1.8.2016 |
EN |
Official Journal of the European Union |
L 207/1 |
COMMISSION IMPLEMENTING DECISION (EU) 2016/1250
of 12 July 2016
pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield
(notified under document C(2016) 4176)
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1), and in particular Article 25(6) thereof,
After consulting the European Data Protection Supervisor (2),
1. INTRODUCTION
(1) |
Directive 95/46/EC sets the rules for transfers of personal data from Member States to third countries to the extent that such transfers fall within its scope. |
(2) |
Article 1 of Directive 95/46/EC and recitals 2 and 10 in its preamble seek to ensure not only effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the fundamental right to respect for private life with regard to the processing of personal data, but also a high level of protection of those fundamental rights and freedoms (3). |
(3) |
The importance of both the fundamental right to respect for private life, guaranteed by Article 7, and the fundamental right to the protection of personal data, guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union, has been emphasised in the case-law of the Court of Justice (4). |
(4) |
Pursuant to Article 25(1) of Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and the Member State laws implementing other provisions of the Directive are respected prior to the transfer. The Commission may find that a third country ensures such an adequate level of protection by reason of its domestic law or of the international commitments it has entered into in order to protect the rights of individuals. In that case, and without prejudice to compliance with the national provisions adopted pursuant to other provisions of the Directive, personal data may be transferred from the Member States without additional guarantees being necessary. |
(5) |
Pursuant to Article 25(2) of Directive 95/46/EC, the level of data protection afforded by a third country should be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations, including the rules of law, both general and sectoral, in force in the third country in question. |
(6) |
In Commission Decision 2000/520/EC (5), for the purposes of Article 25(2) of Directive 95/46/EC, the ‘Safe Harbour Privacy Principles’, implemented in accordance with the guidance provided by the so-called ‘Frequently Asked Questions’ issued by the U.S. Department of Commerce, were considered to ensure an adequate level of protection for personal data transferred from the Union to organisations established in the United States. |
(7) |
In its Communications COM(2013) 846 final (6) and COM(2013) 847 final of 27 November 2013 (7), the Commission considered that the fundamental basis of the Safe Harbour scheme had to be reviewed and strengthened in the context of a number of factors, including the exponential increase in data flows and their critical importance for the transatlantic economy, the rapid growth of the number of U.S. companies adhering to the Safe Harbour scheme and new information on the scale and scope of certain U.S. intelligence programs which raised questions as to the level of protection it could guarantee. In addition, the Commission identified a number of shortcomings and deficiencies in the Safe Harbour scheme. |
(8) |
Based on evidence gathered by the Commission, including information stemming from the work of the EU-U.S. Privacy Contact Group (8) and the information on U.S. intelligence programs received in the ad hoc EU-U.S. Working Group (9), the Commission formulated 13 recommendations for a review of the Safe Harbour scheme. These recommendations focused on strengthening the substantive privacy principles, increasing the transparency of U.S. self-certified companies' privacy policies, better supervision, monitoring and enforcement by the U.S. authorities of compliance with those principles, the availability of affordable dispute resolution mechanisms, and the need to ensure that use of the national security exception provided in Decision 2000/520/EC is limited to an extent that is strictly necessary and proportionate. |
(9) |
In its judgment of 6 October 2015 in Case C-362/14, Maximillian Schrems v Data Protection Commissioner (10), the Court of Justice of the European Union declared Decision 2000/520/EC invalid. Without examining the content of the Safe Harbour Privacy Principles, the Court considered that the Commission had not stated in that decision that the United States in fact ‘ensured’ an adequate level of protection by reason of its domestic law or its international commitments (11). |
(10) |
In this regard, the Court of Justice explained that, while the term ‘adequate level of protection’ in Article 25(6) of Directive 95/46/EC does not mean a level of protection identical to that guaranteed in the EU legal order, it must be understood as requiring the third country to ensure a level of protection of fundamental rights and freedoms ‘essentially equivalent’ to that guaranteed within the Union by virtue of Directive 95/46/EC read in the light of the Charter of Fundamental Rights. Even though the means to which that third country has recourse, in this connection, may differ from the ones employed within the Union, those means must nevertheless prove, in practice, effective (12). |
(11) |
The Court of Justice criticised the lack of sufficient findings in Decision 2000/520/EC regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security, and the existence of effective legal protection against interference of that kind (13). |
(12) |
In 2014 the Commission had entered into talks with the U.S. authorities in order to discuss the strengthening of the Safe Harbour scheme in line with the 13 recommendations contained in Communication COM(2013) 847 final. After the judgment of the Court of Justice of the European Union in the Schrems case, these talks were intensified, with a view to a possible new adequacy decision which would meet the requirements of Article 25 of Directive 95/46/EC as interpreted by the Court of Justice. The documents which are annexed to this decision and will also be published in the U.S. Federal Register are the result of these discussions. The privacy principles (Annex II), together with the official representations and commitments by various U.S. authorities contained in the documents in Annexes I, III to VII, constitute the ‘EU-U.S. Privacy Shield’. |
(13) |
The Commission has carefully analysed U.S. law and practice, including these official representations and commitments. Based on the findings developed in recitals 136-140, the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States. |
2. THE ‘EU-U.S. PRIVACY SHIELD’
(14) |
The EU-U.S. Privacy Shield is based on a system of self-certification by which U.S. organisations commit to a set of privacy principles — the EU-U.S. Privacy Shield Framework Principles, including the Supplemental Principles (hereinafter together: ‘the Principles’) — issued by the U.S. Department of Commerce and contained in Annex II to this decision. It applies to both controllers and processors (agents), with the specificity that processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles (14). |
(15) |
Without prejudice to compliance with the national provisions adopted pursuant to Directive 95/46/EC, the present decision has the effect that transfers from a controller or processor in the Union to organisations in the U.S. that have self-certified their adherence to the Principles with the Department of Commerce and have committed to comply with them are allowed. The Principles apply solely to the processing of personal data by the U.S. organisation in as far as processing by such organisations does not fall within the scope of Union legislation. (15) The Privacy Shield does not affect the application of Union legislation governing the processing of personal data in the Member States (16). |
(16) |
The protection afforded to personal data by the Privacy Shield applies to any EU data subject (17) whose personal data have been transferred from the Union to organisations in the U.S. that have self-certified their adherence to the Principles with the Department of Commerce. |
(17) |
The Principles apply immediately upon certification. One exception relates to the Accountability for Onward Transfer Principle in a case where an organisation self-certifying to the Privacy Shield already has pre-existing commercial relationships with third parties. Given that it may take some time to bring those commercial relationships into conformity with the rules applicable under the Accountability for Onward Transfer Principle, the organisation will be obliged to do so as soon as possible, and in any event no later than nine months from self-certification (provided that this takes places in the first two months following the day when the Privacy Shield becomes effective). During this interim period, the organisation must apply the Notice and Choice Principle (thus allowing the EU data subject an opt-out) and, where personal data is transferred to a third party acting as an agent, must ensure that the latter provides at least the same level of protection as is required by the Principles (18). This transitional period provides a reasonable and appropriate balance between the respect for the fundamental right to data protection and the legitimate needs of businesses to have sufficient time to adapt to the new framework where this also depends on their commercial relationships with third parties. |
(18) |
The system will be administered and monitored by the Department of Commerce based on its commitments set out in the representations from the U.S. Secretary of Commerce (Annex I to this decision). With regard to the enforcement of the Principles, the Federal Trade Commission (FTC) and the Department of Transportation have made representations that are contained in Annex IV and Annex V to this decision. |
2.1. Privacy Principles
(19) |
As part of their self-certification under the EU-U.S. Privacy Shield, organisations have to commit to comply with the Principles (19). |
(20) |
Under the Notice Principle, organisations are obliged to provide information to data subjects on a number of key elements relating to the processing of their personal data (e.g. type of data collected, purpose of processing, right of access and choice, conditions for onward transfers and liability). Further safeguards apply, in particular the requirement for organisations to make public their privacy policies (reflecting the Principles) and to provide links to the Department of Commerce's website (with further details on self-certification, the rights of data subjects and available recourse mechanisms), the Privacy Shield List (referred to in recital 30) and the website of an appropriate alternative dispute settlement provider. |
(21) |
Under the Data Integrity and Purpose Limitation Principle, personal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current. An organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject. Organisations must ensure that personal data is reliable for its intended use, accurate, complete and current. |
(22) |
Where a new (changed) purpose is materially different but still compatible with the original purpose, the Choice Principle gives data subjects the right to object (opt out). The Choice Principle does not supersede the express prohibition on incompatible processing (20). Special rules generally allowing for the opt-out ‘at any time’ from the use of personal data apply for direct marketing (21). In the case of sensitive data, organisations must normally obtain the data subject's affirmative express consent (opt in). |
(23) |
Still under the Data Integrity and Purpose Limitation Principle, personal information may be retained in a form identifying or rendering an individual identifiable (and thus in the form of personal data) only for as long as it serves the purpose(s) for which it was initially collected or subsequently authorised. This obligation does not prevent Privacy Shield organisations to continue processing personal information for longer periods, but only for the time and to the extent such processing reasonably serves one of the following specific purposes: archiving in the public interest, journalism, literature and art, scientific and historical research and statistical analysis. Longer retention of personal data for one of these purposes will be subject to the safeguards provided by the Principles. |
(24) |
Under the Security Principle, organisations creating, maintaining, using or disseminating personal data must take ‘reasonable and appropriate’ security measures, taking into account the risks involved in the processing and the nature of the data. In the case of sub-processing, organisations must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the Principles and take steps to ensure its proper implementation. |
(25) |
Under the Access Principle (22), data subjects have the right, without need for justification and only against a non-excessive fee, to obtain from an organisation confirmation of whether such organisation is processing personal data related to them and have the data communicated within reasonable time. This right may only be restricted in exceptional circumstances; any denial of, or limitation to the right of access has to be necessary and duly justified, with the organisation bearing the burden of demonstrating that these requirements are fulfilled. Data subjects must be able to correct, amend or delete personal information where it is inaccurate or has been processed in violation of the Principles. In areas where companies most likely resort to the automated processing of personal data to take decisions affecting the individual (e.g. credit lending, mortgage offers, employment), U.S. law offers specific protections against adverse decisions (23). These acts typically provide that individuals have the right to be informed of the specific reasons underlying the decision (e.g. the rejection of a credit), to dispute incomplete or inaccurate information (as well as reliance on unlawful factors), and to seek redress. These rules offer protections in the likely rather limited number of cases where automated decisions would be taken by the Privacy Shield organisation itself (24). Nevertheless, given the increasing use of automated processing (including profiling) as a basis for taking decisions affecting individuals in the modern digital economy, this is an area that needs to be closely monitored. In order to facilitate this monitoring, it has been agreed with the U.S. authorities that a dialogue on automated decision-making, including an exchange on the similarities and differences in the EU and U.S. approach in this regard, will be part of the first annual review as well as subsequent reviews as appropriate. |
(26) |
Under the Recourse, Enforcement and Liability Principle (25), participating organisations must provide robust mechanisms to ensure compliance with the other Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies. Once an organisation has voluntarily decided to self-certify (26) under the EU-U.S. Privacy Shield, its effective compliance with the Principles is compulsory. To be allowed to continue to rely on the Privacy Shield to receive personal data from the Union, such organisation must annually re-certify its participation in the framework. Organisations must also take measures to verify (27) that their published privacy policies conform to the Principles and are in fact complied with. This can be done either through a system of self-assessment, which must include internal procedures ensuring that employees receive training on the implementation of the organisation's privacy policies and that compliance is periodically reviewed in an objective manner, or outside compliance reviews, the methods of which may include auditing or random checks. In addition, the organisation must put in place an effective redress mechanism to deal with any complaints (see in this respect also recitals 43) and be subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or another U.S. authorised statutory body that will effectively ensure compliance with the Principles. |
(27) |
Special rules apply for so-called ‘onward transfers’, i.e. transfers of personal data from an organisation to a third party controller or processor, irrespective of whether the latter is located in the United States or a third country outside the United States (and the Union). The purpose of these rules is to ensure that the protections guaranteed to the personal data of EU data subjects will not be undermined, and cannot be circumvented, by passing them on to third parties. This is particularly relevant in more complex processing chains which are typical for today's digital economy. |
(28) |
Under the Accountability for Onward Transfer Principle (28), any onward transfer can only take place (i) for limited and specified purposes, (ii) on the basis of a contract (or comparable arrangement within a corporate group (29)) and (iii) only if that contract provides the same level of protection as the one guaranteed by the Principles, which includes the requirement that the application of the Principles may only be limited to the extent necessary to meet national security, law enforcement and other public interest purposes (30). This should be read in conjunction with the Notice and, in the case of an onward transfer to a third party controller (31), with the Choice Principle, according to which data subjects must be informed (among others) about the type/identity of any third party recipient, the purpose of the onward transfer as well as the choice offered and can object (opt out) or, in the case of sensitive data, have to give ‘affirmative express consent’ (opt in) for onward transfers. In the light of the Data Integrity and Purpose Limitation Principle, the obligation to provide the same level of protection as guaranteed by the Principles presupposes that the third party may only process the personal information transmitted to it for purposes that are not incompatible with the purposes for which it was originally collected or subsequently authorised by the individual. |
(29) |
The obligation to provide the same level of protection as required by the Principles applies to any and all third parties involved in the processing of the data so transferred irrespective of their location (in the U.S. or another third country) as well as when the original third party recipient itself transfers those data to another third party recipient, for example, for sub-processing purposes. In all cases, the contract with the third party recipient must provide that the latter will notify the Privacy Shield organisation if it makes a determination that it can no longer meet this obligation. When such a determination is made, the processing by the third party will cease or other reasonable and appropriate steps have to be taken to remedy the situation (32). Where compliance problems arise in the (sub-) processing chain, the Privacy Shield organisation acting as the controller of the personal data will have to prove that it is not responsible for the event giving rise to the damage, or otherwise face liability, as specified in the Recourse, Enforcement and Liability Principle. Additional protections apply in the case of an onward transfer to a third party agent (33). |
2.2. Transparency, Administration and Oversight of the EU-U.S. Privacy Shield
(30) |
The EU-U.S. Privacy Shield provides for oversight and enforcement mechanisms in order to verify and ensure that U.S. self-certified companies comply with the Principles and that any failure to comply is addressed. These mechanisms are set out in the Principles (Annex II) and the commitments undertaken by the Department of Commerce (Annex I), the FTC (Annex IV) and the Department of Transportation (Annex V). |
(31) |
To ensure the proper application of the EU-U.S. Privacy Shield, interested parties, such as data subjects, data exporters and the national Data Protection Authorities (DPAs), must be able to identify those organisations adhering to the Principles. To this end, the Department of Commerce has undertaken to maintain and make available to the public a list of organisations that have self-certified their adherence to the Principles and fall within the jurisdiction of at least one of the enforcement authorities referred to in Annexes I and II to this decision (‘Privacy Shield List’) (34). The Department of Commerce will update the list on the basis of an organisation's annual re-certification submissions and whenever an organisation withdraws or is removed from the EU-U.S. Privacy Shield. It will also maintain and make available to the public an authoritative record of organisations that have been removed from the list, in each case identifying the reason for such removal. Finally, it will provide a link to the list of Privacy Shield-related FTC enforcement cases maintained on the FTC website. |
(32) |
The Department of Commerce will make both the Privacy Shield List and the re-certification submissions publicly available through a dedicated website. Self-certified organisations must in turn provide the Department's web address for the Privacy Shield List. In addition, if available online, an organisation's privacy policy must include a hyperlink to the Privacy Shield website as well as a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. The Department of Commerce will systematically verify, in the context of an organisation's certification and re-certification to the framework, that its privacy policies conform to the Principles. |
(33) |
Organisations that have persistently failed to comply with the Principles will be removed from the Privacy Shield List and must return or delete the personal data received under the EU-U.S. Privacy Shield. In other cases of removal, such as voluntary withdrawal from participation or failure to recertify, the organisation may retain such data if it affirms to the Department of Commerce on an annual basis its commitment to continue to apply the Principles or provides adequate protection for the personal data by another authorised means (e.g. by using a contract that fully reflects the requirements of the relevant standard contractual clauses approved by the Commission). In this case, an organisation has to identify a contact point within the organisation for all Privacy Shield-related questions. |
(34) |
The Department of Commerce will monitor organisations that are no longer members of the EU-U.S. Privacy Shield, either because they have voluntarily withdrawn or because their certification has lapsed, to verify whether they will return, delete or retain (35) the personal data received previously under the framework. If they retain these data, organisations are obliged to continue to apply the Principles to them. In cases where the Department of Commerce has removed organisations from the framework due to a persistent failure to comply with the Principles, it will ensure that those organisations return or delete the personal data they had received under the framework. |
(35) |
When an organisation leaves the EU-U.S. Privacy Shield for any reason, it must remove all public statements implying that it continues to participate in the EU-U.S. Privacy Shield or is entitled to its benefits, in particular any references to the EU-U.S. Privacy Shield in its published privacy policy. The Department of Commerce will search for and address false claims of participation in the framework, including by former members (36). Any misrepresentation to the general public by an organisation concerning its adherence to the Principles in the form of misleading statements or practices is subject to enforcement action by the FTC, Department of Transportation or other relevant U.S. enforcement authorities; misrepresentations to the Department of Commerce are enforceable under the False Statements Act (18 U.S.C. § 1001) (37). |
(36) |
The Department of Commerce will ex officio monitor any false claims of Privacy Shield participation or the improper use of the Privacy Shield certification mark, and DPAs can refer organisations for review to a dedicated contact point at the Department. When an organisation has withdrawn from the EU-U.S. Privacy Shield, fails to re-certify or is removed from the Privacy Shield List, the Department of Commerce will on an on-going basis verify that it has deleted from its published privacy policy any references to the Privacy Shield that imply its continued participation and, if it continues to make false claims, refer the matter to the FTC, Department of Transportation or other competent authority for possible enforcement action. It will also send questionnaires to organisations whose self-certifications lapse or that have voluntarily withdrawn from the EU-U.S. Privacy Shield to verify whether the organisation will return, delete or continue to apply the Privacy Principles to the personal data that they received while participating in the EU-U.S. Privacy Shield and, if personal data are to be retained, verify who within the organisation will serve as an ongoing contact point for Privacy Shield-related questions. |
(37) |
On an ongoing basis, the Department of Commerce will conduct ex officio compliance reviews (38) of self-certified organisations, including through sending detailed questionnaires. It will also systematically carry out reviews whenever it has received a specific (non-frivolous) complaint, when an organisation does not provide satisfactory responses to its enquiries, or when there is credible evidence suggesting that an organisation may not be complying with the Principles. Where appropriate, the Department of Commerce will also consult with DPAs about such compliance reviews. |
2.3. Redress mechanisms, complaint handling and enforcement
(38) |
The EU-U.S. Privacy Shield, through the Recourse, Enforcement and Liability Principle, requires organisations to provide recourse for individuals who are affected by non-compliance and thus the possibility for EU data subjects to lodge complaints regarding non-compliance by U.S. self-certified companies and to have these complaints resolved, if necessary by a decision providing an effective remedy. |
(39) |
As part of their self-certification, organisations must satisfy the requirements of the Recourse, Enforcement and Liability Principle by providing for effective and readily available independent recourse mechanisms by which each individual's complaints and disputes can be investigated and expeditiously resolved at no cost to the individual. |
(40) |
Organisations may choose independent recourse mechanisms in either the Union or in the United States. This includes the possibility to voluntarily commit to cooperate with the EU DPAs. However, no such choice exists where organisations process human resources data as cooperation with the DPAs is then mandatory. Other alternatives include independent Alternative Dispute Resolution (ADR) or private-sector developed privacy programs that incorporate the Privacy Principles into their rules. The latter must include effective enforcement mechanisms in accordance with the requirements of the Recourse, Enforcement and Liability Principle. Organisations are obliged to remedy any problems of non-compliance. They must also specify that they are subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body. |
(41) |
Consequently, the Privacy Shield framework provides data subjects with a number of possibilities to enforce their rights, lodge complaints regarding non-compliance by U.S. self-certified companies and to have their complaints resolved, if necessary by a decision providing an effective remedy. Individuals can bring a complaint directly to an organisation, to an independent dispute resolution body designated by the organisation, to national DPAs or to the FTC. |
(42) |
In cases where their complaints have not been resolved by any of these recourse or enforcement mechanisms, individuals also have a right to invoke binding arbitration under the Privacy Shield Panel (Annex 1 of Annex II of this decision). Except for the arbitral panel, which requires certain remedies to be exhausted before it can be invoked, individuals are free to pursue any or all of the redress mechanism of their choice, and are not obliged to choose one mechanism over the other or to follow a specific sequence. However, there is a certain logical order that is advisable to follow, as set out below. |
(43) |
First, EU data subjects may pursue cases of non-compliance with the Principles through direct contacts with the U.S. self-certified company. To facilitate resolution, the organisation must put in place an effective redress mechanism to deal with such complaints. An organisation's privacy policy must therefore clearly inform individuals about a contact point, either within or outside the organisation, that will handle complaints (including any relevant establishment in the Union that can respond to inquiries or complaints) and about the independent complaint handling mechanisms. |
(44) |
Upon receipt of an individual's complaint, directly from the individual or through the Department of Commerce following referral by a DPA, the organisation must provide a response to the EU data subject within a period of 45 days. This response must include an assessment of the merits of the complaint and information as to how the organisation will rectify the problem. Likewise, organisations are required to respond promptly to inquiries and other requests for information from the Department of Commerce or from a DPA (39) (where the organisation has committed to cooperate with the DPA) relating to their adherence to the Principles. Organisations must retain their records on the implementation of their privacy policies and make them available upon request to an independent recourse mechanism or the FTC (or other U.S. authority with jurisdiction to investigate unfair and deceptive practices) in the context of an investigation or a complaint about non-compliance. |
(45) |
Second, individuals can also bring a complaint directly to the independent dispute resolution body (either in the United States or in the Union) designated by an organisation to investigate and resolve individual complaints (unless they are obviously unfounded or frivolous) and to provide appropriate recourse free of charge to the individual. Sanctions and remedies imposed by such a body must be sufficiently rigorous to ensure compliance by organisations with the Principles and should provide for a reversal or correction by the organisation of the effects of non-compliance and, depending on the circumstances, the termination of the further processing of the personal data at stake and/or their deletion, as well as publicity for findings of non-compliance. Independent dispute resolution bodies designated by an organisation will be required to include on their public websites relevant information regarding the EU-U.S. Privacy Shield and the services they provide under it. Each year, they must publish an annual report providing aggregate statistics regarding these services (40). |
(46) |
As part of its compliance review procedures, the Department of Commerce will verify that self-certified U.S. companies have actually registered with the independent recourse mechanisms they claim they are registered with. Both the organisations and the responsible independent recourse mechanisms are required to respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield. |
(47) |
In cases where the organisation fails to comply with the ruling of a dispute resolution or self-regulatory body, the latter must notify such non-compliance to the Department of Commerce and the FTC (or other U.S. authority with jurisdiction to investigate unfair and deceptive practices), or a competent court (41). If an organisation refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution or government body or where such a body determines that an organisation frequently fails to comply with the Principles, this will be considered as a persistent failure to comply with the result that the Department of Commerce, after first providing 30 days' notice and an opportunity to respond to the organization that has failed to comply, will strike the organisation off the list (42). If, after removal from the list, the organisation continues to make the claim of Privacy Shield certification, the Department will refer it to the FTC or other enforcement agency (43). |
(48) |
Third, individuals may also bring their complaints to a national Data Protection Authority. Organisations are obliged to cooperate in the investigation and the resolution of a complaint by a DPA either when it concerns the processing of human resources data collected in the context of an employment relationship or when the respective organisation has voluntarily submitted to the oversight by DPAs. Notably, organisations have to respond to inquiries, comply with the advice given by the DPA, including for remedial or compensatory measures, and provide the DPA with written confirmation that such action has been taken. |
(49) |
The advice of the DPAs will be delivered through an informal panel of DPAs established at Union level (44), which will help to ensure a harmonised and coherent approach to a particular complaint. Advice will be issued after both sides in the dispute have had a reasonable opportunity to comment and to provide any evidence they wish. The panel will deliver advice as quickly as the requirement for due process allows, and as a general rule within 60 days after receiving a complaint. If an organisation fails to comply within 25 days of delivery of the advice and has offered no satisfactory explanation for the delay, the panel will give notice of its intention either to submit the matter to the FTC (or other competent U.S. enforcement authority), or to conclude that the commitment to cooperate has been seriously breached. In the first alternative, this may lead to enforcement action based on Section 5 of the FTC Act (or similar statute). In the second alternative, the panel will inform the Department of Commerce which will consider the organisation's refusal to comply with the advice of the DPA panel as a persistent failure to comply that will lead to the organisation's removal from the Privacy Shield List. |
(50) |
If the DPA to which the complaint has been addressed has taken no or insufficient action to address a complaint, the individual complainant has the possibility to challenge such (in-) action in the national courts of the respective Member State. |
(51) |
Individuals may also bring complaints to DPAs even when the DPA panel has not been designated as an organisation's dispute resolution body. In these cases, the DPA may refer such complaints either to the Department of Commerce or the FTC. In order to facilitate and increase cooperation on matters relating to individual complaints and non-compliance by Privacy Shield organisations, the Department of Commerce will establish a dedicated contact point to act as a liaison and to assist with DPA inquiries regarding an organisation's compliance with the Principles (45). Likewise, the FTC has committed to establish a dedicated point of contact (46) and provide the DPAs with investigatory assistance pursuant to the U.S. SAFE WEB Act (47). |
(52) |
Fourth, the Department of Commerce has committed to receive, review and undertake best efforts to resolve complaints about an organisation's non-compliance with the Principles. To this end, the Department of Commerce provides special procedures for DPAs to refer complaints to a dedicated contact point, track them and follow up with companies to facilitate resolution. In order to expedite the processing of individual complaints, the contact point will liaise directly with the respective DPA on compliance issues and in particular update it on the status of complaints within a period of not more than 90 days following referral. This allows data subjects to bring complaints of non-compliance by U.S. self-certified companies directly to their national DPA and have them channelled to the Department of Commerce as the U.S. authority administering the EU-U.S. Privacy Shield. The Department of Commerce has also committed to provide, in the annual review of the functioning of the EU-U.S. Privacy Shield, a report that analyses in aggregate form the complaints it receives each year (48). |
(53) |
Where, on the basis of its ex officio verifications, complaints or any other information, the Department of Commerce concludes that an organisation has persistently failed to comply with the Privacy Principles it will remove such an organisation from the Privacy Shield list. Refusal to comply with a final determination by any privacy self-regulatory, independent dispute resolution or government body, including a DPA, will be regarded as a persistent failure to comply. |
(54) |
Fifth, a Privacy Shield organisation must be subject to the investigatory and enforcement powers of the U.S. authorities, in particular the Federal Trade Commission (49) that will effectively ensure compliance with the Principles. The FTC will give priority consideration to referrals of non-compliance with the Privacy Principles received from independent dispute resolution or self-regulatory bodies, the Department of Commerce and DPAs (acting on their own initiative or upon complaints) to determine whether Section 5 of the FTC Act has been violated (50). The FTC has committed to create a standardised referral process, to designate a point of contact at the agency for DPA referrals, and to exchange information on referrals. In addition, it will accept complaints directly from individuals and will undertake Privacy Shield investigations on its own initiative, in particular as part of its wider investigations of privacy issues. |
(55) |
The FTC can enforce compliance through administrative orders (‘consent orders’), and it will systematically monitor compliance with such orders. Where organisations fail to comply, the FTC may refer the case to the competent court in order to seek civil penalties and other remedies, including for any injury caused by the unlawful conduct. Alternatively, the FTC may directly seek a preliminary or permanent injunction or other remedies from a federal court. Each consent order issued to a Privacy Shield organisation will have self-reporting provisions (51), and organisations will be required to make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC. Finally, the FTC will maintain an online list of companies subject to FTC or court orders in Privacy Shield cases. |
(56) |
Sixth, as a recourse mechanism of ‘last resort’ in case none of the other available redress avenues has satisfactorily resolved an individual's complaint, the EU data subject may invoke binding arbitration by the ‘Privacy Shield Panel’. Organisations must inform individuals about their possibility, under certain conditions, to invoke binding arbitration and they are obliged to respond once an individual has invoked this option by delivering notice to the concerned organisation (52). |
(57) |
This arbitral panel will consist of a pool of at least 20 arbitrators designated by the Department of Commerce and the Commission based on their independence, integrity, as well as experience in U.S. privacy and Union data protection law. For each individual dispute, the parties will select from this pool a panel of one or three (53) arbitrators. The proceedings will be governed by standard arbitration rules to be agreed between the Department of Commerce and the Commission. These rules will supplement the already concluded framework which contains several features which enhance the accessibility of this mechanism for EU data subjects: (i) in preparing a claim before the panel, the data subject may be assisted by his or her national DPA; (ii) while the arbitration will take place in the United States, EU data subjects may choose to participate through video or telephone conference, to be provided at no cost to the individual; (iii) while the language used in the arbitration will as a rule be English, interpretation at the arbitral hearing and translation will normally (54) be provided upon a reasoned request and at no cost to the data subject; (iv) finally, while each party has to bear its own attorney's fees, if represented by an attorney before the panel, the Department of Commerce will establish a fund supplied with annual contributions by the Privacy Shield organisations, which shall cover the eligible costs of the arbitration procedure, up to maximum amounts, to be determined by the U.S. authorities in consultation with the Commission. |
(58) |
The Privacy Shield Panel will have the authority to impose ‘individual-specific, non-monetary equitable relief’ (55) necessary to remedy non-compliance with the Principles. While the panel will take into account other remedies already obtained by other Privacy Shield mechanisms when making its determination, individuals may still resort to arbitration if they consider these other remedies to be insufficient. This will allow EU data subjects to invoke arbitration in all cases where the action or inaction of the competent U.S. authorities (for instance the FTC) has not satisfactorily resolved their complaints. Arbitration may not be invoked if a DPA has the legal authority to resolve the claim at issue with respect to the U.S. self-certified company, namely in those cases where the organisation is either obliged to cooperate and comply with the advice of the DPAs as regards the processing of human resources data collected in the employment context, or has voluntarily committed to do so. Individuals can enforce the arbitration decision in the U.S. courts under the Federal Arbitration Act, thereby ensuring a legal remedy in case a company fails to comply. |
(59) |
Seventh, where an organisation does not comply with its commitment to respect the Principles and published privacy policy, additional avenues for judicial redress may be available under the law of the U.S. States which provide for legal remedies under tort law and in cases of fraudulent misrepresentation, unfair or deceptive acts or practices, or breach of contract. |
(60) |
In addition, where a DPA, upon receiving a claim by an EU data subject, considers that the transfer of an individual's personal data to an organisation in the United States is carried out in violation of EU data protection law, including when the EU data exporter has reason to believe that the organisation is not complying with the Principles, it can also exercise its powers vis-à-vis the data exporter and, if necessary, order the suspension of the data transfer. |
(61) |
In the light of the information in this section, the Commission considers that the Principles issued by the U.S. Department of Commerce as such ensure a level of protection of personal data that is essentially equivalent to the one guaranteed by the substantive basic principles laid down in Directive 95/46/EC. |
(62) |
In addition, the effective application of the Principles is guaranteed by the transparency obligations, and the administration and compliance review of the Privacy Shield by the Department of Commerce. |
(63) |
Moreover, the Commission considers that, taken as a whole, the oversight, recourse and enforcement mechanisms provided for by the Privacy Shield enable infringements of the Principles by Privacy Shield organisations to be identified and punished in practice and offer legal remedies to the data subject to gain access to personal data relating to him and, eventually, to obtain the rectification or erasure of such data. |
3. ACCESS AND USE OF PERSONAL DATA TRANSFERRED UNDER THE EU-U.S. PRIVACY SHIELD BY U.S. PUBLIC AUTHORITIES
(64) |
As follows from Annex II, Sec. I.5, adherence to the Principles is limited to the extent necessary to meet national security, public interest or law enforcement requirements. |
(65) |
The Commission has assessed the limitations and safeguards available in U.S. law as regards access and use of personal data transferred under the EU-U.S. Privacy Shield by U.S. public authorities for national security, law enforcement and other public interest purposes. In addition, the U.S. government, through its Office of the Director of National Intelligence (ODNI) (56), has provided the Commission with detailed representations and commitments that are contained in Annex VI to this decision. By letter signed by the Secretary of State and attached as Annex III to this decision the U.S. government has also committed to create a new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, who is independent from the Intelligence Community. Finally, a representation from the U.S. Department of Justice, contained in Annex VII to this decision, describes the limitations and safeguards applicable to access and use of data by public authorities for law enforcement and other public interest purposes. In order to enhance transparency and to reflect the legal nature of these commitments, each of the documents listed and annexed to this decision will be published in the U.S. Federal Register. |
(66) |
The findings of the Commission on the limitations on access and use of personal data transferred from the European Union to the United States by U.S. public authorities and the existence of effective legal protection are further elaborated below. |
3.1. Access and use by U.S. public authorities for national security purposes
(67) |
The Commission's analysis shows that U.S. law contains a number of limitations on the access and use of personal data transferred under the EU-U.S. Privacy Shield for national security purposes as well as oversight and redress mechanisms that provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse (57). Since 2013, when the Commission issued its two Communications (see recital 7), this legal framework has been significantly strengthened, as described below. |
3.1.1.
(68) |
Under the U.S. Constitution, ensuring national security falls within the President's authority as Commander in Chief, as Chief Executive and, as regards foreign intelligence, to conduct U.S. foreign affairs (58). While Congress has the power to impose limitations, and has done so in various respects, within these boundaries the President may direct the activities of the U.S. Intelligence Community, in particular through Executive Orders or Presidential Directives. This of course also applies in those areas where no Congressional guidance exists. At present, the two central legal instruments in this regard are Executive Order 12333 (‘E.O. 12333’) (59) and Presidential Policy Directive 28. |
(69) |
Presidential Policy Directive 28 (‘PPD-28’), issued on 17 January 2014, imposes a number of limitations for ‘signals intelligence’ operations (60). This presidential directive has binding force for U.S. intelligence authorities (61) and remains effective upon change in the U.S. Administration (62). PPD-28 is of particular importance for non-US persons, including EU data subjects. Among others, it stipulates that:
|
(70) |
PPD-28 directs that signals intelligence may be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purpose (e.g. to afford a competitive advantage to U.S. companies). In this regard, the ODNI explains that Intelligence Community elements ‘should require that, wherever practicable, collection should be focused on specific foreign intelligence targets or topics through the use of discriminants (e.g. specific facilities, selection terms and identifiers)’ (63). Furthermore, the representations provide assurance that decisions about intelligence collection are not left to the discretion of individual intelligence agents, but are subject to the policies and procedures that the various U.S. Intelligence Community elements (agencies) are required to put in place to implement PPD-28 (64). Accordingly, the research and determination of appropriate selectors takes place within the overall ‘National Intelligence Priorities Framework’ (NIPF) which ensures that intelligence priorities are set by high-level policymakers and regularly reviewed to remain responsive to actual national security threats and taking into account possible risks, including privacy risks (65). On this basis, agency personnel researches and identifies specific selection terms expected to collect foreign intelligence responsive to the priorities (66). Selection terms, or ‘selectors’, must be regularly reviewed to see if they still provide valuable intelligence in line with the priorities (67). |
(71) |
Furthermore, the requirements stipulated in PPD-28 that intelligence collection shall always (68) be ‘as tailored as feasible’, and that the Intelligence Community shall prioritise the availability of other information and appropriate and feasible alternatives (69), reflect a general rule of prioritisation of targeted over bulk collection. According to the assurance provided by the ODNI, they ensure in particular that bulk collection is neither ‘mass’ nor ‘indiscriminate’, and that the exception does not swallow the rule (70). |
(72) |
While PPD-28 explains that Intelligence Community elements must sometimes collect bulk signals intelligence in certain circumstances, for instance in order to identify and assess new or emerging threats, it directs these elements to prioritise alternatives that would allow the conduct of targeted signals intelligence (71). It follows that bulk collection will only occur where targeted collection via the use of discriminants — i.e. an identifier associated with a specific target (such as the target's e-mail address or phone number) — is not possible ‘due to technical or operational considerations’ (72). This applies both to the manner in which signals intelligence is collected and to what is actually collected (72). |
(73) |
According to the representations from the ODNI, even where the Intelligence Community cannot use specific identifiers to target collection, it will seek to narrow the collection ‘as much as possible’. In order to ensure this, it ‘applies filters and other technical tools to focus the collection on those facilities that are likely to contain communications of foreign intelligence value’ (and thus will be responsive to requirements articulated by U.S. policy-makers pursuant to the process described above in 70). As a consequence, bulk collection will be targeted in at least two ways: First, it will always relate to specific foreign intelligence objectives (e.g. to acquire signals intelligence about the activities of a terrorist group operating in a particular region) and focus collection on communications that have such a nexus. According to the assurance provided by the ODNI, this is reflected in the fact that the ‘United States' signals intelligence activities touch only a fraction of the communications traversing the internet’ (73). Second, the ODNI representations explain that the filters and other technical tools used will be designed to focus the collection ‘as precisely as possible’ in order to ensure that the amount of ‘non-pertinent information’ collected will be minimised. |
(74) |
Finally, even where the United States considers it necessary to collect signals intelligence in bulk, under the conditions set out in recitals 70-73, PPD-28 limits the use of such information to a specific list of six national security purposes with a view to protect the privacy and civil liberties of all persons, whatever their nationality and place of residence (74). These permissible purposes comprise measures to detect and counter threats stemming from espionage, terrorism, weapons of mass destruction, threats to cybersecurity, to the Armed Forces or military personnel, as well as transnational criminal threats related to the other five purposes, and will be reviewed at least on an annual basis. According to the representations by the U.S. government, Intelligence Community elements have reinforced their analytic practices and standards for querying unevaluated signals intelligence to conform with these requirements; the use of targeted queries ‘ensures that only those items believed to be of potential intelligence value are ever presented to analysts to examine’ (75). |
(75) |
These limitations are particularly relevant to personal data transferred under the EU-U.S. Privacy Shield, in particular in case collection of personal data were to take place outside the United States, including during their transit on the transatlantic cables from the Union to the United States. As confirmed by the U.S. authorities in the representations of the ODNI, the limitations and safeguards set out therein — including those of PPD-28 — apply to such collection (76). |
(76) |
Although not phrased in those legal terms, these principles capture the essence of the principles of necessity and proportionality. Targeted collection is clearly prioritised, while bulk collection is limited to (exceptional) situations where targeted collection is not possible for technical or operational reasons. Even where bulk collection cannot be avoided, further ‘use’ of such data through access is strictly limited to specific, legitimate national security purposes (77). |
(77) |
As a directive issued by the President as the Chief Executive, these requirements bind the entire Intelligence Community and have been further implemented through agency rules and procedures that transpose the general principles into specific directions for day-to-day operations. Moreover, while Congress is itself not bound by PPD-28, it has also taken steps to ensure that collection and access of personal data in the United States are targeted rather than carried out ‘on a generalised basis’. |
(78) |
It follows from the available information, including the representations received from the U.S. government, that once the data has been transferred to organisations located in the United States and self-certified under the EU-U.S. Privacy Shield, U.S. intelligence agencies may only (78) seek personal data where their request complies with the Foreign Intelligence Surveillance Act (FISA) or is made by the Federal Bureau of Investigation (FBI) based on a so-called National Security Letter (NSL) (79). Several legal bases exist under FISA that may be used to collect (and subsequently process) the personal data of EU data subjects transferred under the EU-U.S. Privacy Shield. Aside from Section 104 FISA (80) covering traditional individualised electronic surveillance and Section 402 FISA (81) on the installation of pen registers or trap and trace devices, the two central instruments are Section 501 FISA (ex-Section 215 U.S. PATRIOT ACT) and Section 702 FISA (82). |
(79) |
In this respect, the USA FREEDOM Act, which was enacted on 2 June 2015, prohibits the collection in bulk of records based on Section 402 FISA (pen register and trap and trace authority), Section 501 FISA (formerly: Section 215 of the U.S. PATRIOT ACT) (83) and through the use of NSL, and instead requires the use of specific ‘selection terms’ (84). |
(80) |
While the FISA contains further legal authorisations to carry out national intelligence activities, including signals intelligence, the Commission's assessment has shown that, insofar as personal data to be transferred under the EU-U.S. Privacy Shield are concerned, these authorities equally restrict interference by public authorities to targeted collection and access. |
(81) |
This is clear for traditional individualised electronic surveillance under Section 104 FISA (85). As for Section 702 FISA, which provides the basis for two important intelligence programs run by the U.S. intelligence agencies (PRISM, UPSTREAM), searches are carried out in a targeted manner through the use of individual selectors that identify specific communications facilities, like the target's e-mail address or telephone number, but not key words or even the names of targeted individuals (86). Therefore, as noted by the Privacy and Civil Liberties Oversight Board (PCLOB), Section 702 surveillance ‘consists entirely of targeting specific [non-U.S.] persons about whom an individualised determination has been made’ (87). Due to a ‘sunset’ clause, Section 702 FISA will have to be reviewed in 2017, at which time the Commission will have to reassess the safeguards available to EU data subjects. |
(82) |
Moreover, in its representations the U.S. government has given the European Commission explicit assurance that the U.S. Intelligence Community ‘does not engage in indiscriminate surveillance of anyone, including ordinary European citizens’ (88). As regards personal data collected within the United States, this statement is supported by empirical evidence which shows that access requests through NSL and under FISA, both individually and together, only concern a relatively small number of targets when compared to the overall flow of data on the internet (89). |
(83) |
As regards access to collected data and data security, PPD-28 requires that access ‘shall be limited to authorized personnel with a need to know the information to perform their mission’ and that personal information ‘shall be processed and stored under conditions that provide adequate protection and prevent access by unauthorized persons, consistent with the applicable safeguards for sensitive information’. Intelligence personnel receive appropriate and adequate training in the principles set forth in PPD-28 (90). |
(84) |
Finally, as regards the storage and further dissemination of personal data from EU data subjects collected by U.S. intelligence authorities, PPD-28 states that all persons (including non-U.S. persons) should be treated with dignity and respect, that all persons have legitimate privacy interests in the handling of their personal data and that Intelligence Community elements therefore have to establish policies providing appropriate safeguards for such data ‘reasonably designed to minimize the[ir] dissemination and retention’ (91). |
(85) |
The U.S. government has explained that this reasonableness requirement signifies that Intelligence Community elements will not have to adopt ‘any measure theoretically possible’, but will need to ‘balance their efforts to protect legitimate privacy and civil liberties interests with the practical necessities of signals intelligence activities’ (92). In this respect, non-U.S. persons will be treated in the same way as U.S. persons, based on procedures approved by the Attorney-General (93). |
(86) |
According to these rules, retention is generally limited to a maximum of five years, unless there is a specific determination in law or an express determination by the Director of National Intelligence after careful evaluation of privacy concerns — taking into account the views of the ODNI Civil Liberties Protection Officer as well as agency privacy and civil liberties officials — that continued retention is in the interest of national security (94). Dissemination is limited to cases where the information is relevant to the underlying purpose of the collection and thus responsive to an authorised foreign intelligence or law enforcement requirement (95). |
(87) |
According to the assurances given by the U.S. government, personal information may not be disseminated solely because the individual concerned is a non-U.S. person and ‘signals intelligence about the routine activities of a foreign person would not be considered foreign intelligence that could be disseminated or retained permanently by virtue of that fact alone unless it is otherwise responsive to an authorized foreign intelligence requirement’ (96). |
(88) |
On the basis of all of the above, the Commission concludes that there are rules in place in the United States designed to limit any interference for national security purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the United States under the EU-U.S. Privacy Shield to what is strictly necessary to achieve the legitimate objective in question. |
(89) |
As the above analysis has shown, U.S. law ensures that surveillance measures will only be employed to obtain foreign intelligence information — which is a legitimate policy objective (97) — and be tailored as much as possible. In particular, bulk collection will only be authorised exceptionally where targeted collection is not feasible, and will be accompanied by additional safeguards to minimise the amount of data collected and subsequent access (which will have to be targeted and only be allowed for specific purposes). |
(90) |
In the Commission's assessment, this conforms with the standard set out by the Court of Justice in the Schrems judgment, according to which legislation involving interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter must impose ‘minimum safeguards’ (98) and ‘is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail’ (99). Neither will there be unlimited collection and storage of data of all persons without any limitations, nor unlimited access. Moreover, the representations provided to the Commission, including the assurance that U.S. signals intelligence activities touch only a fraction of the communications traversing the internet, exclude that there would be access ‘on a generalised basis’ (100) to the content of electronic communications. |
3.1.2.
(91) |
The Commission has assessed both the oversight mechanisms that exist in the United States with regard to any interference by U.S. intelligence authorities with personal data transferred to the United States and the avenues available for EU data subjects to seek individual redress. |
Oversight
(92) |
The U.S. intelligence community is subject to various review and oversight mechanisms that fall within the three branches of the State. These include internal and external bodies within the executive branch, a number of Congressional Committees, as well as judicial supervision the latter specifically with respect to activities under the Foreign Intelligence Surveillance Act. |
(93) |
First, intelligence activities by U.S. authorities are subject to extensive oversight from within the executive branch. |
(94) |
According to PPD-28, Section 4(a)(iv), the policies and procedures of Intelligence Community elements ‘shall include appropriate measures to facilitate oversight over the implementation of safeguards protecting personal information’; these measures should include periodic auditing (101). |
(95) |
Multiple oversight layers have been put in place in this respect, including civil liberties or privacy officers, Inspector Generals, the ODNI Civil Liberties and Privacy Office, the PCLOB, and the President's Intelligence Oversight Board. These oversight functions are supported by compliance staff in all the agencies (102). |
(96) |
As explained by the U.S. government (103), civil liberties or privacy officers with oversight responsibilities exist at various departments with intelligence responsibilities and intelligence agencies (104). While the specific powers of these officers may vary somewhat depending on the authorising statute, they typically encompass the supervision of procedures to ensure that the respective department/agency is adequately considering privacy and civil liberties concerns and has put in place adequate procedures to address complaints from individuals who consider that their privacy or civil liberties have been violated (and in some cases, like the ODNI, may themselves have the power to investigate complaints (105)). The head of the department/agency in turn has to ensure that the officer receives all the information and is given access to all material necessary to carry out his functions. Civil liberties and privacy officers periodically report to Congress and the PCLOB, including on the number and nature of the complaints received by the department/agency and a summary of the disposition of such complaints, the reviews and inquiries conducted and the impact of the activities carried out by the officer (106) According to the assessment by the national data protection authorities, the internal oversight exercised by the civil liberties or privacy officers can be considered as ‘fairly robust’, even though in their view they do not meet the required level of independence (107). |
(97) |
In addition, each Intelligence Community element has its own Inspector General with responsibility, among others, to oversee foreign intelligence activities (108). This includes, within the ODNI, an Office of the Inspector General with comprehensive jurisdiction over the entire Intelligence Community and authorised to investigate complaints or information concerning allegations of unlawful conduct, or abuse of authority, in connection with ODNI and/or Intelligence Community programs and activities (109). Inspectors General are statutorily independent (110) units responsible for conducting audits and investigations relating to the programs and operations carried out by the respective agency for national intelligence purposes, including for abuse or violation of the law (111). They are authorised to have access to all records, reports, audits, reviews, documents, papers, recommendations or other relevant material, if need be by subpoena, and may take testimony (112). While the Inspectors General can only issue non-binding recommendations for corrective action, their reports, including on follow-up action (or the lack thereof) are made public and moreover sent to Congress which can on this basis exercise its oversight function (113). |
(98) |
Furthermore, the Privacy and Civil Liberties Oversight Board, an independent agency (114) within the executive branch composed of a bipartisan, five-member Board (115) appointed by the President for a fixed six-year term with Senate approval, is entrusted with responsibilities in the field of counterterrorism policies and their implementation, with a view to protect privacy and civil liberties. In its review of Intelligence Community action, it may access all relevant agency records, reports, audits, reviews, documents, papers and recommendations, including classified information, conduct interviews and hear testimony. It receives reports from the civil liberties and privacy officers of several federal departments/agencies (116), may issue recommendations to them, and regularly reports to Congressional committees and the President (117). The PCLOB is also tasked, within the confines of its mandate, to prepare a report assessing the implementation of PPD-28. |
(99) |
Finally, the aforementioned oversight mechanisms are complemented by the Intelligence Oversight Board established within the President's Intelligence Advisory Board which oversees compliance by U.S. intelligence authorities with the Constitution and all applicable rules. |
(100) |
To facilitate the oversight, Intelligence Community elements are encouraged to design information systems to allow for the monitoring, recording and reviewing of queries or other searches of personal information (118). Oversight and compliance bodies will periodically check the practices of Intelligence Community elements for protecting personal information contained in signals intelligence and their compliance with those procedures (119). |
(101) |
These oversight functions are moreover supported by extensive reporting requirements with respect to non-compliance. In particular, agency procedures must ensure that, when a significant compliance issue occurs involving personal information of any person, regardless of nationality, collected through signals intelligence, such issue shall be promptly reported to the head of the Intelligence Community element, which in turn will notify the Director of National Intelligence who, under PPD-28, shall determine if any corrective actions are necessary (120). Moreover, according to E.O. 12333, all Intelligence Community elements are required to report to the Intelligence Oversight Board on non-compliance incidents (121). These mechanisms ensure that the issue will be addressed at the highest level in the Intelligence Community. Where it involves a non-U.S. person, the Director of National Intelligence, in consultation with the Secretary of State and the head of the notifying department or agency, shall determine whether steps should be taken to notify the relevant foreign government, consistent with the protection of sources and methods and of U.S. personnel (122). |
(102) |
Second, in addition to these oversight mechanisms within the executive branch, the U.S. Congress, specifically the House and Senate Intelligence and Judiciary Committees, have oversight responsibilities regarding all U.S. foreign intelligence activities, including U.S. signals intelligence. According to the National Security Act, ‘[t]he President shall ensure that the congressional intelligence committees are kept fully and currently informed of the intelligence activities of the United States, including any significant anticipated intelligence activity as required by this subchapter’ (123). Also, ‘[t]he President shall ensure that any illegal intelligence activity is reported promptly to the congressional intelligence committees, as well as any corrective action that has been taken or is planned in connection with such illegal activity’ (124). Members of these committees have access to classified information as well as intelligence methods and programs (125). |
(103) |
Later statutes have extended and refined the reporting requirements, both regarding the Intelligence Community elements, the relevant Inspector Generals and the Attorney-General. For instance, FISA requires the Attorney General to ‘fully inform’ the Senate and House Intelligence and Judiciary Committees regarding the government's activities under certain sections of FISA (126). It also requires the government to provide the Congressional committees with ‘copies of all decisions, orders, or opinions of the Foreign Intelligence Surveillance Court or Foreign Intelligence Surveillance Court of Review that include significant construction or interpretation’ of FISA provisions. In particular, as regards surveillance under Section 702 FISA, oversight is exercised through statutorily required reports to the Intelligence and Judiciary Committees, as well as frequent briefings and hearings. These include a semi-annual report by the Attorney General describing the use of Section 702 FISA, with supporting documents including notably the Department of Justice and ODNI compliance reports and a description of any incidents of non-compliance (127), and a separate semi-annual assessment by the Attorney General and the DNI documenting compliance with the targeting and minimization procedures, including compliance with the procedures designed to ensure that collection is for a valid foreign intelligence purpose (128). Congress also receives reports by the Inspector Generals who are authorised to evaluate the agencies' compliance with targeting and minimization procedures and Attorney General Guidelines. |
(104) |
According to the USA FREEDOM Act of 2015, the U.S. government must disclose to Congress (and the public) each year the number of FISA orders and directives sought and received, as well as estimates of the number of U.S. and non-U.S. persons targeted by surveillance, among others (129). The Act also requires additional public reporting about the number of NSL issued, again both with regard to U.S. and non-U.S. persons (while at the same time allowing the recipients of FISA orders and certifications, as well as NSL requests, to issue transparency reports under certain conditions) (130). |
(105) |
Third, intelligence activities by U.S. public authorities based on FISA allow for review, and in some cases prior authorisation of the measures, by the FISA Court (FISC) (131), an independent tribunal (132) whose decisions can be challenged before the Foreign Intelligence Court of Review (FISCR) (133) and, ultimately, the Supreme Court of the United States (134). In case of prior authorisation, the requesting authorities (FBI, NSA, CIA, etc.) will have to submit a draft application to lawyers at the National Security Department of the Department of Justice who will scrutinise it and, if necessary, request additional information (135). Once the application has been finalised, it will have to be approved by the Attorney General, Deputy Attorney General or the Assistant Attorney General for National Security (136). The Department of Justice will then submit the application to the FISC that will assess the application and make a preliminary determination on how to proceed (137). Where a hearing takes place, the FISC has the authority to take testimony which may include expert advice (138). |
(106) |
The FISC (and FISCR) is supported by a standing panel of five individuals that have an expertise in national security matters as well as civil liberties (139). From this group the court shall appoint an individual to serve as amicus curiae to assist in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court finds that such appointment is not appropriate (140). This shall in particular ensure that privacy considerations are properly reflected in the court's assessment. The court may also appoint an individual or organisation to serve as amicus curiae, including providing technical expertise, whenever it deems this appropriate or, upon motion, permit an individual or organisation leave to file an amicus curiae brief (141). |
(107) |
As regards the two legal authorisations for surveillance under FISA that are most important for data transfers under the EU-U.S. Privacy Shield, oversight by the FISC differs. |
(108) |
Under Section 501 FISA (142), which allows the collection of ‘any tangible things (including books, records, papers, documents, and other items)’, the application to the FISC must contain a statement of facts showing that there are reasonable grounds to believe that the tangible things sought for are relevant to an authorised investigation (other than a threat assessment) conducted to obtain foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities. Also, the application must contain an enumeration of the minimisation procedures adopted by the Attorney General for the retention and dissemination of the collected intelligence (143). |
(109) |
Conversely, under Section 702 FISA (144), the FISC does not authorise individual surveillance measures; rather, it authorises surveillance programs (like PRISM, UPSTREAM) on the basis of annual certifications prepared by the Attorney General and the Director of National Intelligence. Section 702 FISA allows the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information (145). Such targeting is carried out by the NSA in two steps: First, NSA analysts will identify non-U.S. persons located abroad whose surveillance will lead, based on the analysts' assessment, to the relevant foreign intelligence specified in the certification. Second, once these individualised persons have been identified and their targeting has been approved by an extensive review mechanism within the NSA (146), selectors identifying communication facilities (such as e-mail addresses) used by the targets will be ‘tasked’ (i.e. developed and applied) (147). As indicated, the certifications to be approved by the FISC contain no information about the individual persons to be targeted but rather identify categories of foreign intelligence information (148). While the FISC does not assess — under a probable cause or any other standard — that individuals are properly targeted to acquire foreign intelligence information (149), its control extends to the condition that ‘a significant purpose of the acquisition is to obtain foreign intelligence information’ (150). Indeed, under Section 702 FISA, the NSA is allowed to collect communications of non-U.S. persons outside the U.S. only if it can be reasonably believed that a given means of communication is being used to communicate foreign intelligence information (e.g. related to international terrorism, nuclear proliferation or hostile cyber activities). Determinations to this effect are subject to judicial review (151). Certifications also need to provide for targeting and minimization procedures (152). The Attorney General and the Director of National Intelligence verify compliance and the agencies have the obligation to report any incidents of non-compliance to the FISC (153) (as well as the Congress and the President's Intelligence Oversight Board), which on this basis can modify the authorisation (154). |
(110) |
Furthermore, to increase the efficiency of the oversight by the FISC, the U.S. Administration has agreed to implement a recommendation by the PCLOB to supply to the FISC documentation of Section 702 targeting decisions, including a random sample of tasking sheets, so as to allow the FISC to assess how the foreign intelligence purpose requirement is being met in practice (155). At the same time, the U.S. Administration accepted and has taken measures to revise NSA targeting procedures to better document the foreign intelligence reasons for targeting decisions (156). |
Individual redress
(111) |
A number of avenues are available under U.S. law to EU data subjects if they have concerns whether their personal data have been processed (collected, accessed, etc.) by U.S. Intelligence Community elements, and if so, whether the limitations applicable in U.S. law have been complied with. These relate essentially to three areas: interference under FISA; unlawful, intentional access to personal data by government officials; and access to information under Freedom of Information Act (FOIA) (157). |
(112) |
First, the Foreign Intelligence Surveillance Act provides a number of remedies, available also to non-U.S. persons, to challenge unlawful electronic surveillance (158). This includes the possibility for individuals to bring a civil cause of action for money damages against the United States when information about them has been unlawfully and wilfully used or disclosed (159); to sue U.S. government officials in their personal capacity (‘under colour of law’) for money damages (160); and to challenge the legality of surveillance (and seek to suppress the information) in the event the U.S. government intends to use or disclose any information obtained or derived from electronic surveillance against the individual in judicial or administrative proceedings in the United States (161). |
(113) |
Second, the U.S. government referred the Commission to a number of additional avenues that EU data subjects could use to seek legal recourse against government officials for unlawful government access to, or use of, personal data, including for purported national security purposes (i.e. the Computer Fraud and Abuse Act (162); Electronic Communications Privacy Act (163); and Right to Financial Privacy Act (164)). All of these causes of action concern specific data, targets and/or types of access (e.g. remote access of a Computer via the internet) and are available under certain conditions (e.g. intentional/wilful conduct, conduct outside of official capacity, harm suffered) (165). A more general redress possibility is offered by the Administrative Procedure Act (5 U.S.C. § 702), according to which ‘any person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action’, is entitled to seek judicial review. This includes the possibility to ask the court to ‘hold unlawful and set aside agency action, findings, and conclusions found to be […] arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law’ (166). |
(114) |
Finally, the U.S. government has pointed to the FOIA as a means for non-U.S. persons to seek access to existing federal agency records, including where these contain the individual's personal data (167). Given its focus, the FOIA does not provide an avenue for individual recourse against interference with personal data as such, even though it could in principle enable individuals to get access to relevant information held by national intelligence agencies. Even in this respect the possibilities appear to be limited as agencies may withhold information that falls within certain enumerated exceptions, including access to classified national security information and information concerning law enforcement investigations (168). This being said, the use of such exceptions by national intelligence agencies can be challenged by individuals who can seek both administrative and judicial review. |
(115) |
While individuals, including EU data subjects, therefore have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered. Moreover, even where judicial redress possibilities in principle do exist for non-U.S. persons, such as for surveillance under FISA, the available causes of action are limited (169) and claims brought by individuals (including U.S. persons) will be declared inadmissible where they cannot show ‘standing’ (170), which restricts access to ordinary courts (171). |
(116) |
In order to provide for an additional redress avenue accessible for all EU data subjects, the U.S. government has decided to create a new Ombudsperson Mechanism as set out in the letter from the U.S. Secretary of State to the Commission which is contained in Annex III to this decision. This mechanism builds on the designation, under PPD-28, of a Senior Coordinator (at the level of Under-Secretary) in the State Department as a contact point for foreign governments to raise concerns regarding U.S. signals intelligence activities, but goes significantly beyond this original concept. |
(117) |
In particular, according to the commitments from the U.S. government, the Ombudsperson Mechanism will ensure that individual complaints are properly investigated and addressed, and that individuals receive independent confirmation that U.S. laws have been complied with or, in case of a violation of such laws, the non-compliance has been remedied (172). The Mechanism includes ‘the Privacy Shield Ombudsperson’, i.e. the Under-Secretary and further staff as well as other oversight bodies competent to oversee the different elements of the Intelligence Community on whose cooperation the Privacy Shield Ombudsperson will rely in dealing with complaints. In particular, where an individual's request relates to the compatibility of surveillance with U.S. law, the Privacy Shield Ombudsperson will be able to rely on independent oversight bodies with investigatory powers (such as the Inspector-Generals or the PCLOB). In each case the Secretary of State ensures that the Ombudsperson will have the means to ensure that its response to individual requests is based on all the necessary information. |
(118) |
Through this ‘composite structure’, the Ombudsperson Mechanism guarantees independent oversight and individual redress. Moreover, the cooperation with other oversight bodies ensures access to the necessary expertise. Finally, by imposing an obligation on the Privacy Shield Ombudsperson to confirm compliance or remediation of any non-compliance, the mechanism reflects a commitment from the U.S. government as a whole to address and resolve complaint from EU individuals. |
(119) |
First, differently from a pure government-to-government mechanism, the Privacy Shield Ombudsperson will receive and respond to individual complaints. Such complaints can be addressed to the supervisory authorities in the Member States competent for the oversight of national security services and/or the processing of personal data by public authorities that will submit them to a centralised EU body from where they will be channelled to the Privacy Shield Ombudsperson (173). This will in fact benefit EU individuals who can turn to a national authority ‘close to home’ and in their own language. It will be the task of such an authority to support the individual in making a request to the Privacy Shield Ombudsperson that contains the basic information and thus can be considered ‘complete’. The individual does not have to demonstrate that his/her personal data have in fact been accessed by the U.S. government through signals intelligence activities. |
(120) |
Second, the U.S. government commits to ensure that, in carrying out its functions, the Privacy Shield Ombudsperson will be able to rely on the cooperation from other oversight and compliance review mechanisms existing in U.S. law. This will sometimes involve national intelligence authorities, in particular where the request is to be interpreted as one for access to documents under the Freedom of Information Act. In other cases, particularly when requests relate to the compatibility of surveillance with U.S. law, such cooperation will involve independent oversight bodies (e.g. Inspector Generals) with the responsibility and power to carry out a thorough investigation (in particular through access to all relevant documents and the power to request information and statements) and address non-compliance (174). Also, the Privacy Shield Ombudsperson will be able to refer matters to the PCLOB for its consideration (175). Where any non-compliance has been found by one of these oversight bodies, the Intelligence Community element (e.g. an intelligence agency) concerned will have to remedy the non-compliance as only this will allow the Ombudsperson to provide a ‘positive’ response to the individual (i.e. that any non-compliance has been remedied) to which the U.S. government has committed. Also, as part of the cooperation, the Privacy Shield Ombudsperson will be informed of the outcome of the investigation, and the Ombudsperson will have the means to ensure that it receives all the information necessary to prepare its response. |
(121) |
Finally, the Privacy Shield Ombudsperson will be independent from, and thus free from instructions by, the U.S. Intelligence Community (176). This is of significant importance, given that the Ombudsperson will have to ‘confirm’ that (i) the complaint has been properly investigated and that (ii) relevant U.S. law — including in particular the limitations and safeguards set out in Annex VI — has been complied with or, in the event of non-compliance, such violation has been remedied. In order to be able to provide that independent confirmation, the Privacy Shield Ombudsperson will have to receive the necessary information regarding the investigation to assess the accuracy of the response to the complaint. In addition, the Secretary of State has committed to ensure that the Under-Secretary will carry out the function as Privacy Shield Ombudsperson objectively and free from any improper influence liable to have an effect on the response to be provided. |
(122) |
Overall, this mechanism ensures that individual complaints will be thoroughly investigated and resolved, and that at least in the field of surveillance this will involve independent oversight bodies with the necessary expertise and investigatory powers and an Ombudsperson that will be able to carry out its functions free from improper, in particular political, influence. Moreover, individuals will be able to bring complaints without having to demonstrate, or just to provide indications, that they have been the object of surveillance (177). In the light of these features, the Commission is satisfied that there are adequate and effective guarantees against abuse. |
(123) |
On the basis of all the above, the Commission concludes that the United States ensures effective legal protection against interferences by its intelligence authorities with the fundamental rights of the persons whose data are transferred from the Union to the United States under the EU-U.S. Privacy Shield. |
(124) |
In this respect, the Commission takes note of the Court of Justice's judgment in the Schrems case according to which ‘legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification of erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter’ (178). The Commission's assessment has confirmed that such legal remedies are provided for in the United States, including through the introduction of the Ombudsperson mechanism. The Ombudsperson mechanism provides for independent oversight with investigatory powers. In the framework of the Commission's continuous monitoring of the Privacy Shield, including through the annual joint review which shall also involve the Ombudsperson, the effectiveness of this mechanism will be reassessed. |
3.2. Access and use by U.S. public authorities for law enforcement and public interest purposes
(125) |
As regards interference with personal data transferred under the EU-U.S. Privacy Shield for law enforcement purposes, the U.S. government (through the Department of Justice) has provided assurance on the applicable limitations and safeguards which in the Commission's assessment demonstrate an adequate level of protection. |
(126) |
According to this information, under the Fourth Amendment of the U.S. Constitution (179) searches and seizures by law enforcement authorities principally (180) require a court-ordered warrant upon a showing of ‘probable cause’. In the few specifically established and exceptional cases where the warrant requirement does not apply (181), law enforcement is subject to a ‘reasonableness’ test (182). Whether a search or seizure is reasonable is ‘determined by assessing, on the one hand, the degree to which it intrudes upon an individual's privacy and, on the other, the degree to which it is needed for the promotion of legitimate governmental interests’ (183). More generally, the Fourth Amendment guarantees privacy, dignity, and protects against arbitrary and invasive acts by officers of the Government (184). These concepts capture the idea of necessity and proportionality in Union law. Once law enforcement no longer has a need to use the seized items as evidence, they should be returned (185). |
(127) |
While the Fourth Amendment right does not extend to non-U.S. persons that are not resident in the United States, the latter nevertheless benefit indirectly from its protections, given that the personal data are held by U.S. companies with the effect that law enforcement authorities in any event have to seek judicial authorisation (or at least respect the reasonableness requirement) (186). Further protections are provided by special statutory authorities, as well as the Department of Justice Guidelines, which limit law enforcement access to data on grounds equivalent to necessity and proportionality (e.g. by requiring that the FBI use the least intrusive investigative methods feasible, taking into account the effect on privacy and civil liberties) (187). According to the representations made by the U.S. government, the same or higher protections apply to law enforcement investigations at State level (with respect to investigations carried out under State laws) (188). |
(128) |
Although a prior judicial authorisation by a court or grand jury (an investigate arm of the court impanelled by a judge or magistrate) is not required in all cases (189), administrative subpoenas are limited to specific cases and will be subject to independent judicial review at least where the government seeks enforcement in court (190). |
(129) |
The same applies for the use of administrative subpoenas for public interest purposes. In addition, according to the representations from the U.S. government, similar substantive limitations apply in that agencies may only seek access to data that is relevant to matters falling with their scope of authority and have to respect the standard of reasonableness. |
(130) |
Moreover, U.S. law provides for a number of judicial redress avenues for individuals, against a public authority or one of its officials, where these authorities process personal data. These avenues, which include in particular the Administrative Procedure Act (APA), the Freedom of Information Act (FOIA) and the Electronic Communications Privacy Act (ECPA), are open to all individuals irrespective of their nationality, subject to any applicable conditions. |
(131) |
Generally, under the judicial review provisions of the Administrative Procedure Act (191), ‘any person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action’, is entitled to seek judicial review (192). This includes the possibility to ask the court to ‘hold unlawful and set aside agency action, findings, and conclusions found to be […] arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law’ (193). |
(132) |
More specifically, Title II of the Electronic Communications Privacy Act (194) sets forth a system of statutory privacy rights and as such governs law enforcement access to the contents of wire, oral or electronic communications stored by third-party service providers (195). It criminalises the unlawful (i.e. not authorised by court or otherwise permissible) access to such communications and provides recourse for an affected individual to file a civil action in U.S. federal court for actual and punitive damages as well as equitable or declaratory relief against a government official that has wilfully committed such unlawful acts, or against the United States. |
(133) |
Also, under the Freedom of Information Act (FOIA, 5 U.S.C. § 552), any person has the right to obtain access to federal agency records and, upon exhaustion of administrative remedies, to enforce such right in court, except to the extent that such records are protected from public disclosure by an exemption or special law enforcement exclusion (196). |
(134) |
In addition, several other statutes afford individuals the right to bring suit against a U.S. public authority or official with respect to the processing of their personal data, such as the Wiretap Act (197), the Computer Fraud and Abuse Act (198), the Federal Torts Claim Act (199), the Right to Financial Privacy Act (200), and the Fair Credit Reporting Act (201). |
(135) |
The Commission therefore concludes that there are rules in place in the United States designed to limit any interference for law enforcement (202) or other public interest purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the United States under the EU-U.S. Privacy Shield to what is strictly necessary to achieve the legitimate objective in question, and that ensure effective legal protection against such interference. |
4. ADEQUATE LEVEL OF PROTECTION UNDER THE EU-U.S. PRIVACY SHIELD
(136) |
In the light of the those findings, the Commission considers that the United States ensures an adequate level of protection for personal data transferred from the Union to self-certified organisations in the United States under the EU-U.S. Privacy Shield. |
(137) |
In particular, the Commission considers that the Principles issued by the U.S. Department of Commerce as a whole ensure a level of protection of personal data that is essentially equivalent to the one guaranteed by the basic principles laid down in Directive 95/46/EC. |
(138) |
In addition, the effective application of the Principles is guaranteed by the transparency obligations and the administration of the Privacy Shield by the Department of Commerce. |
(139) |
Moreover, the Commission considers that, taken as a whole, the oversight and recourse mechanisms provided for by the Privacy Shield enable infringements of the Principles by Privacy Shield organisations to be identified and punished in practice and offer legal remedies to the data subject to gain access to personal data relating to him and, eventually, to obtain the rectification or erasure of such data. |
(140) |
Finally, on the basis of the available information about the U.S. legal order, including the representations and commitments from the U.S. government, the Commission considers that any interference by U.S. public authorities with the fundamental rights of the persons whose data are transferred from the Union to the United States under the Privacy Shield for national security, law enforcement or other public interest purposes, and the ensuing restrictions imposed on self-certified organisations with respect to their adherence to the Principles, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that there exists effective legal protection against such interference. |
(141) |
The Commission concludes that this meets the standards of Article 25 of Directive 95/46/EC, interpreted in light of the Charter of Fundamental Rights of the European Union, as explained by the Court of Justice in particular in the Schrems judgment. |
5. ACTION OF DATA PROTECTION AUTHORITIES AND INFORMATION TO THE COMMISSION
(142) |
In the Schrems judgment, the Court of Justice clarified that the Commission has no competence to restrict the powers that DPAs derive from Article 28 of Directive 95/46/EC (including the power to suspend data transfers) where a person, in bringing a claim under that provision, calls into question the compatibility of a Commission adequacy decision with the protection of the fundamental right to privacy and data protection (203). |
(143) |
In order to effectively monitor the functioning of the Privacy Shield, the Commission should be informed by Member States about relevant action undertaken by DPAs. |
(144) |
The Court of Justice furthermore considered that, in line with the second subparagraph of Article 25(6) of Directive 95/46/EC, Member States and their organs must take the measures necessary to comply with acts of the Union institutions, as the latter are in principle presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality. Consequently, a Commission adequacy decision adopted pursuant to Article 25(6) of Directive 95/46/EC is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities (204). Where such an authority has received a complaint putting in question the compliance of a Commission adequacy decision with the protection of the fundamental right to privacy and data protection and considers the objections advanced to be well founded, national law must provide it with a legal remedy to put those objections before a national court which, in case of doubts, must stay proceedings and make a reference for a preliminary ruling to the Court of Justice (205). |
6. PERIODIC REVIEW OF ADEQUACY FINDING
(145) |
In the light of the fact that the level of protection afforded by the U.S. legal order may be liable to change, the Commission, following adoption of this decision, will check periodically whether the findings relating to the adequacy of the level of protection ensured by the United States under the EU-U.S. Privacy Shield are still factually and legally justified. Such a check is required, in any event, when the Commission acquires any information giving rise to a justified doubt in that regard (206). |
(146) |
Therefore, the Commission will continuously monitor the overall framework for the transfer of personal data created by the EU-U.S. Privacy Shield as well as compliance by U.S. authorities with the representations and commitments contained in the documents attached to this decision. To facilitate this process, the U.S. has committed to inform the Commission of material developments in U.S. law when relevant to the Privacy Shield in the field of data protection and the limitations and safeguards applicable to access to personal data by public authorities. Moreover, this decision will be subject to an Annual Joint Review which will cover all aspects of the functioning of the EU-U.S. Privacy Shield, including the operation of the national security and law enforcement exceptions to the Principles. In addition, since the adequacy finding may also be influenced by legal developments in Union law, the Commission will assess the level of protection provided by the Privacy Shield following the entry into application of the GDPR. |
(147) |
To perform the Annual Joint Review referred to in Annexes I, II and VI, the Commission will meet with the Department of Commerce and FTC, accompanied, if appropriate, by other departments and agencies involved in the implementation of the Privacy Shield arrangements, as well as, for matters pertaining to national security, representatives of the ODNI, other Intelligence Community elements and the Ombudsperson. The participation in this meeting will be open for EU DPAs and representatives of the Article 29 Working Party. |
(148) |
In the framework of the Annual Joint Review, the Commission will request that the Department of Commerce provides comprehensive information on all relevant aspects of the functioning of the EU-U.S. Privacy Shield, including referrals received by the Department of Commerce from DPAs and the results of ex officio compliance reviews. The Commission will also seek explanations concerning any questions or matters concerning the EU-U.S. Privacy Shield and its operation arising from any information available, including transparency reports allowed under the USA FREEDOM Act, public reports by U.S. national intelligence authorities, the DPAs, privacy groups, media reports, or any other possible source. Moreover, in order to facilitate the Commission's task in this regard, the Member States should inform the Commission of cases where the actions of bodies responsible for ensuring compliance with the Principles in the United States fail to secure compliance and of any indications that the actions of U.S. public authorities responsible for national security or the prevention, investigation, detection or prosecution of criminal offenses do not ensure the required level of protection. |
(149) |
On the basis of the annual joint review, the Commission will prepare a public report to be submitted to the European Parliament and the Council. |
7. SUSPENSION OF THE ADEQUACY DECISION
(150) |
Where, on the basis of the checks or of any other information available, the Commission concludes that the level of protection offered by the Privacy Shield can no longer be regarded as essentially equivalent to the one in the Union, or where there are clear indications that effective compliance with the Principles in the United States might no longer be ensured, or that the actions of U.S. public authorities responsible for national security or the prevention, investigation, detection or prosecution of criminal offenses do not ensure the required level of protection, it will inform the Department of Commerce thereof and request that appropriate measures are taken to swiftly address any potential non-compliance with the Principles within a specified, reasonable timeframe. If, after the expiration of the specified timeframe, the U.S. authorities fail to demonstrate satisfactorily that the EU-U.S. Privacy Shield continues to guarantee effective compliance and an adequate level of protection, the Commission will initiate the procedure leading to the partial or complete suspension or repeal of this decision (207). Alternatively, the Commission may propose to amend this decision, for instance by limiting the scope of the adequacy finding only to data transfers subject to additional conditions. |
(151) |
In particular, the Commission will initiate the procedure for suspension or repeal in case of:
|
(152) |
The Commission will also consider initiating the procedure leading to the amendment, suspension, or repeal of this decision if, in the context of the Annual Joint Review of the functioning of the EU-U.S. Privacy Shield or otherwise, the Department of Commerce or other departments or agencies involved in the implementation of the Privacy Shield, or, for matters pertaining to national security, representatives of the U.S. Intelligence Community or the Ombudsperson, fail to provide information or clarifications necessary for the assessment of compliance with the Principles, the effectiveness of complaint handling procedures, or any lowering of the required level of protection as a consequence of actions by U.S. national intelligence authorities, in particular as a consequence of the collection and/or access to personal data that is not limited to what is strictly necessary and proportionate. In this respect, the Commission will take into account the extent to which the relevant information can be obtained from other sources, including through reports from self-certified U.S. companies as allowed under the USA FREEDOM Act. |
(153) |
The Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC published its opinion on the level of protection provided by the EU-U.S. Privacy Shield (208), which has been taken into account in the preparation of this Decision. |
(154) |
The European Parliament adopted a resolution on transatlantic data flows (209). |
(155) |
The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC, |
HAS ADOPTED THIS DECISION:
Article 1
1. For the purposes of Article 25(2) of Directive 95/46/EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.
2. The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VII.
3. For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the ‘Privacy Shield List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.
Article 2
This Decision does not affect the application of the provisions of Directive 95/46/EC other than Article 25(1) that pertain to the processing of personal data within the Member States, in particular Article 4 thereof.
Article 3
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to an organisation in the United States that is included in the Privacy Shield List in accordance with Sections I and III of the Principles set out in Annex II in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall inform the Commission without delay.
Article 4
1. The Commission will continuously monitor the functioning of the EU-U.S. Privacy Shield with a view to assessing whether the United States continues to ensure an adequate level of protection of personal data transferred thereunder from the Union to organisations in the United States.
2. The Member States and the Commission shall inform each other of cases where it appears that the government bodies in the United States with the statutory power to enforce compliance with the Principles set out in Annex II fail to provide effective detection and supervision mechanisms enabling infringements of the Principles to be identified and punished in practice.
3. The Member States and the Commission shall inform each other of any indications that the interferences by U.S. public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, and/or that there is no effective legal protection against such interferences.
4. Within one year from the date of the notification of this Decision to the Member States and on a yearly basis thereafter, the Commission will evaluate the finding in Article 1(1) on the basis of all available information, including the information received as part of the Annual Joint Review referred to in Annexes I, II and VI.
5. The Commission will report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC.
6. The Commission will present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to suspending, amending or repealing this Decision or limiting its scope, among others, where there are indications:
— |
that the U.S. public authorities do not comply with the representations and commitments contained in the documents annexed to this Decision, including as regards the conditions and limitations for access by U.S. public authorities for law enforcement, national security and other public interest purposes to personal data transferred under the EU-U.S. Privacy Shield, |
— |
of a systematic failure to effectively address complaints by EU data subjects, or |
— |
of a systematic failure by the Privacy Shield Ombudsperson to provide timely and appropriate responses to requests from EU data subjects as required by Section 4(e) of Annex III. |
The Commission will also present such draft measures if the lack of cooperation of the bodies involved in ensuring the functioning of the EU-U.S. Privacy Shield in the United States prevents the Commission from determining whether the finding in Article 1(1) is affected.
Article 5
Member States shall take all the measures necessary to comply with this Decision.
Article 6
This Decision is addressed to the Member States.
Done at Brussels, 12 July 2016.
For the Commission
Věra JOUROVÁ
Member of the Commission
(1) OJ L 281, 23.11.1995, p. 31.
(2) See Opinion 4/2016 on the EU-U.S. Privacy Shield draft adequacy decision, published 30 May 2016.
(3) Case C-362/14, Maximillian Schrems v Data Protection Commissioner (‘ Schrems ’), EU:C:2015:650, paragraph 39.
(4) Case C-553/07, Rijkeboer, EU:C:2009:293, paragraph 47; Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Others, EU:C:2014:238, paragraph 53; Case C-131/12, Google Spain and Google, EU:C:2014:317, paragraphs 53, 66 and 74.
(5) Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the U.S. Department of Commerce (OJ L 215, 28.8.2000, p. 7).
(6) Communication from the Commission to the European Parliament and the Council Rebuilding Trust in EU-U.S. Data Flows, COM(2013) 846 final of 27 November 2013.
(7) Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies established in the EU, COM(2013) 847 final of 27 November 2013.
(8) See e.g. Council of the European Union, Final Report by EU-US High Level Contact Group on information sharing and privacy and personal data protection, Note 9831/08, 28 May 2008, available on the internet at: http://www.europarl.europa.eu/document/activities/cont/201010/20101019ATT88359/20101019ATT88359EN.pdf.
(9) Report on the Findings by the EU Co-chairs of the ad hoc EU-U.S. Working Group on Data Protection, 27 November 2013, available on the internet at: http://ec.europa.eu/justice/data-protection/files/report-findings-of-the-ad-hoc-eu-us-working-group-on-data-protection.pdf.
(10) See footnote 3.
(11) Schrems, paragraph 97.
(12) Schrems, paragraphs 73-74.
(13) Schrems, paragraph 88-89.
(14) See Annex II, Sec. III.10.a. In line with the definition in Sec. I.8.c., the EU controller will determine the purpose and means of processing of the personal data. Moreover, the contract with the agent has to make clear whether onward transfers are allowed (see Sec. III.10.a.ii.2.).
(15) This applies also where human resources data transferred from the Union in the context of the employment relationship are concerned. While the Principles stress the ‘primary responsibility’ of the EU employer (see Annex II, Sec. III.9.d.i.), they at the same time make clear that its conduct will be covered by the rules applicable in the Union and/or respective Member State, not the Principles. See Annex II, Sec. III.9.a.i., b.ii., c.i., d.i.
(16) This applies also to processing that takes place through the use of equipment situated in the Union but used by an organisation established outside the Union (see Article 4(1)(c) of Directive 95/46/EC). As of 25 May 2018, the General Data Protection Regulation (GDPR) will apply to the processing of personal data (i) in the context of the activities of an establishment of a controller or processor in the Union (even where the processing takes place in the United States), or (ii) of data subjects who are in the Union by a controller or processor not established in the Union where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. See Article 3(1), (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(17) The present decision has EEA relevance. The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union's internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Directive 95/46/EC, is covered by the EEA Agreement and has been incorporated into Annex XI thereof. The EEA Joint Committee has to decide on the incorporation of the present decision into the EEA Agreement. Once the present decision applies to Iceland, Liechtenstein and Norway, the EU-U.S. Privacy Shield will also cover these three countries and references in the Privacy Shield package to the EU and its Member States shall be read as including Iceland, Liechtenstein and Norway.
(18) See Annex II, Sec. III.6.e.
(19) Special rules providing additional safeguards apply for human resources data collected in the employment context as laid down in the supplemental principle on ‘Human Resources Data’ of the Privacy Principles (See Annex II, Sec. III.9). For instance, employers should accommodate the privacy preferences of employees by restricting access to the personal data, anonymising certain data or assigning codes or pseudonyms. Most importantly, organisations are required to cooperate and comply with the advice of Union Data Protection Authorities when it comes to such data.
(20) This applies to all data transfers under the Privacy Shield, including where these concern data collected through the employment relationship. While a self-certified U.S. organisation may in principle use human resources data for different, non-employment-related purposes (e.g. certain marketing communications), it must respect the prohibition on incompatible processing and moreover may do so only in accordance with the Notice and Choice Principles. The prohibition on the U.S. organisation to take any punitive action against the employee for exercising such choice, including any restriction of employment opportunities, will ensure that, despite the relationship of subordination and inherent dependency, the employee will be free from pressure and thus can exercise a genuine free choice.
(21) See Annex II, Sec. III.12.
(22) See also the supplemental principle on ‘Access’ (Annex II, Sec. III.8).
(23) See e.g. the Equal Credit Opportunity Act (ECOA, 15 U.S.C. 1691 et seq.), Fair Credit Reporting Act (FRCA, 15 USC § 1681 et seq.), or the Fair Housing Act (FHA, 42 U.S.C. 3601 et seq.).
(24) In the context of a transfer of personal data that have been collected in the EU, the contractual relationship with the individual (customer) will in most cases be with — and therefore any decision based on automated processing will typically be taken by — the EU controller which has to abide by the EU data protection rules. This includes scenarios where the processing is carried out by a Privacy Shield organisation acting as an agent on behalf of the EU controller.
(25) See also supplemental principle ‘Dispute Resolution and Enforcement’ (Annex II, Sec. III.11).
(26) See also supplemental principle ‘Self-Certification’ (Annex II, Sec. III.6).
(27) See also supplemental principle ‘Verification’ (Annex II, Sec. III.7).
(28) See also supplemental principle ‘Obligatory contracts for Onward Transfers’ (Annex II, Sec. III.10).
(29) See supplemental principle ‘Obligatory contracts for Onward Transfers’ (Annex II, Sec. III.10.b). While this principle allows for transfers based also on non-contractual instruments (e.g. intra-group compliance and control programs), the text makes clear that these instruments must always ‘ensur[e] the continuity of protection of personal information under the Principles’. Moreover, given that the self-certified U.S. organisation will remain responsible for compliance with the Principles it will have a strong incentive to use instruments that are indeed effective in practice.
(30) See Annex II, Sec. I.5.
(31) Individuals will have no opt-out right where the personal data is transferred to a third party that is acting as an agent to perform tasks on behalf of and under the instructions of the U.S. organisation. However, this requires a contract with the agent and the U.S. organisation will bear the responsibility to guarantee the protections provided under the Principles by exercising its powers of instruction.
(32) The situation is different depending on whether the third party is a controller or a processor (agent). In the first scenario, the contract with the third party must provide that the latter ceases processing or takes other reasonable and appropriate steps to remedy the situation. In the second scenario, it is for the Privacy Shield organisation — as the one controlling the processing under whose instructions the agent operates — to take these measures.
(33) In such a case, the U.S. organisation must also take reasonable and appropriate steps (i) to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organisation's obligations under the Principles and, (ii) to stop and remediate unauthorised processing, upon notice.
(34) Information about the management of the Privacy Shield List can be found in Annex I and Annex II (Sec. I.3, Sec. I.4, III.6.d, and Sec. III.11.g).
(35) See e.g. Annex II, Sec. I.3, Sec. III.6.f. and Sec. III.11.g.i.
(36) See Annex I, section on ‘Search for and Address False Claims of Participation’.
(37) See Annex II, Sec. III.6.h. and Sec. III.11.f.
(38) See Annex I.
(39) This is the handling authority designated by the panel of DPAs provided for in the supplemental principle on ‘The Role of the Data Protection Authorities’ (Annex II, Sec. III.5).
(40) The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed.
(41) See Annex II, Sec. III.11.e.
(42) See Annex II, Sec. III.11.g, in particular points (ii) and (iii).
(43) See Annex I, section on ‘Search for and Address False Claims of Participation’.
(44) The rules of procedure of the informal DPA panel should be established by the DPAs based on their competence to organise their work and cooperate among each other.
(45) See Annex I, sections on ‘Increase Cooperation with DPAs’ and ‘Facilitate Resolution of Complaints about Non-Compliance’ and Annex II, Sec. II.7.e.
(46) See Annex IV, p. 6.
(47) ibid.
(48) See Annex I, section on ‘Facilitate Resolution of Complaints about Non-Compliance’.
(49) A Privacy Shield organisation has to publicly declare its commitment to comply with the Principles, publicly disclose its privacy policies in line with these Principles and fully implement them. Failure to comply is enforceable under Section 5 of the FTC Act prohibiting unfair and deceptive acts in or affecting commerce.
(50) According to information from the FTC, it has no power to conduct on-site inspections in the area of privacy protection. However, it has the power to compel organisations to produce documents and provide witness statements (see Section 20 of the FTC Act), and may use the court system to enforce such orders in case of non-compliance.
(51) FTC or court orders may require companies to implement privacy programs and to regularly make compliance reports or independent third-party assessments of those programs available to the FTC.
(52) See Annex II, Sec. II.1.xi and III.7.c.
(53) The number of arbitrators on the panel will have to be agreed between the parties.
(54) However, the panel may find that, under the circumstances of the specific arbitration, coverage would lead to unjustified or disproportionate costs.
(55) Individuals may not claim damages in arbitration, but in turn invoking arbitration will not foreclose the option to seek damages in the ordinary U.S. courts.
(56) The Director of National Intelligence (DNI) serves as the head of the Intelligence Community and acts as the principal advisor to the President and the National Security Council. See the Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. 108-458 of 17.12.2004. Among others, the ODNI shall determine requirements for, and manage and direct the tasking, collection, analysis, production and dissemination of national intelligence by the Intelligence Community, including by developing guidelines for how information or intelligence is accessed, used and shared. See Sec. 1.3 (a), (b) of E.O. 12333.
(57) See Schrems, paragraph 91.
(58) U.S. Const., Article II. See also the introduction to PPD-28.
(59) E.O. 12333: United States Intelligence Activities, Federal Register Vol. 40, No 235 (8 December 1981). To the extent that the Executive Order is publicly accessible, it defines the goals, directions, duties and responsibilities of U.S. intelligence efforts (including the role of the various Intelligence Community elements) and sets out the general parameters for the conduct of intelligence activities (in particular the need to promulgate specific procedural rules). According to Sec. 3.2 of E.O. 12333, the President, supported by the National Security Council, and the DNI shall issue such appropriate directives, procedures and guidance as are necessary to implement the order.
(60) According to E.O. 12333, the Director of the National Security Agency (NSA) is the Functional Manager for signals intelligence and shall operate a unified organization for signals intelligence activities.
(61) For the definition of the term ‘Intelligence Community’, see Sec. 3.5 (h) of E.O. 12333 with n. 1 of PPD-28.
(62) See Memorandum by the Office of Legal Counsel, Department of Justice (DOJ), to President Clinton, 29 January 2000. According to this legal opinion, presidential directives have the ‘same substantive legal effect as an Executive Order’.
(63) ODNI Representations (Annex VI), p. 3.
(64) See Sec. 4(b),(c) of PPD-28. According to public information, the 2015 review confirmed the existing six purposes. See ODNI, Signals Intelligence Reform, 2016 Progress Report.
(65) ODNI Representations (Annex VI), p. 6 (with reference to Intelligence Community Directive 204). See also Sec. 3 of PPD-28.
(66) ODNI Representations (Annex VI), p. 6. See, for instance, NSA Civil Liberties and Privacy Office (NSA CLPO), NSA's Civil Liberties and Privacy Protections for Targeted SIGINT Activities under Executive Order 12333, 7 October 2014. See also ODNI Status Report 2014. For access requests under Sec. 702 FISA, queries are governed by the FISC-approved minimization procedures. See NSA CLPO, NSA's Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014.
(67) See Signal Intelligence Reform, 2015 Anniversary Report. See also ODNI Representations (Annex VI), pp. 6, 8-9, 11.
(68) See ODNI Representations (Annex VI), p. 3.
(69) It should also be noted that, according to Sec. 2.4 of E.O. 12333, elements of the IC ‘shall use the least intrusive collection techniques feasible within the United States’. As regards the limitations for substituting all bulk collection with targeted collections, see the results of an assessment by the National Research Council as reported by the European Union Agency for Fundamental Rights, Surveillance by intelligence services: fundamental rights, safeguards and remedies in the EU (2015), p. 18.
(70) ODNI Representations (Annex VI), p. 4.
(71) See also Sec. 5(d) of PPD-28 which directs the Director of National Intelligence, in coordination with the heads of relevant Intelligence Community elements and the Office of Science and Technology Policy, to provide the President with a ‘report assessing the feasibility of creating software that would allow the Intelligence Community more easily to conduct targeted information acquisition rather than bulk collection.’ According to public information, the result of this report was that ‘there is no software-based alternative which will provide a complete substitute for bulk collection in the detection of some national security threats.’ See Signals Intelligence Reform, 2015 Anniversary Report.
(72) See footnote 68.
(73) ODNI Representations (Annex VI). This specifically addresses the concern expressed by the national data protection authorities in their opinion on the draft adequacy decision. See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 38 with n. 47.
(74) See Sec. 2 of PPD-28.
(75) ODNI Representations (Annex VI), p. 4. See also Intelligence Community Directive 203.
(76) ODNI Representations (Annex VI), p. 2. Likewise, the limitations stipulated in E.O. 12333 (e.g. the need for collected information to respond to intelligence priorities set by the President) apply.
(77) See Schrems, paragraph 93.
(78) In addition, the collection of data by the FBI may also be based on law enforcement authorizations (see Section 3.2 of this decision).
(79) For further explanations on the use of NSL see ODNI Representations (Annex VI), pp. 13-14 with n. 38. As indicated therein, the FBI may resort to NSLs only to request non-content information relevant to an authorized national security investigation to protect against international terrorism or clandestine intelligence activities. As regards data transfers under the EU-U.S. Privacy Shield, the most relevant legal authorization appears to be the Electronic Communications Privacy Act (18 U.S.C. § 2709), which requires that any request for subscriber information or transactional records uses a ‘term that specifically identifies a person, entity, telephone number, or account’.
(80) 50 U.S.C. § 1804. While this legal authority requires a ‘statement of the facts and circumstances relied upon by the applicant to justify his belief that (A) the target of the electronic surveillance is a foreign power or an agent of a foreign power’, the latter may include non-U.S. persons that engage in international terrorism or the international proliferation of weapons of mass destruction (including preparatory acts) (50 U.S.C. § 1801 (b)(1)). Still, there is only a theoretical link to personal data transferred under the EU-U.S. Privacy Shield, given that the statement of facts also has to justify the belief that ‘each of the facilities or places at which the electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power’. In any event, the use of this authority requires application to the FISC which will assess, among others, whether on the basis of the submitted facts there is probable cause that this is indeed the case.
(81) 50 U.S.C. § 1842 with § 1841(2) and Sec. 3127 of Title 18. This authority does not concern the contents of communications, but rather aims at information about the customer or subscriber using a service (such as name, address, subscriber number, length/type of service received, source/mechanism of payment). It requires an application for an order by the FISC (or a U.S. Magistrate Judge) and the use of a specific selection term in the sense of § 1841(4), i.e. a term that specifically identifies a person, account, etc. and is used to limit, to the greatest extent reasonably possible, the scope of the information sought.
(82) While Sec. 501 FISA (ex-Sec. 215 U.S. PATRIOT ACT) authorizes the FBI to request a court order aiming at the production of ‘tangible things’ (in particular telephone metadata, but also business records) for foreign intelligence purposes, Sec. 702 FISA allows US Intelligence Community elements to seek access to information, including the content of internet communications, from within the United States, but targeting certain non-U.S. persons outside the United States.
(83) Based on this provision, the FBI may request ‘tangible things’ (e.g. records, papers, documents) based on a showing to the Foreign Intelligence Surveillance Court (FISC) that there are reasonable grounds to believe that they are relevant to a specific FBI investigation. In carrying out its search, the FBI must use FISC-approved selection terms for which there is a ‘reasonable, articulable suspicion’ that such term is associated with one or more foreign powers or their agents engaged in international terrorism or activities in preparation therefore. See PCLOB, Sec. 215 Report, p. 59; NSA CLPO, Transparency Report: The USA Freedom Act Business Records FISA Implementation, 15 January 2016, pp. 4-6.
(84) ODNI Representations (Annex VI), p. 13 (n. 38).
(85) See footnote 81.
(86) PCLOB, Sec. 702 Report, pp. 32-33 with further references. According to its privacy office, the NSA must verify that there is a connection between the target and the selector, must document the foreign intelligence information expected to be acquired, this information must be reviewed and approved by two senior NSA analysts, and the overall process will be tracked for subsequent compliance reviews by the ODNI and Department of Justice. See NSA CLPO, NSA's Implementation of Foreign Intelligence Act Section 702, 16 April 2014.
(87) PLCOB, Sec. 702 Report, p. 111. See also ODNI Representations (Annex VI), p. 9 (‘Collection under Section 702 of the [FISA] is not “mass and indiscriminate” but is narrowly focused on the collection of foreign intelligence from individually identified legitimate targets’) and p. 13, n. 36 (with reference to a 2014 FISC Opinion); NSA CLPO, NSA's Implementation of Foreign Intelligence Act Section 702, 16 April 2014. Even in the case of UPSTREAM, the NSA may only request the interception of electronic communications to, from, or about tasked selectors.
(88) ODNI Representations (Annex VI), p. 18. See also p. 6, according to which the applicable procedures ‘demonstrate a clear commitment to prevent arbitrary and indiscriminate collection of signals intelligence information, and to implement — from the highest levels of our Government — the principle of reasonableness.’
(89) See Statistical Transparency Report Regarding Use of National Security Authorities, 22 April 2015. For the overall flow of data on the internet, see for example Fundamental Rights Agency, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU (2015), at pp. 15-16. As regards the UPSTREAM program, according to a declassified FISC opinion of 2011, over 90 % of the electronic communications acquired under Sec. 702 FISA came from the PRISM program, whereas less than 10 % came from UPSTREAM. See FISC, Memorandum Opinion, 2011 WL 10945618 (FISA Ct., 3.10.2011), n. 21 (available at: http://www.dni.gov/files/documents/0716/October-2011-Bates-Opinion-and%20Order-20140716.pdf).
(90) See Sec. 4(a)(ii) of PPD-28. See also ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, July 2014, p. 5, according to which ‘Intelligence Community element policies should reinforce existing analytic practices and standards whereby analysts must seek to structure queries or other search terms and techniques to identify intelligence information relevant to a valid intelligence or law enforcement task; focus queries about persons on the categories of intelligence information responsive to an intelligence or law enforcement requirement; and minimize the review of personal information not pertinent to intelligence or law enforcement requirements.’ See e.g. CIA, Signals Intelligence Activities, p. 5; FBI, Presidential Policy Directive 28 Policies and Procedures, p. 3. According to the 2016 Progress Report on the Signals Intelligence Reform, IC elements (including the FBI, CIA and NSA) have taken steps to sensitise their personnel to the requirements of PPD-28 by creating new or modifying existing training policies.
(91) According to the ODNI Representations, these restrictions apply regardless of whether the information was collected in bulk or through targeted collection, and of the individual's nationality.
(92) See ODNI Representations (Annex VI).
(93) See Sec. 4(a)(i) of PPD-28 with Sec 2.3 of E.O. 12333.
(94) Sec. 4(a)(i) of PPD-28; ODNI Representations (Annex VI), p. 7. For instance, for personal information collected under Sec. 702 FISA, the NSA's FISC-approved minimization procedures foresee as a rule that the metadata and unevaluated content for PRISM is retained for no more than five years, whereas UPSTREAM data is retained for no more than two years. The NSA complies with these storage limits through an automated process that deletes collected data at the end of the respective retention period. See NSA Sec. 702 FISA Minimization Procedures, Sec. 7 with Sec. 6(a)(1); NSA CLPO, NSA's Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014. Likewise, retention under Sec. 501 FISA (ex-Sec. 215 U.S. PATRIOT ACT) is limited to five years, unless the personal data form part of properly approved dissemination of foreign intelligence information or the DOJ advises the NSA in writing that the records are subject to a preservation obligation in pending or anticipated litigation. See NSA, CLPO, Transparency Report: The USA Freedom Act Business Records FISA Implementation, 15 January 2016.
(95) In particular, in case of Sec. 501 FISA (ex-Sec. 215 U.S. PATRIOT ACT), dissemination of personal information may take place only for counterterrorism purposes or as evidence of a crime; in case of Sec. 702 FISA only if there is a valid foreign intelligence or law enforcement purpose. Cf. NSA, CLPO, NSA's Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014; Transparency Report: The USA Freedom Act Business Records FISA Implementation, 15 January 2016. See also NSA's Civil Liberties and Privacy Protections for Targeted SIGINT Activities under Executive Order 12333, 7 October 2014.
(96) ODNI Representations (Annex VI), p. 7 (with reference to Intelligence Community Directive (ICD) 203).
(97) The Court of Justice has clarified that national security constitutes a legitimate policy objective. See Schrems, paragraph 88. See also Digital Rights Ireland and Others, paragraphs 42-44 and 51, in which the Court of Justice considered that the fight against serious crime, in particular organised crime and terrorism, may depend to a large extent on the use of modern investigation techniques. Moreover, unlike for criminal investigations that typically concern the retrospective determination of responsibility and guilt for past conduct, intelligence activities often focus on preventing threats to national security before harm has occurred. Therefore, such investigations may often have to cover a broader range of possible actors (‘targets’) and a wider geographic area. Cf. ECtHR, Weber and Saravia v Germany, Decision of 29 June 2006, Application no. 54934/00, paragraphs 105-118 (on so-called ‘strategic monitoring’).
(98) Schrems, paragraph 91, with further references.
(99) Schrems, paragraph 93.
(100) Cf. Schrems, paragraph 94.
(101) ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, p. 7. See e.g. CIA, Signals Intelligence Activities, p. 6 (Compliance); FBI, Presidential Policy Directive 28 Policies and Procedures, Sec. III (A)(4), (B)(4); NSA, PPD-28 Section 4 Procedures, 12 January 2015, Sec. 8.1, 8.6(c).
(102) For instance, the NSA employs more than 300 compliance staff in the Directorate for Compliance. See ODNI Representations (Annex VI), p. 7.
(103) See Ombudsperson Mechanism (Annex III), Sec. 6(b) (i) to (iii).
(104) See 42 U.S.C. § 2000ee-1. This includes for instance the Department of State, the Department of Justice (including the FBI), the Department of Homeland Security, the Department of Defense, the NSA, CIA and the ODNI.
(105) According to the U.S. government, if the ODNI Civil Liberties and Privacy Office receives a complaint, it will also coordinate with other Intelligence Community elements on how that complaint should be further processed within the IC. See Ombudsperson Mechanism (Annex III), Sec. 6(b)(ii).
(106) See 42 U.S.C. § 2000ee-1 (f)(1),(2).
(107) Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 41.
(108) ODNI Representations (Annex VI), p. 7. See e.g. NSA, PPD-28 Section 4 Procedures, 12 January 2015, Sec. 8.1; CIA, Signals Intelligence Activities, p. 7 (Responsibilities).
(109) This Inspector General (IG) (which was created in October 2010) is appointed by the President, with Senate confirmation, and can be removed only by the President, not the DNI.
(110) These IGs have secure tenure and may only be removed by the President who must communicate to Congress in writing the reasons for any such removal. This does not necessarily mean that they are completely free from instructions. In some cases, the head of the department may prohibit the Inspector General from initiating, carrying out, or completing an audit or investigation where this is considered necessary to preserve important national (security) interests. However, Congress must be informed of the exercise of this authority and on this basis could hold the respective director responsible. See, e.g. Inspector General Act of 1978, § 8 (IG of the Department of Defense); § 8E (IG of the DOJ), § 8G (d)(2)(A),(B) (IG of the NSA); 50. U.S.C. § 403q (b) (IG for the CIA); Intelligence Authorization Act For Fiscal Year 2010, Sec 405(f) (IG for the Intelligence Community). According to the assessment by the national data protection authorities, the Inspector-Generals ‘are likely to meet the criterion for organisational independence as defined by the CJEU and the European Court of Human Rights (ECtHR), at least from the moment the new nomination process applies to all.’ See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 40.
(111) See ODNI Representations (Annex VI), p. 7. See also Inspector General Act of 1978, as amended, Pub. L. 113-126 of 7 July 2014.
(112) See Inspector General Act of 1978, § 6.
(113) See ODNI Representations (Annex VI), p. 7. See also Inspector General Act of 1978, §§ 4(5), 5. According to Sec. 405(b)(3),(4) of the Intelligence Authorization Act For Fiscal Year 2010, Pub. L. 111-259 of 7 October 2010, the IG for the Intelligence Community will keep the DNI as well as Congress informed of the necessity for, and the progress of, corrective actions.
(114) According to the assessment by the national data protection authorities, the PCLOB has in the past ‘demonstrated its independent powers’. See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 42.
(115) In addition, the PCLOB employs some 20 regular staff. See https://www.pclob.gov/about-us/staff.html.
(116) These include at least the Department of Justice, the Department of Defense, the Department of Homeland Security, the Director of National Intelligence and the Central Intelligence Agency, plus any other department, agency or element of the executive branch designated by the PCLOB to be appropriate for coverage.
(117) See 42 U.S.C. § 2000ee. See also Ombudsperson Mechanism (Annex III), Sec. 6(b) (iv). Among others, the PCLOB is required to report when an Executive Branch agency declines to follow its advice.
(118) ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, pp. 7-8.
(119) Id. at p. 8. See also ODNI Representations (Annex VI), p. 9.
(120) ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, p. 7. See, e.g. NSA, PPD-28 Section 4 Procedures, 12 January 2015, Sec. 7.3, 8.7(c),(d); FBI, Presidential Policy Directive 28 Policies and Procedures, Sec. III.(A)(4), (B)(4); CIA, Signals Intelligence Activities, p. 6 (Compliance) and p. 8 (Responsibilities).
(121) See E.O. 12333, Sec. 1.6(c).
(122) PPD-28, Sec. 4(a)(iv).
(123) See Sec. 501(a)(1) (50 U.S.C. § 413(a)(1)). This provision contains the general requirements as regards Congressional oversight in the area of national security.
(124) See Sec. 501(b) (50 U.S.C. § 413(b)).
(125) Cf. Sec. 501(d) (50 U.S.C. § 413(d)).
(126) See 50 U.S.C. §§ 1808, 1846, 1862, 1871, 1881f.
(127) See 50 U.S.C. § 1881f.
(128) See 50 U.S.C. § 1881a(l)(1).
(129) See USA FREEDOM Act of 2015, Pub. L. No 114-23, Sec. 602(a). In addition, according to Sec 402, ‘the Director of National Intelligence, in consultation with the Attorney General, shall conduct a declassification review of each decision, order, or opinion issued by the Foreign Intelligence Surveillance Court or the Foreign Intelligence Surveillance Court of Review (as defined in section 601(e)) that includes a significant construction or interpretation of any provision of law, including any novel or significant construction or interpretation of the term “specific selection term”, and, consistent with that review, make publicly available to the greatest extent practicable each such decision, order, or opinion.’
(130) USA FREEDOM Act, Sec. 602(a), 603(a).
(131) For certain types of surveillance, alternatively a U.S. Magistrate Judge publicly designated by the Chief Justice of the United States may have the power to hear applications and grant orders.
(132) The FISC is comprised of eleven judges appointed by the Chief Justice of the United States from among sitting U.S. district court judges, who previously have been appointed by the President and confirmed by the Senate. The judges, who have life tenure and can only be removed for good cause, serve on the FISC for staggered seven-year terms. FISA requires that the judges be drawn from at least seven different U.S. judicial circuits. See Sec 103 FISA (50 U.S.C. 1803 (a)); PCLOB, Sec. 215 Report, pp. 174-187. The judges are supported by experienced judicial law clerks that constitute the court's legal staff and prepare legal analysis on collection requests. See PCLOB, Sec. 215 Report, p. 178; Letter from the Honourable Reggie B. Walton, Presiding Judge, U.S. Foreign Intelligence Surveillance Court, to the Honourable Patrick J. Leahy, Chairman, Committee on the Judiciary, U.S. Senate (July 29, 2013) (‘Walton Letter’), pp. 2-3.
(133) The FISCR is composed of three judges appointed by the Chief Justice of the United States and drawn from U.S. district courts or courts of appeals, serving for a staggered seven year term. See Sec. 103 FISA (50 U.S.C. § 1803 (b)).
(134) See 50 U.S.C. §§ 1803 (b), 1861 a (f), 1881 a (h), 1881 a (i)(4).
(135) For instance, additional factual details about the target of the surveillance, technical information about the surveillance methodology, or assurances about how the information acquired will be used and disseminated. See PCLOB, Sec. 215 Report, p. 177.
(136) 50 U.S.C. §§ 1804 (a), 1801 (g).
(137) The FISC may approve the application, request further information, determine the necessity of a hearing or indicate a possible denial of the application. On the basis of this preliminary determination, the government will make its final application. The latter may include substantial changes to the original application on the basis of the judge's preliminary comments. Although a large percentage of final applications are approved by the FISC, a substantial part of these contain substantive changes to the original application, e.g. 24 % of applications approved for the period from July to September 2013. See PCLOB, Sec. 215 Report, p. 179; Walton Letter, p. 3.
(138) PCLOB, Sec. 215 Report, p. 179, n. 619.
(139) 50 U.S.C. § 1803 (i)(1),(3)(A). This new legislation implemented recommendations by the PCLOB to establish a pool of privacy and civil liberties experts that can serve as amicus curiae, in order to provide the court with legal arguments to the advancement of privacy and civil liberties. See PCLOB, Sec. 215 Report, pp. 183-187.
(140) 50 U.S.C. § 1803 (i)(2)(A). According to information by the ODNI, such appointments have already taken place. See Signals Intelligence Reform, 2016 Progress Report.
(141) 50 U.S.C. § 1803 (i)(2)(B).
(142) 50 U.S.C. § 1861
(143) 50 U.S.C. § 1861 (b).
(144) 50 U.S.C. § 1881.
(145) 50 U.S.C. § 1881a (a).
(146) PCLOB, Sec. 702 Report, p. 46.
(147) 50 U.S.C. § 1881a (h).
(148) 50 U.S.C. § 1881a (g). According to the PCLOB, these categories have so far mainly concerned international terrorism and topics such as the acquisition of weapons of mass destruction. See PCLOB, Sec. 702 Report, p. 25.
(149) PCLOB, Sec. 702 Report, p. 27.
(150) 50 U.S.C. § 1881a.
(151) ‘Liberty and Security in a Changing World’, Report and Recommendations of the President's Review Group on Intelligence and Communications Technologies, 12 December 2013, p. 152.
(152) 50 U.S.C.1881a (i).
(153) Rule 13(b) of the FISC Rules of Procedure requires the government to file a written notice with the Court immediately upon discovering that any authority or approval granted by the Court has been implemented in a manner that does not comply with the Court's authorization or approval, or with applicable law. It also requires the government to notify the Court in writing of the facts and circumstances relevant to such non-compliance. Typically, the government will file a final Rule 13(a) notice once the relevant facts are known and any unauthorized collection has been destroyed. See Walton Letter, p. 10.
(154) 50 U.S.C. § 1881 (l). See also PCLOB, Sec. 702 Report, pp. 66-76; NSA CLPO, NSA's Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014. The collection of personal data for intelligence purposes under Sec 702 FISA is subject to both internal and external oversight within the executive branch. Among others, the internal oversight includes internal compliance programs to evaluate and oversee compliance with targeting and minimization procedures; reporting of non-compliance incidents, both internally and externally to the ODNI, Department of Justice, Congress and the FISC; and annual reviews sent to the same bodies. As for external oversight, it mainly consists in targeting and minimization reviews conducted by the ODNI, DOJ and Inspectors General, which in turn report to Congress and the FISC, including on non-compliance incidents. Significant compliance incidents must be reported to the FISC immediately, others in a quarterly report. See PCLOB, Sec. 702 Report, pp. 66-77.
(155) PCLOB, Recommendations Assessment Report, 29 January 2015, p. 20.
(156) PCLOB, Recommendations Assessment Report, 29 January 2015, p. 16.
(157) In addition, Sec. 10 of the Classified Information Procedures Act provides that, in any prosecution in which the United States must establish that material constitutes classified information (e.g. because it requires protection against unauthorized disclosure for reasons of national security), the United States shall notify the defendant of the portions of the material that it reasonably expects to rely upon to establish the classified information element of the offense.
(158) See for the following ODNI Representations (Annex VI), p. 16.
(159) 18 U.S.C. § 2712.
(160) 50 U.S.C. § 1810.
(161) 50 U.S.C. § 1806.
(162) 18 U.S.C. § 1030.
(163) 18 U.S.C. §§ 2701-2712.
(164) 12 U.S.C. § 3417.
(165) ODNI Representations (Annex VI), p. 17.
(166) 5 U.S.C. § 706(2)(A).
(167) 5 U.S.C. § 552. Similar laws exist at State level.
(168) If this is the case, the individual will normally only receive a standard reply by which the agency declines either to confirm or deny the existence of any records. See ACLU v CIA, 710 F.3d 422 (D.C. Cir. 2014).
(169) See ODNI Representations (Annex VI), p. 16. According to the explanations provided, the available causes of action either require the existence of damage (18 U.S.C. § 2712; 50 U.S.C. § 1810) or a showing that the government intends to use or disclose information obtained or derived from electronic surveillance of the person concerned against that person in judicial or administrative proceedings in the United States (50 U.S.C. § 1806). However, as the Court of Justice has repeatedly stressed, to establish the existence of an interference with the fundamental right to privacy, it does not matter whether the person concerned has suffered any adverse consequences on account of that interference. See Schrems, paragraph 89 with further references.
(170) This admissibility criterion stems from the ‘case or controversy’ requirement of the U.S. Const., Article III.
(171) See Clapper v Amnesty Int'l USA, 133 S.Ct. 1138, 1144 (2013). As regards the use of NSLs, the USA FREEDOM Act (Sec. 502(f)-503) provides that non-disclosure requirements must be periodically reviewed, and that recipients of NSL be notified when the facts no longer support a non-disclosure requirement (see ODNI Representations (Annex VI), p. 13). However, this does not ensure that the EU data subject would be informed that (s)he has been the target of an investigation.
(172) In case the complainant seeks access to documents held by U.S. public authorities, the rules and procedures set out in the Freedom of Information Act apply. This includes the possibility to seek judicial redress (rather than independent oversight) in case the request is rejected, under the conditions set out in the FOIA.
(173) According to the Ombudsperson Mechanism (Annex III), Sec. 4(f), the Privacy Shield Ombudsperson will communicate directly with the EU individual complaint handling body, who will in turn be responsible for communicating with the individual submitting the request. If direct communications are part of the ‘underlying processes’ that may provide the requested relief (e.g. a FOIA access request, see Sec. 5), those communications will take place in accordance with the applicable procedures.
(174) See Ombudsperson Mechanism (Annex III), Sec. 2(a). See also recitals 0-0.
(175) See Ombudsperson Mechanism (Annex III), Sec. 2(c). According to the explanations provided by the U.S. government, the PCLOB shall continually review the policies and procedures, as well as their implementation, of those U.S. authorities responsible for counterterrorism to determine whether their actions ‘appropriately protect privacy and civil liberties and are consistent with governing laws, regulations, and policies regarding privacy and civil liberties.’ It also shall ‘receive and review reports and other information from privacy officers and civil liberties officers and, when appropriate, make recommendations to them regarding their activities.’
(176) See Roman Zakharov v Russia, Judgment of 4 December 2015 (Grand Chamber), Application No 47143/06, paragraph 275 (‘although it is in principle desirable to entrust supervisory control to a judge, supervision by non-judicial bodies may be considered compatible with the Convention, provided that the supervisory body is independent of the authorities carrying out the surveillance and is vested with sufficient and effective oversight powers’).
(177) See Kennedy v the United Kingdom, Judgment of 18 May 2010, Application No 26839/05, paragraph 167.
(178) Schrems, paragraph 95. As is clear from paragraphs 91, 96 of the judgment, paragraph 95 concerns the level of protection guaranteed in the Union legal order, to which the level of protection in the third country must be ‘essentially equivalent’. According to paragraphs 73 and 74 of the judgment, this does not require that the level of protection or the means to which the third country has recourse must be identical, even though the means to be employed have to prove, in practice, effective.
(179) According to the Fourth Amendment, ‘[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.’ Only (magistrate) judges may issue search warrants. Federal warrants for the copying of electronically stored information are further governed by Rule 41 of the Federal Rules of Criminal Procedure.
(180) Repeatedly, the Supreme Court has referred to searches without warrants as ‘exceptional’. See e.g. Johnson v United States, 333 U.S. 10, 14 (1948); McDonald v United States, 335 U.S. 451, 453 (1948); Camara v Municipal Court, 387 U.S. 523, 528-29 (1967); G.M. Leasing Corp. v United States, 429 U.S. 338, 352-53, 355 (1977). Likewise, the Supreme Court regularly stresses that ‘the most basic constitutional rule in this area is that searches conducted outside the judicial process, without prior approval by judge or magistrate, are per se unreasonable under the Fourth Amendment — subject only to a few specifically established and well-delineated exceptions.’ See e.g. Coolidge v New Hampshire, 403 U.S. 443, 454-55 (1971); G.M. Leasing Corp. v United States, 429 U.S. 338, 352-53, 358 (1977).
(181) City of Ontario, Cal. v Quon, 130 S. Ct. 2619, 2630 (2010).
(182) PCLOB, Sec. 215 Report, p. 107, referring to Maryland v King, 133 S. Ct. 1958, 1970 (2013).
(183) PCLOB, Sec. 215 Report, p. 107, referring to Samson v California, 547 U.S. 843, 848 (2006).
(184) City of Ontario, Cal. v Quon, 130 S. Ct. 2619, 2630 (2010), 2627.
(185) See e.g. United States v Wilson, 540 F.2d 1100 (D.C. Cir. 1976).
(186) Cf. Roman Zakharov v Russia, Judgment of 4.12.2015 (Grand Chamber), Application No 47143/06, paragraph 269, according to which ‘the requirement to show an interception authorisation to the communications service provider before obtaining access to a person's communications is one of the important safeguards against abuse by the law-enforcement authorities, ensuring that proper authorisation is obtained in all cases of interception.’
(187) DOJ Representations (Annex VII), p. 4 with further references.
(188) DOJ Representations (Annex VII), n. 2.
(189) According to the information the Commission has received, and leaving aside specific areas likely not relevant for data transfers under the EU-U.S. Privacy Shield (e.g. investigations into health care fraud, child abuse or controlled substances cases), this concerns mainly certain authorities under the Electronic Communications Privacy Act (ECPA), namely requests for basic subscriber, session and billing information (18 U.S.C. § 2703(c)(1), (2), e.g. address, type/length of service) and for the content of emails more than 180 days old (18 U.S.C. § 2703(a), (b)). In the latter case, however, the individual concerned has to be notified and thus has the opportunity to challenge the request in court. See also the overview in DOJ, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Ch. 3: The Stored Communications Act, pp. 115-138.
(190) According to the representations by the U.S. government, recipients of administrative subpoenas may challenge them in court on the grounds that they are unreasonable, i.e. overboard, oppressive of burdensome. See DOJ Representations (Annex VII), p. 2.
(191) 5 U.S.C. § 702.
(192) Generally, only ‘final’ agency action — rather than ‘preliminary, procedural, or intermediate’ agency action — is subject to judicial review. See 5 U.S.C. § 704.
(193) 5 U.S.C. § 706(2)(A).
(194) 18 U.S.C. §§ 2701-2712.
(195) The ECPA protects communications held by two defined classes of network service providers, namely providers of: (i) electronic communication services, for instance telephony or e-mail; (ii) remote computing services like computer storage or processing services.
(196) These exclusions are, however, framed. For example, according to 5 U.S.C. § 552 (b)(7), FOIA rights are ruled out for ‘records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information (A) could reasonably be expected to interfere with enforcement proceedings, (B) would deprive a person of a right to a fair trial or an impartial adjudication, (C) could reasonably be expected to constitute an unwarranted invasion of personal privacy, (D) could reasonably be expected to disclose the identity of a confidential source, including a State, local, or foreign agency or authority or any private institution which furnished information on a confidential basis, and, in the case of a record or information compiled by criminal law enforcement authority in the course of a criminal investigation or by an agency conducting a lawful national security intelligence investigation, information furnished by a confidential source, (E) would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions, if such disclosure could reasonably be expected to risk circumvention of the law, or (F) could reasonably be expected to endanger the life or physical safety of any individual.’ Also, ‘[w]henever a request is made which involves access to records [the production of which could reasonably be expected to interfere with enforcement proceedings] and– (A) the investigation or proceeding involves a possible violation of criminal law; and (B) there is reason to believe that (i) the subject of the investigation or proceeding is not aware of its pendency, and (ii) disclosure of the existence of the records could reasonably be expected to interfere with enforcement proceedings, the agency may, during only such time as that circumstance continues, treat the records as not subject to the requirements of this section.’ (5 U.S.C. § 552 (c)(1)).
(197) 18 U.S.C. §§ 2510 et seq. Under the Wiretap Act (18 U.S.C. § 2520), a person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used may bring a civil action for violation of the Wiretap Act, including under certain circumstances against an individual government official or the United States. For the collection of addressing and other non-content information (e.g. IP address, e-mail to/from address), see also the Pen Registers and Trap and Trace Devices chapter of Title 18 (18 U.S.C. §§ 3121-3127 and, for civil action, § 2707).
(198) 18 U.S.C. § 1030. Under the Computer Fraud and Abuse Act, a person may bring suit against any person with respect to intentional unauthorised access (or exceeding authorised access) to obtain information from a financial institution, a U.S. government computer system or other specified computer, including under certain circumstances against an individual government official.
(199) 28 U.S.C. §§ 2671 et seq. Under the Federal Tort Claims Act, a person may bring suit, under certain circumstances, against the United States with respect to ‘the negligent or wrongful act or omission of any employee of the Government while acting within the scope of his office or employment.’
(200) 12 U.S.C. §§ 3401 et seq. Under the Right to Financial Privacy Act, a person may bring suit, under certain circumstances, against the United States with respect to the obtaining or disclosing of protected financial records in violation of the statute. Government access to protected financial records is generally prohibited unless the government makes the request subject to a lawful subpoena or search warrant or, subject to limitations, a formal written request and the individual whose information is sought receives notice of such a request.
(201) 15 U.S.C. §§ 1681-1681x. Under the Fair Credit Reporting Act, a person may bring suit against any person who fails to comply with requirements (in particular the need for lawful authorisation) regarding the collection, dissemination and use of consumer credit reports, or, under certain circumstances, against a government agency.
(202) The Court of Justice has recognised that law enforcement constitutes a legitimate policy objective. See Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Others, EU:C:2014:238, paragraph 42. See also Article 8(2) ECHR and the judgment by the European Court of Human Rights in Weber and Saravia v Germany, Application no. 54934/00, paragraph 104.
(203) Schrems, paragraphs 40 et seq., 101-103.
(204) Schrems, paragraphs 51, 52 and 62.
(205) Schrems, paragraph 65.
(206) Schrems, paragraph 76.
(207) As of the date of application of the General Data Protection Regulation, the Commission will make use of its powers to adopt, on duly justified imperative grounds of urgency, an implementing act suspending the present decision which shall apply immediately without its prior submission to the relevant comitology committee and shall remain in force for a period not exceeding six months.
(208) Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision, adopted on 13 April 2016.
(209) European Parliament resolution of 26 May 2016 on transatlantic data flows ((2016/2727(RSP)).
ANNEX I
July 7, 2016
Ms. Věra Jourová |
Commissioner for Justice, Consumers and Gender Equality |
European Commission |
Rue de la Loi/Westraat 200 |
1049 Brussels |
Belgium |
Dear Commissioner Jourová:
On behalf of the United States, I am pleased to transmit herewith a package of EU-U.S. Privacy Shield materials that is the product of two years of productive discussions among our teams. This package, along with other materials available to the Commission from public sources, provides a very strong basis for a new adequacy finding by the European Commission (1).
We should both be proud of the improvements to the Framework. The Privacy Shield is based on Principles that have strong consensus support on both sides of the Atlantic, and we have strengthened their operation. Through our work together, we have the real opportunity to improve the protection of privacy around the world.
The Privacy Shield Package includes the Privacy Shield Principles, along with a letter, attached as Annex 1, from the International Trade Administration (ITA) of the Department of Commerce, which administers the program, describing the commitments that our Department has made to ensure that the Privacy Shield operates effectively. The Package also includes Annex 2, which includes other Department of Commerce commitments relating to the new arbitral model available under the Privacy Shield.
I have directed my staff to devote all necessary resources to implement the Privacy Shield Framework expeditiously and fully and to ensure the commitments in Annex 1 and Annex 2 are met in a timely fashion.
The Privacy Shield Package also includes other documents from other United States agencies, namely:
— |
A letter from the Federal Trade Commission (FTC) describing its enforcement of the Privacy Shield; |
— |
A letter from the Department of Transportation describing its enforcement of the Privacy Shield; |
— |
Two letters prepared by the Office of the Director of National Intelligence (ODNI) regarding safeguards and limitations applicable to U.S. national security authorities; |
— |
A letter from the Department of State and accompanying memorandum describing the State Department's commitment to establish a new Privacy Shield Ombudsperson for submission of inquiries regarding the United States' signals intelligence practices; and |
— |
A letter prepared by the Department of Justice regarding safeguards and limitations on U.S. Government access for law enforcement and public interest purposes. |
You can be assured that the United States takes these commitments seriously.
Within 30 days of final approval of the adequacy determination, the full Privacy Shield Package will be delivered to the Federal Register for publication.
We look forward to working with you as the Privacy Shield is implemented and as we embark on the next phase of this process together.
Sincerely,
Penny Pritzker
(1) Provided that the Commission Decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield applies to Iceland, Liechtenstein and Norway, the Privacy Shield Package will cover both the European Union, as well as these three countries.
Annex 1
The Honorable Věra Jourová |
Commissioner for Justice, Consumers and Gender Equality |
European Commission |
Rue de la Loi/Westraat 200 |
1049 Brussels |
Belgium |
Dear Commissioner Jourová:
On behalf of the International Trade Administration, I am pleased to describe the enhanced protection of personal data that the EU-U.S. Privacy Shield Framework (‘Privacy Shield’ or ‘Framework’) provides and the commitments the Department of Commerce (‘Department’) has made to ensure that the Privacy Shield operates effectively. Finalizing this historic arrangement is a major achievement for privacy and for businesses on both sides of the Atlantic. It offers confidence to EU individuals that their data will be protected and that they will have legal remedies to address any concerns. It offers certainty that will help grow the transatlantic economy by ensuring that thousands of European and American businesses can continue to invest and do business across our borders. The Privacy Shield is the result of over two years of hard work and collaboration with you, our colleagues in the European Commission (‘Commission’). We look forward to continuing to work with the Commission to ensure that the Privacy Shield functions as intended.
We have worked with the Commission to develop the Privacy Shield to allow organizations established in the United States to meet the adequacy requirements for data protection under EU law. The new Framework will yield several significant benefits for both individuals and businesses. First, it provides an important set of privacy protections for the data of EU individuals. It requires participating U.S. organizations to develop a conforming privacy policy, publicly commit to comply with the Privacy Shield Principles so that the commitment becomes enforceable under U.S. law, annually re-certify their compliance to the Department, provide free independent dispute resolution to EU individuals, and be subject to the authority of the U.S. Federal Trade Commission (‘FTC’), Department of Transportation (‘DOT’), or another enforcement agency. Second, the Privacy Shield will enable thousands of companies in the United States and subsidiaries of European companies in the United States to receive personal data from the European Union to facilitate data flows that support transatlantic trade. The transatlantic economic relationship is already the world's largest, accounting for half of global economic output and nearly one trillion dollars in goods and services trade, supporting millions of jobs on both sides of the Atlantic. Businesses that rely on transatlantic data flows come from all industry sectors and include major Fortune 500 firms as well as many small and medium-sized enterprises (SMEs). Transatlantic data flows allow U.S. organizations to process data required to offer goods, services, and employment opportunities to European individuals. The Privacy Shield supports shared privacy principles, bridging the differences in our legal approaches, while furthering trade and economic objectives of both Europe and the United States.
While a company's decision to self-certify to this new Framework will be voluntary, once a company publicly commits to the Privacy Shield, its commitment is enforceable under U.S. law by either the Federal Trade Commission or Department of Transportation, depending on which authority has jurisdiction over the Privacy Shield organization.
Enhancements under the Privacy Shield Principles
The resulting Privacy Shield strengthens the protection of privacy by:
— |
requiring additional information be provided to individuals in the Notice Principle, including a declaration of the organization's participation in the Privacy Shield, a statement of the individual's right to access personal data, and the identification of the relevant independent dispute resolution body; |
— |
strengthening protection of personal data that is transferred from a Privacy Shield organization to a third party controller by requiring the parties to enter into a contract that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles; |
— |
strengthening protection of personal data that is transferred from a Privacy Shield organization to a third party agent, including by requiring a Privacy Shield organization to: take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request; |
— |
providing that a Privacy Shield organization is responsible for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf, and that the Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage; |
— |
clarifying that Privacy Shield organizations must limit personal information to the information that is relevant for the purposes of processing; |
— |
requiring an organization to annually certify with the Department its commitment to apply the Principles to information it received while it participated in the Privacy Shield if it leaves the Privacy Shield and chooses to keep such data; |
— |
requiring that independent recourse mechanisms be provided at no cost to the individual; |
— |
requiring organizations and their selected independent recourse mechanisms to respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield; |
— |
requiring organizations to respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department; and |
— |
requiring a Privacy Shield organization to make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if it becomes subject to an FTC or court order based on non-compliance. |
Administration and Supervision of the Privacy Shield Program by the Department of Commerce
The Department reiterates its commitment to maintain and make available to the public an authoritative list of U.S. organizations that have self-certified to the Department and declared their commitment to adhere to the Principles (the ‘Privacy Shield List’). The Department will keep the Privacy Shield List up to date by removing organizations when they voluntarily withdraw, fail to complete the annual re-certification in accordance with the Department's procedures, or are found to persistently fail to comply. The Department will also maintain and make available to the public an authoritative record of U.S. organizations that had previously self-certified to the Department, but that have been removed from the Privacy Shield List, including those that were removed for persistent failure to comply with the Principles. The Department will identify the reason each organization was removed.
In addition, the Department commits to strengthening the administration and supervision of the Privacy Shield. Specifically, the Department will:
|
Provide Additional Information on the Privacy Shield Website
|
|
Verify Self-Certification Requirements
|
|
Expand Efforts to Follow Up with Organizations That Have Been Removed from the Privacy Shield List
|
|
Search for and Address False Claims of Participation
The Department will undertake reviews of privacy policies of organizations to more effectively identify and address false claims of Privacy Shield participation. Specifically, the Department will review the privacy policies of organizations whose self-certification has lapsed due to their failure to re-certify adherence to the Principles. The Department will conduct this type of review to verify that such organizations have removed from any relevant published privacy policy any references that imply that the organizations continue to actively participate in the Privacy Shield. As a result of these types of reviews, we will identify organizations that have not removed such references and send those organizations a letter from the Department's Office of General Counsel warning of potential enforcement action if the references are not removed. The Department will take follow-up action to ensure that the organizations either remove the inappropriate references or re-certify their adherence to the Principles. In addition, the Department will undertake efforts to identify false claims of Privacy Shield participation by organizations that have never participated in the Privacy Shield program, and will take similar corrective action with respect to such organizations. |
|
Conduct Periodic ex officio Compliance Reviews and Assessments of the Program
The Department has increased the resources that will be devoted to the administration and supervision of the Privacy Shield program, including doubling the number of staff responsible for the administration and supervision of the program. We will continue to dedicate appropriate resources to such efforts to ensure effective monitoring and administration of the program. |
|
Tailor the Privacy Shield Website to Targeted Audiences The Department will tailor the Privacy Shield website to focus on three target audiences: EU individuals, EU businesses, and U.S. businesses. The inclusion of material targeted directly to EU individuals and EU businesses will facilitate transparency in a number of ways. With regard to EU individuals, it will clearly explain: (1) the rights the Privacy Shield provides to EU individuals; (2) the recourse mechanisms available to EU individuals when they believe an organization has breached its commitment to comply with the Principles; and (3) how to find information pertaining to an organization's Privacy Shield self-certification. With regard to EU businesses, it will facilitate verification of: (1) whether an organization is assured of the benefits of the Privacy Shield; (2) the type of information covered by an organization's Privacy Shield self-certification; (3) the privacy policy that applies to the covered information; and (4) the method the organization uses to verify its adherence to the Principles. |
|
Increase Cooperation with DPAs To increase opportunities for cooperation with DPAs, the Department will establish a dedicated contact at the Department to act as a liaison with DPAs. In instances where a DPA believes that an organization is not complying with the Principles, including following a complaint from an EU individual, the DPA can reach out to the dedicated contact at the Department to refer the organization for further review. The contact will also receive referrals regarding organizations that falsely claim to participate in the Privacy Shield, despite never having self-certified their adherence to the Principles. The contact will assist DPAs seeking information related to a specific organization's self-certification or previous participation in the program, and the contact will respond to DPA inquiries regarding the implementation of specific Privacy Shield requirements. Second, the Department will provide DPAs with material regarding the Privacy Shield for inclusion on their own websites to increase transparency for EU individuals and EU businesses. Increased awareness regarding the Privacy Shield and the rights and responsibilities it creates should facilitate the identification of issues as they arise, so that these can be appropriately addressed. |
|
Facilitate Resolution of Complaints about Non-Compliance The Department, through the dedicated contact, will receive complaints referred to the Department by a DPA that a Privacy Shield organization is not complying with the Principles. The Department will make its best effort to facilitate resolution of the complaint with the Privacy Shield organization. Within 90 days after receipt of the complaint, the Department will provide an update to the DPA. To facilitate the submission of such complaints, the Department will create a standard form for DPAs to submit to the Department's dedicated contact. The dedicated contact will track all referrals from DPAs received by the Department, and the Department will provide in the annual review described below a report analyzing in aggregate the complaints it receives each year. |
|
Adopt Arbitral Procedures and Select Arbitrators in Consultation with the Commission The Department will fulfill its commitments under Annex I and publish the procedures after agreement has been reached. |
|
Joint Review Mechanism of the Functioning of the Privacy Shield The Department of Commerce, the FTC, and other agencies, as appropriate, will hold annual meetings with the Commission, interested DPAs, and appropriate representatives from the Article 29 Working Party, where the Department will provide updates on the Privacy Shield program. The annual meetings will include discussion of current issues related to the functioning, implementation, supervision, and enforcement of the Privacy Shield, including referrals received by the Department from DPAs, the results of ex officio compliance reviews, and may also include discussion of relevant changes of law. The first annual review and subsequent reviews as appropriate will include a dialogue on other topics, such as in the area of automated decision-making, including aspects relating to similarities and differences in approaches in the EU and the US. |
|
Update of Laws The Department will make reasonable efforts to inform the Commission of material developments in the law in the United States so far as they are relevant to the Privacy Shield in the field of data privacy protection and the limitations and safeguards applicable to access to personal data by U.S. authorities and its subsequent use. |
|
National Security Exception With respect to the limitations to the adherence to the Privacy Shield Principles for national security purposes, the General Counsel of the Office of the Director of National Intelligence, Robert Litt, has also sent two letters addressed to Justin Antonipillai and Ted Dean of the Department of Commerce, and these have been forwarded to you. These letters extensively discuss, among other things, the policies, safeguards, and limitations that apply to signals intelligence activities conducted by the U.S. In addition, these letters describe the transparency provided by the Intelligence Community about these matters. As the Commission is assessing the Privacy Shield Framework, the information in these letters provides assurance to conclude that the Privacy Shield will operate appropriately, in accordance with the Principles therein. We understand that you may raise information that has been released publicly by the Intelligence Community, along with other information, in the future to inform the annual review of the Privacy Shield Framework. On the basis of the Privacy Shield Principles and the accompanying letters and materials, including the Department's commitments regarding the administration and supervision of the Privacy Shield Framework, our expectation is that the Commission will determine that the EU-U.S. Privacy Shield Framework provides adequate protection for the purposes of EU law and data transfers from the European Union will continue to organizations that participate in the Privacy Shield. |
Sincerely,
Ken Hyatt
Annex 2
Arbitral Model
ANNEX I
This Annex I provides the terms under which Privacy Shield organizations are obligated to arbitrate claims, pursuant to the Recourse, Enforcement and Liability Principle. The binding arbitration option described below applies to certain ‘residual’ claims as to data covered by the EU-U.S. Privacy Shield. The purpose of this option is to provide a prompt, independent, and fair mechanism, at the option of individuals, for resolution of claimed violations of the Principles not resolved by any of the other Privacy Shield mechanisms, if any.
A. Scope
This arbitration option is available to an individual to determine, for residual claims, whether a Privacy Shield organization has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes. This option is not available, for example, with respect to the exceptions to the Principles (1) or with respect to an allegation about the adequacy of the Privacy Shield.
B. Available Remedies
Under this arbitration option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual's data in question) necessary to remedy the violation of the Principles only with respect to the individual. These are the only powers of the arbitration panel with respect to remedies. In considering remedies, the arbitration panel is required to consider other remedies that already have been imposed by other mechanisms under the Privacy Shield. No damages, costs, fees, or other remedies are available. Each party bears its own attorney's fees.
C. Pre-Arbitration Requirements
An individual who decides to invoke this arbitration option must take the following steps prior to initiating an arbitration claim: (1) raise the claimed violation directly with the organization and afford the organization an opportunity to resolve the issue within the timeframe set forth in Section III.11(d)(i) of the Principles; (2) make use of the independent recourse mechanism under the Principles, which is at no cost to the individual; and (3) raise the issue through their Data Protection Authority to the Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the International Trade Administration of the Department of Commerce, at no cost to the individual.
This arbitration option may not be invoked if the individual's same claimed violation of the Principles (1) has previously been subject to binding arbitration; (2) was the subject of a final judgment entered in a court action to which the individual was a party; or (3) was previously settled by the parties. In addition, this option may not be invoked if an EU Data Protection Authority (1) has authority under Sections III.5 or III.9 of the Principles; or (2) has the authority to resolve the claimed violation directly with the organization. A DPA's authority to resolve the same claim against an EU data controller does not alone preclude invocation of this arbitration option against a different legal entity not bound by the DPA authority.
D. Binding Nature of Decisions
An individual's decision to invoke this binding arbitration option is entirely voluntary. Arbitral decisions will be binding on all parties to the arbitration. Once invoked, the individual forgoes the option to seek relief for the same claimed violation in another forum, except that if non-monetary equitable relief does not fully remedy the claimed violation, the individual's invocation of arbitration will not preclude a claim for damages that is otherwise available in the courts.
E. Review and Enforcement
Individuals and Privacy Shield organizations will be able to seek judicial review and enforcement of the arbitral decisions pursuant to U.S. law under the Federal Arbitration Act (2). Any such cases must be brought in the federal district court whose territorial coverage includes the primary place of business of the Privacy Shield organization.
This arbitration option is intended to resolve individual disputes, and arbitral decisions are not intended to function as persuasive or binding precedent in matters involving other parties, including in future arbitrations or in EU or U.S. courts, or FTC proceedings.
F. The Arbitration Panel
The parties will select the arbitrators from the list of arbitrators discussed below.
Consistent with applicable law, the U.S. Department of Commerce and the European Commission will develop a list of at least 20 arbitrators, chosen on the basis of independence, integrity, and expertise. The following shall apply in connection with this process:
Arbitrators:
(1) |
will remain on the list for a period of 3 years, absent exceptional circumstances or for cause, renewable for one additional period of 3 years; |
(2) |
shall not be subject to any instructions from, or be affiliated with, either party, or any Privacy Shield organization, or the U.S., EU, or any EU Member State or any other governmental authority, public authority, or enforcement authority; and |
(3) |
must be admitted to practice law in the U.S. and be experts in U.S. privacy law, with expertise in EU data protection law. |
G. Arbitration Procedures
Consistent with applicable law, within 6 months from the adoption of the adequacy decision, the Department of Commerce and the European Commission will agree to adopt an existing, well-established set of U.S. arbitral procedures (such as AAA or JAMS) to govern proceedings before the Privacy Shield Panel, subject to each of the following considerations:
1. |
An individual may initiate binding arbitration, subject to the pre-arbitration requirements provision above, by delivering a ‘Notice’ to the organization. The Notice shall contain a summary of steps taken under Paragraph C to resolve the claim, a description of the alleged violation, and, at the choice of the individual, any supporting documents and materials and/or a discussion of law relating to the alleged claim. |
2. |
Procedures will be developed to ensure that an individual's same claimed violation does not receive duplicative remedies or procedures. |
3. |
FTC action may proceed in parallel with arbitration. |
4. |
No representative of the U.S., EU, or any EU Member State or any other governmental authority, public authority, or enforcement authority may participate in these arbitrations, provided, that at the request of an EU individual, EU DPAs may provide assistance in the preparation only of the Notice but EU DPAs may not have access to discovery or any other materials related to these arbitrations. |
5. |
The location of the arbitration will be the United States, and the individual may choose video or telephone participation, which will be provided at no cost to the individual. In-person participation will not be required. |
6. |
The language of the arbitration will be English unless otherwise agreed by the parties. Upon a reasoned request, and taking into account whether the individual is represented by an attorney, interpretation at the arbitral hearing as well as translation of arbitral materials will be provided at no cost to the individual, unless the panel finds that, under the circumstances of the specific arbitration, this would lead to unjustified or disproportionate costs. |
7. |
Materials submitted to arbitrators will be treated confidentially and will only be used in connection with the arbitration. |
8. |
Individual-specific discovery may be permitted if necessary, and such discovery will be treated confidentially by the parties and will only be used in connection with the arbitration. |
9. |
Arbitrations should be completed within 90 days of the delivery of the Notice to the organization at issue, unless otherwise agreed to by the parties. |
H. Costs
Arbitrators should take reasonable steps to minimize the costs or fees of the arbitrations.
Subject to applicable law, the Department of Commerce will facilitate the establishment of a fund, into which Privacy Shield organizations will be required to pay an annual contribution, based in part on the size of the organization, which will cover the arbitral cost, including arbitrator fees, up to maximum amounts (‘caps’), in consultation with the European Commission. The fund will be managed by a third party, which will report regularly on the operations of the fund. At the annual review, the Department of Commerce and European Commission will review the operation of the fund, including the need to adjust the amount of the contributions or of the caps, and will consider, among other things, the number of arbitrations and the costs and timing of the arbitrations, with the mutual understanding that there will be no excessive financial burden imposed on Privacy Shield organizations. Attorney's fees are not covered by this provision or any fund under this provision.
(1) Section I.5 of the Principles.
(2) Chapter 2 of the Federal Arbitration Act (‘FAA’) provides that ‘[a]n arbitration agreement or arbitral award arising out of a legal relationship, whether contractual or not, which is considered as commercial, including a transaction, contract, or agreement described in [section 2 of the FAA], falls under the Convention [on the Recognition and Enforcement of Foreign Arbitral Awards of June 10, 1958, 21 U.S.T. 2519, T.I.A.S. No 6997 (“New York Convention”)].’ 9 U.S.C. § 202. The FAA further provides that ‘[a]n agreement or award arising out of such a relationship which is entirely between citizens of the United States shall be deemed not to fall under the [New York] Convention unless that relationship involves property located abroad, envisages performance or enforcement abroad, or has some other reasonable relation with one or more foreign states.’ Id. Under Chapter 2, ‘any party to the arbitration may apply to any court having jurisdiction under this chapter for an order confirming the award as against any other party to the arbitration. The court shall confirm the award unless it finds one of the grounds for refusal or deferral of recognition or enforcement of the award specified in the said [New York] Convention.’ Id. § 207. Chapter 2 further provides that ‘[t]he district courts of the United States … shall have original jurisdiction over … an action or proceeding [under the New York Convention], regardless of the amount in controversy.’ Id. § 203.
Chapter 2 also provides that ‘Chapter 1 applies to actions and proceedings brought under this chapter to the extent that chapter is not in conflict with this chapter or the [New York] Convention as ratified by the United States.’ Id. § 208. Chapter 1, in turn, provides that ‘[a] written provision in … a contract evidencing a transaction involving commerce to settle by arbitration a controversy thereafter arising out of such contract or transaction, or the refusal to perform the whole or any part thereof, or an agreement in writing to submit to arbitration an existing controversy arising out of such a contract, transaction, or refusal, shall be valid, irrevocable, and enforceable, save upon such grounds as exist at law or in equity for the revocation of any contract.’ Id. § 2. Chapter 1 further provides that ‘any party to the arbitration may apply to the court so specified for an order confirming the award, and thereupon the court must grant such an order unless the award is vacated, modified, or corrected as prescribed in sections 10 and 11 of [the FAA].’ Id. § 9.
ANNEX II
EU-U.S. PRIVACY SHIELD FRAMEWORK PRINCIPLES ISSUED BY THE U.S. DEPARTMENT OF COMMERCE
I. OVERVIEW
1. |
While the United States and the European Union share the goal of enhancing privacy protection, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. Given those differences and to provide organizations in the United States with a reliable mechanism for personal data transfers to the United States from the European Union while ensuring that EU data subjects continue to benefit from effective safeguards and protection as required by European legislation with respect to the processing of their personal data when they have been transferred to non-EU countries, the Department of Commerce is issuing these Privacy Shield Principles, including the Supplemental Principles (collectively ‘the Principles’) under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. § 1512). The Principles were developed in consultation with the European Commission, and with industry and other stakeholders, to facilitate trade and commerce between the United States and European Union. They are intended for use solely by organizations in the United States receiving personal data from the European Union for the purpose of qualifying for the Privacy Shield and thus benefitting from the European Commission's adequacy decision (1). The Principles do not affect the application of national provisions implementing Directive 95/46/EC (‘the Directive’) that apply to the processing of personal data in the Member States. Nor do the Principles limit privacy obligations that otherwise apply under U.S. law. |
2. |
In order to rely on the Privacy Shield to effectuate transfers of personal data from the EU, an organization must self-certify its adherence to the Principles to the Department of Commerce (or its designee) (‘the Department’). While decisions by organizations to thus enter the Privacy Shield are entirely voluntary, effective compliance is compulsory: organizations that self-certify to the Department and publicly declare their commitment to adhere to the Principles must comply fully with the Principles. In order to enter the Privacy Shield, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (the ‘FTC’), the Department of Transportation or another statutory body that will effectively ensure compliance with the Principles (other U.S. statutory bodies recognized by the EU may be included as an annex in the future); (b) publicly declare its commitment to comply with the Principles; (c) publicly disclose its privacy policies in line with these Principles; and (d) fully implement them. An organization's failure to comply is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. § 45(a)) or other laws or regulations prohibiting such acts. |
3. |
The Department of Commerce will maintain and make available to the public an authoritative list of U.S. organizations that have self-certified to the Department and declared their commitment to adhere to the Principles (‘the Privacy Shield List’). Privacy Shield benefits are assured from the date that the Department places the organization on the Privacy Shield List. The Department will remove an organization from the Privacy Shield List if it voluntarily withdraws from the Privacy Shield or if it fails to complete its annual re-certification to the Department. An organization's removal from the Privacy Shield List means it may no longer benefit from the European Commission's adequacy decision to receive personal information from the EU. The organization must continue to apply the Principles to the personal information it received while it participated in the Privacy Shield, and affirm to the Department on an annual basis its commitment to do so, for as long as it retains such information; otherwise, the organization must return or delete the information or provide ‘adequate’ protection for the information by another authorized means. The Department will also remove from the Privacy Shield List those organizations that have persistently failed to comply with the Principles; these organizations do not qualify for Privacy Shield benefits and must return or delete the personal information they received under the Privacy Shield. |
4. |
The Department will also maintain and make available to the public an authoritative record of U.S. organizations that had previously self-certified to the Department, but that have been removed from the Privacy Shield List. The Department will provide a clear warning that these organizations are not participants in the Privacy Shield; that removal from the Privacy Shield List means that such organizations cannot claim to be Privacy Shield compliant and must avoid any statements or misleading practices implying that they participate in the Privacy Shield; and that such organizations are no longer entitled to benefit from the European Commission's adequacy decision that would enable those organizations to receive personal information from the EU. An organization that continues to claim participation in the Privacy Shield or makes other Privacy Shield-related misrepresentations after it has been removed from the Privacy Shield List may be subject to enforcement action by the FTC, the Department of Transportation, or other enforcement authorities. |
5. |
Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts. Consistent with the goal of enhancing privacy protection, organizations should strive to implement these Principles fully and transparently, including indicating in their privacy policies where exceptions to the Principles permitted by (b) above will apply on a regular basis. For the same reason, where the option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection where possible. |
6. |
Organizations are obligated to apply the Principles to all personal data transferred in reliance on the Privacy Shield after they enter the Privacy Shield. An organization that chooses to extend Privacy Shield benefits to human resources personal information transferred from the EU for use in the context of an employment relationship must indicate this when it self-certifies to the Department and conform to the requirements set forth in the Supplemental Principle on Self-Certification. |
7. |
U.S. law will apply to questions of interpretation and compliance with the Principles and relevant privacy policies by Privacy Shield organizations, except where such organizations have committed to cooperate with European data protection authorities (‘DPAs’). Unless otherwise stated, all provisions of the Principles apply where they are relevant. |
8. |
Definitions:
|
9. |
The effective date of the Principles is the date of final approval of the European Commission's adequacy determination. |
II. PRINCIPLES
1. Notice
a. |
An organization must inform individuals about:
|
b. |
This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party. |
2. Choice
a. |
An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. |
b. |
By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agent. |
c. |
For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive. |
3. Accountability For Onward Transfer
a. |
To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate. |
b. |
To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. |
4. Security
a. |
Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. |
5. Data integrity and purpose limitation
a. |
Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing (2). An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. |
b. |
Information may be retained in a form identifying or making identifiable (3) the individual only for as long as it serves a purpose of processing within the meaning of 5a. This obligation does not prevent organizations from processing personal information for longer periods for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis. In these cases, such processing shall be subject to the other Principles and provisions of the Framework. Organizations should take reasonable and appropriate measures in complying with this provision. |
6. Access
a. |
Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated. |
7. Recourse, enforcement and liability
a. |
Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include:
|
b. |
Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints. |
c. |
Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I. |
d. |
In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. |
e. |
When an organization becomes subject to an FTC or court order based on non-compliance, the organization shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions. |
III. SUPPLEMENTAL PRINCIPLES
1. Sensitive Data
a. |
An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is:
|
2. Journalistic Exceptions
a. |
Given U.S. constitutional protections for freedom of the press and the Directive's exemption for journalistic material, where the rights of a free press embodied in the First Amendment of the U.S. Constitution intersect with privacy protection interests, the First Amendment must govern the balancing of these interests with regard to the activities of U.S. persons or organizations. |
b. |
Personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, is not subject to the requirements of the Privacy Shield Principles. |
3. Secondary Liability
a. |
Internet Service Providers (‘ISPs’), telecommunications carriers, and other organizations are not liable under the Privacy Shield Principles when on behalf of another organization they merely transmit, route, switch, or cache information. As is the case with the Directive itself, the Privacy Shield does not create secondary liability. To the extent that an organization is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal data, it would not be liable. |
4. Performing Due Diligence and Conducting Audits
a. |
The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. |
b. |
Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a ‘due diligence’ review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations' compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. |
5. The Role of the Data Protection Authorities
a. |
Organizations will implement their commitment to cooperate with European Union data protection authorities (‘DPAs’) as described below. Under the Privacy Shield, U.S. organizations receiving personal data from the EU must commit to employ effective mechanisms for assuring compliance with the Privacy Shield Principles. More specifically as set out in the Recourse, Enforcement and Liability Principle, participating organizations must provide: (a)(i) recourse for individuals to whom the data relate; (a)(ii) follow up procedures for verifying that the attestations and assertions they have made about their privacy practices are true; and (a)(iii) obligations to remedy problems arising out of failure to comply with the Principles and consequences for such organizations. An organization may satisfy points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle if it adheres to the requirements set forth here for cooperating with the DPAs. |
b. |
An organization commits to cooperate with the DPAs by declaring in its Privacy Shield self-certification submission to the Department of Commerce (see Supplemental Principle on Self-Certification) that the organization:
|
c. |
Operation of DPA Panels
|
d. |
An organization that wishes its Privacy Shield benefits to cover human resources data transferred from the EU in the context of the employment relationship must commit to cooperate with the DPAs with regard to such data (see Supplemental Principle on Human Resources Data). |
e. |
Organizations choosing this option will be required to pay an annual fee which will be designed to cover the operating costs of the panel, and they may additionally be asked to meet any necessary translation expenses arising out of the panel's consideration of referrals or complaints against them. The annual fee will not exceed USD 500 and will be less for smaller companies. |
6. Self-Certification
a. |
Privacy Shield benefits are assured from the date on which the Department has placed the organization's self-certification submission on the Privacy Shield List after having determined that the submission is complete. |
b. |
To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information:
|
c. |
Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. |
d. |
The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization's privacy policy must include a hyperlink to the Department's Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. |
e. |
The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework's effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. |
f. |
An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide ‘adequate’ protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. |
g. |
An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. |
h. |
When an organization leaves the Privacy Shield for any reason, it must remove all statements implying that the organization continues to participate in the Privacy Shield or is entitled to the benefits of the Privacy Shield. The EU-U.S. Privacy Shield certification mark, if used, must also be removed. Any misrepresentation to the general public concerning an organization's adherence to the Privacy Shield Principles may be actionable by the FTC or other relevant government body. Misrepresentations to the Department may be actionable under the False Statements Act (18 U.S.C. § 1001). |
7. Verification
a. |
Organizations must provide follow up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Privacy Shield Principles. |
b. |
To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. |
c. |
Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. |
d. |
Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of ‘decoys’, or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. |
e. |
Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about non-compliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization's adherence to the Principles. |
8. Access
a. The Access Principle in Practice
i. |
Under the Privacy Shield Principles, the right of access is fundamental to privacy protection. In particular, it allows individuals to verify the accuracy of information held about them. The Access Principle means that individuals have the right to:
|
ii. |
Individuals do not have to justify requests for access to their personal data. In responding to individuals' access requests, organizations should first be guided by the concern(s) that led to the requests in the first place. For example, if an access request is vague or broad in scope, an organization may engage the individual in a dialogue so as to better understand the motivation for the request and to locate responsive information. The organization might inquire about which part(s) of the organization the individual interacted with or about the nature of the information or its use that is the subject of the access request. |
iii. |
Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. |
b. Burden or Expense of Providing Access
i. |
The right of access to personal data may be restricted in exceptional circumstances where the legitimate rights of persons other than the individual would be violated or where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question. Expense and burden are important factors and should be taken into account but they are not controlling factors in determining whether providing access is reasonable. |
ii. |
For example, if the personal information is used for decisions that will significantly affect the individual (e.g., the denial or grant of important benefits, such as insurance, a mortgage, or a job), then consistent with the other provisions of these Supplemental Principles, the organization would have to disclose that information even if it is relatively difficult or expensive to provide. If the personal information requested is not sensitive or not used for decisions that will significantly affect the individual, but is readily available and inexpensive to provide, an organization would have to provide access to such information. |
c. Confidential Commercial Information
i. |
Confidential commercial information is information that an organization has taken steps to protect from disclosure, where disclosure would help a competitor in the market. Organizations may deny or limit access to the extent that granting full access would reveal its own confidential commercial information, such as marketing inferences or classifications generated by the organization, or the confidential commercial information of another that is subject to a contractual obligation of confidentiality. |
ii. |
Where confidential commercial information can be readily separated from other personal information subject to an access request, the organization should redact the confidential commercial information and make available the non-confidential information. |
d. Organization of Data Bases
i. |
Access can be provided in the form of disclosure of the relevant personal information by an organization to the individual and does not require access by the individual to an organization's data base. |
ii. |
Access needs to be provided only to the extent that an organization stores the personal information. The Access Principle does not itself create any obligation to retain, maintain, reorganize, or restructure personal information files. |
e. When Access May be Restricted
i. |
As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are:
|
ii. |
An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. |
f. Right to Obtain Confirmation and Charging a Fee to Cover the Costs for Providing Access
i. |
An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. |
ii. |
Charging a fee may be justified, for example, where requests for access are manifestly excessive, in particular because of their repetitive character. |
iii. |
Access may not be refused on cost grounds if the individual offers to pay the costs. |
g. Repetitious or Vexatious Requests for Access
An organization may set reasonable limits on the number of times within a given period that access requests from a particular individual will be met. In setting such limitations, an organization should consider such factors as the frequency with which information is updated, the purpose for which the data are used, and the nature of the information.
h. Fraudulent Requests for Access
An organization is not required to provide access unless it is supplied with sufficient information to allow it to confirm the identity of the person making the request.
i. Timeframe for Responses
Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay.
9. Human Resources Data
a. Coverage by the Privacy Shield
i. |
Where an organization in the EU transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield. In such cases, the collection of the information and its processing prior to transfer will have been subject to the national laws of the EU country where it was collected, and any conditions for or restrictions on its transfer according to those laws will have to be respected. |
ii. |
The Privacy Shield Principles are relevant only when individually identified or identifiable records are transferred or accessed. Statistical reporting relying on aggregate employment data and containing no personal data or the use of anonymized data does not raise privacy concerns. |
b. Application of the Notice and Choice Principles
i. |
A U.S. organization that has received employee information from the EU under the Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Such use must not be incompatible with the purposes for which the personal information has been collected or subsequently authorised by the individual. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. |
ii. |
It should be noted that certain generally applicable conditions for transfer from some EU Member States may preclude other uses of such information even after transfer outside the EU and such conditions will have to be respected. |
iii. |
In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the personal data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand. |
iv. |
To the extent and for the period necessary to avoid prejudicing the ability of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice. |
c. Application of the Access Principle
The Supplemental Principle on Access provides guidance on reasons which may justify denying or limiting access on request in the human resources context. Of course, employers in the European Union must comply with local regulations and ensure that European Union employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The Privacy Shield requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the EU employer.
d. Enforcement
i. |
In so far as personal information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the organization in the EU. It follows that, where European employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should be directed to the state or national data protection or labor authority in the jurisdiction where the employees work. This includes cases where the alleged mishandling of their personal information is the responsibility of the U.S. organization that has received the information from the employer and thus involves an alleged breach of the Privacy Shield Principles. This will be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law. |
ii. |
A U.S. organization participating in the Privacy Shield that uses EU human resources data transferred from the European Union in the context of the employment relationship and that wishes such transfers to be covered by the Privacy Shield must therefore commit to cooperate in investigations by and to comply with the advice of competent EU authorities in such cases. |
e. Application of the Accountability for Onward Transfer Principle
For occasional employment-related operational needs of the Privacy Shield organization with respect to personal data transferred under the Privacy Shield, such as the booking of a flight, hotel room, or insurance coverage, transfers of personal data of a small number of employees can take place to controllers without application of the Access Principle or entering into a contract with the third-party controller, as otherwise required under the Accountability for Onward Transfer Principle, provided that the Privacy Shield organization has complied with the Notice and Choice Principles.
10. Obligatory Contracts for Onward Transfers
a. Data Processing Contracts
i. |
When personal data is transferred from the EU to the United States only for processing purposes, a contract will be required, regardless of participation by the processor in the Privacy Shield. |
ii. |
Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield. The purpose of the contract is to make sure that the processor:
|
iii. |
Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection. |
b. Transfers within a Controlled Group of Corporations or Entities
When personal information is transferred between two controllers within a controlled group of corporations or entities, a contract is not always required under the Accountability for Onward Transfer Principle. Data controllers within a controlled group of corporations or entities may base such transfers on other instruments, such as EU Binding Corporate Rules or other intra-group instruments (e.g., compliance and control programs), ensuring the continuity of protection of personal information under the Principles. In case of such transfers, the Privacy Shield organization remains responsible for compliance with the Principles.
c. Transfers between Controllers
For transfers between controllers, the recipient controller need not be a Privacy Shield organization or have an independent recourse mechanism. The Privacy Shield organization must enter into a contract with the recipient third-party controller that provides for the same level of protection as is available under the Privacy Shield, not including the requirement that the third party controller be a Privacy Shield organization or have an independent recourse mechanism, provided it makes available an equivalent mechanism.
11. Dispute Resolution and Enforcement
a. The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle's requirements. Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives.
b. This list is intended to be illustrative and not limiting. The private sector may design additional mechanisms to provide enforcement, so long as they meet the requirements of the Recourse, Enforcement and Liability Principle and the Supplemental Principles. Please note that the Recourse, Enforcement and Liability Principle's requirements are additional to the requirement that self-regulatory efforts must be enforceable under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts, or another law or regulation prohibiting such acts.
c. In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law.
d. Recourse Mechanisms
i. |
Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism's privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. |
ii. |
Independent recourse mechanisms must include on their public websites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) information on or a link to the Privacy Shield Principles' requirements for independent recourse mechanisms; (2) a link to the Department's Privacy Shield website; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. |
iii. |
Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. |
iv. |
As set forth in Annex I, an arbitration option is available to an individual to determine, for residual claims, whether a Privacy Shield organization has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes. This option is not available, for example, with respect to the exceptions to the Principles (5) or with respect to an allegation about the adequacy of the Privacy Shield. Under this arbitration option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual's data in question) necessary to remedy the violation of the Principles only with respect to the individual. Individuals and Privacy Shield organizations will be able to seek judicial review and enforcement of the arbitral decisions pursuant to U.S. law under the Federal Arbitration Act. |
e. Remedies and Sanctions
The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances (6). Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department.
f. FTC Action
The FTC has committed to reviewing on a priority basis referrals alleging non-compliance with the Principles received from: (i) privacy self-regulatory organizations and other independent dispute resolution bodies; (ii) EU Member States; and (iii) the Department, to determine whether Section 5 of the FTC Act prohibiting unfair or deceptive acts or practices in commerce has been violated. If the FTC concludes that it has reason to believe Section 5 has been violated, it may resolve the matter by seeking an administrative cease and desist order prohibiting the challenged practices or by filing a complaint in a federal district court, which if successful could result in a federal court order to same effect. This includes false claims of adherence to the Privacy Shield Principles or participation in the Privacy Shield by organizations, which either are no longer on the Privacy Shield List or have never self-certified to the Department. The FTC may obtain civil penalties for violations of an administrative cease and desist order and may pursue civil or criminal contempt for violation of a federal court order. The FTC will notify the Department of any such actions it takes. The Department encourages other government bodies to notify it of the final disposition of any such referrals or other rulings determining adherence to the Privacy Shield Principles.
g. Persistent Failure to Comply
i. |
If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the Privacy Shield. Organizations that have persistently failed to comply with the Principles will be removed from the Privacy Shield List by the Department and must return or delete the personal information they received under the Privacy Shield. |
ii. |
Persistent failure to comply arises where an organization that has self-certified to the Department refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or government body, or where such a body determines that an organization frequently fails to comply with the Principles to the point where its claim to comply is no longer credible. In these cases, the organization must promptly notify the Department of such facts. Failure to do so may be actionable under the False Statements Act (18 U.S.C. § 1001). An organization's withdrawal from a private-sector privacy self-regulatory program or independent dispute resolution mechanism does not relieve it of its obligation to comply with the Principles and would constitute a persistent failure to comply. |
iii. |
The Department will remove an organization from the Privacy Shield List in response to any notification it receives of persistent failure to comply, whether it is received from the organization itself, from a privacy self-regulatory body or another independent dispute resolution body, or from a government body, but only after first providing 30 days' notice and an opportunity to respond to the organization that has failed to comply. Accordingly, the Privacy Shield List maintained by the Department will make clear which organizations are assured and which organizations are no longer assured of Privacy Shield benefits. |
iv. |
An organization applying to participate in a self-regulatory body for the purposes of requalifying for the Privacy Shield must provide that body with full information about its prior participation in the Privacy Shield. |
12. Choice — Timing of Opt Out
a. |
Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways that are consistent with the individual's expectations and choices. Accordingly, an individual should be able to exercise ‘opt out’ choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the ‘opt out’. In the United States, individuals may be able to exercise this option through the use of a central ‘opt out’ program such as the Direct Marketing Association's Mail Preference Service. Organizations that participate in the Direct Marketing Association's Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. |
b. |
Similarly, an organization may use information for certain direct marketing purposes when it is impracticable to provide the individual with an opportunity to opt out before using the information, if the organization promptly gives the individual such opportunity at the same time (and upon request at any time) to decline (at no cost to the individual) to receive any further direct marketing communications and the organization complies with the individual's wishes. |
13. Travel Information
a. |
Airline passenger reservation and other travel information, such as frequent flyer or hotel reservation information and special handling needs, such as meals to meet religious requirements or physical assistance, may be transferred to organizations located outside the EU in several different circumstances. Under Article 26 of the Directive, personal data may be transferred ‘to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2)’ on the condition that it (i) is necessary to provide the services requested by the consumer or to fulfill the terms of an agreement, such as a ‘frequent flyer’ agreement; or (ii) has been unambiguously consented to by the consumer. U.S. organizations subscribing to the Privacy Shield provide adequate protection for personal data and may therefore receive data transfers from the EU without meeting these conditions or other conditions set out in Article 26 of the Directive. Since the Privacy Shield includes specific rules for sensitive information, such information (which may need to be collected, for example, in connection with customers' needs for physical assistance) may be included in transfers to Privacy Shield participants. In all cases, however, the organization transferring the information has to respect the law in the EU Member State in which it is operating, which may, inter alia, impose special conditions for the handling of sensitive data. |
14. Pharmaceutical and Medical Products
a. Application of EU Member State Laws or the Privacy Shield Principles
EU Member State law applies to the collection of the personal data and to any processing that takes place prior to the transfer to the United States. The Privacy Shield Principles apply to the data once they have been transferred to the United States. Data used for pharmaceutical research and other purposes should be anonymized when appropriate.
b. Future Scientific Research
i. |
Personal data developed in specific medical or pharmaceutical research studies often play a valuable role in future scientific research. Where personal data collected for one research study are transferred to a U.S. organization in the Privacy Shield, the organization may use the data for a new scientific research activity if appropriate notice and choice have been provided in the first instance. Such notice should provide information about any future specific uses of the data, such as periodic follow-up, related studies, or marketing. |
ii. |
It is understood that not all future uses of the data can be specified, since a new research use could arise from new insights on the original data, new medical discoveries and advances, and public health and regulatory developments. Where appropriate, the notice should therefore include an explanation that personal data may be used in future medical and pharmaceutical research activities that are unanticipated. If the use is not consistent with the general research purpose(s) for which the personal data were originally collected, or to which the individual has consented subsequently, new consent must be obtained. |
c. Withdrawal from a Clinical Trial
Participants may decide or be asked to withdraw from a clinical trial at any time. Any personal data collected previous to withdrawal may still be processed along with other data collected as part of the clinical trial, however, if this was made clear to the participant in the notice at the time he or she agreed to participate.
d. Transfers for Regulatory and Supervision Purposes
Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials conducted in the EU to regulators in the United States for regulatory and supervision purposes. Similar transfers are allowed to parties other than regulators, such as company locations and other researchers, consistent with the Principles of Notice and Choice.
e. ‘Blinded’ Studies
i. |
To ensure objectivity in many clinical trials, participants, and often investigators as well, cannot be given access to information about which treatment each participant may be receiving. Doing so would jeopardize the validity of the research study and results. Participants in such clinical trials (referred to as ‘blinded’ studies) do not have to be provided access to the data on their treatment during the trial if this restriction has been explained when the participant entered the trial and the disclosure of such information would jeopardize the integrity of the research effort. |
ii. |
Agreement to participate in the trial under these conditions is a reasonable forgoing of the right of access. Following the conclusion of the trial and analysis of the results, participants should have access to their data if they request it. They should seek it primarily from the physician or other health care provider from whom they received treatment within the clinical trial, or secondarily from the sponsoring organization. |
f. Product Safety and Efficacy Monitoring
A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration.
g. Key-coded Data
Invariably, research data are uniquely key-coded at their origin by the principal investigator so as not to reveal the identity of individual data subjects. Pharmaceutical companies sponsoring such research do not receive the key. The unique key code is held only by the researcher, so that he or she can identify the research subject under special circumstances (e.g., if follow-up medical attention is required). A transfer from the EU to the United States of data coded in this way would not constitute a transfer of personal data that would be subject to the Privacy Shield Principles.
15. Public Record and Publicly Available Information
a. |
An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. |
b. |
It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. |
c. |
Where an organization is found to have intentionally made personal information public in contravention of the Principles so that it or others may benefit from these exceptions, it will cease to qualify for the benefits of the Privacy Shield. |
d. |
It is not necessary to apply the Access Principle to public record information as long as it is not combined with other personal information (apart from small amounts used to index or organize the public record information); however, any conditions for consultation established by the relevant jurisdiction are to be respected. In contrast, where public record information is combined with other non-public record information (other than as specifically noted above), an organization must provide access to all such information, assuming it is not subject to other permitted exceptions. |
e. |
As with public record information, it is not necessary to provide access to information that is already publicly available to the public at large, as long as it is not combined with non-publicly available information. Organizations that are in the business of selling publicly available information may charge the organization's customary fee in responding to requests for access. Alternatively, individuals may seek access to their information from the organization that originally compiled the data. |
16. Access Requests by Public Authorities
a. |
In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law. |
b. |
The information provided by the Privacy Shield organizations in these reports together with information that has been released by the intelligence community, along with other information, can be used to inform the annual joint review of the functioning of the Privacy Shield in accordance with the Principles. |
c. |
Absence of notice in accordance with point (a)(xii) of the Notice Principle shall not prevent or impair an organization's ability to respond to any lawful request. |
(1) Provided that the Commission Decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield applies to Iceland, Liechtenstein and Norway, the Privacy Shield Package will cover both the European Union, as well as these three countries. Consequently, references to the EU and its Member States will be read as including Iceland, Liechtenstein and Norway.
(2) Depending on the circumstances, examples of compatible processing purposes may include those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization's legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
(3) In this context, if, given the means of identification reasonably likely to be used (considering, among other things, the costs of and the amount of time required for identification and the available technology at the time of the processing) and the form in which the data is retained, an individual could reasonably be identified by the organization, or a third party if it would have access to the data, then the individual is ‘identifiable.’
(4) The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed.
(5) Section I.5 of the Principles.
(6) Dispute resolution bodies have discretion about the circumstances in which they use these sanctions. The sensitivity of the data concerned is one factor to be taken into consideration in deciding whether deletion of data should be required, as is whether an organization has collected, used, or disclosed information in blatant contravention of the Privacy Shield Principles.
Annex I
Arbitral model
This Annex I provides the terms under which Privacy Shield organizations are obligated to arbitrate claims, pursuant to the Recourse, Enforcement and Liability Principle. The binding arbitration option described below applies to certain ‘residual’ claims as to data covered by the EU-U.S. Privacy Shield. The purpose of this option is to provide a prompt, independent, and fair mechanism, at the option of individuals, for resolution of claimed violations of the Principles not resolved by any of the other Privacy Shield mechanisms, if any.
A. Scope
This arbitration option is available to an individual to determine, for residual claims, whether a Privacy Shield organization has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes. This option is not available, for example, with respect to the exceptions to the Principles (1) or with respect to an allegation about the adequacy of the Privacy Shield.
B. Available Remedies
Under this arbitration option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual's data in question) necessary to remedy the violation of the Principles only with respect to the individual. These are the only powers of the arbitration panel with respect to remedies. In considering remedies, the arbitration panel is required to consider other remedies that already have been imposed by other mechanisms under the Privacy Shield. No damages, costs, fees, or other remedies are available. Each party bears its own attorney's fees.
C. Pre-Arbitration Requirements
An individual who decides to invoke this arbitration option must take the following steps prior to initiating an arbitration claim: (1) raise the claimed violation directly with the organization and afford the organization an opportunity to resolve the issue within the timeframe set forth in Section III.11(d)(i) of the Principles; (2) make use of the independent recourse mechanism under the Principles, which is at no cost to the individual; and (3) raise the issue through their Data Protection Authority to the Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the International Trade Administration of the Department of Commerce, at no cost to the individual.
This arbitration option may not be invoked if the individual's same claimed violation of the Principles (1) has previously been subject to binding arbitration; (2) was the subject of a final judgment entered in a court action to which the individual was a party; or (3) was previously settled by the parties. In addition, this option may not be invoked if an EU Data Protection Authority (1) has authority under Sections III.5 or III.9 of the Principles; or (2) has the authority to resolve the claimed violation directly with the organization. A DPA's authority to resolve the same claim against an EU data controller does not alone preclude invocation of this arbitration option against a different legal entity not bound by the DPA authority.
D. Binding Nature of Decisions
An individual's decision to invoke this binding arbitration option is entirely voluntary. Arbitral decisions will be binding on all parties to the arbitration. Once invoked, the individual forgoes the option to seek relief for the same claimed violation in another forum, except that if non-monetary equitable relief does not fully remedy the claimed violation, the individual's invocation of arbitration will not preclude a claim for damages that is otherwise available in the courts.
E. Review and Enforcement
Individuals and Privacy Shield organizations will be able to seek judicial review and enforcement of the arbitral decisions pursuant to U.S. law under the Federal Arbitration Act (2). Any such cases must be brought in the federal district court whose territorial coverage includes the primary place of business of the Privacy Shield organization.
This arbitration option is intended to resolve individual disputes, and arbitral decisions are not intended to function as persuasive or binding precedent in matters involving other parties, including in future arbitrations or in EU or U.S. courts, or FTC proceedings.
F. The Arbitration Panel
The parties will select the arbitrators from the list of arbitrators discussed below.
Consistent with applicable law, the U.S. Department of Commerce and the European Commission will develop a list of at least 20 arbitrators, chosen on the basis of independence, integrity, and expertise. The following shall apply in connection with this process:
Arbitrators:
(1) |
will remain on the list for a period of 3 years, absent exceptional circumstances or for cause, renewable for one additional period of 3 years; |
(2) |
shall not be subject to any instructions from, or be affiliated with, either party, or any Privacy Shield organization, or the U.S., EU, or any EU Member State or any other governmental authority, public authority, or enforcement authority; and |
(3) |
must be admitted to practice law in the U.S. and be experts in U.S. privacy law, with expertise in EU data protection law. |
G. Arbitration Procedures
Consistent with applicable law, within 6 months from the adoption of the adequacy decision, the Department of Commerce and the European Commission will agree to adopt an existing, well-established set of U.S. arbitral procedures (such as AAA or JAMS) to govern proceedings before the Privacy Shield Panel, subject to each of the following considerations:
1. |
An individual may initiate binding arbitration, subject to the pre-arbitration requirements provision above, by delivering a ‘Notice’ to the organization. The Notice shall contain a summary of steps taken under Paragraph C to resolve the claim, a description of the alleged violation, and, at the choice of the individual, any supporting documents and materials and/or a discussion of law relating to the alleged claim. |
2. |
Procedures will be developed to ensure that an individual's same claimed violation does not receive duplicative remedies or procedures. |
3. |
FTC action may proceed in parallel with arbitration. |
4. |
No representative of the U.S., EU, or any EU Member State or any other governmental authority, public authority, or enforcement authority may participate in these arbitrations, provided, that at the request of an EU individual, EU DPAs may provide assistance in the preparation only of the Notice but EU DPAs may not have access to discovery or any other materials related to these arbitrations. |
5. |
The location of the arbitration will be the United States, and the individual may choose video or telephone participation, which will be provided at no cost to the individual. In-person participation will not be required. |
6. |
The language of the arbitration will be English unless otherwise agreed by the parties. Upon a reasoned request, and taking into account whether the individual is represented by an attorney, interpretation at the arbitral hearing as well as translation of arbitral materials will be provided at no cost to the individual, unless the panel finds that, under the circumstances of the specific arbitration, this would lead to unjustified or disproportionate costs. |
7. |
Materials submitted to arbitrators will be treated confidentially and will only be used in connection with the arbitration. |
8. |
Individual-specific discovery may be permitted if necessary, and such discovery will be treated confidentially by the parties and will only be used in connection with the arbitration. |
9. |
Arbitrations should be completed within 90 days of the delivery of the Notice to the organization at issue, unless otherwise agreed to by the parties. |
H. Costs
Arbitrators should take reasonable steps to minimize the costs or fees of the arbitrations.
Subject to applicable law, the Department of Commerce will facilitate the establishment of a fund, into which Privacy Shield organizations will be required to pay an annual contribution, based in part on the size of the organization, which will cover the arbitral cost, including arbitrator fees, up to maximum amounts (‘caps’), in consultation with the European Commission. The fund will be managed by a third party, which will report regularly on the operations of the fund. At the annual review, the Department of Commerce and European Commission will review the operation of the fund, including the need to adjust the amount of the contributions or of the caps, and will consider, among other things, the number of arbitrations and the costs and timing of the arbitrations, with the mutual understanding that there will be no excessive financial burden imposed on Privacy Shield organizations. Attorney's fees are not covered by this provision or any fund under this provision.
(1) Section I.5 of the Principles.
(2) Chapter 2 of the Federal Arbitration Act (‘FAA’) provides that ‘[a]n arbitration agreement or arbitral award arising out of a legal relationship, whether contractual or not, which is considered as commercial, including a transaction, contract, or agreement described in [section 2 of the FAA], falls under the Convention [on the Recognition and Enforcement of Foreign Arbitral Awards of June 10, 1958, 21 U.S.T. 2519, T.I.A.S. No 6997 (“New York Convention”)].’ 9 U.S.C. § 202. The FAA further provides that ‘[a]n agreement or award arising out of such a relationship which is entirely between citizens of the United States shall be deemed not to fall under the [New York] Convention unless that relationship involves property located abroad, envisages performance or enforcement abroad, or has some other reasonable relation with one or more foreign states.’ Id. Under Chapter 2, ‘any party to the arbitration may apply to any court having jurisdiction under this chapter for an order confirming the award as against any other party to the arbitration. The court shall confirm the award unless it finds one of the grounds for refusal or deferral of recognition or enforcement of the award specified in the said [New York] Convention.’ Id. § 207. Chapter 2 further provides that ‘[t]he district courts of the United States … shall have original jurisdiction over … an action or proceeding [under the New York Convention], regardless of the amount in controversy.’ Id. § 203.
Chapter 2 also provides that ‘Chapter 1 applies to actions and proceedings brought under this chapter to the extent that chapter is not in conflict with this chapter or the [New York] Convention as ratified by the United States.’ Id. § 208. Chapter 1, in turn, provides that ‘[a] written provision in … a contract evidencing a transaction involving commerce to settle by arbitration a controversy thereafter arising out of such contract or transaction, or the refusal to perform the whole or any part thereof, or an agreement in writing to submit to arbitration an existing controversy arising out of such a contract, transaction, or refusal, shall be valid, irrevocable, and enforceable, save upon such grounds as exist at law or in equity for the revocation of any contract.’ Id. § 2. Chapter 1 further provides that ‘any party to the arbitration may apply to the court so specified for an order confirming the award, and thereupon the court must grant such an order unless the award is vacated, modified, or corrected as prescribed in sections 10 and 11 of [the FAA].’ Id. § 9.
ANNEX III
July 7, 2016
Dear Commissioner Jourová,
I am pleased we have reached an understanding on the European Union-United States Privacy Shield that will include an Ombudsperson mechanism through which authorities in the EU will be able to submit requests on behalf of EU individuals regarding U.S. signals intelligence practices.
On January 17, 2014, President Barack Obama announced important intelligence reforms included in Presidential Policy Directive 28 (PPD-28). Under PPD-28, I designated Under Secretary of State Catherine A. Novelli, who also serves as Senior Coordinator for International Information Technology Diplomacy, as our point of contact for foreign governments that wish to raise concerns regarding U.S. signals intelligence activities. Building on this role, I have established a Privacy Shield Ombudsperson mechanism in accordance with the terms set out in Annex A, which have been updated since my letter of February 22, 2016. I have directed Under Secretary Novelli to perform this function. Under Secretary Novelli is independent from the U.S. intelligence community, and reports directly to me.
I have directed my staff to devote the necessary resources to implement this new Ombudsperson mechanism, and am confident it will be an effective means to address EU individuals' concerns.
Sincerely,
John F. Kerry
Annex A
EU-U.S. Privacy Shield Ombudsperson mechanism regarding signals intelligence
In recognition of the importance of the EU-U.S. Privacy Shield Framework, this Memorandum sets forth the process for implementing a new mechanism, consistent with Presidential Policy Directive 28 (PPD-28), regarding signals intelligence (1).
On January 17, 2014, President Obama gave a speech announcing important intelligence reforms. In that speech, he pointed out that ‘[o]ur efforts help protect not only our nation, but our friends and allies as well. Our efforts will only be effective if ordinary citizens in other countries have confidence that the United States respects their privacy too.’ President Obama announced the issuance of a new presidential directive—PPD-28—to ‘clearly prescribe what we do, and do not do, when it comes to our overseas surveillance.’
Section 4(d) of PPD-28 directs the Secretary of State to designate a ‘Senior Coordinator for International Information Technology Diplomacy’ (Senior Coordinator) ‘to … serve as a point of contact for foreign governments who wish to raise concerns regarding signals intelligence activities conducted by the United States.’ As of January 2015, Under Secretary C. Novelli has served as the Senior Coordinator.
This Memorandum describes a new mechanism that the Senior Coordinator will follow to facilitate the processing of requests relating to national security access to data transmitted from the EU to the United States pursuant to the Privacy Shield, standard contractual clauses (SCCs), binding corporate rules (BCRs), ‘Derogations,’ (2) or ‘Possible Future Derogations,’ (3) through established avenues under applicable United States laws and policy, and the response to those requests.
1. The Privacy Shield Ombudsperson. The Senior Coordinator will serve as the Privacy Shield Ombudsperson and designate additional State Department officials, as appropriate to assist in her performance of the responsibilities detailed in this memorandum. (Hereinafter, the Coordinator and any officials performing such duties will be referred to as ‘Privacy Shield Ombudsperson.’) The Privacy Shield Ombudsperson will work closely with appropriate officials from other departments and agencies who are responsible for processing requests in accordance with applicable United States law and policy. The Ombudsperson is independent from the Intelligence Community. The Ombudsperson reports directly to the Secretary of State who will ensure that the Ombudsperson carries out its function objectively and free from improper influence that is liable to have an effect on the response to be provided.
2. Effective Coordination. The Privacy Shield Ombudsperson will be able to effectively use and coordinate with the oversight bodies, described below, in order to ensure that the Ombudsperson's response to requests from the submitting EU individual complaint handing body is based on the necessary information. When the request relates to the compatibility of surveillance with U.S. law, the Privacy Shield Ombudsperson will be able to cooperate with one of the independent oversight bodies with investigatory powers.
a. |
The Privacy Shield Ombudsperson will work closely with other United States Government officials, including appropriate independent oversight bodies, to ensure that completed requests are processed and resolved in accordance with applicable laws and policies. In particular, the Privacy Shield Ombudsperson will be able to coordinate closely with the Office of the Director of National Intelligence, the Department of Justice, and other departments and agencies involved in United States national security as appropriate, and Inspectors General, Freedom of Information Act Officers, and Civil Liberties and Privacy Officers. |
b. |
The United States Government will rely on mechanisms for coordinating and overseeing national security matters across departments and agencies to help ensure that the Privacy Shield Ombudsperson is able to respond within the meaning of Section 4(e) to completed requests under Section 3(b). |
c. |
The Privacy Shield Ombudsperson may refer matters related to requests to the Privacy and Civil Liberties Oversight Board for its consideration. |
3. Submitting Requests.
a. |
A request will initially be submitted to the supervisory authorities in the Member States competent for the oversight of national security services and/or the processing of personal data by public authorities. The request will be submitted to the Ombudsperson by a EU centralized body (hereafter together: the ‘EU individual complaint handling body’). |
b. |
The EU individual complaint handling body will ensure, in compliance with the following actions, that the request is complete:
|
c. |
To be completed for purposes of further handling by the Privacy Shield Ombudsperson under this memorandum, the request need not demonstrate that the requester's data has in fact been accessed by the United States Government through signal intelligence activities. |
4. Commitments to Communicate with Submitting EU Individual Complaint Handling Body.
a. |
The Privacy Shield Ombudsperson will acknowledge receipt of the request to the submitting EU individual complaint handling body. |
b. |
The Privacy Shield Ombudsperson will conduct an initial review to verify that the request has been completed in conformance with Section 3(b). If the Privacy Shield Ombudsperson notes any deficiencies or has any questions regarding the completion of the request, the Privacy Shield Ombudsperson will seek to address and resolve those concerns with the submitting EU individual complaint handling body. |
c. |
If, to facilitate appropriate processing of the request, the Privacy Shield Ombudsperson needs more information about the request, or if specific action is needed to be taken by the individual who originally submitted the request, the Privacy Shield Ombudsperson will so inform the submitting EU individual complaint handling body. |
d. |
The Privacy Shield Ombudsperson will track the status of requests and provide updates as appropriate to the submitting EU individual complaint handling body. |
e. |
Once a request has been completed as described in Section 3 of this Memorandum, the Privacy Shield Ombudsperson will provide in a timely manner an appropriate response to the submitting EU individual complaint handling body, subject to the continuing obligation to protect information under applicable laws and policies. The Privacy Shield Ombudsperson will provide a response to the submitting EU individual complaint handling body confirming (i) that the complaint has been properly investigated, and (ii) that the U.S. law, statutes, executives orders, presidential directives, and agency policies, providing the limitations and safeguards described in the ODNI letter, have been complied with, or, in the event of non-compliance, such non-compliance has been remedied. The Privacy Shield Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Privacy Shield Ombudsperson confirm the specific remedy that was applied. As further explained in Section 5, FOIA requests will be processed as provided under that statute and applicable regulations. |
f. |
The Privacy Shield Ombudsperson will communicate directly with the EU individual complaint handling body, who will in turn be responsible for communicating with the individual submitting the request. If direct communications are part of one of the underlying processes described below, then those communications will take place in accordance with existing procedures. |
g. |
Commitments in this Memorandum will not apply to general claims that the EU-U.S. Privacy Shield is inconsistent with European Union data protection requirements. The commitments in this Memorandum are made based on the common understanding by the European Commission and the U.S. government that given the scope of commitments under this mechanism, there may be resource constraints that arise, including with respect to Freedom of Information Act (FOIA) requests. Should the carrying-out of the Privacy Shield Ombudsperson's functions exceed reasonable resource constraints and impede the fulfillment of these commitments, the U.S. government will discuss with the European Commission any adjustments that may be appropriate to address the situation. |
5. Requests for Information. Requests for access to United States Government records may be made and processed under the Freedom of Information Act (FOIA).
a. |
FOIA provides a means for any person to seek access to existing federal agency records, regardless of the nationality of the requester. This statute is codified in the United States Code at 5 U.S.C. § 552. The statute, together with additional information about FOIA, is available at www.FOIA.gov and http://www.justice.gov/oip/foia-resources. Each agency has a Chief FOIA Officer, and has provided information on its public website about how to submit a FOIA request to the agency. Agencies have processes for consulting with one another on FOIA requests that involve records held by another agency. |
b. |
By way of example:
|
c. |
Under FOIA, access to government records is subject to certain enumerated exemptions. These include limits on access to classified national security information, personal information of third parties, and information concerning law enforcement investigations, and are comparable to the limitations imposed by each EU Member State with its own information access law. These limitations apply equally to Americans and non-Americans. |
d. |
Disputes over the release of records requested pursuant to FOIA can be appealed administratively and then in federal court. The court is required to make a de novo determination of whether records are properly withheld, 5 U.S.C. § 552(a)(4)(B), and can compel the government to provide access to records. In some cases courts have overturned government assertions that information should be withheld as classified. Although no monetary damages are available, courts can award attorney's fees. |
6. Requests for Further Action. A request alleging violation of law or other misconduct will be referred to the appropriate United States Government body, including independent oversight bodies, with the power to investigate the respective request and address non-compliance as described below.
a. |
Inspectors General are statutorily independent; have broad power to conduct investigations, audits and reviews of programs, including of fraud and abuse or violation of law; and can recommend corrective actions.
|
b. |
Privacy and Civil Liberties offices and entities in the United States Government also have relevant responsibilities. By way of example:
|
(1) Provided that the Commission Decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield applies to Iceland, Liechtenstein and Norway, the Privacy Shield Package will cover both the European Union, as well as these three countries. Consequently, references to the EU and its Member States will be read as including Iceland, Liechtenstein and Norway.
(2) ‘Derogations’ in this context mean a commercial transfer or transfers that take place on the condition that: (a) the data subject has given his consent unambiguously to the proposed transfer; or (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or (d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims; or (e) the transfer is necessary in order to protect the vital interests of the data subject; or (f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
(3) ‘Possible Future Derogations’ in this context mean a commercial transfer or transfers that take place on one of the following conditions, to the extent the condition constitutes lawful grounds for transfers of personal data from the EU to the U.S.: (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; or (b) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or (c) in case of a transfer to a third country or an international organization and none of the other derogations or possible future derogations is applicable, only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
ANNEX IV
July 7, 2016
VIA EMAIL
Věra Jourová |
Commissioner for Justice, Consumers and Gender Equality |
European Commission |
Rue de la Loi/Wetstraat 200 |
1049 Brussels |
Belgium |
Dear Commissioner Jourová:
The United States Federal Trade Commission (‘FTC’) appreciates the opportunity to describe its enforcement of the new EU-U.S. Privacy Shield Framework (the ‘Privacy Shield Framework’ or ‘Framework’). We believe the Framework will play a critical role in facilitating privacy-protective commercial transactions in an increasingly interconnected world. It will enable businesses to conduct important operations in the global economy, while at the same time ensuring that EU consumers retain important privacy protections. The FTC has long committed to protecting privacy across borders and will make enforcement of the new Framework a high priority. Below, we explain the FTC's history of strong privacy enforcement generally, including our enforcement of the original Safe Harbor program, as well as the FTC's approach to enforcement of the new Framework.
The FTC first publicly expressed its commitment to enforce the Safe Harbor program in 2000. At that time, then-FTC Chairman Robert Pitofsky sent the European Commission a letter outlining the FTC's pledge to vigorously enforce the Safe Harbor Privacy Principles. The FTC has continued to uphold this commitment through nearly 40 enforcement actions, numerous additional investigations, and cooperation with individual European data protection authorities (‘EU DPAs’) on matters of mutual interest.
After the European Commission raised concerns in November 2013 about the administration and enforcement of the Safe Harbor program, we and the U.S. Department of Commerce began consultations with officials from the European Commission to explore ways to strengthen it. While those consultations were proceeding, on October 6, 2015, the European Court of Justice issued a decision in the Schrems case that, among other things, invalidated the European Commission's decision on the adequacy of the Safe Harbor program. Following the decision, we continued to work closely with the Department of Commerce and the European Commission in an effort to strengthen the privacy protections provided to EU individuals. The Privacy Shield Framework is a result of these ongoing consultations. As was the case with the Safe Harbor program, the FTC hereby commits to vigorous enforcement of the new Framework. This letter memorializes that commitment.
Notably, we affirm our commitment in four key areas: (1) referral prioritization and investigations; (2) addressing false or deceptive Privacy Shield membership claims; (3) continued order monitoring; and (4) enhanced engagement and enforcement cooperation with EU DPAs. We provide below detailed information about each of these commitments and relevant background about the FTC's role in protecting consumer privacy and enforcing Safe Harbor, as well as the broader privacy landscape in the United States (1).
I. BACKGROUND
A. FTC Privacy Enforcement and Policy Work
The FTC has broad civil enforcement authority to promote consumer protection and competition in the commercial sphere. As part of its consumer protection mandate, the FTC enforces a wide range of laws to protect the privacy and security of consumer data. The primary law enforced by the FTC, the FTC Act, prohibits ‘unfair’ and ‘deceptive’ acts or practices in or affecting commerce (2). A representation, omission, or practice is deceptive if it is material and likely to mislead consumers acting reasonably under the circumstances (3). An act or practice is unfair if it causes, or is likely to cause, substantial injury that is not reasonably avoidable by consumers or outweighed by countervailing benefits to consumers or competition (4). The FTC also enforces targeted statutes that protect information relating to health, credit and other financial matters, as well as children's online information, and has issued regulations implementing each of these statutes.
The FTC's jurisdiction under the FTC Act applies to matters ‘in or affecting commerce.’ The FTC does not have jurisdiction over criminal law enforcement or national security matters. Nor can the FTC reach most other governmental actions. In addition, there are exceptions to the FTC's jurisdiction over commercial activities, including with respect to banks, airlines, the business of insurance, and the common carrier activities of telecommunications service providers. The FTC also does not have jurisdiction over most non-profit organizations, but it does have jurisdiction over sham charities or other non-profits that in actuality operate for profit. The FTC also has jurisdiction over non-profit organizations that operate for the profit of their for-profit members, including by providing substantial economic benefits to those members (5). In some instances, the FTC's jurisdiction is concurrent with that of other law enforcement agencies.
We have developed strong working relationships with federal and state authorities and work closely with them to coordinate investigations or make referrals where appropriate.
Enforcement is the lynchpin of the FTC's approach to privacy protection. To date, the FTC has brought over 500 cases protecting the privacy and security of consumer information. This body of cases covers both offline and online information and includes enforcement actions against companies large and small, alleging that they failed to properly dispose of sensitive consumer data, failed to secure consumers' personal information, deceptively tracked consumers online, spammed consumers, installed spyware or other malware on consumers' computers, violated Do Not Call and other telemarketing rules, and improperly collected and shared consumer information on mobile devices. The FTC's enforcement actions—in both the physical and digital worlds—send an important message to companies about the need to protect consumer privacy.
The FTC has also pursued numerous policy initiatives aimed at enhancing consumer privacy that inform its enforcement work. The FTC has hosted workshops and issued reports recommending best practices aimed at improving privacy in the mobile ecosystem; increasing transparency of the data broker industry; maximizing the benefits of big data while mitigating its risks, particularly for low-income and underserved consumers; and highlighting the privacy and security implications of facial recognition and the internet of Things, among other areas.
The FTC also engages in consumer and business education to enhance the impact of its enforcement and policy development initiatives. The FTC has used a variety of tools— publications, online resources, workshops, and social media—to provide educational materials on a wide range of topics, including mobile apps, children's privacy, and data security. Most recently, the Commission launched its ‘Start With Security’ initiative, which includes new guidance for businesses drawing on lessons learned from the agency's data security cases, as well as a series of workshops across the country. In addition, the FTC has long been a leader in educating consumers about basic computer security. Last year, our OnGuard Online site and its Spanish language counterpart, Alerta en Línea, had more than 5 million page views.
B. U.S. Legal Protections Benefiting EU Consumers
The Framework will operate in the context of the larger U.S. privacy landscape, which protects EU consumers in a number of ways.
The FTC Act's prohibition on unfair or deceptive acts or practices is not limited to protecting U.S. consumers from U.S. companies, as it includes those practices that (1) cause or are likely to cause reasonably foreseeable injury in the United States, or (2) involve material conduct in the United States. Further, the FTC can use all remedies, including restitution, that are available to protect domestic consumers when protecting foreign consumers.
Indeed, the FTC's enforcement work significantly benefits both U.S. and foreign consumers. For example, our cases enforcing Section 5 of the FTC Act have protected the privacy of U.S. and foreign consumers alike. In a case against an information broker, Accusearch, the FTC alleged that the company's sale of confidential telephone records to third parties without consumers' knowledge or consent was an unfair practice in violation of Section 5 of the FTC Act. Accusearch sold information relating to both U.S. and foreign consumers (6). The court granted injunctive relief against Accusearch prohibiting, among other things, the marketing or sale of consumers' personal information without written consent, unless it was lawfully obtained from publicly available information, and ordered disgorgement of almost USD 200 000 (7).
The FTC's settlement with TRUSTe is another example. It ensures that consumers, including those in the European Union, can rely on representations that a global self-regulatory organization makes about its review and certification of domestic and foreign online services (8). Importantly, our action against TRUSTe also strengthens the privacy self-regulatory system more broadly by ensuring the accountability of entities that play an important role in self-regulatory schemes, including cross-border privacy frameworks.
The FTC also enforces other targeted laws whose protections extend to non-U.S. consumers, such as the Children's Online Privacy Protection Act (‘COPPA’). Among other things, COPPA requires that operators of child-directed websites and online services, or general audience sites that knowingly collect personal information from children under the age of 13, provide parental notice and obtain verifiable parental consent. U.S.-based websites and services that are subject to COPPA and collect personal information from foreign children are required to comply with COPPA. Foreign-based websites and online services must also comply with COPPA if they are directed to children in the United States, or if they knowingly collect personal information from children in the United States. In addition to the U.S. federal laws enforced by the FTC, certain other federal and state consumer protection and privacy laws may provide additional benefits to EU consumers.
C. Safe Harbor Enforcement
As part of its privacy and security enforcement program, the FTC has also sought to protect EU consumers by bringing enforcement actions that involved Safe Harbor violations. The FTC has brought 39 Safe Harbor enforcement actions: 36 alleging false certification claims, and three cases—against Google, Facebook, and Myspace—involving alleged violations of Safe Harbor Privacy Principles (9). These cases demonstrate the enforceability of certifications and the repercussions for non-compliance. Twenty-year consent orders require Google, Facebook, and Myspace to implement comprehensive privacy programs that must be reasonably designed to address privacy risks related to the development and management of new and existing products and services and to protect the privacy and confidentiality of personal information. The comprehensive privacy programs mandated under these orders must identify foreseeable material risks and have controls to address those risks. The companies must also submit to ongoing, independent assessments of their privacy programs, which must be provided to the FTC. The orders also prohibit these companies from misrepresenting their privacy practices and their participation in any privacy or security program. This prohibition would also apply to companies' acts and practices under the new Privacy Shield Framework. The FTC can enforce these orders by seeking civil penalties. In fact, Google paid a record USD 22,5 million civil penalty in 2012 to resolve allegations it had violated its order. Consequently, these FTC orders help protect over a billion consumers worldwide, hundreds of millions of whom reside in Europe.
The FTC's cases have also focused on false, deceptive, or misleading claims of Safe Harbor participation. The FTC takes these claims seriously. For example, in FTC v. Karnani, the FTC brought an action in 2011 against an internet marketer in the United States alleging that he and his company tricked British consumers into believing that the company was based in the United Kingdom, including by using.uk web extensions and referencing British currency and the UK postal system (10). However, when consumers received the products, they discovered unexpected import duties, warranties that were not valid in the United Kingdom, and charges associated with obtaining refunds. The FTC also charged that the defendants deceived consumers about their participation in the Safe Harbor program. Notably, all of the consumer victims were in the United Kingdom.
Many of our other Safe Harbor enforcement cases involved organizations that joined the Safe Harbor program but failed to renew their annual certification while they continued to represent themselves as current members. As discussed further below, the FTC also commits to addressing false claims of participation in the Privacy Shield Framework. This strategic enforcement activity will complement the Department of Commerce's increased actions to verify compliance with program requirements for certification and re-certification, its monitoring of effective compliance, including through the use of questionnaires to Framework participants, and its increased efforts to identify false Framework membership claims and misuse of any Framework certification mark (11).
II. REFERRAL PRIORITIZATION AND INVESTIGATIONS
As we did under the Safe Harbor program, the FTC commits to give priority to Privacy Shield referrals from EU Member States. We will also prioritize referrals of non-compliance with self-regulatory guidelines relating to the Privacy Shield Framework from privacy self- regulatory organizations and other independent dispute resolution bodies.
To facilitate referrals under the Framework from EU Member States, the FTC is creating a standardized referral process and providing guidance to EU Member States on the type of information that would best assist the FTC in its inquiry into a referral. As part of this effort, the FTC will designate an agency point of contact for EU Member State referrals. It is most useful when the referring authority has conducted a preliminary inquiry into the alleged violation and can cooperate with the FTC in an investigation.
Upon receipt of a referral from an EU Member State or self-regulatory organization, the FTC can take a range of actions to address the issues raised. For example, we may review the company's privacy policies, obtain further information directly from the company or from third parties, follow up with the referring entity, assess whether there is a pattern of violations or significant number of consumers affected, determine whether the referral implicates issues within the purview of the Department of Commerce, assess whether consumer and business education would be helpful, and, as appropriate, initiate an enforcement proceeding.
The FTC also commits to exchange information on referrals with referring enforcement authorities, including the status of referrals, subject to confidentiality laws and restrictions. To the extent feasible given the number and type of referrals received, the information provided will include an evaluation of the referred matters, including a description of significant issues raised and any action taken to address law violations within the jurisdiction of the FTC. The FTC will also provide feedback to the referring authority on the types of referrals received in order to increase the effectiveness of efforts to address unlawful conduct. If a referring enforcement authority seeks information about the status of a particular referral for purposes of pursuing its own enforcement proceeding, the FTC will respond, taking into account the number of referrals under consideration and subject to confidentiality and other legal requirements.
The FTC will also work closely with EU DPAs to provide enforcement assistance. In appropriate cases, this could include information sharing and investigative assistance pursuant to the U.S. SAFE WEB Act, which authorizes FTC assistance to foreign law enforcement agencies when the foreign agency is enforcing laws prohibiting practices that are substantially similar to those prohibited by laws the FTC enforces (12). As part of this assistance, the FTC can share information obtained in connection with an FTC investigation, issue compulsory process on behalf of the EU DPA conducting its own investigation, and seek oral testimony from witnesses or defendants in connection with the DPA's enforcement proceeding, subject to the requirements of the U.S. SAFE WEB Act. The FTC regularly uses this authority to assist other authorities around the world in privacy and consumer protection cases (13).
In addition to prioritizing Privacy Shield referrals from EU Member States and privacy self-regulatory organizations (14), the FTC commits to investigating possible Framework violations on its own initiative where appropriate using a range of tools.
For well over a decade, the FTC has maintained a robust program of investigating privacy and security issues involving commercial organizations. As part of these investigations, the FTC routinely examined whether the entity at issue was making Safe Harbor representations. If the entity was making such representations and the investigation revealed apparent violations of the Safe Harbor Privacy Principles, the FTC included allegations of Safe Harbor violations in its enforcement actions. We will continue this proactive approach under the new Framework. Importantly, the FTC conducts many more investigations than ultimately result in public enforcement actions. Many FTC investigations are closed because staff does not identify an apparent law violation. Because FTC investigations are non-public and confidential, the closing of an investigation is often not made public.
The nearly 40 enforcement actions initiated by the FTC involving the Safe Harbor program evidence the agency's commitment to proactive enforcement of cross-border privacy programs. The FTC will look for potential Framework violations as part of the privacy and security investigations we undertake on a regular basis.
III. ADDRESSING FALSE OR DECEPTIVE PRIVACY SHIELD MEMBERSHIP CLAIMS
As referenced above, the FTC will take action against entities that misrepresent their participation in the Framework. The FTC will give priority consideration to referrals from the Department of Commerce regarding organizations that it identifies as improperly holding themselves out to be current members of the Framework or using any Framework certification mark without authorization.
In addition, we note that if an organization's privacy policy promises that it complies with the Privacy Shield Principles, its failure to make or maintain a registration with the Department of Commerce likely will not, by itself, excuse the organization from FTC enforcement of those Framework commitments.
IV. ORDER MONITORING
The FTC also affirms its commitment to monitor enforcement orders to ensure compliance with the Privacy Shield Framework.
We will require compliance with the Framework through a variety of appropriate injunctive provisions in future FTC Framework orders. This includes prohibiting misrepresentations regarding the Framework and other privacy programs when these are the basis for the underlying FTC action.
The FTC's cases enforcing the original Safe Harbor program are instructive. In the 36 cases involving false or deceptive claims of Safe Harbor certification, each order prohibits the defendant from misrepresenting its participation in Safe Harbor or any other privacy or security program and requires the company to make compliance reports available to the FTC. In cases that involved violations of Safe Harbor Privacy Principles, companies have been required to implement comprehensive privacy programs and obtain independent third-party assessments of those programs every other year for 20 years, which they must provide to the FTC.
Violations of the FTC's administrative orders can lead to civil penalties of up to USD 16 000 per violation, or USD 16 000 per day for a continuing violation (15), which, in the case of practices affecting many consumers, can amount to millions of dollars. Each consent order also has reporting and compliance provisions. The entities under order must retain documents demonstrating their compliance for a specified number of years. The orders must also be disseminated to employees responsible for ensuring order compliance.
The FTC systematically monitors compliance with Safe Harbor orders, as it does with all of its orders. The FTC takes enforcement of its privacy and data security orders seriously and brings actions to enforce them when necessary. For example, as noted above, Google paid a USD 22,5 million civil penalty to resolve allegations it had violated its FTC order. Importantly, FTC orders will continue to protect all consumers worldwide who interact with a business, not just those consumers who have lodged complaints.
Finally, the FTC will continue to maintain an online list of companies subject to orders obtained in connection with enforcement of both the Safe Harbor program and the new Privacy Shield Framework (16). In addition, the Privacy Shield Principles now require companies subject to an FTC or court order based on non-compliance with the Principles to make public any relevant Framework-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality laws and rules.
V. ENGAGEMENT WITH EU DPAS AND ENFORCEMENT COOPERATION
The FTC recognizes the important role that EU DPAs play with respect to Framework compliance and encourages increased consultation and enforcement cooperation. In addition to any consultation with referring DPAs on case-specific matters, the FTC commits to participate in periodic meetings with designated representatives of the Article 29 Working Party to discuss in general terms how to improve enforcement cooperation with respect to the Framework. The FTC will also participate, along with the Department of Commerce, the European Commission, and Article 29 Working Party representatives, in the annual review of the Framework to discuss its implementation.
The FTC also encourages the development of tools that will enhance enforcement cooperation with EU DPAs, as well as other privacy enforcement authorities around the world. In particular, the FTC, along with enforcement partners in the European Union and around the globe, last year launched an alert system within the Global Privacy Enforcement Network (‘GPEN’) to share information about investigations and promote enforcement coordination. This GPEN Alert tool could be particularly useful in the context of the Privacy Shield Framework. The FTC and EU DPAs could use it to coordinate with respect to the Framework and other privacy investigations, including as a starting point for sharing information in order to deliver coordinated and more effective privacy protection for consumers. We look forward to continuing to work with participating EU authorities to deploy the GPEN Alert system more broadly and develop other tools to improve enforcement cooperation in privacy cases, including those involving the Framework.
The FTC is pleased to affirm its commitment to enforcing the new Privacy Shield Framework. We also look forward to continuing engagement with our EU colleagues as we work together to protect consumer privacy on both sides of the Atlantic.
Sincerely,
Edith Ramirez
Chairwoman
(1) We provide additional information about U.S. federal and state privacy laws in Attachment A. In addition, a summary of our recent privacy and security enforcement actions is available on the FTC's website at https://www.ftc.gov/reports/privacy-data-security-update-2015.
(2) 15 U.S.C. § 45(a).
(3) See FTC Policy Statement on Deception, appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984), available at https://www.ftc.gov/public-statements/1983/10/ftc-policy-statement-deception.
(4) See 15 U.S.C § 45(n); FTC Policy Statement on Unfairness, appended to Int'l Harvester Co., 104 F.T.C. 949, 1070 (1984), available at https://www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness.
(5) See California Dental Ass'n v. FTC, 526 U.S. 756 (1999).
(6) See Office of the Privacy Commissioner of Canada, Complaint under PIPEDA against Accusearch, Inc., doing business as Abika.com, https://www.priv.gc.ca/cf-dc/2009/2009_009_0731_e.asp. The Office of the Privacy Commissioner of Canada filed an amicus curiae brief in the appeal of the FTC action and conducted its own investigation, concluding that Accusearch's practices also violated Canadian law.
(7) See FTC v. Accusearch, Inc., No 06CV015D (D. Wyo. Dec. 20, 2007), aff'd 570 F.3d 1187 (10th Cir. 2009).
(8) See In the Matter of True Ultimate Standards Everywhere, Inc., No. C-4512 (F.T.C. Mar. 12, 2015) (decision and order), available at https://www.ftc.gov/system/files/documents/cases/150318trust-edo.pdf.
(9) See In the Matter of Google, Inc., No. C-4336 (F.T.C. Oct. 13 2011) (decision and order), available at https://www.ftc.gov/news-events/press-releases/2011/03/ftc-charges-deceptive-privacy-practices-googles-rollout-its-buzz; In the Matter of Facebook, Inc., No. C-4365 (F.T.C. July 27, 2012) (decision and order), available at https://www.ftc.gov/news-events/press-releases/2012/08/ftc-approves-final-settlement-facebook; In the Matter of Myspace LLC, No. C-4369 (F.T.C. Aug. 30, 2012) (decision and order), available at https://www.ftc.gov/news-events/press-releases/2012/09/ftc-finalizes-privacy-settlement-myspace.
(10) See FTC v. Karnani, No 2:09-cv-05276 (C.D. Cal. May 20, 2011) (stipulated final order), available at https://www.ftc.gov/sites/default/files/documents/cases/2011/06/110609karnanistip.pdf; see also Lesley Fair, FTC Business Center Blog, Around the World in Shady Ways, https://www.ftc.gov/blog/2011/06/around-world-shady-ways (June 9, 2011).
(11) Letter from Ken Hyatt, Acting Under Secretary of Commerce for International Trade, International Trade Administration, to Věra Jourová, Commissioner for Justice, Consumers and Gender Equality.
(12) In determining whether to exercise its U.S. SAFE WEB Act authority, the FTC considers, inter alia: ‘(A) whether the requesting agency has agreed to provide or will provide reciprocal assistance to the Commission; (B) whether compliance with the request would prejudice the public interest of the United States; and (C) whether the requesting agency's investigation or enforcement proceeding concerns acts or practices that cause or are likely to cause injury to a significant number of persons.’ 15 U.S.C. § 46(j)(3). This authority does not apply to enforcement of competition laws.
(13) In fiscal years 2012-2015, for example, the FTC used its U.S. SAFE WEB Act authority to share information in response to almost 60 requests from foreign agencies and it issued nearly 60 civil investigative demands (equivalent to administrative subpoenas) to aid 25 foreign investigations.
(14) Although the FTC does not resolve or mediate individual consumer complaints, the FTC affirms that it will prioritize Privacy Shield referrals from EU DPAs. In addition, the FTC uses complaints in its Consumer Sentinel database, which is accessible by many other law enforcement agencies, to identify trends, determine enforcement priorities, and identify potential investigative targets. EU individuals can use the same complaint system available to U.S. citizens to submit a complaint to the FTC at www.ftc.gov/complaint. For individual Privacy Shield complaints, however, it may be most useful for EU individuals to submit complaints to their Member State DPA or alternative dispute resolution provider.
(15) 15 U.S.C. § 45(m); 16 C.F.R. § 1.98.
(16) See FTC, Business Center, Legal Resources, https://www.ftc.gov/tips-advice/business-center/legal-resources?type=case&field-consumer-protection-topics-tid=251.
Attachment A
The EU-U.S. Privacy Shield Framework in Context: An Overview of the U.S. Privacy and Security Landscape
The protections provided by the EU-U.S. Privacy Shield Framework (the ‘Framework’) exist in the context of the broader privacy protections afforded under the U.S. legal system as a whole. First, the U.S. Federal Trade Commission (‘FTC’) has a robust privacy and data security program for U.S. commercial practices that protects consumers worldwide. Second, the landscape of consumer privacy and security protection in the United States has evolved substantially since 2000 when the original U.S.-EU Safe Harbor program was adopted. Since that time, many federal and state privacy and security laws have been enacted, and public and private litigation to enforce privacy rights has increased significantly. The broad scope of U.S. legal protections for consumer privacy and security applicable to commercial data practices complements the protections provided to EU individuals by the new Framework.
I. THE FTC'S GENERAL PRIVACY AND SECURITY ENFORCEMENT PROGRAM
The FTC is the leading U.S. consumer protection agency focused on commercial sector privacy. The FTC has authority to prosecute unfair and deceptive acts or practices that violate consumer privacy, as well as to enforce more targeted privacy laws that protect certain financial and health information, information about children, and information used to make certain eligibility decisions about consumers.
The FTC has unparalleled experience in consumer privacy enforcement. The FTC's enforcement actions have addressed unlawful practices in offline and online environments. For example, the FTC has brought enforcement actions against well-known companies, such as Google, Facebook, Twitter, Microsoft, Wyndham, Oracle, HTC, and Snapchat, as well as lesser- known companies. The FTC has sued businesses that allegedly spammed consumers, installed spyware on computers, failed to secure consumers' personal information, deceptively tracked consumers online, violated children's privacy, unlawfully collected information on consumers' mobile devices, and failed to secure internet-connected devices used to store personal information. The resulting orders have typically provided for ongoing monitoring by the FTC for a period of 20 years, prohibited further law violations, and subjected the businesses to substantial financial penalties for order violations (1). Importantly, FTC orders do not just protect the individuals who may have complained about a problem; rather, they protect all consumers dealing with the business going forward. In the cross-border context, the FTC has jurisdiction to protect consumers worldwide from practices taking place in the United States (2).
To date, the FTC has brought over 130 spam and spyware cases, over 120 ‘Do Not Call’ telemarketing cases, over 100 Fair Credit Reporting Act actions, almost 60 data security cases, more than 50 general privacy actions, almost 30 cases for violations of the Gramm-Leach-Bliley Act, and over 20 actions enforcing the Children's Online Privacy Protection Act (‘COPPA’) (3). In addition to these cases, the FTC has also issued and publicized warning letters (4).
As part of its history of strong privacy enforcement, the FTC has also regularly looked for potential violations of the Safe Harbor program. Since the Safe Harbor program was adopted, the FTC has undertaken numerous investigations into Safe Harbor compliance on its own initiative and has brought 39 cases against U.S. companies for Safe Harbor violations. The FTC will continue this proactive approach by making enforcement of the new Framework a priority.
II. FEDERAL AND STATE PROTECTIONS FOR CONSUMER PRIVACY
The Safe Harbor Enforcement Overview, which appears as an annex to the European Commission's Safe Harbor adequacy decision, provides a summary of many of the federal and state privacy laws in place at the time the Safe Harbor program was adopted in 2000 (5). At that time, many federal statutes regulated the commercial collection and use of personal information, beyond Section 5 of the FTC Act, including: the Cable Communications Policy Act, the Driver's Privacy Protection Act, the Electronic Communications Privacy Act, the Electronic Funds Transfer Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Right to Financial Privacy Act, the Telephone Consumer Protection Act, and the Video Privacy Protection Act. Many states had analogous laws in these areas as well.
Since 2000, there have been numerous developments at both the federal and state level that provide additional consumer privacy protections (6). At the federal level, for example, the FTC amended the COPPA Rule in 2013 to provide a number of additional protections for children's personal information. The FTC also issued two rules implementing the Gramm- Leach-Bliley Act — the Privacy Rule and the Safeguards Rule — which require financial institutions (7) to make disclosures about their information sharing practices and to implement a comprehensive information security program to protect consumer information (8). Similarly, the Fair and Accurate Credit Transactions Act (‘FACTA’), enacted in 2003, supplements longstanding U.S. credit laws to establish requirements for the masking, sharing, and disposal of certain sensitive financial data. The FTC promulgated a number of rules under FACTA regarding, among other things, consumers' right to a free annual credit report; secure disposal requirements for consumer report information; consumers' right to opt out of receiving certain offers of credit and insurance; consumers' right to opt out of the use of information provided by an affiliated company to market its products and services; and requirements for financial institutions and creditors to implement identity theft detection and prevention programs (9). In addition, rules promulgated under the Health Insurance Portability and Accountability Act were revised in 2013, adding additional safeguards to protect the privacy and security of personal health information (10). Rules protecting consumers from unwanted telemarketing calls, robocalls, and spam have also gone into effect. Congress has also enacted laws requiring certain companies that collect health information to provide consumers with notification in the event of a breach (11).
States have also been very active in passing laws related to privacy and security. Since 2000, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted laws requiring businesses to notify individuals of security breaches of personal information (12). At least thirty-two states and Puerto Rico have data disposal laws, establishing requirements for the destruction or disposal of personal information (13). A number of states also have enacted general data security laws. In addition, California has enacted various privacy laws, including a law requiring companies to have privacy policies and disclose their Do Not Track practices (14), a ‘Shine the Light’ law requiring greater transparency for data brokers (15), and a law that mandates an ‘eraser button’ allowing minors to request the deletion of certain social media information (16). Using these laws and other authorities, federal and state governments have levied significant fines against companies that have failed to protect the privacy and security of consumers' personal information (17).
Private lawsuits have also led to successful judgments and settlements that provide additional privacy and data security protection for consumers. For example, in 2015, Target agreed to pay USD 10 million as part of a settlement with customers who claimed their personal financial information was compromised by a widespread data breach. In 2013, AOL agreed to pay a USD 5 million settlement to resolve a class action involving alleged inadequate de- identification related to the release of search queries of hundreds of thousands of AOL members. Additionally, a federal court approved a USD 9 million payment by Netflix for allegedly keeping rental history records in violation of the Video Privacy Protection Act of 1988. Federal courts in California approved two separate settlements with Facebook, one for USD 20 million and another for USD 9,5 million, involving the company's collection, use, and sharing of its users' personal information. And, in 2008, a California state court approved a USD 20 million settlement with LensCrafters for unlawful disclosure of consumers' medical information.
In sum, as this summary illustrates, the United States provides significant legal protection for consumer privacy and security. The new Privacy Shield Framework, which ensures meaningful safeguards for EU individuals, will operate against this larger backdrop in which the protection of consumers' privacy and security continues to be an important priority.
(1) Any entity that fails to comply with an FTC order is subject to a civil penalty of up to USD 16 000 per violation, or USD 16 000 per day for a continuing violation. See 15 U.S.C. § 45(l); 16 C.F.R. § 1.98(c).
(2) Congress has expressly affirmed the FTC's authority to seek legal remedies, including restitution, for any acts or practices involving foreign commerce that (1) cause or are likely to cause reasonably foreseeable injury in the United States, or (2) involve material conduct occurring within the United States. See 15 U.S.C. § 45(a)(4).
(3) In some instances, the Commission's privacy and data security cases allege that a company engaged in both deceptive and unfair practices; these cases also sometimes involve alleged violations of multiple statutes, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and COPPA.
(4) See, e.g., Press Release, Fed. Trade Comm'n, FTC Warns Children's App Maker BabyBus About Potential COPPA Violations (Dec. 22, 2014), https://www.ftc.gov/news-events/press-releases/2014/12/ftc-warns-childrens-app-maker-babybus-about-potential-coppa; Press Release, Fed. Trade Comm'n, FTC Warns Data Broker Operations of Possible Privacy Violations (May 7, 2013), https://www.ftc.gov/news-events/press-releases/2013/05/ftc-warns-data-broker-operations-possible-privacy-violations; Press Release, Fed. Trade Comm'n, FTC Warns Data Brokers That Provide Tenant Rental Histories They May Be Subject to Fair Credit Reporting Act (Apr. 3, 2013), https://www.ftc.gov/news-events/press-releases/2013/04/ftc-warns-data-brokers-provide-tenant-rental-histories-they-may.
(5) See U.S. Dep't of Commerce, Safe Harbor Enforcement Overview, https://build.export.gov/main/safeharbor/eu/eg_main_018476.
(6) For a more comprehensive summary of the legal protections in the United States, see Daniel J. Solove & Paul Schwartz, Information Privacy Law (5th ed. 2015).
(7) Financial institutions are defined very broadly under the Gramm-Leach-Bliley Act to include all businesses that are ‘significantly engaged’ in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, and professional tax preparers.
(8) Under the Consumer Financial Protection Act of 2010 (‘CFPA’), Title X of Pub. L. 111-203, 124 Stat. 1955 (July 21, 2010) (also known as the ‘Dodd-Frank Wall Street Reform and Consumer Protection Act’), most of the FTC's Gramm-Leach-Bliley Act rulemaking authority was transferred to the Consumer Financial Protection Bureau (‘CFPB’). The FTC retains enforcement authority under the Gramm-Leach- Bliley Act as well as rulemaking authority for the Safeguards Rule and limited rulemaking authority under the Privacy Rule with respect to auto dealers.
(9) Under the CFPA, the Commission shares its FCRA enforcement role with the CFPB, but rulemaking authority transferred in large part to the CFPB (with the exception of the Red Flags and Disposal Rules).
(10) See 45 C.F.R. pts. 160, 162, 164.
(11) See, e.g., American Recovery & Reinvestment Act of 2009, Pub. L. No 111-5, 123 Stat. 115 (2009) and relevant regulations, 45 C.F.R. §§ 164.404-164.414; 16 C.F.R. pt. 318.
(12) See, e.g., National Conference of State Legislatures (‘NCSL’), State Security Breach Notification Laws (Jan. 4, 2016), available at http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
(13) NCSL, Data Disposal Laws (Jan. 12, 2016), available at http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx.
(14) Cal. Bus. & Professional Code §§ 22575-22579.
(15) Cal. Civ. Code §§ 1798.80-1798.84.
(16) Cal. Bus. & Professional Code § 22580-22582.
(17) See Jay Cline, U.S. Takes the Gold in Doling Out Privacy Fines, Computerworld (Feb. 17, 2014), available at http://www.computerworld.com/s/article/9246393/Jay-Cline-U.S.-takes-the-gold-in-doling-out-privacy-fines?taxonomyId=17&pageNumber=1.
ANNEX V
February 19, 2016
Commissioner Vera Jourová |
European Commission |
Rue de la Loi/Wetstraat 200 |
1049 l049 Brussels |
Belgium |
Re: EU-U.S. Privacy Shield Framework
Dear Commissioner Jourová:
The United States Department of Transportation (‘Department’ or ‘DOT’) appreciates the opportunity to describe its role in enforcing the EU-U.S. Privacy Shield Framework. This Framework plays a critical role in protecting personal data provided during commercial transactions in an increasingly interconnected world. It enables businesses to conduct important operations in the global economy, while at the same time ensuring that EU consumers retain important privacy protections.
The DOT first publicly expressed its commitment to enforcement of the Safe Harbor Framework in a letter sent to the European Commission over 15 years ago. The DOT pledged to vigorously enforce the Safe Harbor Privacy Principles in that letter. The DOT continues to uphold this commitment and this letter memorializes that commitment.
Notably, the DOT renews its commitment in the following key areas: (1) prioritization of investigation of alleged Privacy Shield violations; (2) appropriate enforcement action against entities making false or deceptive Privacy Shield certification claims; and (3) monitoring and making public enforcement orders concerning Privacy Shield violations. We provide information about each of these commitments and, for necessary context, pertinent background about the DOT's role in protecting consumer privacy and enforcing the Privacy Shield Framework.
I. BACKGROUND
A. DOT's Privacy Authority
The Department is strongly committed to ensuring the privacy of information provided by consumers to airlines and ticket agents. The DOT's authority to take act ion in this area is found in 49 U.S.C. 41712, which prohibits a carrier or ticket agent from engaging in ‘an unfair or deceptive practice or an unfair method of competition’ in the sale of air transportation that results or is likely to result in consumer harm. Section 41712 is patterned after Section 5 of the Federal Trade Commission (FTC) Act (15 U.S.C. 45). We interpret our unfair or deceptive practice statute as prohibiting an airline or ticket agent from: (1) violating the terms of its privacy policy; or (2) gathering or disclosing private information in a way that violates public policy, is immoral, or causes substantial consumer injury not offset by any countervailing benefits. We also interpret section 41712 as prohibiting carriers and ticket agents from: (l) violating any rule issued by the Department that identifies specific privacy practices as unfair or deceptive; or (2) violating the Children's Online Privacy Protection Act (COPPA) or FTC rules implementing COPPA. Under federal law, the DOT has exclusive authority to regulate the privacy practices of airlines, and it shares jurisdiction with the FTC with respect to the privacy practices of ticket agents in the sale of air transportation.
As such, once a carrier or seller of air transportation publicly commits to the Privacy Shield Framework's privacy principles the Department is able to use the statutory powers of section 41712 to ensure compliance with those principles. Therefore, once a passenger provides information to a carrier or ticket agent that has committed to honoring the Privacy Shield Framework's privacy principles, any failure to do so by the carrier or ticket agent would be a violation of section 41712.
B. Enforcement Practices
The Department's Office of Aviation Enforcement and Proceedings (Aviation Enforcement Office) investigates and prosecutes cases under 49 U.S.C. 41712. It enforces the statutory prohibition in section 41712 against unfair and deceptive practices primarily through negotiation, preparing cease and desist orders, and drafting orders assessing civil penalties. The office learns of potential violations largely from complaints it receives from individuals, travel agents, airlines, and U.S. and foreign government agencies. Consumers may use the DOT's website to file privacy complaints against airlines and ticket agents (1).
If a reasonable and appropriate settlement in a case is not reached, the Aviation Enforcement Office has the authority to institute an enforcement proceeding involving an evidentiary hearing before a DOT administrative law judge (ALJ). The ALJ has the authority to issue cease-and desist orders and civil penalties. Violations of section 41712 can result in the issuance of cease and desist orders and the imposition of civil penalties of up to USD 27 500 for each violation of section 41712.
The Department does not have the authority to award damages or provide pecuniary relief to individual complainants. However, the Department does have the authority to approve settlements resulting from investigations brought by its Aviation Enforcement Office that directly benefit consumers (e.g., cash, vouchers) as an offset to monetary penalties otherwise payable to the U.S. Government. This has occurred in the past, and may also occur in the context of the Privacy Shield Framework principles when circumstances warrant. Repeated violations of section 41712 by an airline would also raise questions regarding the airline's compliance disposition which could, in egregious situations, result in an airline being found to be no longer fit to operate and, therefore, losing its economic operating authority.
To date, the DOT has received relatively few complaints involving alleged privacy violations by ticket agents or airlines. When they arise, they are investigated according to the principles set forth above.
C. DOT Legal Protections Benefiting EU Consumers
Under section 41712, the prohibition on unfair or deceptive practices in air transportation or the sale of air transportation applies to U.S. and foreign air carriers as well as ticket agents. The DOT frequently takes action against U.S. and foreign airlines for practices that affect both foreign and U.S. consumers on the basis that the airline's practices took place in the course of providing transportation to or from the United States. The DOT does and will continue to use all remedies that are available to protect both foreign and U.S. consumers from unfair or deceptive practices in air transportation by regulated entities.
The DOT also enforces, with respect to airlines, other targeted laws whose protections extend to non-U.S. consumers such as COPPA. Among other things, COPPA requires that operators of child-directed websites and online services, or general audience sites that knowingly collect personal information from children under 13 provide parental notice and obtain verifiable parental consent. U.S.-based websites and services that are subject to COPPA and collect personal information from foreign children are required to comply with COPPA. Foreign-based websites and online services must also comply with COPPA if they are directed to children in the United States, or if they knowingly collect personal information from children in the United States. To the extent that U.S. or foreign airlines doing business in the United States violate COPPA, the DOT would have jurisdiction to take enforcement action.
II. PRIVACY SHIELD ENFORCEMENT
If an airline or ticket agent chooses to participate in the Privacy Shield Framework and the Department receives a complaint that such an airline or ticket agent had allegedly violated the Framework, the Department would take the following steps to vigorously enforce the Framework.
A. Prioritizing Investigation of Alleged Violations
The Department's Aviation Enforcement Office will investigate each complaint alleging Privacy Shield violations (including complaints received from EU Data Protection Authorities) and take enforcement action where there is evidence of a violation. Further, the Aviation Enforcement Office will cooperate with the FTC and Department of Commerce and give priority consideration to allegations that the regulated entities are not complying with privacy commitments made as part of the Privacy Shield Framework.
Upon receipt of an allegation of a violation of the Privacy Shield Framework, the Department's Aviation Enforcement Office may take a range of actions as part of its investigation. For example, it may review the ticket agent or airline's privacy policies, obtain further information from the ticket agent or airline or from third parties, follow up with the referring entity, and assess whether there is a pattern of violations or significant number of consumers affected. In addition, it would determine whether the issue implicates matters within the purview of the Department of Commerce or FTC, assess whether consumer education and business education would be helpful, and as appropriate, initiate an enforcement proceeding.
If the Department becomes aware of potential Privacy Shield violations by ticket agents, it will coordinate with the FTC on the matter. We will also advise the FTC and the Department of Commerce of the outcome of any Privacy Shield enforcement action.
B. Addressing False or Deceptive Membership Claims
The Department remains committed to investigating Privacy Shield violations, including false or deceptive claims of membership in the Privacy Shield Program. We will give priority consideration to referrals from the Department of Commerce regarding organizations that it identifies as improperly holding themselves out to be current members of Privacy Shield or using the Privacy Shield Framework certification mark without authorization.
In addition, we note that if an organization's privacy policy promises that it complies with the substantive Privacy Shield principles, its failure to make or maintain a registration with the Department of Commerce likely will not, by itself, excuse the organization from DOT enforcement of those commitments.
C. Monitoring and Making Public Enforcement Orders Concerning Privacy Shield Violations
The Department's Aviation Enforcement Office also remains committed to monitoring enforcement orders as needed to ensure compliance with the Privacy Shield program. Specifically, if the office issues an order directing an airline or ticket agent to cease and desist from future violations of Privacy Shield and section 41712, it will monitor the entity's compliance with the cease-and-desist provision in the order. In addition, the office will ensure that orders resulting from Privacy Shield cases are available on its website.
We look forward to our continued work with our federal partners and EU stakeholders on Privacy Shield matters.
I hope that this information proves helpful. If you have any questions or need further information, please feel free to contact me.
Sincerely
Anthony R. Foxx
Secretary of Transportation
(1) http://www.transportation.gov/airconsumer/privacy-complaints.
ANNEX VI
February 22, 2016
Mr Justin S. Antonipillai |
Counselor |
U.S. Department of Commerce |
1401 Constitution Ave., NW |
Washington, DC 20230 |
Mr Ted Dean |
Deputy Assistant Secretary |
International Trade Administration |
1401 Constitution Ave., NW |
Washington, DC 20230 |
Dear Mr Antonipillai and Mr Dean:
Over the last two and a half years, in the context of negotiations for the EU-U.S. Privacy Shield, the United States has provided substantial information about the operation of U.S. Intelligence Community signals intelligence collection activity. This has included information about the governing legal framework, the multi-layered oversight of those activities, the extensive transparency about those activities, and the overall protections for privacy and civil liberties, in order to assist the European Commission in making a determination about the adequacy of those protections as they relate to the national security exception to the Privacy Shield principles. This document summarizes the information that has been provided.
I. PPD-28 AND THE CONDUCT OF U.S. SIGNALS INTELLIGENCE ACTIVITY
The U.S. Intelligence Community collects foreign intelligence in a carefully controlled manner, in strict accordance with U.S. laws and subject to multiple layers of oversight, focusing on important foreign intelligence and national security priorities. A mosaic of laws and policies governs U.S. signals intelligence collection, including the U.S. Constitution, the Foreign Intelligence Surveillance Act (50 U.S.C. § 1801 et seq.) (FISA), Executive Order 12333 and its implementing procedures, Presidential guidance, and numerous procedures and guidelines, approved by the FISA Court and the Attorney General, that establish additional rules limiting the collection, retention, use, and dissemination of foreign intelligence information (1).
a. PPD 28 Overview
In January 2014, President Obama gave a speech outlining various reforms to U.S. signals intelligence activities, and issued Presidential Policy Directive 28 (PPD-28) concerning those activities (2). The President emphasized that U.S. signals intelligence activities help secure not only our country and our freedoms, but also the security and freedoms of other countries, including EU Member States, that rely on the information U.S. intelligence agencies obtain to protect their own citizens.
PPD-28 sets out a series of principles and requirements that apply to all U.S. signals intelligence activities and for all people, regardless of nationality or location. In particular, it sets certain requirements for procedures to address the collection, retention, and dissemination of personal information about non-U.S. persons acquired pursuant to U.S. signals intelligence. These requirements are set forth in more detail below, but in summary:
— |
The PPD reiterates that the United States collects signals intelligence only as authorized by statute, executive order, or other Presidential directive. |
— |
The PPD establishes procedures to ensure that signals intelligence activity is conducted only in furtherance of legitimate and authorized national security purposes. |
— |
The PPD also requires that privacy and civil liberties be integral concerns in the planning of signals intelligence collection activities. In particular, the United States does not collect intelligence to suppress or burden criticism or dissent; in order to disadvantage persons based on their ethnicity, race, gender, sexual orientation, or religion; or to afford a competitive commercial advantage to U.S. companies and U.S. business sectors. |
— |
The PPD directs that signals intelligence collection be as tailored as feasible and that signals intelligence collected in bulk can only be used for specific enumerated purposes. |
— |
The PPD directs that the Intelligence Community adopt procedures ‘reasonably designed to minimize the dissemination and retention of personal information collected from signals intelligence activities,’ and in particular extending certain protections afforded to the personal information of U.S. persons to non-US person information. |
— |
Agency procedures implementing PPD-28 have been adopted and made public. |
The applicability of the procedures and protections set out herein to the Privacy Shield is clear. When data has been transferred to corporations in the United States pursuant to the Privacy Shield, or indeed by any means, U.S. intelligence agencies can seek that data from those corporations only if the request complies with FISA or is made pursuant to one of the National Security Letter statutory provisions, which are discussed below (3). In addition, without confirming or denying media reports alleging that the U.S. Intelligence Community collects data from transatlantic cables while it is being transmitted to the United States, were the U.S. Intelligence Community to collect data from transatlantic cables, it would do so subject to the limitations and safeguards set out herein, including the requirements of PPD-28.
b. Collection Limitations
PPD-28 sets out a number of important general principles that govern the collection of signals intelligence:
— |
The collection of signals intelligence must be authorized by statute or Presidential authorization, and must be undertaken in accordance with the Constitution and law. |
— |
Privacy and civil liberties must be integral considerations in planning signals intelligence activities. |
— |
Signals intelligence will be collected only when there is a valid foreign intelligence or counterintelligence purpose. |
— |
The United States will not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent. |
— |
The United States will not collect signals intelligence to disadvantage people based on their ethnicity, race, gender, sexual orientation, or religion. |
— |
The United States will not collect signals intelligence to afford a competitive commercial advantage to U.S. companies and business sectors. |
— |
U.S. signals intelligence activity must always be as tailored as feasible, taking into account the availability of other sources of information. This means, among other things, that whenever practicable, signals intelligence collection activities are conducted in a targeted manner rather than in bulk. |
The requirement that signals intelligence activity be ‘as tailored as feasible’ applies to the manner in which signals intelligence is collected, as well as to what is actually collected. For example, in determining whether to collect signals intelligence, the Intelligence Community must consider the availability of other information, including diplomatic or public sources, and prioritize collection through those means, where appropriate and feasible. Moreover, Intelligence Community element policies should require that wherever practicable, collection should be focused on specific foreign intelligence targets or topics through the use of discriminants (e.g., specific facilities, selection terms and identifiers).
It is important to view the information provided to the Commission as a whole. Decisions about what is ‘feasible’ or ‘practicable’ are not left to the discretion of individuals but are subject to the policies that agencies have issued under PPD-28 — which have been made publicly available — and to the other processes described therein (4). As PPD-28 says, bulk collection of signals intelligence is collection that ‘due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).’ In this respect, PPD-28 recognizes that Intelligence community elements must collect bulk signals intelligence in certain circumstances in order to identify new or emerging threats and other vital national security information that is often hidden within the large and complex system of modern global communications. It also recognizes the privacy and civil liberties concerns raised when bulk signals intelligence is collected. PPD-28 therefore directs the Intelligence Community to prioritize alternatives that would allow the conduct of targeted signals intelligence rather than bulk signals intelligence collection. Accordingly, Intelligence Community elements should conduct targeted signals intelligence collection activities rather than bulk signal intelligence collection activities whenever practicable (5). These principles ensure that the exception for bulk collection will not swallow the general rule.
As for the concept of ‘reasonableness,’ it is a bedrock principle of U.S. law. It signifies that Intelligence Community elements will not be required to adopt any measure theoretically possible, but rather will have to balance their efforts to protect legitimate privacy and civil liberties interests with the practical necessities of signals intelligence activities. Here again, the agencies' policies have been made available, and can provide assurance that the term ‘reasonably designed to minimize the dissemination and retention of personal information’ does not undermine the general rule.
PPD-28 also provides that signals intelligence collected in bulk can only be used for six specific purposes: detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to U.S. or allied armed forces; and combating transnational criminal threats, including sanctions evasion. The President's National Security Advisor, in consultation with the Director for National Intelligence (DNI), will annually review these permissible uses of signals intelligence collected in bulk to see whether they should be changed. The DNI will make this list publicly available to the maximum extent feasible, consistent with national security. This provides an important and transparent limitation on the use of bulk signals intelligence collection.
Additionally, the Intelligence Community elements implementing PPD-28 have reinforced existing analytic practices and standards for querying unevaluated signals intelligence (6). Analysts must structure their queries or other search terms and techniques to ensure that they are appropriate to identify intelligence information relevant to a valid foreign intelligence or law enforcement task. To that end, IC elements must focus queries about persons on the categories of signals intelligence information responsive to a foreign intelligence or law enforcement requirement, so as to prevent the use of personal information not pertinent to foreign intelligence or law enforcement requirements.
It is important to emphasize that any bulk collection activities regarding internet communications that the U.S. Intelligence Community performs through signals intelligence operate on a small proportion of the internet. Additionally, the use of targeted queries, as described above, ensures that only those items believed to be of potential intelligence value are ever presented for analysts to examine. These limits are intended to protect the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside.
The United States has elaborate processes to ensure that signals intelligence activities are conducted only in furtherance of appropriate national security purposes. Each year the President sets the nation's highest priorities for foreign intelligence collection after an extensive, formal interagency process. The DNI is responsible for translating these intelligence priorities into the National Intelligence Priorities Framework, or NIPF. PPD-28 strengthened and enhanced the interagency process to ensure that all of the IC's intelligence priorities are reviewed and approved by high-level policymakers. Intelligence Community Directive (ICD) 204 provides further guidance on the NIPF and was updated in January 2015 to incorporate the requirements of PPD-28 (7). Although the NIPF is classified, information related to specific U.S. foreign intelligence priorities is reflected annually in the DNI's unclassified Worldwide Threat Assessment, which is also readily available on the ODNI website.
The priorities in the NIPF are at a fairly high level of generality. They include topics such as the pursuit of nuclear and ballistic missile capabilities by particular foreign adversaries, the effects of drug cartel corruption, and human rights abuses in specific countries. And they apply not just to signals intelligence, but to all intelligence activities. The organization that is responsible for translating the priorities in the NIPF into actual signals intelligence collection is called the National Signals Intelligence Committee, or SIGCOM. It operates under the auspices of the Director of the National Security Agency (NSA), who is designated by Executive Order 12333 as the ‘functional manager for signals intelligence,’ responsible for overseeing and coordinating signals intelligence across the Intelligence Community under the oversight of both the Secretary of Defense and the DNI. The SIGCOM has representatives from all elements of the IC and, as the United States fully implements PPD-28, also will have full representation from other departments and agencies with a policy interest in signals intelligence.
All U.S. departments and agencies that are consumers of foreign intelligence submit their requests for collection to the SIGCOM. The SIGCOM reviews those requests, ensures that they are consistent with the NIPF, and assigns them priorities using criteria such as:
— |
Can signals intelligence provide useful information in this case, or are there better or more cost-effective sources of information to address the requirement, such as imagery or open source information? |
— |
How critical is this information need? If it is a high priority in the NIPF, it will most often be a high signal intelligence priority. |
— |
What type of signals intelligence could be used? |
— |
Is the collection as tailored as feasible? Should there be time, geographic, or other limitations? |
The U.S. signals intelligence requirements process also requires explicit consideration of other factors, namely:
— |
Is the target of the collection, or the methodology used to collect, particularly sensitive? If so, it will require review by senior policymakers. |
— |
Will the collection present an unwarranted risk to privacy and civil liberties, regardless of nationality? |
— |
Are additional dissemination and retention safeguards necessary to protect privacy or national security interests? |
Finally, at the end of the process, trained NSA personnel take the priorities validated by the SIGCOM and research and identify specific selection terms, such as telephone numbers or e-mail addresses, which are expected to collect foreign intelligence responsive to these priorities. Any selector must be reviewed and approved before it is entered into NSA's collection systems. Even then, however, whether and when actual collection takes place will depend in part on additional considerations such as the availability of appropriate collection resources. This process ensures that U.S. signals intelligence collection targets reflect valid and important foreign intelligence needs. And, of course, when collection is conducted pursuant to FISA, NSA and other agencies must follow additional restrictions approved by the Foreign Intelligence Surveillance Court. In short, neither NSA nor any other U.S. intelligence agency decides on its own what to collect.
Overall, this process ensures that all U.S. intelligence priorities are set by senior policymakers who are in the best position to identify U.S. foreign intelligence requirements, and that those policymakers take into account not only the potential value of the intelligence collection but also the risks associated with that collection, including the risks to privacy, national economic interests, and foreign relations.
With respect to data transmitted to the United States pursuant to the Privacy Shield, although the United States cannot confirm or deny specific intelligence methods or operations, the requirements of PPD-28 apply to any signals intelligence operations the United States conducts, regardless of the type or source of data that is being collected. Further, the limitations and safeguards applicable to the collection of signals intelligence apply to signals intelligence collected for any authorized purpose, including both foreign relations and national security purposes.
The procedures discussed above demonstrate a clear commitment to prevent arbitrary and indiscriminate collection of signals intelligence information, and to implement — from the highest levels of our Government — the principle of reasonableness. PPD-28 and agency implementing procedures clarify new and existing limitations to and describe with greater specificity the purpose for which the United States collects and uses signals intelligence. These should provide assurance that signals intelligence activities are and will continue to be conducted only to further legitimate foreign intelligence goals.
c. Retention and Dissemination Limitations
Section 4 of PPD-28 requires that each element of the Intelligence Community have express limits on the retention and dissemination of personal information about non-U.S. persons collected by signals intelligence, comparable to the limits for U.S. persons. These rules are incorporated into procedures for each IC agency that were released in February 2015 and are publicly available. To qualify for retention or dissemination as foreign intelligence, personal information must relate to an authorized intelligence requirement, as determined in the NIPF process described above; be reasonably believed to be evidence of a crime; or meet one of the other standards for retention of U.S. person information identified in Executive Order 12333, section 2.3.
Information for which no such determination has been made may not be retained for more than five years, unless the DNI expressly determines that continued retention is in the national security interests of the United States. Thus, IC elements must delete non-U.S. person information collected through signals intelligence five years after collection, unless, for example, the information has been determined to be relevant to an authorized foreign intelligence requirement, or if the DNI determines, after considering the views of the ODNI Civil Liberties Protection Officer and agency privacy and civil liberties officials, that continued retention is in the interest of national security.
In addition, all agency policies implementing PPD-28 now explicitly require that information about a person may not be disseminated solely because an individual is a non-U.S. person, and ODNI has issued a directive to all IC elements (8) to reflect this requirement. Intelligence Community personnel are specifically required to consider the privacy interests of non-U.S. persons when drafting and disseminating intelligence reports. In particular, signals intelligence about the routine activities of a foreign person would not be considered foreign intelligence that could be disseminated or retained permanently by virtue of that fact alone unless it is otherwise responsive to an authorized foreign intelligence requirement. This recognizes an important limitation and is responsive to European Commission concerns about the breadth of the definition of foreign intelligence as set forth in Executive Order 12333.
d. Compliance and Oversight
The U.S. system of foreign intelligence oversight provides rigorous and multi-layered oversight to ensure compliance with applicable laws and procedures, including those pertaining to the collection, retention, and dissemination of non-U.S. person information acquired by signals intelligence as set forth in PPD-28. These include:
— |
The Intelligence Community employs hundreds of oversight personnel. NSA alone has over 300 people dedicated to compliance, and other elements also have oversight offices. In addition, the Department of Justice provides extensive oversight of intelligence activities, and oversight is also provided by the Department of Defense. |
— |
Each element of the Intelligence Community has its own Office of the Inspector General with responsibility for oversight of foreign intelligence activities, among other matters. Inspectors General are statutorily independent; have broad power to conduct investigations, audits and reviews of programs, including of fraud and abuse or violation of law; and can recommend corrective actions. While Inspector General recommendations are non-binding, the Inspector General's reports are often made public, and in any event are provided to Congress; this includes follow-up reports in case corrective action recommended in previous reports has not yet been completed. Congress is therefore informed of any non-compliance and can exert pressure, including through budgetary means, to achieve corrective action. A number of Inspector General reports about intelligence programs have been publicly released (9). |
— |
ODNI's Civil Liberties and Privacy Office (CLPO) is charged with ensuring that the IC operates in a manner that advances national security while protecting civil liberties and privacy rights (10). Other IC elements have their own privacy officers. |
— |
The Privacy and Civil Liberties Oversight Board (PCLOB), an independent body established by statute, is charged with analyzing and reviewing counterterrorism programs and policies, including the use of signals intelligence, to ensure that they adequately protect privacy and civil liberties. It has issued several public reports on intelligence activities. |
— |
As discussed more fully below, the Foreign Intelligence Surveillance Court, a court composed of independent federal judges, is responsible for oversight and compliance of any signals intelligence collection activities conducted pursuant to FISA. |
— |
Finally, the U.S. Congress, specifically the House and Senate Intelligence and Judiciary Committees, have significant oversight responsibilities regarding all U.S. foreign intelligence activities, including U.S. signals intelligence. |
Apart from these formal oversight mechanisms, the Intelligence Community has in place numerous mechanisms to ensure that the Intelligence Community is complying with the limitations on collection described above. For example:
— |
Cabinet officials are required to validate their signals intelligence requirements each year. |
— |
NSA checks signals intelligence targets throughout the collection process to determine if they are actually providing valuable foreign intelligence responsive to the priorities, and will stop collection against targets that are not. Additional procedures ensure that selection terms are reviewed periodically. |
— |
Based on a recommendation from an independent Review Group appointed by President Obama, the DNI has established a new mechanism to monitor the collection and dissemination of signals intelligence that is particularly sensitive because of the nature of the target or the means of collection, to ensure that it is consistent with the determinations of policymakers. |
— |
Finally, ODNI annually reviews the IC's allocation of resources against the NIPF priorities and the intelligence mission as a whole. This review includes assessments of the value of all types of intelligence collection, including signals intelligence, and looks both backward — how successful has the IC been in achieving its goals? — and forward — what will the IC need in the future? This ensures that signals intelligence resources are applied to the most important national priorities. |
As evidenced by this comprehensive overview, the Intelligence Community does not decide on its own which conversations to listen to, try to collect everything, or operate free from scrutiny. Its activities are focused on priorities set by policymakers, through a process that involves input from across the government, and that is overseen both within NSA and by the ODNI, Department of Justice, and Department of Defense.
PPD-28 also contains numerous other provisions to ensure that personal information collected pursuant to signals intelligence is protected, regardless of nationality. For instance, PPD-28 provides for data security, access, and quality procedures to protect personal information collected through signals intelligence, and provides for mandatory training to ensure that the workforce understands the responsibility to protect personal information, regardless of nationality. The PPD also provides for additional oversight and compliance mechanisms. These include periodic audit and reviews by appropriate oversight and compliance officials of the practices for protecting personal information contained in signals intelligence. The reviews also must examine the agencies' compliance with the procedures for protecting such information.
Additionally, PPD-28 provides that significant compliance issues related to non-U.S. persons will be addressed at senior levels of government. Should a significant compliance issue occur involving the personal information of any person collected as a result of signals intelligence activities, the issue must, in addition to any existing reporting requirements, be reported promptly to the DNI. If the issue involves the personal information of a non-U.S. person, the DNI, in consultation with the Secretary of State and the head of the relevant IC element, will determine whether steps should be taken to notify the relevant foreign government, consistent with the protection of sources and methods and of U.S. personnel. Moreover, as directed by PPD-28, the Secretary of State has identified a senior official, Under Secretary Catherine Novelli, to serve as a point of contact for foreign governments that wish to raise concerns regarding signals intelligence activities of the United States. This commitment to high-level engagement exemplifies the efforts the U.S. government has made over the past few years to instill confidence in the numerous and overlapping privacy protections in place for U.S. person and non-U.S. person information.
e. Summary
The United States' processes for collecting, retaining, and disseminating foreign intelligence provide important privacy protections for the personal information of all persons, regardless of nationality. In particular, these processes ensure that our Intelligence Community focuses on its national security mission as authorized by applicable laws, executive orders, and presidential directives; safeguards information from unauthorized access, use and disclosure; and conducts its activities under multiple layers of review and oversight, including by congressional oversight committees. PPD-28 and the procedures implementing it represent our efforts to extend certain minimization and other substantial data protection principles to the personal information of all persons regardless of nationality. Personal information obtained through U.S. signals intelligence collection is subject to the principles and requirements of U.S. law and Presidential direction, including the protections set forth in PPD-28. These principles and requirements ensure that all persons are treated with dignity and respect, regardless of their nationality or wherever they might reside, and recognize that all persons have legitimate privacy interests in the handling of their personal information.
II. FOREIGN INTELLIGENCE SURVEILLANCE ACT — SECTION 702
Collection under Section 702 of the Foreign Intelligence Surveillance Act (11) is not ‘mass and indiscriminate’ but is narrowly focused on the collection of foreign intelligence from individually identified legitimate targets; is clearly authorized by explicit statutory authority; and is subject to both independent judicial supervision and substantial review and oversight within the Executive Branch and Congress. Collection under Section 702 is considered signals intelligence subject to the requirements of PPD-28 (12).
Collection under Section 702 is one of the most valuable sources of intelligence protecting both the United States and our European partners. Extensive information about the operation and oversight of Section 702 is publicly available. Numerous court filings, judicial decisions and oversight reports relating to the program have been declassified and released on the ODNI's public disclosure website, www.icontherecord.tumblr.com. Moreover, Section 702 was comprehensively analyzed by the PCLOB, in a report which is available at https://www.pclob.gov/library/702-Report.pdf (13).
Section 702 was passed as part of the FISA Amendments Act of 2008 (14), after extensive public debate in Congress. It authorizes the acquisition of foreign intelligence information through targeting of non-U.S. persons located outside the United States, with the compelled assistance of U.S. electronic communications service providers. Section 702 authorizes the Attorney General and the DNI — two Cabinet-level officials appointed by the President and confirmed by the Senate — to submit annual certifications to the FISA Court (15). These certifications identify specific categories of foreign intelligence to be collected, such as intelligence related to counterterrorism or weapons of mass destruction, which must fall within the categories of foreign intelligence defined by the FISA statute (16). As the PCLOB noted, ‘[t]hese limitations do not permit unrestricted collection of information about foreigners’ (17).
The certifications also are required to include ‘targeting’ and ‘minimization’ procedures that must be reviewed and approved by the FISA Court (18). The targeting procedures are designed to ensure that the collection takes place only as authorized by statute and is within the scope of the certifications; the minimization procedures are designed to limit the acquisition, dissemination, and retention of information about U.S. persons, but also contain provisions that provide substantial protection to information about non-U.S. persons as well, described below. Moreover, as described above, in PPD-28 the President directed that the Intelligence Community provide additional protections for personal information about non-U.S. persons, and those protections apply to information collected under Section 702.
Once the court approves the targeting and minimization procedures, collection under Section 702 is not bulk or indiscriminate, but ‘consists entirely of targeting specific persons about whom an individualized determination has been made,’ as the PCLOB said (19). Collection is targeted through the use of individual selectors, such as e-mail addresses or telephone numbers, which U.S. intelligence personnel have determined are likely being used to communicate foreign intelligence information of the type covered by the certification submitted to the court (20). The basis for selection of the target must be documented, and the documentation for every selector is subsequently reviewed by the Department of Justice (21). The U.S. Government has released information showing that in 2014 there were approximately 90 000 individuals targeted under Section 702, a miniscule fraction of the over 3 billion internet users throughout the world (22).
Information collected under Section 702 is subject to the court-approved minimization procedures, which provide protections to non-U.S. persons as well as U.S. persons, and which have been publicly released (23). For example, communications acquired under Section 702, whether of U.S. persons or non-U.S. persons, are stored in databases with strict access controls. They may be reviewed only by intelligence personnel who have been trained in the privacy-protective minimization procedures and who have been specifically approved for that access in order to carry out their authorized functions (24). Use of the data is limited to identification of foreign intelligence information or evidence of a crime (25). Pursuant to PPD-28, this information may be disseminated only if there is a valid foreign intelligence or law enforcement purpose; the mere fact that one party to the communication is not a U.S. person is not sufficient (26). And the minimization procedures and PPD-28 also set limits on how long data acquired pursuant to Section 702 may be retained (27).
Oversight of Section 702 is extensive, and is conducted by all three branches of our government. Agencies implementing the statute have multiple levels of internal review, including by independent Inspectors General, and technological controls over access to the data. The Department of Justice and the ODNI closely review and scrutinize the use of Section 702 to verify compliance with legal rules; agencies are also under an independent obligation to report potential incidents of noncompliance. Those incidents are investigated, and all compliance incidents are reported to the Foreign Intelligence Surveillance Court, the President's Intelligence Oversight Board, and Congress, and remedied as appropriate (28). To date, there have been no incidents of willful attempts to violate the law or circumvent legal requirements (29).
The FISA Court plays an important role in implementing Section 702. It is composed of independent federal judges who serve for a term of seven years on the FISA Court but who, like all federal judges, have life tenure as judges. As noted above, the Court must review the annual certifications and targeting and minimization procedures for compliance with the law. In addition, as also noted above, the Government is required to notify the Court immediately of compliance issues (30), and several Court opinions have been declassified and released showing the exceptional degree of judicial scrutiny and independence it exercises in reviewing those incidents.
The Court's exacting processes have been described by its former Presiding Judge in a letter to Congress that has been publicly released (31). And as a result of the USA FREEDOM Act, described below, the Court is now explicitly authorized to appoint an outside lawyer as an independent advocate on behalf of privacy in cases that present novel or significant legal issues (32). This degree of involvement by a country's independent judiciary in foreign intelligence activities directed at persons who are neither citizens of that country nor located within it is unusual if not unprecedented, and helps ensure that Section 702 collection occurs within appropriate legal limits.
Congress exercises oversight through statutorily required reports to the Intelligence and Judiciary Committees, and frequent briefings and hearings. These include a semiannual report by the Attorney General documenting the use of Section 702 and any compliance incidents (33); a separate semiannual assessment by the Attorney General and the DNI documenting compliance with the targeting and minimization procedures, including compliance with the procedures designed to ensure that collection is for a valid foreign intelligence purpose (34); and an annual report by heads of intelligence elements which includes a certification that collection under Section 702 continues to produce foreign intelligence information (35).
In short, collection under Section 702 is authorized by law; subject to multiple levels of review, judicial supervision and oversight; and, as the FISA Court stated in a recently declassified opinion, is ‘not conducted in a bulk or indiscriminate manner,’ but ‘through. .. discrete targeting decisions for individual [communication] facilities’ (36).
III. USA FREEDOM ACT
The USA FREEDOM Act, signed into law in June 2015, significantly modified U.S. surveillance and other national security authorities, and increased public transparency on the use of these authorities and on decisions of the FISA Court, as set out below (37). The Act ensures that our intelligence and law enforcement professionals have the authorities they need to protect the Nation, while further ensuring that individuals' privacy is appropriately protected when these authorities are employed. It enhances privacy and civil liberties and increases transparency.
The Act prohibits bulk collection of any records, including of both U.S. and non-U.S. persons, pursuant to various provisions of FISA or through the use of National Security Letters, a form of statutorily authorized administrative subpoenas (38). This prohibition specifically includes telephone metadata relating to calls between persons inside the U.S. and persons outside the U.S., and would also include collection of Privacy Shield information pursuant to these authorities. The Act requires that the government base any application for records under those authorities on a ‘specific selection term’—a term that specifically identifies a person, account, address, or personal device in a way that limits the scope of information sought to the greatest extent reasonably practicable (39). This further ensures that collection of information for intelligence purposes is precisely focused and targeted.
The Act also made significant modifications to proceedings before the FISA Court, which both increase transparency and provide additional assurances that privacy will be protected. As noted above, it authorized creation of a standing panel of security-cleared lawyers with expertise in privacy and civil liberties, intelligence collection, communications technology, or other relevant areas, who may be appointed to appear before the court as amicus curiae in cases that involve significant or novel interpretations of law. These lawyers are authorized to make legal arguments that advance the protection of individual privacy and civil liberties, and will have access to any information, including classified information, that the court determines is necessary to their duties (40).
The Act also builds on the U.S. Government's unprecedented transparency about intelligence activities by requiring the DNI, in consultation with the Attorney General, to either declassify, or publish an unclassified summary of, each decision, order, or opinion issued by the FISA Court or the Foreign Intelligence Surveillance Court of Review that includes a significant construction or interpretation of any provision of law.
Moreover, the Act provides for extensive disclosures about FISA collection and National Security Letter requests. The United States must disclose to Congress and to the public each year the number of FISA orders and certifications sought and received; estimates of the number of U.S. persons and non-U.S. persons targeted and affected by surveillance; and the number of appointments of amici curiae, among other items of information (41). The Act also requires additional public reporting by the government about the numbers of National Security Letter requests about both U.S. and non-U.S. persons (42).
With regard to corporate transparency, the Act gives companies a range of options to report publicly the aggregate number of FISA orders and directives or National Security Letters they receive from the Government, as well as the number of customer accounts targeted by these orders (43). Several companies have already made such disclosures, which have revealed the limited number of customers whose records have been sought.
These corporate transparency reports demonstrate that U.S. intelligence requests affect only a miniscule fraction of data. For example, one major company's recent transparency report shows that it received national security requests (pursuant to FISA or National Security Letters) affecting fewer than 20 000 of its accounts, at a time when it had at least 400 million subscribers. In other words, all U.S. national security requests reported by this company affected fewer than 0,005 % of its subscribers. Even if every one of those requests had concerned Safe Harbor data, which of course is not the case, it is obvious that the requests are targeted and appropriate in scale, and are neither bulk nor indiscriminate.
Finally, while the statutes which authorize National Security Letters already restricted the circumstances under which a recipient of such a letter could be barred from disclosing it, the Act further provided that such non-disclosure requirements must be reviewed periodically; required that recipients of National Security Letters be notified when the facts no longer support a non-disclosure requirement; and codified procedures for recipients to challenge nondisclosure requirements (44).
In sum, the USA FREEDOM Act's important amendments to U.S. intelligence authorities is clear evidence of the extensive effort taken by the United States to place the protection of personal information, privacy, civil liberties, and transparency at the forefront of all U.S. intelligence practices.
IV. TRANSPARENCY
In addition to the transparency mandated by the USA FREEDOM Act, the U.S. Intelligence Community provides the public much additional information, setting a strong example with respect to transparency into its intelligence activities. The Intelligence Community has published many of its policies, procedures, Foreign Intelligence Surveillance Court decisions, and other declassified materials, providing an extraordinary degree of transparency. In addition, the Intelligence Community has substantially increased its disclosure of statistics on the government's use of national security collection authorities. On April 22, 2015, the Intelligence Community issued its second annual report presenting statistics on how often the government uses these important authorities. ODNI also has published, on the ODNI website and on IC On the Record, a set of concrete transparency principles (45) and an implementation plan that translates the principles into concrete, measurable initiatives (46). In October 2015, the Director of National Intelligence directed that each intelligence agency designate an Intelligence Transparency Officer within its leadership to foster transparency and lead transparency initiatives (47). The Transparency Officer will work closely with each intelligence agency's Privacy and Civil Liberties Officer to ensure that transparency, privacy, and civil liberties continue to remain top priorities.
As an example of these efforts, NSA's Chief Privacy and Civil Liberties Officer has released several unclassified reports over the past few years, including reports on activities under section 702, Executive Order 12333, and the USA FREEDOM Act (48). In addition, the IC works closely with the PCLOB, Congress, and the U.S. privacy advocacy community to provide further transparency relating to U.S. intelligence activities, wherever feasible and consistent with the protection of sensitive intelligence sources and methods. Taken as a whole, U.S. intelligence activities are as transparent as or more transparent than those of any other nation in the world and are as transparent as it is possible to be consistent with the need to protect sensitive sources and methods.
To summarize the extensive transparency that exists about U.S. intelligence activities:
— |
The IC has released and posted online thousands of pages of court opinions and agency procedures outlining the specific procedures and requirements of our intelligence activities. We have also released reports on intelligence agencies' compliance with applicable restrictions. |
— |
Senior intelligence officials regularly speak publicly about the roles and activities of their organizations, including descriptions of the compliance regimes and safeguards that govern their work. |
— |
The IC released numerous additional documents about intelligence activities pursuant to our Freedom of Information Act. |
— |
The President issued PPD-28, publicly setting out additional restrictions on our intelligence activities, and ODNI has issued two public reports on the implementation of those restrictions. |
— |
The IC is now required by law to release significant legal opinions issued by the FISA Court, or summaries of those opinions. |
— |
The government is required to report annually on the extent of its use of certain national security authorities, and companies are authorized to do so as well. |
— |
The PCLOB has issued several detailed public reports on intelligence activities, and will continue to do so. |
— |
The IC provides extensive classified information to Congressional oversight committees. |
— |
The DNI issued transparency principles to govern the activities of the Intelligence Community. |
This extensive transparency will continue going forward. Any information that is released publicly will, of course, be available to both the Department of Commerce and the European Commission. The annual review between Commerce and the European Commission on the implementation of the Privacy Shield will provide an opportunity for the European Commission to discuss any questions raised by any new information released, as well as any other matters concerning the Privacy Shield and its operation, and we understand that the Department may, in its discretion, invite representatives of other agencies, including the IC, to participate in that review. This is, of course, in addition to the mechanism provided in PPD-28 for EU Member States to raise surveillance-related concerns with a designated State Department official.
V. REDRESS
U.S. law provides a number of avenues of redress for individuals who have been the subject of unlawful electronic surveillance for national security purposes. Under FISA, the right to seek relief in U.S. court is not limited to U.S. persons. An individual who can establish standing to bring suit would have remedies to challenge unlawful electronic surveillance under FISA. For example, FISA allows persons subjected to unlawful electronic surveillance to sue U.S. government officials in their personal capacities for money damages, including punitive damages and attorney's fees. See 50 U.S.C. § 1810. Individuals who can establish their standing to sue also have a civil cause of action for money damages, including litigation costs, against the United States when information about them obtained in electronic surveillance under FISA has been unlawfully and willfully used or disclosed. See 18 U.S.C. § 2712. In the event the government intends to use or disclose any information obtained or derived from electronic surveillance of any aggrieved person under FISA against that person in judicial or administrative proceedings in the United States, it must provide advance notice of its intent to the tribunal and the person, who may then challenge the legality of the surveillance and seek to suppress the information. See 50 U.S.C. § 1806. Finally, FISA also provides criminal penalties for individuals who intentionally engage in unlawful electronic surveillance under color of law or who intentionally use or disclose information obtained by unlawful surveillance. See 50 U.S.C. § 1809.
EU citizens have other avenues to seek legal recourse against U.S. government officials for unlawful government use of or access to data, including government officials who violate the law in the course of unlawful access to or use of information for purported national security purposes. The Computer Fraud and Abuse Act prohibits intentional unauthorized access (or exceeding authorized access) to obtain information from a financial institution, a U.S. government computer system, or a computer accessed via the internet, as well as threats to damage protected computers for purposes of extortion or fraud. See 18 U.S.C. § 1030. Any person, of whatever nationality, who suffers damage or loss by reason of a violation of this law may sue the violator (including a government official) for compensatory damages and injunctive or other equitable relief under section 1030(g), regardless of whether a criminal prosecution has been pursued, provided the conduct involves at least one of several circumstances set forth in the statute. The Electronic Communications Privacy Act (ECPA) regulates government access to stored electronic communications and transactional records and subscriber information held by third-party communications providers. See 18 U.S.C. §§ 2701-2712. ECPA authorizes an aggrieved individual to sue government officials for intentional unlawful access to stored data. ECPA applies to all persons regardless of citizenship and aggrieved persons may receive damages and attorney's fees. The Right to Financial Privacy Act (RFPA) limits the U.S. government's access to the bank and broker-dealer records of individual customers. See 12 U.S.C. §§ 3401-3422. Under the RFPA, a bank or broker-dealer customer can sue the U.S. government for statutory, actual, and punitive damages for wrongfully obtaining access to the customer's records, and a finding that such wrongful access was willful automatically triggers an investigation of possible disciplinary action against the relevant government employees. See 12 U.S.C. § 3417.
Finally, the Freedom of Information Act (FOIA) provides a means for any person to seek access to existing federal agency records on any topic subject to certain categories of exemptions. See 5 U.S.C. § 552(b). These include limits on access to classified national security information, personal information of other individuals, and information concerning law enforcement investigations, and are comparable to the limitations imposed by nations with their own information access laws. These limitations apply equally to Americans and non-Americans. Disputes over the release of records requested pursuant to FOIA can be appealed administratively and then in federal court. The court is required to make a de novo determination of whether records are properly withheld, 5 U.S.C. § 552(a)(4)(B), and can compel the government to provide access to records. In some cases courts have overturned government assertions that information should be withheld as classified (49). Although no monetary damages are available, courts can award attorney's fees.
VI. CONCLUSION
The United States recognizes that our signals intelligence and other intelligence activities must take into account that all persons should be treated with dignity and respect, regardless of their nationality or place of residence, and that all persons have legitimate privacy interests in the handling of their personal information. The United States only uses signals intelligence to advance its national security and foreign policy interests and to protect its citizens and the citizens of its allies and partners from harm. In short, the IC does not engage in indiscriminate surveillance of anyone, including ordinary European citizens. Signals intelligence collection only takes place when duly authorized and in a manner that strictly complies with these limitations; only after consideration of the availability of alternative sources, including from diplomatic and public sources; and in a manner that prioritizes appropriate and feasible alternatives. And wherever practicable, signals intelligence only takes place through collection focused on specific foreign intelligence targets or topics through the use of discriminants.
U.S. policy in this regard was affirmed in PPD-28. Within this framework, U.S. intelligence agencies do not have the legal authority, the resources, the technical capability or the desire to intercept all of the world's communications. Those agencies are not reading the emails of everyone in the United States, or of everyone in the world. Consistent with PPD-28, the United States provides robust protections to the personal information of non-U.S. persons that is collected through signals intelligence activities. To the maximum extent feasible consistent with the national security, this includes policies and procedures to minimize the retention and dissemination of personal information concerning non-U.S. persons comparable to the protections enjoyed by U.S. persons. Moreover, as discussed above, the comprehensive oversight regime of the targeted Section 702 FISA authority is unparalleled. Finally, the significant amendments to U.S. intelligence law set forth in the USA FREEDOM Act and the ODNI-led initiatives to promote transparency within the Intelligence Community greatly enhance the privacy and civil liberties of all individuals, regardless of their nationality.
Sincerely,
Robert S. Litt
June 21, 2016
Mr Justin S. Antonipillai |
Counselor |
U.S. Department of Commerce |
1401 Constitution Avenue, N.W. |
Washington, DC 20230 |
Mr Ted Dean |
Deputy Assistant Secretary |
International Trade Administration |
1401 Constitution Avenue, N.W. |
Washington, DC 20230 |
Dear Mr Antonipillai and Mr Dean:
I am writing to provide further information about the manner in which the United States conducts bulk collection of signals intelligence. As explained in footnote 5 of Presidential Policy Directive 28 (PPD-28), ‘bulk’ collection refers to the acquisition of a relatively large volume of signals intelligence information or data under circumstances where the Intelligence Community cannot use an identifier associated with a specific target (such as the target's e-mail address or phone number) to focus the collection. However, this does not mean that this sort of collection is ‘mass’ or ‘indiscriminate.’ Indeed, PPD-28 also requires that ‘[s]ignals intelligence activities shall be as tailored as feasible.’ In furtherance of this mandate, the Intelligence Community takes steps to ensure that even when we cannot use specific identifiers to target collection, the data to be collected is likely to contain foreign intelligence that will be responsive to requirements articulated by U.S. policy-makers pursuant to the process explained in my earlier letter, and minimizes the amount of non-pertinent information that is collected.
As an example, the Intelligence Community may be asked to acquire signals intelligence about the activities of a terrorist group operating in a region of a Middle Eastern country, that is believed to be plotting attacks against Western European countries, but may not know the names, phone numbers, e-mail addresses or other specific identifiers of individuals associated with this terrorist group. We might choose to target that group by collecting communications to and from that region for further review and analysis to identify those communications that relate to the group. In so doing, the Intelligence Community would seek to narrow the collection as much as possible. This would be considered collection in ‘bulk’ because the use of discriminants is not feasible, but it is neither ‘mass’ nor ‘indiscriminate’; rather it is focused as precisely as possible.
Thus, even when targeting through the use of specific selectors is not possible, the United States does not collect all communications from all communications facilities everywhere in the world, but applies filters and other technical tools to focus its collection on those facilities that are likely to contain communications of foreign intelligence value. In so doing, the United States' signals intelligence activities touch only a fraction of the communications traversing the Internet.
Moreover, as noted in my earlier letter, because ‘bulk’ collection entails a greater risk of collecting non-pertinent communications, PPD-28 limits the use that the Intelligence Community may make of signals intelligence collected in bulk to six specified purposes. PPD-28, and agency policies implementing PPD-28, also place restrictions on the retention and dissemination of personal information acquired through signals intelligence, regardless of whether the information was collected in bulk or through targeted collection, and regardless of the individual's nationality.
Thus, the Intelligence Community's ‘bulk’ collection is not ‘mass’ or ‘indiscriminate,’ but involves the application of methods and tools to filter collection in order to focus the collection on material that will be responsive to policy-makers' articulated foreign intelligence requirements while minimizing the collection of non-pertinent information, and provides strict rules to protect the non-pertinent information that may be acquired. The policies and procedures described in this letter apply to all bulk signals intelligence collection, including any bulk collection of communications to and from Europe, without confirming or denying whether any such collection occurs.
You have also asked for more information about the Privacy and Civil Liberties Oversight Board (PCLOB) and Inspectors General, and their authorities. The PCLOB is an independent agency in the Executive Branch. Members of the bipartisan, five-member Board are appointed by the President and confirmed by the Senate (50). Each Member of the Board serves a six-year term. Members of the Board and staff are provided appropriate security clearances in order for them to fully execute their statutory duties and responsibilities (51).
The PCLOB's mission is to ensure that the federal government's efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties. The Board has two fundamental responsibilities — oversight and advice. The PCLOB sets its own agenda and determines what oversight or advice activities it wishes to undertake.
In its oversight role, the PCLOB reviews and analyzes actions the Executive Branch takes to protect the nation from terrorism, ensuring that the need for such actions is balanced with the need to protect privacy and civil liberties (52). The PCLOB's most recent completed oversight review focused on surveillance programs operated under Section 702 of FISA (53). It is currently conducting a review of intelligence activities operated under Executive Order 12333 (54).
In its advisory role, the PCLOB ensures that liberty concerns are appropriately considered in the development and implementation of laws, regulations, and policies related to efforts to protect the nation from terrorism (55).
In order to carry out its mission, the Board is authorized by statute to have access to all relevant agency records, reports, audits, reviews, documents, papers, recommendations, and any other relevant materials, including classified information consistent with law (56). In addition, the Board may interview, take statements from, or take public testimony from any executive branch officer or employee (57). Additionally, the Board may request in writing that the Attorney General, on the Board's behalf, issues subpoenas compelling parties outside the Executive Branch to provide relevant information (58).
Finally, the PCLOB has statutory public transparency requirements. This includes keeping the public informed of its activities by holding public hearings and making its reports publicly available, to the greatest extent possible consistent with the protection of classified information (59). In addition, the PCLOB is required to report when an Executive Branch agency declines to follow its advice.
Inspectors General (IGs) in the Intelligence Community (IC) conduct audits, inspections, and reviews of the programs and activities in the IC to identify and address systemic risks, vulnerabilities, and deficiencies. In addition, IGs investigate complaints or information of allegations of violations of law, rules, or regulations, or mismanagement; gross waste of funds; abuse of authority, or a substantial and specific danger to the public health and safety in IC programs and activities. IG independence is a critical component to the objectivity and integrity of every report, finding, and recommendation an IG issues. Some of the most critical components to maintaining IG independence include the IG appointment and removal process; separate operational, budget, and personnel authorities; and dual reporting requirements to Executive Branch agency heads and Congress.
Congress established an independent IG office in each Executive Branch agency, including every IC element (60). With the passage of the Intelligence Authorization Act for Fiscal Year 2015, almost all IGs with oversight of an IC element are appointed by the President and confirmed by the Senate, including the Department of Justice, Central Intelligence Agency, National Security Agency, and the Intelligence Community (61). Further, these IGs are permanent, nonpartisan, officials who can only be removed by the President. While the U.S. Constitution requires that the President have IG removal authority, it has rarely been exercised and requires that the President provide Congress with a written justification 30 days before removing an IG (62). This IG appointment process ensures that there is no undue influence by Executive Branch officials in the selection, appointment, or removal of an IG.
Second, IGs have significant statutory authorities to conduct audits, investigations, and reviews of Executive Branch programs and operations. In addition to oversight investigations and reviews required by law, IGs have broad discretion to exercise oversight authority to review programs and activities of their choosing (63). In exercising this authority, the law ensures that IGs have the independent resources to execute their responsibilities, including the authority to hire their own staff and separately document their budget requests to Congress (64). The law ensures that IGs have access to the information needed to execute their responsibilities. This includes the authority to have direct access to all agency records and information detailing the programs and operations of the agency regardless of classification; the authority to subpoena information and documents; and the authority to administer oaths (65). In limited cases, the head of an Executive Branch agency may prohibit an IG's activity if, for example, an IG audit or investigation would significantly impair the national security interests of the United States. Again, the exercise of this authority is extremely unusual and requires the head of the agency to notify Congress within 30 days of the reasons for exercising it (66). Indeed, the Director of National Intelligence has never exercised this limitation authority over any IG activities.
Third, IGs have responsibilities to keep both heads of Executive Branch agencies and Congress fully and currently informed through reports of fraud and other serious problems, abuses, and deficiencies relating to Executive Branch programs and activities (67). Dual reporting bolsters IG independence by providing transparency into the IG oversight process and allowing agency heads an opportunity to implement IG recommendations before Congress can take legislative action. For example, IGs are required by law to complete semi-annual reports that describe such problems as well as corrective actions taken to date (68). Executive Branch agencies take IG findings and recommendations seriously and IGs are often able to include the agencies' acceptance and implementation of IG recommendations in these and other reports provided to Congress, and in some cases the public (69). In addition to this IG dual-report structure, IGs are also responsible for shepherding Executive Branch whistleblowers to the appropriate congressional oversight committees to make disclosures of alleged fraud, waste, or abuse in Executive Branch programs and activities. The identities of those who come forward are protected from disclosure to the Executive Branch, which shields the whistleblowers from potential prohibited personnel actions or security clearance actions taken in reprisal for reporting to the IG (70). As whistleblowers are often the sources for IG investigations, the ability to report their concerns to the Congress without Executive Branch influences increases the effectiveness of IG oversight. Because of this independence, IGs can promote economy, efficiency, and accountability in Executive Branch agencies with objectivity and integrity.
Finally, Congress has established the Council of Inspectors General on Integrity and Efficiency. This Council, among other things, develops IG standards for audits, investigations and reviews; promotes training; and has the authority to conduct reviews of allegations of IG misconduct, which serves as a critical eye on IGs, who are entrusted to watch all others (71).
I hope that this information is helpful to you.
Regards,
Robert S. Litt
General Counsel
(1) Further information concerning U.S. foreign intelligence activities is posted online and publicly accessible through IC on the Record (www.icontherecord.tumblr.com), the ODNI's public website dedicated to fostering greater public visibility into the intelligence activities of the government.
(2) Available at https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities.
(3) Law enforcement or regulatory agencies may request information from corporations for investigative purposes in the United States pursuant to other criminal, civil, and regulatory authorities that are beyond the scope of this paper, which is limited to national security authorities.
(4) Available at www.icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties#ppd-28. These procedures implement the targeting and tailoring concepts discussed in this letter in a manner specific to each IC element.
(5) To cite but one example, the NSA's procedures implementing PPD-28 state that ‘[w]henever practicable, collection will occur through the use of one or more selection terms in order to focus the collection on specific foreign intelligence targets (e.g., a specific, known international terrorist or terrorist group) or specific foreign intelligence topics (e.g., the proliferation of weapons of mass destruction by a foreign power or its agents).’
(6) Available at http://www.dni.gov/files/documents/1017/PPD-28_Status_Report_Oct_2014.pdf.
(7) Available at http://www.dni.gov/files/documents/ICD/ICD%20204%20National%20Intelligence%20Priorities%20Framework.pdf.
(8) Intelligence Community Directive (ICD) 203, available at http://www.dni.gov/files/documents/ICD/ICD%20203%20Analytic%20Standards.pdf.
(9) See, e.g., U.S. Department of Justice Inspector General Report ‘A Review of the Federal Bureau of Investigation's Activities Under Section 702 of the Foreign Intelligence Surveillance Act of 2008’ (September 2012), available at https://oig.justice.gov/reports/2016/o1601a.pdf.
(10) See www.dni.gov/clpo.
(11) 50 U.S.C. § 1881a.
(12) The United States also may obtain court orders pursuant to other provisions of FISA for the production of data, including data transferred pursuant to the Privacy Shield. See 50 U.S.C. § 1801 et seq. Titles I and III of FISA, which respectively authorize electronic surveillance and physical searches, require a court order (except in emergency circumstances) and always require probable cause to believe that the target is a foreign power or an agent of a foreign power. Title IV of FISA authorizes the use of pen registers and trap and trace devices, pursuant to court order (except in emergency circumstances) in authorized foreign intelligence, counterintelligence, or counterterrorism investigations. Title V of FISA permits the FBI, pursuant to court order (except in emergency circumstances), to obtain business records that are relevant to an authorized foreign intelligence, counterintelligence, or counterterrorism investigations. As discussed below, the USA FREEDOM Act specifically prohibits the use of FISA pen register or business record orders for bulk collection, and imposes a requirement of a ‘specific selection term’ to ensure that those authorities are used in a targeted fashion.
(13) Privacy and Civil Liberties Board, ‘Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act’ (July 2, 2014) (‘PCLOB Report’).
(14) See Pub. L. No 110-261, 122 Stat. 2436 (2008).
(15) See 50 U.S.C. § 1881a(a) and (b).
(16) See id. § 1801(e).
(17) See PCLOB Report at 99.
(18) See 50 U.S.C. § 1881a(d) and (e).
(19) See PCLOB Report at 111.
(20) Id.
(21) Id. at 8; 50 U.S.C. § 1881a(l); see also NSA Director of Civil Liberties and Privacy Report, ‘NSA's Implementation of Foreign Intelligence Surveillance Act Section 702’ (hereinafter ‘NSA Report’) at 4, available at http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties.
(22) Director of National Intelligence 2014 Transparency Report, available at http://icontherecord.tumblr.com/transparency/odni_transparencyreport_cy2014.
(23) Minimization procedures available at: http://www.dni.gov/files/documents/ppd-28/2014%20NSA%20702%20Minimization%20Procedures.pdf (‘NSA Minimization Procedures’); http://www.dni.gov/files/documents/ppd-28/2014%20FBI%20702%20Minimization%20Procedures.pdf; and http://www.dni.gov/files/documents/ppd-28/2014%20CIA%20702%20Minimization%20Procedures.pdf.
(24) See NSA Report at 4.
(25) See, e.g., NSA Minimization Procedures at 6.
(26) Intelligence Agency PPD-28 procedures available at http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties.
(27) See NSA Minimization Procedures; PPD-28 Section 4.
(28) See 50 U.S.C. § 1881(l); see also PCLOB Report at 66-76.
(29) See Semiannual Assessment of Compliance with Procedures and Guidelines Issues Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, Submitted by the Attorney General and the Director of National Intelligence at 2–3, available at http://www.dni.gov/files/documents/Semiannual%20Assessment%20of%20Compliance%20with%20procedures%20and%20guidelines%20issued%20pursuant%20to%20Sect%20702%20of%20FISA.pdf.
(30) Rule 13 of the Foreign Intelligence Surveillance Court Rules of Procedures, available at http://www.fisc.uscourts.gov/sites/default/files/FISC%20Rules%20of%20Procedure.pdf.
(31) July 29, 2013 Letter from The Honorable Reggie B. Walton to The Honorable Patrick J. Leahy, available at http://fas.org/irp/news/2013/07/fisc-leahy.pdf.
(32) See Section 401 of the USA FREEDOM Act, P.L. 114-23.
(33) See 50 U.S.C. § 1881f.
(34) See id. § 1881a(l)(1).
(35) See id. § 1881a(l)(3). Some of these reports are classified.
(36) Mem. Opinion and Order at 26 (FISC 2014), available at http://www.dni.gov/files/documents/0928/FISC%20Memorandum%20Opinion%20and%20Order%2026%20August%202014.pdf.
(37) See USA FREEDOM Act of 2015, Pub. L. No 114-23, § 401, 129 Stat. 268.
(38) See id. §§ 103, 201, 501. National Security Letters are authorized by a variety of statutes and allow the FBI to obtain information contained in credit reports, financial records, and electronic subscriber and transaction records from certain kinds of companies, only to protect against international terrorism or clandestine intelligence activities. See 12 U.S.C. § 3414; 15 U.S.C. §§ 1681u-1681v; 18 U.S.C. § 2709. National Security Letters are typically used by the FBI to gather critical non-content information at the early phases of counterterrorism and counterintelligence investigations — such as the identity of the subscriber to an account who may have been communicating with agents of a terrorist group such as ISIL. Recipients of a National Security Letter have the right to challenge them in court. See 18 U.S.C. § 3511.
(39) See id.
(40) See id. § 401.
(41) See id. § 602.
(42) See id.
(43) See id. § 603.
(44) See id. §§ 502(f)–503.
(45) Available at http://www.dni.gov/index.php/intelligence-community/intelligence-transparency-principles.
(46) Available at http://www.dni.gov/files/documents/Newsroom/Reports%20and%20Pubs/Principles%20of%20Intelligence%20Transparency%20Implementation%20Plan.pdf.
(47) See id.
(48) Available at https://www.nsa.gov/civil_liberties/_files/nsa_report_on_section_702_program.pdf; https://www.nsa.gov/civil_liberties/_files/UFA_Civil_Liberties_and_Privacy_Report.pdf; https://www.nsa.gov/civil_liberties/_files/UFA_Civil_Liberties_and_Privacy_Report.pdf.
(49) See, e.g., New York Times v. Department of Justice, 756 F.3d 100 (2d Cir. 2014); American Civil Liberties Union v. CIA, 710 F.3d 422 (D.C. Cir. 2014).
(50) 42 U.S.C. 2000ee(a), (h).
(51) 42 U.S.C. 2000ee(k).
(52) 42 U.S.C. 2000ee(d)(2).
(53) See generally https://www.pclob.gov/library.html#oversightreports.
(54) See generally https://www.pclob.gov/events/2015/may13.html.
(55) 42 U.S.C. 2000ee(d)(1); see also PCLOB Advisory Function Policy and Procedure, Policy 2015-004, available at https://www.pclob.gov/library/Policy-Advisory_Function_Policy_Procedure.pdf.
(56) 42 U.S.C. 2000ee(g)(1)(A).
(57) 42 U.S.C. 2000ee(g)(1)(B).
(58) 42 U.S.C. 2000ee(g)(1)(D).
(59) 42 U.S.C. 2000eee(f).
(60) Sections 2 and 4 of the Inspector General Act of 1978, as amended (hereinafter ‘IG Act’); Section 103H(b) and (e) of the National Security Act of 1947, as amended (hereinafter ‘Nat'l Sec. Act’); Section 17(a) of the Central Intelligence Act (hereinafter ‘CIA Act’).
(61) See Pub. L. No 113-293, 128 Stat. 3990, (Dec. 19, 2014). Only the IGs for the Defense Intelligence Agency and the National Geospatial-Intelligence Agency are not appointed by the President; however the DOD IG and the IC IG have concurrent jurisdiction over these agencies.
(62) Section 3 of the IG Act of 1978, as amended; Section 103H(c) of the Nat'l Sec. Act; and Section 17(b) of the CIA Act.
(63) See Sections 4(a) and 6(a)(2) of the IG Act of 1947; Section 103H(e) and (g)(2)(A) of the Nat'l Sec. Act; Section 17(a) and (c) of the CIA Act.
(64) Sections 3(d), 6(a)(7) and 6(f) of the IG Act; Sections 103H(d), (i), (j) and (m) of the Nat'l Sec. Act; Sections 17(e)(7) and (f) of the CIA Act.
(65) Section 6(a)(1), (3), (4), (5), and (6) of the IG Act; Sections 103H(g)(2) of the Nat'l Sec. Act; Section 17(e)(1), (2), (4), and (5) of CIA Act.
(66) See, e.g., Sections 8(b) and 8E(a) of the IG Act; Section 103H(f) of the Nat'l Sec. Act; Section 17(b) of the CIA Act.
(67) Section 4(a)(5) of the IG Act; Section 103H(a)(b)(3) and (4) of the Nat'l Sec. Act; Section 17(a)(2) and (4) of the CIA Act.
(68) Section 2(3), 4(a), and 5 of the IG Act; Section 103H(k) of the Nat'l Sec. Act; Section 17(d) of the CIA Act. The Inspector General of the Department of Justice makes its publicly released reports available on the internet at http://oig.justice.gov/reports/all.htm. Similarly, the Inspector General for the Intelligence Community makes it semi-annual reports publicly available at https://www.dni.gov/index.php/intelligence-community/ic-policies-reports/records-requested-under-foia#icig.
(69) Section 2(3), 4(a), and 5 of the IG Act; Section 103H(k) of the Nat'l Sec. Act; Section 17(d) of the CIA Act. The Inspector General of the Department of Justice makes its publicly released reports available on the internet at http://oig.justice.gov/reports/all.htm. Similarly, the Inspector General for the Intelligence Community makes it semi-annual reports publicly available at https://www.dni.gov/index.php/intelligence-community/ic-policies-reports/records-requested-under-foia#icig.
(70) Section 7 of the IG Act; Section 103H(g)(3) of the Nat'l Sec. Act; Section 17(e)(3) of the CIA Act.
(71) Section 11 of the IG Act.
ANNEX VII
February 19, 2016
Mr Justin S. Antonipillai |
Counselor |
U.S. Department of Commerce |
1401 Constitution Ave., NW |
Washington, DC 20230 |
Mr Ted Dean |
Deputy Assistant Secretary |
International Trade Administration |
1401 Constitution Ave., NW |
Washington, DC 20230 |
Dear Mr Antonipillai and Mr Dean:
This letter provides a brief overview of the primary investigative tools used to obtain commercial data and other record information from corporations in the United States for criminal law enforcement or public interest (civil and regulatory) purposes, including the access limitations set forth in those authorities (1). These legal processes are nondiscriminatory in that they are used to obtain information from corporations in the United States, including from companies that will self-certify through the US/EU Privacy Shield framework, without regard to the nationality of the data subject. Further, corporations that receive legal process in the United States may challenge it in court as discussed below (2).
Of particular note with respect to the seizure of data by public authorities is the Fourth Amendment to the United States Constitution, which provides that ‘[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.’ U.S. Const. amend. IV. As the United States Supreme Court stated in Berger v. State of New York, ‘[t]he basic purpose of this Amendment, as recognized in countless decisions of this Court, is to safeguard the privacy and security of individuals against arbitrary invasions by government officials.’ 388 U.S. 41, 53 (1967) (citing Camara v. Mun. Court of San Francisco, 387 U.S. 523, 528 (1967)). In domestic criminal investigations, the Fourth Amendment generally requires law enforcement officers to obtain a court-issued warrant before conducting a search. See Katz v. United States, 389 U.S. 347, 357 (1967). When the warrant requirement does not apply, government activity is subject to a ‘reasonableness’ test under the Fourth Amendment. The Constitution itself, therefore, ensures that the U.S. government does not have limitless, or arbitrary, power to seize private information.
Criminal Law Enforcement Authorities:
Federal prosecutors, who are officials of the Department of Justice (DOJ), and federal investigative agents including agents of the Federal Bureau of Investigation (FBI), a law enforcement agency within DOJ, are able to compel production of documents and other record information from corporations in the United States for criminal investigative purposes through several types of compulsory legal processes, including grand jury subpoenas, administrative subpoenas and search warrants, and may acquire other communications pursuant to federal criminal wiretap and pen register authorities.
Grand Jury or Trial Subpoenas: Criminal subpoenas are used to support targeted law enforcement investigations. A grand jury subpoena is an official request issued from a grand jury (usually at the request of a federal prosecutor) to support a grand jury investigation into a particular suspected violation of criminal law. Grand juries are an investigative arm of the court and are impaneled by a judge or magistrate. A subpoena may require someone to testify at a proceeding, or to produce or make available business records, electronically stored information, or other tangible items. The information must be relevant to the investigation and the subpoena cannot be unreasonable because it is overbroad, or because it is oppressive or burdensome. A recipient can file a motion to challenge a subpoena based on those grounds. See Fed. R. Crim. P. 17. In limited circumstances, trial subpoenas for documents may be used after the case has been indicted by the grand jury.
Administrative Subpoena Authority: Administrative subpoena authorities may be exercised in criminal or civil investigations. In the criminal law enforcement context, several federal statutes authorize the use of administrative subpoenas to produce or make available business records, electronically stored information, or other tangible items in investigations involving health care fraud, child abuse, Secret Service protection, controlled substance cases, and Inspector General investigations implicating government agencies. If the government seeks to enforce an administrative subpoena in court, the recipient of the administrative subpoena, like the recipient of a grand jury subpoena, can argue that the subpoena is unreasonable because it is overbroad, or because it is oppressive or burdensome.
Court Orders For Pen Register and Trap and Traces: Under criminal pen register and trap and trace provisions, law enforcement may obtain a court order to acquire real-time, non-content dialing, routing, addressing and signaling information about a phone number or e-mail upon certification that the information provided is relevant to a pending criminal investigation. See 18 U.S.C. §§ 3121-3127. The use or installation of such a device outside the law is a federal crime.
Electronic Communications Privacy Act (ECPA): Additional rules govern the government's access to subscriber information, traffic data and stored content of communications held by ISPs telephone companies, and other third party service providers, pursuant to Title II of ECPA, also called the Stored Communications Act (SCA), 18 U.S.C. §§ 2701–2712. The SCA sets forth a system of statutory privacy rights that limit law enforcement access to data beyond what is required under constitutional law from customers and subscribers of internet service providers. The SCA provides for increasing levels of privacy protections depending on the intrusiveness of the collection. For subscriber registration information, IP addresses and associated time stamps, and billing information, criminal law enforcement authorities must obtain a subpoena. For most other stored, non-content information, such as e-mail headers without the subject line, law enforcement must present specific facts to a judge demonstrating that the requested information is relevant and material to an ongoing criminal investigation. To obtain the stored content of electronic communications, generally, criminal law enforcement authorities obtain a warrant from a judge based on probable cause to believe the account in question contains evidence of a crime. The SCA also provides for civil liability and criminal penalties.
Court Orders for Surveillance Pursuant to Federal Wiretap Law: Additionally, law enforcement may intercept in real time wire, oral or electronic communications for criminal investigative purposes pursuant to the federal wiretap law. See 18 U.S.C. §§ 2510-2522. This authority is available only pursuant to a court order in which a judge finds, inter alia, that there is probable cause to believe that the wiretap or electronic interception will produce evidence of a federal crime, or the whereabouts of a fugitive fleeing from prosecution. The statute provides for civil liability and criminal penalties for violations of the wiretapping provisions.
Search Warrant — Rule 41: Law enforcement can physically search premises in the United States when authorized to do so by a judge. Law enforcement must demonstrate to the judge based on a showing of ‘probable cause’ that a crime was committed or is about to be committed and that items connected to the crime are likely to be found in the place specified by the warrant. This authority is often used when a physical search by police of a premise is needed due to the danger that evidence may be destroyed if a subpoena or other production order is served on the corporation. See U.S. Const. amend. IV (discussed in further detail above), Fed. R. Crim. P. 41. The subject of a search warrant may move to quash the warrant as overbroad, vexatious or otherwise improperly obtained and aggrieved parties with standing may move to suppress any evidence obtained in an unlawful search. See Mapp v. Ohio, 367 U.S. 643 (1961).
DOJ Guidelines and Policies: In addition to these Constitutional, statutory and rule-based limitations on government access to data, the Attorney General has issued guidelines that place further limits on law enforcement access to data, and that also contain privacy and civil liberty protections. For instance, the Attorney General's Guidelines for Domestic Federal Bureau of Investigation (FBI) Operations (September 2008) (hereinafter AG FBI Guidelines), available at http://www.justice.gov/archive/opa/docs/guidelines.pdf, set limits on use of investigative means to seek information related to investigations that involve federal crimes. These guidelines require that the FBI use the least intrusive investigative methods feasible, taking into account the effect on privacy and civil liberties and the potential damage to reputation. Further, they note that ‘it is axiomatic that the FBI must conduct its investigations and other activities in a lawful and reasonable manner that respects liberty and privacy and avoids unnecessary intrusions into the lives of law-abiding people.’ See AG FBI Guidelines at 5. The FBI has implemented these guidelines through the FBI Domestic Investigations and Operations Guide (DIOG), available at https://vault.fbi.gov/FBI%20Domestic%20Investigations%20and%20Operations%20Guide%20(DIOG), a comprehensive manual that includes detailed limits on use of investigative tools and guidance to assure that civil liberties and privacy are protected in every investigation. Additional rules and policies that prescribe limitations on the investigative activities of federal prosecutors are set out in the United States Attorneys' Manual (USAM), also available online at http://www.justice.gov/usam/united-states-attorneys-manual.
Civil and Regulatory Authorities (Public Interest):
There are also significant limits on civil or regulatory (i.e., ‘public interest’) access to data held by corporations in the United States. Agencies with civil and regulatory responsibilities may issue subpoenas to corporations for business records, electronically stored information, or other tangible items. These agencies are limited in their exercise of administrative or civil subpoena authority not only by their organic statutes, but also by independent judicial review of subpoenas prior to potential judicial enforcement. See, e.g., Fed. R. Civ. P. 45. Agencies may seek access only to data that is relevant to matters within their scope of authority to regulate. Further, a recipient of an administrative subpoena may challenge the enforcement of that subpoena in court by presenting evidence that the agency has not acted in accordance with basic standards of reasonableness, as discussed earlier.
There are other legal bases for companies to challenge data requests from administrative agencies based on their specific industries and the types of data they possess. For example, financial institutions can challenge administrative subpoenas seeking certain types of information as violations of the Bank Secrecy Act and its implementing regulations. See 31 U.S.C. § 5318, 31 C.F.R. Part X. Other businesses can rely on the Fair Credit Reporting Act, see 15 U.S.C. § 1681b, or a host of other sector specific laws. Misuse of an agency's subpoena authority can result in agency liability, or personal liability for agency officers. See, e.g., Right to Financial Privacy Act, 12 U.S.C. §§ 3401–3422. Courts in the United States thus stand as the guardians against improper regulatory requests and provide independent oversight of federal agency actions.
Finally, any statutory power that administrative authorities have to physically seize records from a company in the United States pursuant to an administrative search must meet the requirements of the Fourth Amendment. See See v. City of Seattle, 387 U.S. 541 (1967).
Conclusion
All law enforcement and regulatory activities in the United States must conform to applicable law, including the U.S. Constitution, statutes, rules, and regulations. Such activities must also comply with applicable policies, including any Attorney General Guidelines governing federal law enforcement activities. The legal framework described above limits the ability of U.S. law enforcement and regulatory agencies to acquire information from corporations in the United States — whether the information concerns U.S. persons or citizens of foreign countries — and in addition permits judicial review of any government requests for data pursuant to these authorities.
Sincerely,
Bruce C. Swartz
Deputy Assistant Attorney General and Counselor for International Affairs
(1) This overview does not describe the national security investigative tools used by law enforcement in terrorism and other national security investigations, including National Security Letters (NSLs) for certain record information in credit reports, financial records, and electronic subscriber and transaction records, see 12 U.S.C. § 3414; 15 U.S.C. § 1681u; 15 U.S.C. § 1681v; 18 U.S.C. § 2709, and for electronic surveillance, search warrants, business records, and other collection of communications pursuant to the Foreign Intelligence Surveillance Act, see 50 U.S.C. § 1801 et seq.
(2) This paper discusses federal law enforcement and regulatory authorities; violations of state law are investigated by states and are tried in state courts. State law enforcement authorities use warrants and subpoenas issued under state law in essentially the same manner as described herein, but with the possibility that state legal process may be subject to protections provided by State constitutions that exceed those of the U.S. Constitution. State law protections must be at least equal to those of the U.S. Constitution, including but not limited to the Fourth Amendment.