphs. This section further renders null and void any §702 directive issued, between April 20, 2024, and enactment, to an entity qualifying as an ECSP under the prior broader definition but not under the revised definition.
This section repeals expanded querying requirements for persons traveling to the United States in Section 702(f)(6) of the Foreign Intelligence Surveillance Act of 1978 (FISA), as added by section 101, and redesignates paragraph (7) as paragraph (6). (Section 702 authorizes targeting of non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information, and subsection (f) governs querying procedures for data acquired under the program.)
This section extends the authorities under Section 702 of the Foreign Intelligence Surveillance Act of 1978 (FISA)—which authorizes warrantless electronic surveillance targeting non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information—through April 20, 2030 (from two years after the date of enactment of the Reforming Intelligence and Securing America Act). The section makes conforming amendments to sunset provisions in notes to 50 U.S.C. §§ 1881–1881g and 18 U.S.C. 2511 (which excludes Section 702 surveillance from prohibitions on unlawful interceptions), and to notes to 50 U.S.C. § 1801, including by adding references to the Government Surveillance Reform Act of 2026.
This section prohibits federal law enforcement agencies from obtaining, in exchange for anything of value (i.e., purchasing, receiving via services for consideration, or similar), covered personal data—personal data relating to covered persons (U.S. persons or individuals reasonably believed located in the U.S.)—if directly or indirectly obtained from or derived from data held by covered organizations (non-governmental entities that are not individuals, or their agents). It defines related terms, including biometric information (e.g., fingerprints, voice prints, iris scans, facial geometry, gait), personal data (data or unique identifiers linked or linkable to individuals or associated devices, including certain anonymized data), electronic device (as "computer" under 18 U.S.C. §1030(e)), and lawfully obtained public data (publicly available data obtained and transferred compliantly, with attestations). Exceptions include (1) covered personal data within larger compilations including non-covered persons, if the agency cannot reasonably exclude it and minimizes its use per procedures in subsection (f); and (2) data from congressional whistleblower programs. (As background, 18 U.S.C. §2702 generally bars electronic communication service and remote computing service providers—e.g., email and cloud storage—from divulging communication contents or subscriber records absent exceptions; this addition targets circumvention via data brokers.)
This section strikes §§703-705 of FISA Title VII (50 U.S.C. 1881b-1881d), which previously authorized warrant-based acquisitions of foreign intelligence information targeting U.S. persons, and inserts a new §703 requiring court authorization for federal government acquisitions targeting covered persons (i.e., U.S. persons or persons located inside the United States). Specifically, new §703(a) prohibits intentional targeting of covered persons to acquire foreign intelligence information consisting of communications content, location information, web browsing or search history, or information acquired under circumstances implicating a reasonable expectation of privacy or requiring a warrant if sought for domestic law enforcement purposes, absent (1) a FISA Title I or III order or emergency authorization (50 U.S.C. 1805, 1824) with required minimization procedures or (2) a Federal Rules of Criminal Procedure warrant with comparable limitations. New §703(b) similarly prohibits targeting covered persons via pen register or trap and trace devices (or equivalents requiring such an order domestically) absent (1) a FISA Title IV order or emergency authorization (50 U.S.C. 1842-1846) with minimization procedures or (2) an order under 18 U.S.C. §3123 (authorizing ex parte court orders for pen registers/trap and trace upon certification of relevance to a criminal investigation). New §703(c) bars use or dissemination of information from emergency acquisitions if a subsequent FISA application is denied (with limited exceptions for threats of death or serious injury); §703(d) applies these requirements regardless of acquisition location. This section also makes conforming amendments to FISA §§601, 603, and 706 (50 U.S.C. 1871, 1873, 1881e) to eliminate references to repealed provisions and former reporting/sunset requirements, and updates the FISA table of contents.
This section revises application requirements under the Foreign Intelligence Surveillance Act of 1978 by inserting, in sections 104(a)(12), 303(a)(10), and 402(c)(4)—in the matter preceding subparagraph (A)—the requirement that such applications fairly reflect all information (in addition to apprising relevant parties of all information). (Thus, it standardizes disclosure obligations across applications for electronic surveillance orders, physical search orders, and pen register or trap-and-trace orders.) It also makes technical corrections, including punctuation changes in sections 104(a) and 303(a) and redesignation of subparagraphs (E) and (F) as (C) and (D) in section 502(b)(2).
This section adds a new Title IX to the Foreign Intelligence Surveillance Act of 1978 (FISA) establishing "accuracy procedures"—specific procedures adopted by the Attorney General to ensure FISA applications (including renewals) for electronic surveillance, physical searches, or other court orders are accurate and complete, including requirements that applications reflect all information questioning accuracy or assessments, address confidential human source reliability, maintain complete documentation files, disclose any intelligence community prior relationship with targets, include pre-application review of factual assertions before targeting U.S. persons, and provide for annual compliance audits reported to the Attorney General. It requires all FISA applications to include (1) a description of the employed accuracy procedures and (2) a certification that the applicant has reviewed supporting documentation, contrary information, and source reliability data; further requires FISA judges to find that described procedures meet the statutory definition before issuing orders. The Attorney General must issue these procedures within 180 days of enactment and repeals a prior temporary accuracy procedures requirement under the Reforming Intelligence and Securing America Act (P.L. 118-49).
This section amends the definitions section of the Foreign Intelligence Surveillance Act of 1978 (FISA) by adding subsection (t) to specify that, for the Act's notification provisions, information or evidence is derived from FISA-authorized electronic surveillance, physical searches, pen register or trap and trace devices, production of tangible things, or acquisitions if the government would not have originally possessed it absent such activities—regardless of attenuation, inevitable discovery, or rederivation through other means. (As background, FISA's notification provisions generally require the government to inform targets of surveillance or searches after the fact, subject to certain exceptions.) The section further requires the Attorney General and Director of National Intelligence to publish, within 90 days of enactment, policies and guidance applying the new definition to the intelligence community and federal law enforcement agencies, with any subsequent modifications also published.
This section sunsets title V of the Foreign Intelligence Surveillance Act of 1978 (FISA)—which authorizes Federal Bureau of Investigation (FBI) applications for Foreign Intelligence Surveillance Court (FISC) orders requiring production of tangible things (e.g., business records) relevant to foreign intelligence investigations (i.e., Section 215 authority)—as in effect on March 14, 2020, 180 days after enactment. (Thus, only subsequent versions of title V remain in effect after that date.)
This section requires the Attorney General to maintain, in files associated with FISA Title I applications or orders, (1) all written communications with the Foreign Intelligence Surveillance Court (FISC), including identities of involved court employees; and (2) summaries of any oral communications with the FISC relating to such applications or orders, similarly including identities of involved court employees. (Thus, the Department of Justice must document both written and oral interactions with the FISC, a specialized Article III court that authorizes electronic surveillance for foreign intelligence purposes.)
This section expands the Foreign Intelligence Surveillance Court's (FISC) authority to appoint amici curiae with expertise in privacy and civil liberties or technical matters—including cybersecurity and cryptography—to assist in reviewing surveillance applications. (As background, the FISC, comprising 11 district judges designated by the Chief Justice, authorizes electronic surveillance for foreign intelligence purposes under FISA (50 U.S.C. §1801 et seq.); amici provide an independent perspective on novel legal, constitutional, or technical issues previously considered only at the court's discretion.) Specifically, it (1) requires privacy/civil liberties amici for applications involving novel/significant law, constitutional concerns, sensitive investigative matters (newly defined to include U.S. public officials, political/religious organizations, news media, or similarly sensitive domestic targets), new programs/technology, programmatic reauthorizations, or other privacy issues unless the court finds otherwise in writing; (2) requires technical amici for new/existing technology approvals or material technical issues unless similarly excepted; (3) mandates that designated amici include at least one with legal expertise and one with technical expertise; (4) requires quarterly notifications to the Attorney General and congressional committees of all appointments and exception findings; and (5) adjusts Section 702 surveillance recertification timing to ensure amicus review. The section further authorizes appointed amici to proactively seek leave to raise novel/significant privacy/civil liberties issues or other matters affecting surveillance legality, regardless of whether requested by the court.
This section revises declassification requirements for decisions, orders, and opinions of the Foreign Intelligence Surveillance Court (FISC) and Foreign Intelligence Surveillance Court of Review (FISCR)—which authorize surveillance under the Foreign Intelligence Surveillance Act of 1978 (FISA)—as follows: (1) expands the scope of covered decisions to include, in addition to those with a significant or novel construction or interpretation of any provision of law or term, any that involve a sensitive investigative matter (as defined in 50 U.S.C. 1803(i)(12)) or are nominated for review by a court-appointed amicus curiae; (2) applies the requirements to decisions issued before, on, or after enactment; and (3) requires completion of the declassification review and public release within 180 days after issuance by the FISC or FISCR (from 180 days after commencement of the review). (Thus, declassification of qualifying decisions must occur more promptly and covers a broader set of FISC/FISCR rulings.)
This section establishes jurisdiction in the Foreign Intelligence Surveillance Court (FISC) and Foreign Intelligence Surveillance Court of Review (FISCOR) over ancillary claims related to their proceedings—including claims for access to court records, files, and proceedings under the Constitution, statutes, common law, or other authority—with requirements for written statements of reasons upon deciding such claims. It further provides for FISCOR review of FISC decisions on such claims and Supreme Court certiorari review of FISCOR decisions. The section also (1) expands FISC en banc review authority to include government or party requests under the new ancillary claims provision; (2) broadens Supreme Court review authority in subsection (k)(1) to all of 28 USC 1254 (from paragraph (2)); and (3) makes technical corrections by removing outdated references to section 501(f) in subsections (a)(2)(A) and (e).
This section establishes grounds for injury in fact in civil actions by a U.S. person or person located in the U.S. challenging the acquisition, copying, querying, retention, access, or use of information under FISA or executive authority. Such injury exists if the person (1) regularly communicates foreign intelligence information with non-U.S. persons located outside the U.S. and takes (or is taking) objectively reasonable measures to avoid that government conduct, or (2) has a reasonable basis—defined as a concrete injury from a good-faith belief—to believe their rights have been, are being, or imminently will be violated by a federal actor through such conduct. The section further directs that FISA section 106(f) procedures apply when the state secrets privilege is asserted against claims by such persons plausibly alleging injury in fact and a violation of the Constitution or U.S. laws.
This section adds a new section 1002 to Title X of the Foreign Intelligence Surveillance Act of 1978 (FISA) requiring heads of covered agencies—Federal Bureau of Investigation (FBI), Central Intelligence Agency (CIA), National Security Agency (NSA), and National Counterterrorism Center (NCTC)—to establish accountability procedures for willful, knowing, reckless, or negligent covered violations (i.e., inappropriate collection, use, querying, or dissemination of communications or information of U.S. persons under FISA, the Government Surveillance Reform Act of 2026, or Executive Order 12333). The procedures must include centralized tracking of incidents and escalating consequences determined by an internal investigative entity within 60 days of investigation conclusion, specifically: (1) for a first reckless or negligent violation, suspension of access to relevant information or datasets for at least 90 days and documentation in the employee's personnel file; (2) for a second reckless or negligent violation, suspension of access for at least 180 days and reassignment; (3) for a third reckless or negligent violation, termination of security clearance and reassignment or termination (with a presumption of termination, absent written justification to congressional committees); (4) for a first willful or knowing violation, suspension of access for at least 180 days and reassignment; and (5) for a second willful or knowing violation, termination of security clearance and reassignment or termination (with a presumption of termination, absent written justification). This section further requires each covered agency to submit to congressional committees, within 180 days of enactment, an unclassified report (with possible classified annex) detailing the new procedures and any actions taken; and it amends the FISA table of contents accordingly. This section repeals paragraph (4) of FISA section 702(f) (50 U.S.C. 1881a(f)), redesignates paragraph (6) as paragraph (4), and applies these changes 180 days after enactment. (Thus, it deconflicts the new procedures with prior accountability requirements under the Reforming Intelligence and Securing America Act (RISAA).)
This section revises the savings clause in the federal wiretap statute (18 U.S.C. §2511(2)(f)) to exempt U.S. government acquisition of foreign intelligence from international or foreign communications—or foreign activities on foreign systems using non-electronic surveillance—from wiretap and FISA procedures (including 47 U.S.C. §605), while deeming those procedures the exclusive means for (A) electronic surveillance under FISA, (B) interception of wire, oral, or electronic communications within the United States or from a domestic system, or (C) such interception where the sender and all intended recipients are located in the United States. (Thus, the government may use other federal authorities for foreign intelligence surveillance outside those domestic categories.) It further revises FISA section 112 (50 U.S.C. §1812) to establish the same exclusivity—with exceptions only for express statutory authorizations outside amendments to the wiretap chapters or FISA—and to make FISA and title IV of this Act the exclusive means for acquiring location information of one or more persons in the United States for foreign intelligence purposes.
This section defines, for purposes of this title, the terms congressional intelligence committees, intelligence, intelligence community, and foreign intelligence as having the meanings given those terms in the National Security Act of 1947; and the terms electronic surveillance, person, State, United States, and United States person as having the meanings given those terms in section 101 of the Foreign Intelligence Surveillance Act of 1978 (FISA).
This section establishes restrictions on federal officers and employees querying or accessing "covered information" (i.e., communications content or information requiring a probable cause warrant for domestic law enforcement purposes) acquired for foreign intelligence purposes outside the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. 1801 et seq.) using a "covered query" (i.e., a query via terms associated with or for a significant purpose of retrieving information of one or more U.S. persons or persons located in the U.S.). It prohibits such access except under four exceptions: (1) concurrent FISA order, emergency authorization, or criminal warrant covering the query period and complied with fully; (2) reasonable belief of an emergency involving imminent death or serious bodily harm, with notice to congressional intelligence committees within 14 days; (3) case-by-case consent from the covered person or authorized third party; or (4) solely for defensive cybersecurity (e.g., protecting a covered person from cyber attack), with notice to committees within 14 days. The section further provides that if information is accessed under an emergency exception but subsequent FISA authorization is denied, or if accessed in violation of the section, such information and derivative evidence are suppressed in all U.S., state, or local proceedings (with limited Attorney General-approved exceptions to prevent death or serious harm); the Attorney General must assess compliance annually. It requires all queries of such information to have a significant foreign intelligence purpose (with exceptions mirroring certain FISA section 702(f)(2)(B) allowances) and mandates electronic documentation for each covered query, including each term used. The section does not apply to information collected pursuant to FISA.
This section prohibits any federal officer or employee from intentionally targeting any person—regardless of location—to acquire foreign intelligence information if a significant purpose is to obtain communications of a particular known U.S. person or person located in the United States, unless (1) there is a reasonable belief of an emergency involving imminent death or serious bodily harm to that person, the information is to assist them, and Congress is notified within 14 days; or (2) the covered person (or an authorized third party) consents. The prohibition does not apply to acquisitions authorized under the Foreign Intelligence Surveillance Act of 1978 or pursuant to a criminal warrant with required minimization procedures.
This section prohibits elements of the intelligence community from acquiring datasets that include covered data—defined as data, derived data, or unique identifiers linked or reasonably linkable to a covered person or an electronic device linked to one or more covered persons in a household, including anonymized data that can be reidentified, but excluding data publicly available through government records or widely distributed media, voluntarily disclosed by the covered person, or specific communications or transactions with non-covered persons—subject to eight exceptions. The exceptions authorize acquisition of covered data that is (1) collected pursuant to a Foreign Intelligence Surveillance Act court order or emergency authorization, subject to applicable minimization requirements; (2) employment-related for intelligence community employees or applicants, with use limited to that purpose and data destroyed when no longer needed; (3) for compliance with statutory or constitutional collection limits, with similar use and destruction limits; (4) necessary to address an imminent threat of death or serious bodily harm before FISA authorization can be obtained, with data destroyed when no longer needed and Congress notified within 14 days; (5) consented to on a case-by-case basis by each linked covered person (or authorized third party), with use limited to consented purposes and data destroyed when no longer needed; (6) nonsegregable from a larger dataset prior to acquisition, subject to minimization procedures; or (7) obtainable via national security letter under specified statutes—including section 1114 of the Right to Financial Privacy Act (12 U.S.C. 3414)—if the data holder is outside the United States, compelled production is infeasible, acquisition complies with national security letter limits, and required records are maintained for each covered person or linked data instance. This section further directs the Attorney General to issue minimization procedures requiring intelligence community elements to exhaust reasonable means to exclude or delete non-excepted covered data from datasets prior to acquisition and retention.
This section prohibits any federal officer or employee from intentionally acquiring, for foreign intelligence purposes, any communication known at the time of acquisition or communication to have a sender and all intended recipients located in the United States—regardless of whether the acquisition occurs inside or outside the United States—except (1) as authorized under FISA Title I (50 U.S.C. 1805, requiring a Foreign Intelligence Surveillance Court order for electronic surveillance targeting foreign powers or agents) or Title III (50 U.S.C. 1824, for physical searches); or (2) in an emergency involving an imminent threat of death or serious bodily harm, if a description of the acquisition is provided to the congressional intelligence committees within 14 days.
This section requires each head of an intelligence community element to develop and implement procedures governing retention of information acquired for foreign intelligence purposes other than under the Foreign Intelligence Surveillance Act of 1978 (FISA; 50 U.S.C. 1801 et seq.), regardless of whether acquired inside or outside the United States. The procedures must ensure destruction within five years of covered information—i.e., (1) evaluated information pertaining to a covered person, including encrypted communications to or from such person, not specifically known to contain foreign intelligence information; or (2) unevaluated information, unless reasonably determined not to contain information pertaining to a covered person—unless the Attorney General determines in writing that (A) the information is subject to a preservation obligation for pending administrative, civil, or criminal litigation, in which case it must be segregated, retained and used solely for that purpose, and destroyed when no longer required; or (B) the information is being used in a proceeding consistent with section 706(a) of FISA (50 U.S.C. 1881e(a)).
This section requires the Director of National Intelligence to make publicly available on an internet website each annual report to congressional intelligence committees on violations of law or executive order relating to intelligence activities by intelligence community personnel, with redactions to protect sources and methods, including reports submitted prior to enactment within 180 days of enactment. It further requires the Attorney General, in consultation with the Director of National Intelligence, to submit to the Senate and House Judiciary Committees a version of the report addressing only violations of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.). (As background, the annual reports cover violations determined by intelligence community directors, heads, or general counsel; referred to the Department of Justice; or substantiated by inspectors general.)
This section directs the Inspector General of the Department of Justice (DOJ IG) and the Inspector General of each intelligence community element (IC IG) to initiate, not later than one year after enactment, an audit of a sample of applications for court orders under the Foreign Intelligence Surveillance Act of 1978 (FISA) and directives issued under FISA section 702(i) (i.e., targeting non-U.S. persons reasonably believed to be located outside the United States for foreign intelligence purposes). For each audit, the relevant IG must (1) assess safeguards ensuring the scrupulous accuracy of assertions in applications, full inclusion of information required by specified recent amendments, and any other potential risks or violations; (2) for the DOJ IG, evaluate the accuracy and completeness of information provided by DOJ under new FISA section 603(f); and (3) issue recommendations to address deficiencies. Each IG must submit a report on findings, recommendations, and any remediations to the Attorney General, Director of National Intelligence, Privacy and Civil Liberties Oversight Board, congressional intelligence committees, Foreign Intelligence Surveillance Court, and any amicus curiae appointed in relevant proceedings; IC IGs must publicly release an unclassified version of their reports on their websites. The Attorney General and heads of IC elements must ensure full cooperation with the audits.
This section (1) extends whistleblower protections under the National Security Act for intelligence community members to include communications with the Privacy and Civil Liberties Oversight Board (PCLOB); and (2) revises the maximum pay rate for PCLOB staff to the highest rate paid by any intelligence community element for a comparable position, based on salary information from the Director of National Intelligence (from prior unspecified limitations). (As background, the PCLOB is an independent executive agency that reviews counterterrorism policies to ensure they balance national security with privacy and civil liberties.)
This section requires the government official providing a certification under 18 U.S.C. 2511(2)(a)(ii)(B)—which immunizes providers of wire or electronic communication services (and related persons) from civil or criminal liability for assisting law enforcement or intelligence activities—to submit the certification to the appropriate committees of Congress (as defined in FISA §101) within 30 days after providing it to the recipient. For certifications pursuant to ongoing assistance programs in effect on the date of enactment, submission to the committees is required within 90 days after enactment.
This section revises the Stored Communications Act to require a warrant for governmental access to location information, web browsing records, or search query records held in electronic storage by electronic communication service providers for 180 days or less (previously, warrants required only for contents of wire or electronic communications), and inserts similar warrant requirements into disclosure rules for such records under subsection (c)(1). It defines in 18 U.S.C. 2711 (1) location information as information derived from radio signals revealing the approximate or actual geographic location of a customer, subscriber, user, or device; (2) web browsing record as a record revealing an online service provider's identity, domain name, URL, IP address, or network traffic exchanged with a customer, subscriber, user, or device (excluding certain records maintained by known services about known users); and (3) search query record as a query term or instruction submitted to an online service provider (e.g., search engine, voice assistant) and any response provided. (Thus, these records receive warrant protection equivalent to communication contents while allowing a single record to constitute multiple record types.) This section further revises tracking device authorities to require a warrant issued under the Federal Rules of Criminal Procedure for installation or direction of installation by governmental entities (previously, a warrant or other court order), except in emergencies meeting wiretap exigency standards where a warrant application must be submitted within 48 hours, use terminates without a warrant, and unlawfully obtained information is inadmissible.
This section, titled the "Email Privacy Act," amends 18 U.S.C. §2702, which prohibits electronic communications service (ECS) and remote computing service (RCS) providers from voluntarily disclosing communication contents in electronic storage or customer records except as specified, and 18 U.S.C. §2703, which governs required disclosures to governmental entities, as follows: (1) In §2702, replaces "divulge" with "disclose" throughout; expands prohibitions to cover communications "stored, held, or maintained" by the provider (previously limited to those in electronic storage or carried/maintained on the service); and broadens voluntary disclosure exceptions to permit providers to disclose contents to originators, addressees, intended recipients, subscribers or customers on whose behalf the provider stores/holds/maintains the communication, or their agents (previously to addressees/intended recipients or agents thereof, or subscribers for RCS only) and with consent of such persons (previously originator/addressee/intended recipient or RCS subscriber). (2) In §2703, requires governmental entities to obtain warrants issued by courts of competent jurisdiction to access stored communication contents, with warrants optionally specifying a compliance date (otherwise requiring prompt response); limits access to contents over 180 days old to warrants, specified court orders, customer consent, or other authorizations (striking prior exception); expands record disclosure mechanisms to include administrative subpoenas authorized by federal or state statute; adds a provision permitting providers to notify subscribers/customers of warrants, court orders, or subpoenas (subject to §2705 delay authority); and includes rules of construction preserving governmental access to provider employees' communications or public advertisements/promotions and Congress's subpoena power. (Thus, ECS/RCS providers, such as email services, gain explicit authority to share account contents with account owners upon request, while governmental entities must generally secure warrants for all stored electronic communications contents regardless of age.)
This section defines "online service provider" in 18 U.S.C. 2711(a) to include a provider of electronic communication service, remote computing service, or interactive computer service (as defined in 47 U.S.C. 230(f), i.e., online platforms such as social media sites immune from liability for user-generated content). It amends 18 U.S.C. 2703 to substitute "online service provider" for "provider of electronic communication service" in subsection (a) (contents of communications in electronic storage for 180 days or less, which currently requires a warrant) and for "provider of electronic communication service or remote computing service" in subsections (c)(1) and (c)(2) (subscriber records, currently obtainable via subpoena or court order) and (g) (delayed notice requirements). (Thus, it extends Stored Communications Act warrant and disclosure requirements to interactive computer services.)
This section revises the standards for authorizing pen registers and trap and trace devices (i.e., surveillance tools that capture non-content metadata such as numbers dialed or received from wire and electronic communications) under 18 U.S.C. ch. 206, as follows: (1) in section 3122(b), replaces the certification standard for government attorney applications with a requirement for specific and articulable facts showing reasonable grounds to believe the information sought is relevant and material to an ongoing criminal investigation (previously, certification of relevance); and (2) in section 3123(a)(1), changes court approval from mandatory ("shall enter an order") to discretionary ("may enter an order") and requires the same heightened certification of relevance and materiality.
This section limits subpoenas for certain subscriber information under Section 2703(c)(2) of the Stored Communications Act (18 U.S.C. § 2703(c)(2)) to circumstances in which the governmental entity identifies the subscriber's name, address, temporarily assigned network address, or account identifier (such as a user name). (Thus, such subpoenas may not be used without specifying at least one of those identifiers.)
This section directs the Attorney General to issue and publicly release, not later than 180 days after enactment, minimization procedures applicable to voluntary disclosures of communications contents or customer records to federal agencies under exceptions in the Stored Communications Act (i.e., 18 U.S.C. §2702(b)(5), (b)(8), (c)(3), or (c)(4)). (As background, those exceptions generally permit disclosures necessarily incident to service provision or rights protection, of inadvertently obtained crime-related contents, or of specified non-content records such as basic subscriber information.) The procedures must (1) limit acquisition, use, and dissemination to information necessary for the disclosure's purpose; (2) remove personally identifiable information (PII) to the greatest extent possible before acquisition; (3) mask any non-removable PII before use or dissemination, consistent with the purpose; and (4) prohibit retention of such information by the recipient agency (or any agency to which further disclosed) after completion of the relevant investigation or action.
This section requires a governmental entity to obtain a court order before compelling a covered organization (i.e., data broker) that is not an online service provider to disclose covered personal data if a court order would be required for a comparable disclosure of customer or subscriber records by an online service provider. Courts may issue such orders only on the same basis and subject to the same limitations as for online service providers, applying the most stringent standard under federal statute or the Constitution. (As background, this extends Stored Communications Act requirements—generally warrants for communications content in electronic storage for 180 days or less, or warrants/subpoenas/court orders for longer-held content or remote computing service data—to covered personal data held by data brokers.)
This section defines "intermediary or ancillary service provider" in 18 U.S.C. §2711 (i.e., an entity or facilities owner or operator that directly or indirectly delivers, transmits, stores, or processes communications or covered personal data for, or on behalf of, an online service provider) and adds a prohibition in 18 U.S.C. §2702(a) preventing such providers from knowingly disclosing (1) the contents of a communication while in electronic storage to any person or entity or (2) records or other information pertaining to subscribers, customers, recipients, or senders associated with the online service provider to a governmental entity. (As background, §2702 generally prohibits electronic communication service providers and remote computing service providers from voluntarily disclosing stored communications or customer records absent legal process; thus, this extends those protections to infrastructure providers such as cloud services or content delivery networks.)
This section establishes annual reporting requirements for judges and the Administrative Office of the United States Courts (AOUSC) on surveillance authorities, including (1) disclosure of stored wire or electronic communications and related customer records under 18 U.S.C. §2703, (2) pen registers and trap and trace devices under 18 U.S.C. §3126, and (3) voluntary disclosures by providers under 18 U.S.C. §2702(d). (As background, these provisions of the Electronic Communications Privacy Act govern law enforcement access to electronic communications content and metadata from service providers.) Judges must report to AOUSC by January each year on applications received, types of records or devices sought, grant/deny/modify outcomes, statutory subsections, offenses investigated, providers served, and requesting agencies; AOUSC must publish aggregated numbers, summaries, and analyses by June each year on its website and in its §2519(3) wiretap report (with a conforming amendment to §2519(3) requiring website publication). Not later than 180 days after enactment of the Government Surveillance Reform Act of 2026, AOUSC must publish machine-readable reporting formats developed in consultation with specified entities (e.g., National Institute of Standards and Technology, National Center for State Courts) and may issue related regulations. (Thus, the changes enhance public transparency on criminal surveillance orders previously reported only in aggregate form.)
This section amends the Stored Communications Act (SCA), which prohibits electronic communication service (ECS) and remote computing service (RCS) providers from voluntarily disclosing stored communication contents or customer records to governmental entities (with exceptions), to distinguish between federal and nonfederal (state or local) governmental entities. Specifically, it (1) adds SCA §2702(h) prohibiting voluntary disclosures of communication contents or customer records to state or local governmental entities, with exceptions for consent, service rendition or provider rights protection, inadvertent discovery of apparent criminal activity reported to state or local law enforcement, and good-faith belief in an emergency involving danger of death or serious physical injury; (2) limits SCA §2703, governing compelled disclosures, to federal departments and agencies only by revising the section heading to "Required disclosure of customer communications or records to Federal departments and agencies" and adding §2703(p) to define "governmental entity" as excluding state or local departments or agencies; and (3) adds SCA §2703A establishing parallel compelled disclosure procedures for state or local governmental entities, requiring warrants for ECS contents in electronic storage for 180 days or less and authorizing court orders, subpoenas, or equivalents for older ECS contents, RCS contents, or customer records.
This section prohibits federal investigative or law enforcement officers from accessing covered vehicle data from noncommercial vehicles without a warrant issued under Federal Rule of Criminal Procedure 41, subject to exceptions for consent and emergencies, and bars use of data obtained in violation of the prohibition as evidence. Covered vehicle data includes all onboard and telematics data generated by, processed by, or stored on a noncommercial vehicle (i.e., diagnostic data, entertainment system data, navigation data, images or data from onboard sensors or cameras—including for automated or autonomous driving features—internet access data, and communications to or from vehicle occupants; also includes event data recorder data), excluding manufacturer-installed automotive software, data subject to the Wiretap Act or specified FISA provisions, and externally collected data such as speed or geolocation for traffic, law enforcement, or toll purposes. Consent requires prior affirmative, express, and voluntary agreement from the vehicle operator (or owner/lessee if operator cannot be located), with no objection from any passenger 14 years of age or older; must be in writing (or recorded if oral at request); excludes those in unlawful possession; and for non-owners, applies only to data from lawful use. (Thus, generic privacy policies or terms of service do not qualify.) Emergencies permit access by specified high-level DOJ officials or officers if there is immediate danger of death or serious injury, warrant grounds exist, and a warrant application is filed within 48 hours.
This section expands the annual report required from the Director of the Administrative Office of the United States Courts on Foreign Intelligence Surveillance Act (FISA) applications, orders, and court activities—submitted to congressional intelligence and judiciary committees (subject to declassification review) and published online (with exceptions)—to include the following: (1) the number of certifications by the Foreign Intelligence Surveillance Court (FISC) pursuant to section 103(j); (2) the number of petitions to certify a question made by an amicus curiae pursuant to section 103(i)(7)(A); (3) the number of en banc hearings or rehearings by the FISC pursuant to section 103(a)(2), disaggregated by clause (i) or (ii); and (4) the number of times amici curiae have been appointed pursuant to section 103(i)(2). (Thus, the report provides additional transparency into specific FISC procedural mechanisms.)
This section expands the annual public reports required from the Director of National Intelligence on Foreign Intelligence Surveillance Act (FISA) orders and section 702 acquisitions—targeting non-U.S. persons abroad for foreign intelligence purposes, which may incidentally acquire U.S. persons' communications—to include (1) a description of the subject matter of each certification under section 702(h); (2) statistics on the number of persons and identifiers targeted under section 702(a), disaggregated by certification; (3) the total number of directives issued under section 702(i)(1), disaggregated by type of electronic communication service provider; (4) the total number of disseminated intelligence reports derived from section 702 collection containing U.S. persons' identities (regardless of masking), disaggregated between masked and openly included identities, with comparable figures for reports from acquisitions outside FISA authorities; (5) the number of queries of section 702 data for communications of or concerning covered persons (i.e., U.S. persons), disaggregated between those requiring a warrant and those not under section 302 of the Government Surveillance Reform Act of 2026; and (6) the number of criminal proceedings in which information from non-FISA foreign intelligence acquisitions was used as evidence or otherwise disclosed. The section further repeals the prior exemption of the Federal Bureau of Investigation from certain of these reporting requirements and makes conforming amendments to cross-references.
This section establishes an annual reporting requirement under FISA for the Attorney General on the accuracy and completeness of Federal Bureau of Investigation (FBI) applications for court orders submitted to the Foreign Intelligence Surveillance Court (FISC). In April each year, subject to declassification review, the Attorney General must submit the report to the appropriate congressional committees and publish it on the Department of Justice website, covering the preceding calendar year with (1) a summary of all such reviews; (2) the total number of applications reviewed; (3) the total number of material errors or omissions identified; (4) the total number of nonmaterial errors or omissions identified; (5) the total number of instances in which facts in an application were unsupported by file documentation at the time of review; and (6) an explanation for any increase or decrease in errors under (3) and (4), including any remedial actions taken by the Department if errors increased. (Thus, the provision enhances congressional and public oversight of potential inaccuracies in FISA applications used for foreign intelligence surveillance.) This section further directs the Department of Justice Inspector General, in addition to audits required under sec. 501 of the Government Surveillance Reform Act of 2026, to periodically assess these reports and report any identified risks, as determined by the Inspector General, to the appropriate congressional committees.
This section revises semiannual transparency reporting requirements under FISA §604 (50 U.S.C. 1874) for recipients of nondisclosure orders accompanying FISA surveillance orders or directives (i.e., under traditional FISA §105 for electronic surveillance, pen register/trap-and-trace §402, or §702 for targeting non-U.S. persons abroad) or national security letters (NSLs). (As background, these reports allow telecommunications and technology companies to publicly disclose aggregate volumes of compelled disclosures in broad bands to promote transparency while protecting national security.) Specifically, the section (1) replaces prior aggregation options using bands of 500 or 1,000 with a single structure using bands of 200 starting at 1–200 for the first 1,000 national security letters received or customer selectors targeted, orders/directives received for content or noncontents, or customer selectors targeted thereby (precise numbers required above 1,000); (2) requires disaggregation of content and noncontents orders/directives by issuing authority (i.e., §105, §402, or §702); and (3) authorizes an additional semiannual report disclosing whether the recipient was or was not required to comply with any such order, directive, or NSL under specified provisions (i.e., §§105, 402, 702, and NSL authorities listed in §603(f)(3)) in the prior 180 days. (Thus, the changes enable more precise and differentiated public reporting of surveillance demands once volumes exceed 1,000.)
This section requires the Privacy and Civil Liberties Oversight Board to publicly release and submit to the appropriate congressional committees, not later than one year after enactment, a report on the use of (1) activities and expression protected by the First Amendment and (2) race, ethnicity, national origin, and religious affiliation in applications for orders under the Foreign Intelligence Surveillance Act of 1978 and related investigations. The Board may submit a classified annex to the committees.
This section directs the Director of National Intelligence to publish, not later than 90 days after enactment, a good faith estimate of either (1) the number of United States persons whose communications are collected under Section 702 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881a), or (2) the number of communications collected under such section to which a party is a person located in the United States at the time of communication. (As background, Section 702 authorizes joint authorizations by the Attorney General and Director of National Intelligence for up to one year to target non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information, subject to limitations prohibiting intentional targeting of U.S. persons or persons known to be in the United States.)
This section requires judges to assess compliance with FISA emergency electronic surveillance order requirements (50 U.S.C. 1805(e)(6)) not less frequently than annually (previously required without specified frequency) and directs inclusion of such annual assessments in the Attorney General's semiannual reports to Congress, intelligence committees, and other officials (50 U.S.C. 1808(a)(2)). It makes parallel changes for emergency physical search order requirements (50 U.S.C. 1824(e)(6) and 1826). (As background, FISA emergency provisions authorize the Attorney General to direct electronic surveillance targeting foreign powers or agents or to conduct physical searches prior to court approval, provided the court approves the action and assesses compliance within 24 hours.)
This section provides a rule of construction stating that nothing in this Act or its amendments modifies the authorities or affects the procedures for acquiring records by any state or local law enforcement department or agency, as such authorities and procedures existed the day before enactment.
This section declares the provisions of the Act and its amendments severable, such that if any provision or amendment, or its application to any person or circumstance, is held unconstitutional, the remainder of the Act and its amendments, and the application of the invalidated provision or amendment to other persons or circumstances, remain in effect.
This section authorizes the Attorney General, in coordination with the Director of National Intelligence as appropriate, to delay implementation of a provision of this Act or an amendment made by this Act for up to one year upon a showing to the appropriate congressional committees that the delay is necessary (1) to develop and implement technical systems needed for compliance or (2) to hire or train personnel needed for compliance.