Section 702’s Lapse: The Sunset That Doesn’t Matter
Under European Union law, the liability risk borne by a U.S.-controlled provider for European data is real, live, and continuous, and it is substantially independent of Section 702’s operational status in a U.S. legal context.
On June 12, 2026, the authority that the intelligence community claims is the backbone of commercial infrastructure foreign signals collection expired.[1] The instinct, in Washington and in the press, was to ask what the lapse does to American collection. That is the wrong question to ask for any U.S.-parent telecommunications or cloud provider operating infrastructure on European soil.
For that company, the more consequential exposure runs the other way across the Atlantic—and it does not move with Section 702’s statutory clock at all. Under European Union law, the liability risk borne by a U.S.-controlled provider for European data is real, live, and continuous, and it is substantially independent of Section 702’s operational legal status in a U.S. legal context.
I. The European exposure is anchored in primary law, not in § 702’s vital signs
When the Court of Justice of the European Union (CJEU) struck down the Privacy Shield in Schrems II, Section 702 was fully operative and statutorily healthy.[2] The defect the Court identified was structural: collection it regarded as disproportionate, paired with the absence of redress essentially equivalent to Article 47 of the EU Charter of Fundamental Rights.[3]
Nothing in that holding depended on whether Section 702's authorizing statute was freshly reauthorized, mid-lapse, or coasting on extant certifications. A lapse does not cure a structural defect; if anything, a lapse that reduces the volume of collection cuts toward adequacy, not away from it. That is the first counterintuitive point: the event that dominates the American conversation on FISA Section 702 is, for the European analysis, either neutral or faintly helpful to the United States’ privacy and civl liberties adequacy posture.
The second point is jurisdictional in the EU sense.
General Data Protection Regulation (GDPR) liability attaches to the act of transfer and processing, not to the existence of an American compulsion order.[4] A provider can incur exposure under Chapter V of the GDPR for an inadequate transfer even where no Section 702 directive has issued at all. The directive is one trigger among several; suspend it, and the underlying Chapter V obligation remains exactly where it was. This is why the Section 702 lapse cannot relieve the European exposure even in principle—the exposure does not run through the directive. Enforcement of that obligation falls in the first instance to the national Data Protection Authorities (DPAs)—the independent supervisory authorities each EU member state must establish under Article 51 of the GDPR, such as Ireland’s Data Protection Commission, France’s CNIL, and Germany’s federal and state authorities.
DPAs investigate complaints, audit data controllers and processors, order the suspension or prohibition of unlawful third-country transfers, and impose administrative fines of up to 4% of a firm’s global annual turnover. Their role is central to the analysis that follows: it is a DPA, not a U.S. court, that would act against a provider for an unlawful transfer, and Schrems II confirmed that DPAs bear a duty to suspend or prohibit transfers that lack essential equivalence where controllers do not act first.
Third, the live European risk runs through the fragility of the adequacy decision itself—and that fragility is degrading for reasons that have nothing to do with Section 702.
If the EU–U.S. Data Privacy Framework falls, providers lose the safe harbor and revert to standard contractual clauses supplemented by case-by-case measures. The Schrems II Court already signaled that, for transfers exposed to U.S. signals intelligence, such supplementary measures may be legally insufficient, because private contractual terms cannot bind the U.S. government or ensure Article 47 redress.[5] The safe harbor, in other words, is doing real work; its loss would not leave providers with a comfortable fallback.
II. Locating the exposure: the cloud layer is the supportable, Section 702-linked slice
It is tempting to reach for a single headline figure—“U.S. companies control X% of European telecom infrastructure”—but the honest answer is that the infrastructure stack must be disaggregated, because the layers are measured on incommensurable denominators and only one of them is both well-sourced and squarely within the statute’s reach.
The subsea transit layer is the most cited: U.S. hyperscalers control roughly 90% of transatlantic cable capacity. But that is a capacity figure, not a measure of traffic carried, and it concerns the wet pipe rather than the point where data is processed; it belongs in the analysis as context, not as the load-bearing number.[6]
The physical data-center real-estate layer is murkier still, because the published market is sized by revenue and by colocation operator rather than by tenant nationality, so it cannot cleanly isolate U.S.-controlled capacity on EU soil.
The layer that is both reliably quantified and legally on-point is the cloud, or compute, layer—and it is on-point for a precise statutory reason.
Section 702 reaches acquisition from an “electronic communication service provider,” a term that expressly includes “a provider of a remote computing service”—public computer storage or processing by means of an electronic communications system—which is commonly read to encompass the major cloud providers, not merely classic carriers.[7]
That is the doctrinal hinge: the entities that dominate the European cloud layer are the same entities the statute defines as compellable, and the cloud layer is where European personal data is actually stored and processed—which is where Chapter V transfer liability and backdoor-search exposure attach. The pipe can be encrypted in transit; the processing endpoint is the exposure.
On that layer the figure is both supportable and stark.
Three U.S. providers—AWS, Microsoft, and Google—hold roughly 70% of the European cloud market, against about 13–15% for European providers (SAP and Deutsche Telekom each around 2%); by one European Parliament estimate, close to 80% of EU corporate software-and-cloud spending flows to U.S. vendors.[8] Multiple independent sources—a market-research house, an EU institutional briefing, and trade analytics—converge on the ~70% figure, which is why it, rather than the splashier 90% transatlantic-capacity number, is the defensible anchor for the European end of the liability picture. The slice that is exposed is not “all European telecom infrastructure”; it is the cloud-and-compute layer, roughly 70% U.S.-controlled, populated by remote-computing providers the statute already names.
III. Two independent threats to the safe harbor—both unrelated to Section 702
A. The Latombe appeal
The General Court upheld the Data Privacy Framework in September 2025, but in a way that potentially invites reversal. It declined to resolve whether the challenger even had standing, electing instead to reach the merits “in the interest of the administration of justice.”[9] That choice has a cost: by ruling on the merits, the General Court may have made posible an appeal that places adequacy squarely before the Court of Justice as Case C-703/25 P—the very forum that invalidated both prior frameworks the Commission had blessed.[10] The framework is valid law today. The tribunal most likely to unmake it has not yet ruled.
B. The PCLOB quorum collapse and Trump v. Slaughter
The General Court's adequacy decision rests in part on the Privacy and Civil Liberties Oversight Board (PCLOB) as a structural guarantee of independent oversight. That guarantee is presently hollow.
President Trump's firing of three PCLOB members in January 2025 eliminated the Board’s quorum; a district court ordered reinstatement, but the D.C. Circuit stayed that order and the case was deferred pending the Supreme Court’s resolution of the President’s constitutional removal power.[11] The European Commission’s own review flagged the loss of quorum as a significant concern and tied the framework’s continued functioning to the Board’s restoration.[12] The hinge is Trump v. Slaughter, argued December 8, 2025, with a decision expected by the end of the Term.[13] The argument read poorly for the precedent that protects the Board.[14]
IV. The pro- and anti-Humphrey’s Executor arguments, and why they reach the PCLOB
The doctrinal contest in Slaughter is whether Humphrey’s Executor v. United States (1935)—which upheld for-cause protection for FTC commissioners—survives.
The anti-Humphrey’s case, as the Solicitor General frames it in the petitioners’ brief, opens from the Executive Vesting Clause: “the executive Power—all of it—is vested in a President,” who must take care that the laws be faithfully executed, and removal is the President’s “indispensable tool of control,” ranking among his “conclusive and preclusive” powers.[15] The lineage runs from Myers (1926) through Free Enterprise Fund (2010) and Seila Law (2020).
The brief’s sharpest move is not to distinguish Humphrey’s but to expose it.
The 1935 decision rested on the premise that the FTC exercised “quasi-legislative” and “quasi-judicial” power “wholly disconnected from the executive department,” a characterization the Court has since said “has not withstood the test of time.” The government stresses that the modern FTC issues binding rules, adjudicates, investigates, and sues for civil penalties under more than eighty statutes—powers generally viewed as executive in character—so the agency falls within the removal power even on Humphrey’s own logic, and what remains should be overruled outright as a “dead letter.”[16]
The pro-Humphrey’s case, as Slaughter’s brief develops it, rests on four pillars.
First, historical practice across all three branches.
From the Founding—the 1790 Sinking Fund Commission created at Hamilton’s request, the 1887 ICC, the 1913 Federal Reserve—Congress and Presidents of both parties built and operated multimember bodies insulated from at-will removal, so the question is whether they “have not collectively and protractedly labored in error” for 150 years.[17]
Second, Youngstown.
Justice Jackson’s separation-of-powers concurrence identifies the very removal provision upheld in Humphrey’s as the paradigmatic example of a valid statutory limit on presidential power. Jackson wrote, "President Roosevelt's effort to remove a Federal Trade Commissioner was found to be contrary to the policy of Congress and impinging upon an area of congressional control, and so his removal power was cut down accordingly."
Third, function and democratic design.
The multimember, bipartisan, staggered-term structure “helps to prevent arbitrary decision making and abuse of power,” and any remaining concerns are for the political branches, which can weigh agency-specific facts.
Fourth, stare decisis and reliance.
The brief argues the precedent is neither egregiously wrong nor unworkable, and that overruling a 90-year line on which dozens of agencies were built would “profoundly destabilize institutions… inextricably intertwined with the fabric of American governance.”[18] A narrowing fallback survives in both briefs’ framing: even a Court inclined against Humphrey’s could distinguish single-director executive agencies (already covered by Seila Law) from traditional multimember commissions—the line Justice Alito probed at argument.
Two respondent-side amicus briefs sharpen the pillar that matters most for the PCLOB: the agency-specific, functional-historical mode of analysis.
The administrative and constitutional law professors brief asserts a structural reading of the Take Care Clause—that it instructs the President to see that subordinates follow the law, not that he personally control every executive act—and offer the Nixon v. GSA/Morrison balancing test as the proper framework, under which a removal limit stands unless it substantially impedes the President’s constitutional functions. Tellingly, they admit the FTC wields executive power and ask the Court to retire the “quasi” labels altogether—thus conceding the government’s premise while still defending the protection.[19]
The former NCUA members in the Harper–Otsuka brief—themselves removed without cause—urge that any revisiting of Humphrey’s proceed agency by agency on functional and historical grounds rather than by a “one size fits all” rule. In doing so, they invoke Zivotofsky’s weight on historical practice and Madison’s argument in the Decision of 1789 that an officer whose duties “partake of a judiciary quality” could be insulated from at-will removal.[20]
A third brief, joined by former officials, judges, governors, and members of Congress appointed or elected as Republicans, turns the government’s own interpretive method against it.
Their brief argues that Humphrey’s was itself an originalist decision—written by Justice Sutherland, “the intellectual progenitor of originalism”—and notes that the first Trump Administration’s Solicitor General conceded in Seila Law that multimember regulators share “basic structural features” for which a removal restriction is “concomitant.”[21] That agency-specific method is the PCLOB’s best hope: a Board whose entire function is oversight of executive conduct fits the neutrality rationale these amici advance, even though its statutory text is thinner than the FTC’s.
This is not a detour. The PCLOB’s independence is far less well anchored than the FTC’s, because its for-cause protection is inferred from structure and function rather than stated expressly in the statute—precisely the functional reasoning that a broad anti-Humphrey’s holding would likely sweep away.[22]
The outcome therefore maps onto a spectrum.
A clean overruling leaves PCLOB members serving at will, eliminates the Board’s independence as a structural matter, and hands a future “Schrems III” challenger a clean argument that U.S. surveillance oversight is not independent of the executive. A narrow ruling that preserves multimember commissions could, by analogy to the FTC, save the Board, restore its quorum, and revive the EO 14086 review machinery the Data Privacy Framework depends on. The European safe harbor’s durability thus turns, in part, on a U.S. removal-power case about a fired trade commissioner.
V. The provider’s double bind
For the U.S.-controlled provider operating infrastructure on European soil, the two legal systems can pull in opposite directions over the same act.
On the American side, the compelled-assistance and liability-protection architecture of FISA Title VII plausibly shields a provider that complies with a directive, and that immunity may persist during a lapse on the strength of a still-valid FISC certification--although that issue has never been adjudicated by any federal court dealing with FISA Title VII.[23] On the European side, that American immunity is no defense at all: GDPR enforcement does not recognize a U.S. statutory liability bar as an answer to an unlawful third-country transfer. A provider could therefore hold an immunity that is good in Washington and worthless in Brussels for the identical act of production—compelled by a valid certification, yet exposed under GDPR Chapter V. That is the structural bind, and Section 702’s sunset clock touches neither prong of it.
VI. Where the law is genuinely unsettled
Four points in the foregoing sit at the frontier of unadjudicated law or imperfect measurement, and I flag them rather than paper over them.
- Provider immunity during a lapse. Whether Title VII’s liability protection survives the statute’s sunset on the strength of a still-valid FISC certification alone is a textual inference, not a holding. As noted above, to date no federal court has adjudicated it.
- GDPR exposure: lapsed certification versus active authorization. Whether a provider’s European exposure differs when it complies under a lapsed-statute certification rather than an active authorization appears untested on the EU side. The analysis above reasons from the structure of GDPR Chapter V and Schrems II, not from any decided case.
- Enforcement appetite. That EU doctrine permits enforcement against a provider caught in this bind is distinct from whether DPAs are likely to bring it. I have not located a clean post-lapse DPA statement on which to ground a prediction, and “permissible” should not be read as “probable.”
- The infrastructure figures are not commensurable. The ~70% cloud-market share, the ~90% transatlantic-capacity share, and colocation-by-revenue figures measure different things on different denominators and cannot be chained into a single composite “U.S. controls N% of European infrastructure” number. The cloud figure is offered as the defensible anchor precisely because it is multi-sourced and maps onto the statutory ECSP category; the others are context. Market data is also organized around “hyperscaler,” not the statutory ECSP definition, so each percentage requires translation—and “market share” is not “share of traffic actually carried.”
VII. Conclusion
The lapse of Section 702 is materially significant—to American intelligence consumers, and to the unresolved question of provider immunity under U.S. law. For the European liability of a U.S.-controlled provider, it is close to orthogonal. The exposure there is real, live, and continuous, gated not by Title VII’s sunset but by the Court of Justice’s pending review of the Data Privacy Framework and by a removal-power decision in the Slaughter case that may have the effect of eviscerating the PCLOB as an oversight mechanism, an event that would likely be viewed as catastrophic in the eyes of EU privacy advocates and regulators.
[1]Section 702 expired on June 12, 2026, after the House rejected an extension and Senate action stalled; collection authorized under existing FISC certifications continues for the duration of those certifications notwithstanding the statutory lapse. See CBS News, “A key spy authority is expiring” (June 12, 2026); NPR, “FISA 702 is set to lapse. Now what?” (June 12, 2026).
[2]Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd & Maximillian Schrems (CJEU Grand Chamber, July 16, 2020) (“Schrems II”). The Court invalidated the Privacy Shield adequacy decision and held that SCCs remain valid only where, after a case-by-case assessment, the data exporter ensures a level of protection essentially equivalent to EU law, if necessary through supplementary measures. See Norton Rose Fulbright analysis.
[3]The Schrems II Court expressly identified surveillance under Section 702 FISA and EO 12333 (read with PPD-28) as failing the EU proportionality principle and found the absence of redress essentially equivalent to Article 47 of the Charter. See EDPS, “Compliance Strategy – Schrems II ruling” (Dec. 10, 2020), slide 5.
[4]GDPR arts. 44–49 (Chapter V) govern transfers to third countries; the substantive standard derives from arts. 7, 8 and 47 of the EU Charter of Fundamental Rights. Absent a valid adequacy decision, supervisory authorities are required to suspend or prohibit transfers that cannot meet essential equivalence. Schrems II, ¶¶ 121–135.
[5]Additional contractual commitments cannot bind the U.S. government and so cannot, on their own, prevent collection or supply Article 47 redress; this is why SCC-plus-supplementary-measures may be legally insufficient for transfers exposed to U.S. signals intelligence. See IAB Europe, Case C-311/18 summary.
[6]Google, Meta, Microsoft, and Amazon collectively control roughly 90% of capacity on the transatlantic route and about 71% of global subsea fibre capacity. This is a capacity figure, not a measure of traffic actually carried, and the four are cloud platforms rather than classic carriers; it is offered here as supporting context, not as the load-bearing number. See ECDPM, Troubled Waters (Mar. 2026). ECDPM also notes that, unlike the U.S. FCC’s granular landing-cable reporting, the EU has no mandatory ownership reporting and “cannot fully account for who owns, funds, or exerts strategic influence over the cables on which its connectivity depends.” Id.
[7]50 U.S.C. § 1881(b)(4) defines an “electronic communication service provider” to include “a telecommunications carrier” (subpara. A), “a provider of electronic communication service” (B), and—critically here—“a provider of a remote computing service, as that term is defined in section 2711 of title 18” (C), plus a residual category for “any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored” (D). See 50 U.S.C. § 1881(b)(4) (Cornell LII). A “remote computing service”—public computer storage or processing by means of an electronic communications system, 18 U.S.C. § 2711—is commonly read to reach major cloud and internet-service providers. Privacy International, Guide to FISA § 1881a. RISAA (Apr. 2024) further amended the ECSP definition; the precise post-RISAA scope of subpara. (E) was litigated before the FISC and remains classified. See CRS R48592, FISA § 702 and RISAA.
[8]Synergy Research Group reports the three U.S. hyperscalers (AWS, Microsoft, Google) hold about 70% of the European cloud market, with European providers steady at roughly 15% (SAP and Deutsche Telekom each about 2%). Synergy Research Group (2025). A European Parliament briefing gives a convergent picture—about 70% U.S. share of the EU cloud market, EU providers down to roughly 13%, and around 80% of EU corporate software-and-cloud spending flowing to U.S. vendors. European Parliament, European Software and Cyber Dependencies (2025).
[9]Case T-553/23, Philippe Latombe v. European Commission (General Court, Sept. 3, 2025). The General Court declined to resolve standing and proceeded to the merits “in the interest of the administration of justice,” upholding the adequacy decision. See IAPP report; Bird & Bird analysis.
[10]The appeal is docketed before the Court of Justice as Case C-703/25 P. The Court of Justice has historically been more skeptical than the General Court of U.S. surveillance adequacy, having invalidated both Safe Harbor (Schrems I) and Privacy Shield (Schrems II). See WilmerHale, “ECJ to Review Challenge to DPF” (Dec. 1, 2025); Recording Law, DPF Guide (2026).
[11]On Jan. 27, 2025, the President fired three PCLOB members, eliminating the Board’s quorum. A district court ordered reinstatement (LeBlanc v. PCLOB, No. 1:25-cv-00542 (D.D.C. May 21, 2025)); the D.C. Circuit stayed that order on July 1, 2025, with the case deferred pending Trump v. Slaughter. See Brennan Center case page; Recording Law, DPF Guide (2026).
[12]The European Commission’s first periodic review flagged the PCLOB’s loss of quorum as a significant concern and stressed that restoring full operational capacity was important to the framework’s continued functioning; the PCLOB cannot conduct the annual EO 14086 compliance reviews the order requires while sub-quorum. See Recording Law, DPF Guide (2026).
[13]Trump v. Slaughter, No. 25-332 (argued Dec. 8, 2025). Questions presented: (1) whether the FTC’s statutory removal protections violate the separation of powers and, if so, whether Humphrey’s Executor v. United States, 295 U.S. 602 (1935), should be overruled; and (2) whether a federal court may prevent removal from public office. See Supreme Court order (Sept. 22, 2025); Ballotpedia case page. A decision is expected by the end of the Term.
[14]At argument, members of the Court signaled hostility to the precedent (Gorsuch: “poorly reasoned”; Roberts: “a dried husk of whatever people used to think it was”), while Alito pressed on how to craft a ruling reserving the status of agencies not before the Court. See Cranfill Sumner, “The End of Humphrey’s Executor?” (Jan. 5, 2026); Ward & Smith analysis (Dec. 16, 2025).
[15]Brief for the Petitioners at 2–12, 21–36, Trump v. Slaughter, No. 25-332 (U.S. filed Oct. 10, 2025) (Sauer, S.G.). The brief argues that Article II vests “all” executive power in the President, that removal is his “indispensable tool of control” ranking among his “conclusive and preclusive” powers (quoting Trump v. United States, 603 U.S. 593, 609 (2024)), and that Humphrey’s Executor’s premise—that the FTC exercised no executive power—“has not withstood the test of time” (quoting Seila Law, 591 U.S. at 216 n.2). Petitioners’ Brief (PDF).
[16] Id. at 33–48 (cataloguing the modern FTC’s rulemaking, adjudicatory, investigative, and civil-penalty authority under more than eighty statutes as “everyone agrees” executive power, and contending that what remains of Humphrey’s Executor should be overruled as a “dead letter”). (Brief for the Petitioners, Trump v. Slaughter, No. 25-332.)
[17]Brief for Respondent Rebecca Kelly Slaughter at 1–4, 12–40, Trump v. Slaughter, No. 25-332 (U.S. filed Nov. 7, 2025) (Agarwal, counsel of record). The brief argues that all three branches have blessed for-cause protections for multimember commissions since the Founding (citing the 1790 Sinking Fund Commission and the 1887 ICC), that Youngstown’s Jackson concurrence identifies the Humphrey’s Executor provision as the paradigmatic valid limit on presidential power (343 U.S. at 637–38 & n.4), and that stare decisis forecloses overruling a 90-year line on which “much of modern governance is based.” Respondent’s Brief (PDF).
[18] Id. at 41–58 (developing the stare decisis and reliance arguments, and quoting the warning that overruling the precedent would “profoundly destabilize institutions” that are “inextricably intertwined with the fabric of American governance”). (Brief for Respondent Slaughter, Trump v. Slaughter, No. 25-332.)
[19]Brief of Administrative and Constitutional Law Professors as Amici Curiae in Support of Respondents at 3–9, Trump v. Slaughter, No. 25-332 (U.S. filed Nov. 12, 2025) (Morrison, counsel of record). The brief argues that the Take Care Clause sits in Article II, Section 3—which concerns the President’s relations with Congress—not Section 2, where his own powers are enumerated, so it is better read to direct the President to ensure subordinates follow the laws rather than to confer illimitable removal; and that Nixon v. GSA and Morrison v. Olson supply the governing test (a law survives unless it substantially impedes the President’s constitutional functions). Law Professors’ Amicus Brief (PDF). Notably, these amici concede the FTC exercises executive power and urge the Court to abandon the “quasi” labels—agreeing with the government on that point while still defending the removal protection.
[20]Brief of Todd Harper and Tanya Otsuka as Amici Curiae in Support of Respondents at 2–16, Trump v. Slaughter, No. 25-332 (U.S. filed Nov. 14, 2025) (Levy, counsel of record). Amici—former NCUA Board members removed without cause, like Slaughter—urge that if the Court revisits Humphrey’s, it apply a functional and historical analysis specific to each agency rather than a “one size fits all” rule, invoking Zivotofsky’s emphasis on historical practice and Madison’s argument during the Decision of 1789 that the Comptroller of the Treasury could be insulated because his duties “partake of a judiciary quality.” Harper/Otsuka Amicus Brief (PDF).
[21]Brief of Former Senior White House Lawyers, Government Officials, Federal Judges, Governors, and Members of Congress Who Were Appointed or Nominated by Republican Presidents, or Who Were Elected as Republicans, as Amici Curiae in Support of Respondents at 1–5, 9–15, 25–31, Trump v. Slaughter, No. 25-332 (U.S. filed Nov. 14, 2025) (Koh & Dellinger, counsel). The brief turns originalism against the government, arguing that Humphrey’s was itself an originalist decision authored by Justice Sutherland—“the intellectual progenitor of originalism”—tracking Madison’s Decision-of-1789 framework on offices that “partake” of other branches’ functions; that the FTC fits a Founding-era tradition of removal-protected economic commissions (Sinking Fund, Mint, First and Second Banks); that the first Trump Administration’s Solicitor General conceded in Seila Law that such bodies share “basic structural features” for which a removal restriction is “concomitant”; and that, post-1935 amendments having given the President more control over the FTC (Chair designation; referral of penalty actions to the Attorney General), the agency’s constitutional character is unchanged. Republican-Appointees’ Amicus Brief (PDF).
[22]Walton, J., reasoned that at-will removal would render the Board “beholden to the very authority it is supposed to oversee.” Notably, the PCLOB’s for-cause protection is inferred from structure and function rather than stated expressly in the statute, making it more vulnerable to a broad anti-Humphrey’s holding than the FTC’s express text. See The Record (May 21, 2025); MeriTalk (May 22, 2025).
[23]The provider-immunity inference rests on the compelled-assistance and liability-protection architecture of FISA Title VII (see 50 U.S.C. § 1881a(h) directives and the related civil-liability bar). Whether that immunity survives a statutory lapse on the strength of a still-valid FISC certification alone is a textual reading, not a holding—no federal court has adjudicated it.
