- The Commission’s analysis shows that U.S. law contains a number of limitations on the access and use of personal data transferred under the EU-U.S. Privacy Shield for national security purposes as well as oversight and redress mechanisms that provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse[1]. Since 2013, when the Commission issued its two Communications (see recital 7), this legal framework has been significantly strengthened, as described below.
3.1.1. Limitations
- Under the U.S. Constitution, ensuring national security falls within the President’s authority as Commander in Chief, as Chief Executive and, as regards foreign intelligence, to conduct U.S. foreign affairs[2]. While Congress has the power to impose limitations and has done so in various respects, within these boundaries the President may direct the activities of the U.S. Intelligence Community, in particular through Executive Orders or Presidential Directives. This of course also applies in those areas where no Congressional guidance exists. At present, the two central legal instruments in this regard are Executive Order 12333 (‘E.O. 12333’)[3] and Presidential Policy Directive 28.
- Presidential Policy Directive 28 (‘PPD-28’), issued on 17 January 2014, imposes a number of limitations for ‘signals intelligence’ operations[4]. This presidential directive has binding force for U.S. intelligence authorities[5] and remains effective upon a change in the U.S. Administration[6]. PPD-28 is of particular importance for non-US persons, including EU data subjects. Among others, it stipulates that:
- the collection of signals intelligence must be based on statute or Presidential authorisation, and must be undertaken in accordance with the U.S. Constitution (in particular the Fourth Amendment) and U.S. law;
- all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside;
- all persons have legitimate privacy interests in the handling of their personal information;
- privacy and civil liberties shall be integral considerations in the planning of U.S. signals intelligence activities;
- U.S. signals intelligence activities must, therefore, include appropriate safeguards for the personal information of all individuals, regardless of their nationality or where they might reside.
- PPD-28 directs that signals intelligence may be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purpose (e.g. to afford a competitive advantage to U.S. companies). In this regard, the ODNI explains that Intelligence Community elements ‘should require that, wherever practicable, the collection should be focused on specific foreign intelligence targets or topics through the use of discriminants (e.g. specific facilities, selection terms and identifiers)’[7]. Furthermore, the representations provide assurance that decisions about intelligence collection are not left to the discretion of individual intelligence agents, but are subject to the policies and procedures that the various U.S. Intelligence Community elements (agencies) are required to put in place to implement PPD-28[8]. Accordingly, the research and determination of appropriate selectors take place within the overall ‘National Intelligence Priorities Framework’ (NIPF), which ensures that intelligence priorities are set by high-level policymakers and regularly reviewed to remain responsive to actual national security threats, taking into account possible risks, including privacy risks[9]. On this basis, agency personnel research and identify specific selection terms expected to collect foreign intelligence responsive to the priorities[10]. Selection terms, or ‘selectors’, must be regularly reviewed to see if they still provide valuable intelligence in line with the priorities[11].
- Furthermore, the requirements stipulated in PPD-28 that intelligence collection shall always[12] be ‘as tailored as feasible’, and that the Intelligence Community shall prioritise the availability of other information and appropriate and feasible alternatives[13], reflect a general rule of prioritisation of targeted over the bulk collection. According to the assurance provided by the ODNI, they ensure in particular that bulk collection is neither ‘mass’ nor ‘indiscriminate’ and that the exception does not swallow the rule[14].
- While PPD-28 explains that Intelligence Community elements must sometimes collect bulk signals intelligence in certain circumstances, for instance in order to identify and assess new or emerging threats, it directs these elements to prioritise alternatives that would allow the conduct of targeted signals intelligence[15]. It follows that bulk collection will only occur where targeted collection via the use of discriminants — i.e. an identifier associated with a specific target (such as the target’s e-mail address or phone number) — is not possible ‘due to technical or operational considerations’ [16]. This applies both to the manner in which signals intelligence is collected and to what is actually collected.
- According to the representations from the ODNI, even where the Intelligence Community cannot use specific identifiers to target collection, it will seek to narrow the collection ‘as much as possible’. In order to ensure this, it ‘applies filters and other technical tools to focus the collection on those facilities that are likely to contain communications of foreign intelligence value’ (and thus will be responsive to requirements articulated by U.S. policy-makers pursuant to the process described above in recital 70). As a consequence, the bulk collection will be targeted in at least two ways: First, it will always relate to specific foreign intelligence objectives (e.g. to acquire signals intelligence about the activities of a terrorist group operating in a particular region) and focus collection on communications that have such a nexus. According to the assurance provided by the ODNI, this is reflected in the fact that the ‘United States’ signals intelligence activities touch only a fraction of the communications traversing the internet’[17]. Second, the ODNI representations explain that the filters and other technical tools used will be designed to focus the collection ‘as precisely as possible’ in order to ensure that the amount of ‘non-pertinent information’ collected will be minimised.
- Finally, even where the United States considers it necessary to collect signals intelligence in bulk, under the conditions set out in recitals 70-73, PPD-28 limits the use of such information to a specific list of six national security purposes with a view to protect the privacy and civil liberties of all persons, whatever their nationality and place of residence[18]. These permissible purposes comprise measures to detect and counter threats stemming from espionage, terrorism, weapons of mass destruction, threats to cybersecurity, to the Armed Forces or military personnel, as well as transnational criminal threats related to the other five purposes, and will be reviewed at least on an annual basis. According to the representations by the U.S. government, Intelligence Community elements have reinforced their analytic practices and standards for querying unevaluated signals intelligence to conform with these requirements; the use of targeted queries ‘ensures that only those items believed to be of potential intelligence value are ever presented to analysts to examine’[19].
- These limitations are particularly relevant to personal data transferred under the EU-U.S. Privacy Shield, in particular in case collection of personal data were to take place outside the United States, including during their transit on the transatlantic cables from the Union to the United States. As confirmed by the U.S. authorities in the representations of the ODNI, the limitations and safeguards set out therein — including those of PPD-28 — apply to such collection[20].
- Although not phrased in those legal terms, these principles capture the essence of the principles of necessity and proportionality. The targeted collection is clearly prioritised, while the bulk collection is limited to (exceptional) situations where targeted collection is not possible for technical or operational reasons. Even where the bulk collection cannot be avoided, further ‘use’ of such data through access is strictly limited to specific, legitimate national security purposes[21].
- As a directive issued by the President as the Chief Executive, these requirements bind the entire Intelligence Community and have been further implemented through agency rules and procedures that transpose the general principles into specific directions for day-to-day operations. Moreover, while Congress is itself not bound by PPD-28, it has also taken steps to ensure that collection and access of personal data in the United States are targeted rather than carried out ‘on a generalised basis’.
- It follows from the available information, including the representations received from the U.S. government, that once the data has been transferred to organisations located in the United States and self-certified under the EU-U.S. Privacy Shield, U.S. intelligence agencies may only[22] seek personal data where their request complies with the Foreign Intelligence Surveillance Act (FISA) or is made by the Federal Bureau of Investigation (FBI) based on a so-called National Security Letter (NSL)[23]. Several legal bases exist under FISA that may be used to collect (and subsequently process) the personal data of EU data subjects transferred under the EU-U.S. Privacy Shield. Aside from Section 104 FISA[24] covering traditional individualised electronic surveillance and Section 402 FISA[25] on the installation of pen registers or trap and trace devices, the two central instruments are Section 501 FISA (ex-Section 215 U.S. PATRIOT ACT) and Section 702 FISA[26].
- In this respect, the USA FREEDOM Act, which was enacted on 2 June 2015, prohibits the collection in bulk of records based on Section 402 FISA (pen register and trap and trace authority), Section 501 FISA (formerly: Section 215 of the U.S. PATRIOT ACT)[27] and through the use of NSL, and instead requires the use of specific ‘selection terms’[28].
- While the FISA contains further legal authorisations to carry out national intelligence activities, including signals intelligence, the Commission’s assessment has shown that insofar as personal data to be transferred under the EU-U.S. Privacy Shield are concerned, these authorities equally restrict interference by public authorities to targeted collection and access.
- This is clear for traditional individualised electronic surveillance under Section 104 FISA[29]. As for Section 702 FISA, which provides the basis for two important intelligence programs run by the U.S. intelligence agencies (PRISM, UPSTREAM), searches are carried out in a targeted manner through the use of individual selectors that identify specific communications facilities, like the target’s e-mail address or telephone number, but not keywords or even the names of targeted individuals[30]. Therefore, as noted by the Privacy and Civil Liberties Oversight Board (PCLOB), Section 702 surveillance ‘consists entirely of targeting specific [non-U.S.] persons about whom an individualised determination has been made’[31]. Due to a ‘sunset’ clause, Section 702 FISA will have to be reviewed in 2017, at which time the Commission will have to reassess the safeguards available to EU data subjects.
- Moreover, in its representations, the U.S. government has given the European Commission explicit assurance that the U.S. Intelligence Community ‘does not engage in indiscriminate surveillance of anyone, including ordinary European citizens’[32]. As regards personal data collected within the United States, this statement is supported by empirical evidence which shows that access requests through NSL and under FISA, both individually and together, only concern a relatively small number of targets when compared to the overall flow of data on the internet[33].
- As regards access to collected data and data security, PPD-28 requires that access ‘shall be limited to authorized personnel with a need to know the information to perform their mission’ and that personal information ‘shall be processed and stored under conditions that provide adequate protection and prevent access by unauthorized persons, consistent with the applicable safeguards for sensitive information’. Intelligence personnel receive appropriate and adequate training in the principles set forth in PPD-28[34].
- Finally, as regards the storage and further dissemination of personal data from EU data subjects collected by U.S. intelligence authorities, PPD-28 states that all persons (including non-U.S. persons) should be treated with dignity and respect, that all persons have legitimate privacy interests in the handling of their personal data and that Intelligence Community elements, therefore, have to establish policies providing appropriate safeguards for such data ‘reasonably designed to minimize the[ir] dissemination and retention’[35].
- The U.S. government has explained that this reasonableness requirement signifies that Intelligence Community elements will not have to adopt ‘any measure theoretically possible’, but will need to ‘balance their efforts to protect legitimate privacy and civil liberties interests with the practical necessities of signals intelligence activities’[36]. In this respect, non-U.S. persons will be treated in the same way as U.S. persons, based on procedures approved by the Attorney-General[37].
- According to these rules, retention is generally limited to a maximum of five years, unless there is a specific determination in law or an express determination by the Director of National Intelligence after careful evaluation of privacy concerns — taking into account the views of the ODNI Civil Liberties Protection Officer as well as agency privacy and civil liberties officials — that continued retention is in the interest of national security[38]. Dissemination is limited to cases where the information is relevant to the underlying purpose of the collection and thus responsive to an authorised foreign intelligence or law enforcement requirement[39].
- According to the assurances given by the U.S. government, personal information may not be disseminated solely because the individual concerned is a non-U.S. person and ‘signals intelligence about the routine activities of a foreign person would not be considered foreign intelligence that could be disseminated or retained permanently by virtue of that fact alone unless it is otherwise responsive to an authorized foreign intelligence requirement’[40].
- On the basis of all of the above, the Commission concludes that there are rules in place in the United States designed to limit any interference for national security purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the United States under the EU-U.S. Privacy Shield to what is strictly necessary to achieve the legitimate objective in question.
- As the above analysis has shown, U.S. law ensures that surveillance measures will only be employed to obtain foreign intelligence information — which is a legitimate policy objective[41] — and be tailored as much as possible. In particular, the bulk collection will only be authorised exceptionally where the targeted collection is not feasible and will be accompanied by additional safeguards to minimise the amount of data collected and subsequent access (which will have to be targeted and only be allowed for specific purposes).
- In the Commission’s assessment, this conforms with the standard set out by the Court of Justice in the Schrems judgment, according to which legislation involving interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter must impose ‘minimum safeguards’[42] and ‘is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail’[43]. Neither will there be unlimited collection and storage of data of all persons without any limitations, nor unlimited access. Moreover, the representations provided to the Commission, including the assurance that U.S. signals intelligence activities touch only a fraction of the communications traversing the internet, exclude that there would be access ‘on a generalised basis’[44] to the content of electronic communications.
3.1.2. Effective legal protection
- The Commission has assessed both the oversight mechanisms that exist in the United States with regard to any interference by U.S. intelligence authorities with personal data transferred to the United States and the avenues available for EU data subjects to seek individual redress.
Oversight
- The U.S. intelligence community is subject to various review and oversight mechanisms that fall within the three branches of the State. These include internal and external bodies within the executive branch, a number of Congressional Committees, as well as judicial supervision, the latter specifically with respect to activities under the Foreign Intelligence Surveillance Act.
- First, intelligence activities by U.S. authorities are subject to extensive oversight from within the executive branch.
- According to PPD-28, Section 4(a)(iv), the policies and procedures of Intelligence Community elements ‘shall include appropriate measures to facilitate oversight over the implementation of safeguards protecting personal information’; these measures should include periodic auditing[45].
- Multiple oversight layers have been put in place in this respect, including civil liberties or privacy officers, Inspector Generals, the ODNI Civil Liberties and Privacy Office, the PCLOB, and the President’s Intelligence Oversight Board. These oversight functions are supported by compliance staff in all the agencies[46].
- As explained by the U.S. government[47], civil liberties or privacy officers with oversight responsibilities exist at various departments with intelligence responsibilities and intelligence agencies[48]. While the specific powers of these officers may vary somewhat depending on the authorising statute, they typically encompass the supervision of procedures to ensure that the respective department/agency is adequately considering privacy and civil liberties concerns and has put in place adequate procedures to address complaints from individuals who consider that their privacy or civil liberties have been violated (and in some cases, like the ODNI, may themselves have the power to investigate complaints[49]). The head of the department/agency, in turn, has to ensure that the officer receives all the information and is given access to all material necessary to carry out his functions. Civil liberties and privacy officers periodically report to Congress and the PCLOB, including on the number and nature of the complaints received by the department/agency and a summary of the disposition of such complaints, the reviews and inquiries conducted and the impact of the activities carried out by the officer[50]. According to the assessment by the national data protection authorities, the internal oversight exercised by the civil liberties or privacy officers can be considered as ‘fairly robust’, even though in their view they do not meet the required level of independence[51].
- In addition, each Intelligence Community element has its own Inspector General with responsibility, among others, to oversee foreign intelligence activities[52]. This includes, within the ODNI, an Office of the Inspector General with comprehensive jurisdiction over the entire Intelligence Community and authorised to investigate complaints or information concerning allegations of unlawful conduct, or abuse of authority, in connection with ODNI and/or Intelligence Community programs and activities[53]. Inspectors General are statutorily independent[54] units responsible for conducting audits and investigations relating to the programs and operations carried out by the respective agency for national intelligence purposes, including for abuse or violation of the law[55]. They are authorised to have access to all records, reports, audits, reviews, documents, papers, recommendations or other relevant material, if need be by subpoena, and may take testimony[56]. While the Inspectors General can only issue non-binding recommendations for corrective action, their reports, including on follow-up action (or the lack thereof), are made public and moreover sent to Congress, which can on this basis exercise its oversight function[57].
- Furthermore, the Privacy and Civil Liberties Oversight Board, an independent agency[58] within the executive branch composed of a bipartisan, five-member Board[59] appointed by the President for a fixed six-year term with Senate approval, is entrusted with responsibilities in the field of counterterrorism policies and their implementation, with a view to protect privacy and civil liberties. In its review of Intelligence Community action, it may access all relevant agency records, reports, audits, reviews, documents, papers and recommendations, including classified information, conduct interviews and hear testimony. It receives reports from the civil liberties and privacy officers of several federal departments/agencies[60], may issue recommendations to them, and regularly reports to Congressional committees and the President[61]. The PCLOB is also tasked, within the confines of its mandate, to prepare a report assessing the implementation of PPD-28.
- Finally, the aforementioned oversight mechanisms are complemented by the Intelligence Oversight Board established within the President’s Intelligence Advisory Board which oversees compliance by U.S. intelligence authorities with the Constitution and all applicable rules.
- To facilitate the oversight, Intelligence Community elements are encouraged to design information systems to allow for the monitoring, recording and reviewing of queries or other searches of personal information[62]. Oversight and compliance bodies will periodically check the practices of Intelligence Community elements for protecting personal information contained in signals intelligence and their compliance with those procedures[63].
- These oversight functions are moreover supported by extensive reporting requirements with respect to non-compliance. In particular, agency procedures must ensure that, when a significant compliance issue occurs involving personal information of any person, regardless of nationality, collected through signals intelligence, such issue shall be promptly reported to the head of the Intelligence Community element, which in turn will notify the Director of National Intelligence who, under PPD-28, shall determine if any corrective actions are necessary[64]. Moreover, according to E.O. 12333, all Intelligence Community elements are required to report to the Intelligence Oversight Board on non-compliance incidents[65]. These mechanisms ensure that the issue will be addressed at the highest level in the Intelligence Community. Where it involves a non-U.S. person, the Director of National Intelligence, in consultation with the Secretary of State and the head of the notifying department or agency, shall determine whether steps should be taken to notify the relevant foreign government, consistent with the protection of sources and methods and of U.S. personnel[66].
- Second, in addition to these oversight mechanisms within the executive branch, the U.S. Congress, specifically the House and Senate Intelligence and Judiciary Committees, have oversight responsibilities regarding all U.S. foreign intelligence activities, including U.S. signals intelligence. According to the National Security Act, ‘[t]he President shall ensure that the congressional intelligence committees are kept fully and currently informed of the intelligence activities of the United States, including any significant anticipated intelligence activity as required by this subchapter’[67]. Also, ‘[t]he President shall ensure that any illegal intelligence activity is reported promptly to the congressional intelligence committees, as well as any corrective action that has been taken or is planned in connection with such illegal activity’[68]. Members of these committees have access to classified information as well as intelligence methods and programs[69].
- Later statutes have extended and refined the reporting requirements, both regarding the Intelligence Community elements, the relevant Inspector Generals and the Attorney-General. For instance, FISA requires the Attorney General to ‘fully inform’ the Senate and House Intelligence and Judiciary Committees regarding the government’s activities under certain sections of FISA[70]. It also requires the government to provide the Congressional committees with ‘copies of all decisions, orders, or opinions of the Foreign Intelligence Surveillance Court or Foreign Intelligence Surveillance Court of Review that include significant construction or interpretation’ of FISA provisions. In particular, as regards surveillance under Section 702 FISA, oversight is exercised through statutorily required reports to the Intelligence and Judiciary Committees, as well as frequent briefings and hearings. These include a semi-annual report by the Attorney General describing the use of Section 702 FISA, with supporting documents including notably the Department of Justice and ODNI compliance reports and a description of any incidents of non-compliance[71], and a separate semi-annual assessment by the Attorney General and the DNI documenting compliance with the targeting and minimization procedures, including compliance with the procedures designed to ensure that collection is for a valid foreign intelligence purpose[72]. Congress also receives reports by the Inspector Generals who are authorised to evaluate the agencies’ compliance with targeting and minimization procedures and Attorney General Guidelines.
- According to the USA FREEDOM Act of 2015, the U.S. government must disclose to Congress (and the public) each year the number of FISA orders and directives sought and received, as well as estimates of the number of U.S. and non-U.S. persons targeted by surveillance, among others[73]. The Act also requires additional public reporting about the number of NSL issued, again both with regard to U.S. and non-U.S. persons (while at the same time allowing the recipients of FISA orders and certifications, as well as NSL requests, to issue transparency reports under certain conditions)[74].
- Third, intelligence activities by U.S. public authorities based on FISA allow for review, and in some cases prior authorisation of the measures, by the FISA Court (FISC)[75], an independent tribunal[76] whose decisions can be challenged before the Foreign Intelligence Court of Review (FISCR)[77] and, ultimately, the Supreme Court of the United States[78]. In case of prior authorisation, the requesting authorities (FBI, NSA, CIA, etc.) will have to submit a draft application to lawyers at the National Security Department of the Department of Justice who will scrutinise it and, if necessary, request additional information[79]. Once the application has been finalised, it will have to be approved by the Attorney General, Deputy Attorney General or the Assistant Attorney General for National Security[80]. The Department of Justice will then submit the application to the FISC that will assess the application and make a preliminary determination on how to proceed[81]. Where a hearing takes place, the FISC has the authority to take testimony which may include expert advice[82].
- The FISC (and FISCR) is supported by a standing panel of five individuals that have an expertise in national security matters as well as civil liberties[83]. From this group, the court shall appoint an individual to serve as amicus curiae to assist in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court finds that such appointment is not appropriate[84]. This shall, in particular, ensure that privacy considerations are properly reflected in the court’s assessment. The court may also appoint an individual or organisation to serve as amicus curiae, including providing technical expertise, whenever it deems this appropriate or, upon motion, permit an individual or organisation leave to file an amicus curiae brief[85].
- As regards the two legal authorisations for surveillance under FISA that are most important for data transfers under the EU-U.S. Privacy Shield, oversight by the FISC differs.
- Under Section 501 FISA[86], which allows the collection of ‘any tangible things (including books, records, papers, documents, and other items)’, the application to the FISC must contain a statement of facts showing that there are reasonable grounds to believe that the tangible things sought for are relevant to an authorised investigation (other than a threat assessment) conducted to obtain foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities. Also, the application must contain an enumeration of the minimisation procedures adopted by the Attorney General for the retention and dissemination of the collected intelligence[87].
- Conversely, under Section 702 FISA[88], the FISC does not authorise individual surveillance measures; rather, it authorises surveillance programs (like PRISM, UPSTREAM) on the basis of annual certifications prepared by the Attorney General and the Director of National Intelligence. Section 702 FISA allows the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information[89]. Such targeting is carried out by the NSA in two steps: First, NSA analysts will identify non-U.S. persons located abroad whose surveillance will lead, based on the analysts’ assessment, to the relevant foreign intelligence specified in the certification. Second, once these individualised persons have been identified and their targeting has been approved by an extensive review mechanism within the NSA[90], selectors identifying communication facilities (such as e-mail addresses) used by the targets will be ‘tasked’ (i.e. developed and applied)[91]. As indicated, the certifications to be approved by the FISC contain no information about the individual persons to be targeted but rather identify categories of foreign intelligence information[92]. While the FISC does not assess — under a probable cause or any other standard — that individuals are properly targeted to acquire foreign intelligence information[93], its control extends to the condition that ‘a significant purpose of the acquisition is to obtain foreign intelligence information’[94]. Indeed, under Section 702 FISA, the NSA is allowed to collect communications of non-U.S. persons outside the U.S. only if it can be reasonably believed that a given means of communication is being used to communicate foreign intelligence information (e.g. related to international terrorism, nuclear proliferation or hostile cyber activities). Determinations to this effect are subject to judicial review[95]. Certifications also need to provide for targeting and minimization procedures[96]. The Attorney General and the Director of National Intelligence verify compliance and the agencies have the obligation to report any incidents of non-compliance to the FISC[97] (as well as the Congress and the President’s Intelligence Oversight Board), which on this basis can modify the authorisation[98].
- Furthermore, to increase the efficiency of the oversight by the FISC, the U.S. Administration has agreed to implement a recommendation by the PCLOB to supply to the FISC documentation of Section 702 targeting decisions, including a random sample of tasking sheets, so as to allow the FISC to assess how the foreign intelligence purpose requirement is being met in practice[99]. At the same time, the U.S. Administration accepted and has taken measures to revise NSA targeting procedures to better document the foreign intelligence reasons for targeting decisions[100].
Individual redress
- A number of avenues are available under U.S. law to EU data subjects if they have concerns whether their personal data have been processed (collected, accessed, etc.) by U.S. Intelligence Community elements, and if so, whether the limitations applicable in U.S. law have been complied with. These relate essentially to three areas: interference under FISA; unlawful, intentional access to personal data by government officials; and access to information under the Freedom of Information Act (FOIA)[101].
- First, the Foreign Intelligence Surveillance Act provides a number of remedies, available also to non-U.S. persons, to challenge unlawful electronic surveillance[102]. This includes the possibility for individuals to bring a civil cause of action for money damages against the United States when information about them has been unlawfully and willfully used or disclosed[103]; to sue U.S. government officials in their personal capacity (‘under colour of law’) for money damages[104]; and to challenge the legality of surveillance (and seek to suppress the information) in the event the U.S. government intends to use or disclose any information obtained or derived from electronic surveillance against the individual in judicial or administrative proceedings in the United States[105].
- Second, the U.S. government referred the Commission to a number of additional avenues that EU data subjects could use to seek legal recourse against government officials for unlawful government access to, or use of, personal data, including for purported national security purposes (i.e. the Computer Fraud and Abuse Act[106]; Electronic Communications Privacy Act[107]; and Right to Financial Privacy Act[108]). All of these causes of action concern specific data, targets and/or types of access (e.g. remote access of a computer via the internet) and are available under certain conditions (e.g. intentional/wilful conduct, conduct outside of official capacity, harm suffered)[109]. A more general redress possibility is offered by the Administrative Procedure Act (5 U.S.C. § 702), according to which ‘any person suffering legal wrong because of agency action, or adversely affected or aggrieved by agency action’, is entitled to seek judicial review. This includes the possibility to ask the court to ‘hold unlawful and set aside agency action, findings, and conclusions found to be […] arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law’[110].
- Finally, the U.S. government has pointed to the FOIA as a means for non-U.S. persons to seek access to existing federal agency records, including where these contain the individual’s personal data[111]. Given its focus, the FOIA does not provide an avenue for individual recourse against interference with personal data as such, even though it could in principle enable individuals to get access to relevant information held by national intelligence agencies. Even in this respect the possibilities appear to be limited as agencies may withhold information that falls within certain enumerated exceptions, including access to classified national security information and information concerning law enforcement investigations[112]. This being said, the use of such exceptions by national intelligence agencies can be challenged by individuals who can seek both administrative and judicial review.
- While individuals, including EU data subjects, therefore have a number of avenues of redress when they have been the subject of unlawful (electronic) surveillance for national security purposes, it is equally clear that at least some legal bases that U.S. intelligence authorities may use (e.g. E.O. 12333) are not covered. Moreover, even where judicial redress possibilities in principle do exist for non-U.S. persons, such as for surveillance under FISA, the available causes of action are limited[113] and claims brought by individuals (including U.S. persons) will be declared inadmissible where they cannot show ‘standing’[114], which restricts access to ordinary courts[115].
- In order to provide for an additional redress avenue accessible for all EU data subjects, the U.S. government has decided to create a new Ombudsperson Mechanism as set out in the letter from the U.S. Secretary of State to the Commission which is contained in Annex III to this decision. This mechanism builds on the designation, under PPD-28, of a Senior Coordinator (at the level of Under-Secretary) in the State Department as a contact point for foreign governments to raise concerns regarding U.S. signals intelligence activities, but goes significantly beyond this original concept.
- In particular, according to the commitments from the U.S. government, the Ombudsperson Mechanism will ensure that individual complaints are properly investigated and addressed and that individuals receive independent confirmation that U.S. laws have been complied with or, in case of a violation of such laws, the non-compliance has been remedied[116]. The Mechanism includes ‘the Privacy Shield Ombudsperson’, i.e. the Under-Secretary and further staff as well as other oversight bodies competent to oversee the different elements of the Intelligence Community on whose cooperation the Privacy Shield Ombudsperson will rely in dealing with complaints. In particular, where an individual’s request relates to the compatibility of surveillance with U.S. law, the Privacy Shield Ombudsperson will be able to rely on independent oversight bodies with investigatory powers (such as the Inspector-Generals or the PCLOB). In each case, the Secretary of State ensures that the Ombudsperson will have the means to ensure that its response to individual requests is based on all the necessary information.
- Through this ‘composite structure’, the Ombudsperson Mechanism guarantees independent oversight and individual redress. Moreover, the cooperation with other oversight bodies ensures access to the necessary expertise. Finally, by imposing an obligation on the Privacy Shield Ombudsperson to confirm compliance or remediation of any non-compliance, the mechanism reflects a commitment from the U.S. government as a whole to address and resolve a complaint from EU individuals.
- First, differently from a pure government-to-government mechanism, the Privacy Shield Ombudsperson will receive and respond to individual complaints. Such complaints can be addressed to the supervisory authorities in the Member States competent for the oversight of national security services and/or the processing of personal data by public authorities that will submit them to a centralised EU body from where they will be channelled to the Privacy Shield Ombudsperson[117]. This will, in fact, benefit EU individuals who can turn to a national authority ‘close to home’ and in their own language. It will be the task of such an authority to support the individual in making a request to the Privacy Shield Ombudsperson that contains the basic information and thus can be considered ‘complete’. The individual does not have to demonstrate that his/her personal data have in fact been accessed by the U.S. government through signals intelligence activities.
- Second, the U.S. government commits to ensure that, in carrying out its functions, the Privacy Shield Ombudsperson will be able to rely on the cooperation from other oversight and compliance review mechanisms existing in U.S. law. This will sometimes involve national intelligence authorities, in particular where the request is to be interpreted as one for access to documents under the Freedom of Information Act. In other cases, particularly when requests relate to the compatibility of surveillance with U.S. law, such cooperation will involve independent oversight bodies (e.g. Inspector Generals) with the responsibility and power to carry out a thorough investigation (in particular through access to all relevant documents and the power to request information and statements) and address non-compliance[118]. Also, the Privacy Shield Ombudsperson will be able to refer matters to the PCLOB for its consideration[119]. Where any non-compliance has been found by one of these oversight bodies, the Intelligence Community element (e.g. an intelligence agency) concerned will have to remedy the non-compliance, as only this will allow the Ombudsperson to provide a ‘positive’ response to the individual (i.e. that any non-compliance has been remedied) to which the U.S. government has committed. Also, as part of the cooperation, the Privacy Shield Ombudsperson will be informed of the outcome of the investigation, and the Ombudsperson will have the means to ensure that it receives all the information necessary to prepare its response.
- Finally, the Privacy Shield Ombudsperson will be independent of, and thus free from instructions by, the U.S. Intelligence Community[120]. This is of significant importance, given that the Ombudsperson will have to ‘confirm’ that (i) the complaint has been properly investigated and that (ii) relevant U.S. law — including in particular the limitations and safeguards set out in Annex VI — has been complied with or, in the event of non-compliance, such violation has been remedied. In order to be able to provide that independent confirmation, the Privacy Shield Ombudsperson will have to receive the necessary information regarding the investigation to assess the accuracy of the response to the complaint. In addition, the Secretary of State has committed to ensuring that the Under-Secretary will carry out the function as Privacy Shield Ombudsperson objectively and free from any improper influence liable to have an effect on the response to be provided.
- Overall, this mechanism ensures that individual complaints will be thoroughly investigated and resolved and that at least in the field of surveillance this will involve independent oversight bodies with the necessary expertise and investigatory powers and an Ombudsperson that will be able to carry out its functions free from improper, in particular political, influence. Moreover, individuals will be able to bring complaints without having to demonstrate, or just to provide indications, that they have been the object of surveillance[121]. In the light of these features, the Commission is satisfied that there are adequate and effective guarantees against abuse.
- On the basis of all the above, the Commission concludes that the United States ensures effective legal protection against interferences by its intelligence authorities with the fundamental rights of the persons whose data are transferred from the Union to the United States under the EU-U.S. Privacy Shield.
- In this respect, the Commission takes note of the Court of Justice’s judgment in the Schrems case according to which ‘legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter’[122]. The Commission’s assessment has confirmed that such legal remedies are provided for in the United States, including through the introduction of the Ombudsperson mechanism. The Ombudsperson mechanism provides for independent oversight with investigatory powers. In the framework of the Commission’s continuous monitoring of the Privacy Shield, including through the annual joint review which shall also involve the Ombudsperson, the effectiveness of this mechanism will be reassessed.
[1] See Schrems, paragraph 91.
[2] U.S. Const., Article II. See also the introduction to PPD-28.
[3] E.O. 12333: United States Intelligence Activities, Federal Register Vol. 40, No 235 (8 December 1981). To the extent that the Executive Order is publicly accessible, it defines the goals, directions, duties and responsibilities of U.S. intelligence efforts (including the role of the various Intelligence Community elements) and sets out the general parameters for the conduct of intelligence activities (in particular the need to promulgate specific procedural rules). According to Sec. 3.2 of E.O. 12333, the President, supported by the National Security Council, and the DNI shall issue such appropriate directives, procedures and guidance as are necessary to implement the order.
[4] According to E.O. 12333, the Director of the National Security Agency (NSA) is the Functional Manager for signals intelligence and shall operate a unified organization for signals intelligence activities.
[5] For the definition of the term ‘Intelligence Community’, see Sec. 3.5 (h) of E.O. 12333 with n. 1 of PPD-28.
[6] See Memorandum by the Office of Legal Counsel, Department of Justice (DOJ), to President Clinton, 29 January 2000. According to this legal opinion, presidential directives have the ‘same substantive legal effect as an Executive Order’.
[7] ODNI Representations (Annex VI), p. 3.
[8] See Sec. 4(b),(c) of PPD-28. According to public information, the 2015 review confirmed the existing six purposes. See ODNI, Signals Intelligence Reform, 2016 Progress Report.
[9] ODNI Representations (Annex VI), p. 6 (with reference to Intelligence Community Directive 204). See also Sec. 3 of PPD-28.
[10] ODNI Representations (Annex VI), p. 6. See, for instance, NSA Civil Liberties and Privacy Office (NSA CLPO), NSA’s Civil Liberties and Privacy Protections for Targeted SIGINT Activities under Executive Order 12333, 7 October 2014. See also ODNI Status Report 2014. For access requests under Sec. 702 FISA, queries are governed by the FISC-approved minimization procedures. See NSA CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014.
[11] See Signal Intelligence Reform, 2015 Anniversary Report. See also ODNI Representations (Annex VI), pp. 6, 8-9, 11.
[12] See ODNI Representations (Annex VI), p. 3.
[13] It should also be noted that, according to Sec. 2.4 of E.O. 12333, elements of the IC ‘shall use the least intrusive collection techniques feasible within the United States’. As regards the limitations for substituting all bulk collection with targeted collections, see the results of an assessment by the National Research Council as reported by the European Union Agency for Fundamental Rights, Surveillance by intelligence services: fundamental rights, safeguards and remedies in the EU (2015), p. 18.
[14] ODNI Representations (Annex VI), p. 4.
[15] See also Sec. 5(d) of PPD-28 which directs the Director of National Intelligence, in coordination with the heads of relevant Intelligence Community elements and the Office of Science and Technology Policy, to provide the President with a ‘report assessing the feasibility of creating software that would allow the Intelligence Community more easily to conduct targeted information acquisition rather than bulk collection.’ According to public information, the result of this report was that ‘there is no software-based alternative which will provide a complete substitute for bulk collection in the detection of some national security threats.’ See Signals Intelligence Reform, 2015 Anniversary Report.
[16] See footnote 68.
[17] ODNI Representations (Annex VI). This specifically addresses the concern expressed by the national data protection authorities in their opinion on the draft adequacy decision. See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 38 with n. 47.
[18] See Sec. 2 of PPD-28.
[19] ODNI Representations (Annex VI), p. 4. See also Intelligence Community Directive 203.
[20] ODNI Representations (Annex VI), p. 2. Likewise, the limitations stipulated in E.O. 12333 (e.g. the need for collected information to respond to intelligence priorities set by the President) apply.
[21] See Schrems, paragraph 93.
[22] In addition, the collection of data by the FBI may also be based on law enforcement authorizations (see Section 3.2 of this decision).
[23] For further explanations on the use of NSL see ODNI Representations (Annex VI), pp. 13-14 with n. 38. As indicated therein, the FBI may resort to NSLs only to request non-content information relevant to an authorized national security investigation to protect against international terrorism or clandestine intelligence activities. As regards data transfers under the EU-U.S. Privacy Shield, the most relevant legal authorization appears to be the Electronic Communications Privacy Act (18 U.S.C. § 2709), which requires that any request for subscriber information or transactional records uses a ‘term that specifically identifies a person, entity, telephone number, or account’.
[24] 50 U.S.C. § 1804. While this legal authority requires a ‘statement of the facts and circumstances relied upon by the applicant to justify his belief that (A) the target of the electronic surveillance is a foreign power or an agent of a foreign power’, the latter may include non-U.S. persons that engage in international terrorism or the international proliferation of weapons of mass destruction (including preparatory acts) (50 U.S.C. § 1801 (b)(1)). Still, there is only a theoretical link to personal data transferred under the EU-U.S. Privacy Shield, given that the statement of facts also has to justify the belief that ‘each of the facilities or places at which the electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power’. In any event, the use of this authority requires application to the FISC which will assess, among others, whether on the basis of the submitted facts there is probable cause that this is indeed the case.
[25] 50 U.S.C. § 1842 with § 1841(2) and Sec. 3127 of Title 18. This authority does not concern the contents of communications, but rather aims at information about the customer or subscriber using a service (such as name, address, subscriber number, length/type of service received, source/mechanism of payment). It requires an application for an order by the FISC (or a U.S. Magistrate Judge) and the use of a specific selection term in the sense of § 1841(4), i.e. a term that specifically identifies a person, account, etc. and is used to limit, to the greatest extent reasonably possible, the scope of the information sought.
[26] While Sec. 501 FISA (ex-Sec. 215 U.S. PATRIOT ACT) authorizes the FBI to request a court order aiming at the production of ‘tangible things’ (in particular telephone metadata, but also business records) for foreign intelligence purposes, Sec. 702 FISA allows US Intelligence Community elements to seek access to information, including the content of internet communications, from within the United States, but targeting certain non-U.S. persons outside the United States.
[27] Based on this provision, the FBI may request ‘tangible things’ (e.g. records, papers, documents) based on a showing to the Foreign Intelligence Surveillance Court (FISC) that there are reasonable grounds to believe that they are relevant to a specific FBI investigation. In carrying out its search, the FBI must use FISC-approved selection terms for which there is a ‘reasonable, articulable suspicion’ that such term is associated with one or more foreign powers or their agents engaged in international terrorism or activities in preparation therefore. See PCLOB, Sec. 215 Report, p. 59; NSA CLPO, Transparency Report: The USA Freedom Act Business Records FISA Implementation, 15 January 2016, pp. 4-6.
[28] ODNI Representations (Annex VI), p. 13 (n. 38).
[29] See footnote 81.
[30] PCLOB, Sec. 702 Report, pp. 32-33 with further references. According to its privacy office, the NSA must verify that there is a connection between the target and the selector, must document the foreign intelligence information expected to be acquired, this information must be reviewed and approved by two senior NSA analysts, and the overall process will be tracked for subsequent compliance reviews by the ODNI and Department of Justice. See NSA CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014.
[31] PCLOB, Sec. 702 Report, p. 111. See also ODNI Representations (Annex VI), p. 9 (‘Collection under Section 702 of the [FISA] is not “mass and indiscriminate” but is narrowly focused on the collection of foreign intelligence from individually identified legitimate targets’) and p. 13, n. 36 (with reference to a 2014 FISC Opinion); NSA CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014. Even in the case of UPSTREAM, the NSA may only request the interception of electronic communications to, from, or about tasked selectors.
[32] ODNI Representations (Annex VI), p. 18. See also p. 6, according to which the applicable procedures ‘demonstrate a clear commitment to prevent arbitrary and indiscriminate collection of signals intelligence information, and to implement — from the highest levels of our Government — the principle of reasonableness.’
[33] See Statistical Transparency Report Regarding Use of National Security Authorities, 22 April 2015. For the overall flow of data on the internet, see for example Fundamental Rights Agency, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU (2015), at pp. 15-16. As regards the UPSTREAM program, according to a declassified FISC opinion of 2011, over 90 % of the electronic communications acquired under Sec. 702 FISA came from the PRISM program, whereas less than 10 % came from UPSTREAM. See FISC, Memorandum Opinion, 2011 WL 10945618 (FISA Ct., 3.10.2011), n. 21 (available at: http://www.dni.gov/files/documents/0716/October-2011-Bates-Opinion-and%20Order-20140716.pdf).
[34] See Sec. 4(a)(ii) of PPD-28. See also ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, July 2014, p. 5, according to which ‘Intelligence Community element policies should reinforce existing analytic practices and standards whereby analysts must seek to structure queries or other search terms and techniques to identify intelligence information relevant to a valid intelligence or law enforcement task; focus queries about persons on the categories of intelligence information responsive to an intelligence or law enforcement requirement; and minimize the review of personal information not pertinent to intelligence or law enforcement requirements.’ See e.g. CIA, Signals Intelligence Activities, p. 5; FBI, Presidential Policy Directive 28 Policies and Procedures, p. 3. According to the 2016 Progress Report on the Signals Intelligence Reform, IC elements (including the FBI, CIA and NSA) have taken steps to sensitise their personnel to the requirements of PPD-28 by creating new or modifying existing training policies.
[35] According to the ODNI Representations, these restrictions apply regardless of whether the information was collected in bulk or through targeted collection, and of the individual’s nationality.
[36] See ODNI Representations (Annex VI).
[37] See Sec. 4(a)(i) of PPD-28 with Sec. 2.3 of E.O. 12333.
[38] Sec. 4(a)(i) of PPD-28; ODNI Representations (Annex VI), p. 7. For instance, for personal information collected under Sec. 702 FISA, the NSA’s FISC-approved minimization procedures foresee as a rule that the metadata and unevaluated content for PRISM is retained for no more than five years, whereas UPSTREAM data is retained for no more than two years. The NSA complies with these storage limits through an automated process that deletes collected data at the end of the respective retention period. See NSA Sec. 702 FISA Minimization Procedures, Sec. 7 with Sec. 6(a)(1); NSA CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014. Likewise, retention under Sec. 501 FISA (ex-Sec. 215 U.S. PATRIOT ACT) is limited to five years, unless the personal data form part of properly approved dissemination of foreign intelligence information or the DOJ advises the NSA in writing that the records are subject to a preservation obligation in pending or anticipated litigation. See NSA, CLPO, Transparency Report: The USA Freedom Act Business Records FISA Implementation, 15 January 2016.
[39] In particular, in case of Sec. 501 FISA (ex-Sec. 215 U.S. PATRIOT ACT), dissemination of personal information may take place only for counterterrorism purposes or as evidence of a crime; in case of Sec. 702 FISA only if there is a valid foreign intelligence or law enforcement purpose. Cf. NSA, CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014; Transparency Report: The USA Freedom Act Business Records FISA Implementation, 15 January 2016. See also NSA’s Civil Liberties and Privacy Protections for Targeted SIGINT Activities under Executive Order 12333, 7 October 2014.
[40] ODNI Representations (Annex VI), p. 7 (with reference to Intelligence Community Directive (ICD) 203).
[41] The Court of Justice has clarified that national security constitutes a legitimate policy objective. See Schrems, paragraph 88. See also Digital Rights Ireland and Others, paragraphs 42-44 and 51, in which the Court of Justice considered that the fight against serious crime, in particular organised crime and terrorism, may depend to a large extent on the use of modern investigation techniques. Moreover, unlike for criminal investigations that typically concern the retrospective determination of responsibility and guilt for past conduct, intelligence activities often focus on preventing threats to national security before harm has occurred. Therefore, such investigations may often have to cover a broader range of possible actors (‘targets’) and a wider geographic area. Cf. ECtHR, Weber and Saravia v Germany, Decision of 29 June 2006, Application no. 54934/00, paragraphs 105-118 (on so-called ‘strategic monitoring’).
[42] Schrems, paragraph 91, with further references.
[43] Schrems, paragraph 93.
[44] Cf. Schrems, paragraph 94.
[45] ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, p. 7. See e.g. CIA, Signals Intelligence Activities, p. 6 (Compliance); FBI, Presidential Policy Directive 28 Policies and Procedures, Sec. III (A)(4), (B)(4); NSA, PPD-28 Section 4 Procedures, 12 January 2015, Sec. 8.1, 8.6(c).
[46] For instance, the NSA employs more than 300 compliance staff in the Directorate for Compliance. See ODNI Representations (Annex VI), p. 7.
[47] See Ombudsperson Mechanism (Annex III), Sec. 6(b) (i) to (iii).
[48] See 42 U.S.C. § 2000ee-1. This includes for instance the Department of State, the Department of Justice (including the FBI), the Department of Homeland Security, the Department of Defense, the NSA, CIA and the ODNI.
[49] According to the U.S. government, if the ODNI Civil Liberties and Privacy Office receives a complaint, it will also coordinate with other Intelligence Community elements on how that complaint should be further processed within the IC. See Ombudsperson Mechanism (Annex III), Sec. 6(b)(ii).
[50] See 42 U.S.C. § 2000ee-1 (f)(1),(2).
[51] Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 41.
[52] ODNI Representations (Annex VI), p. 7. See e.g. NSA, PPD-28 Section 4 Procedures, 12 January 2015, Sec. 8.1; CIA, Signals Intelligence Activities, p. 7 (Responsibilities).
[53] This Inspector General (IG) (which was created in October 2010) is appointed by the President, with Senate confirmation, and can be removed only by the President, not the DNI.
[54] These IGs have secure tenure and may only be removed by the President who must communicate to Congress in writing the reasons for any such removal. This does not necessarily mean that they are completely free from instructions. In some cases, the head of the department may prohibit the Inspector General from initiating, carrying out, or completing an audit or investigation where this is considered necessary to preserve important national (security) interests. However, Congress must be informed of the exercise of this authority and on this basis could hold the respective director responsible. See, e.g. Inspector General Act of 1978, § 8 (IG of the Department of Defense); § 8E (IG of the DOJ), § 8G (d)(2)(A),(B) (IG of the NSA); 50 U.S.C. § 403q (b) (IG for the CIA); Intelligence Authorization Act For Fiscal Year 2010, Sec. 405(f) (IG for the Intelligence Community). According to the assessment by the national data protection authorities, the Inspector-Generals ‘are likely to meet the criterion for organisational independence as defined by the CJEU and the European Court of Human Rights (ECtHR), at least from the moment the new nomination process applies to all.’ See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 40.
[55] See ODNI Representations (Annex VI), p. 7. See also Inspector General Act of 1978, as amended, Pub. L. 113-126 of 7 July 2014.
[56] See Inspector General Act of 1978, § 6.
[57] See ODNI Representations (Annex VI), p. 7. See also Inspector General Act of 1978, §§ 4(5), 5. According to Sec. 405(b)(3),(4) of the Intelligence Authorization Act For Fiscal Year 2010, Pub. L. 111-259 of 7 October 2010, the IG for the Intelligence Community will keep the DNI as well as Congress informed of the necessity for, and the progress of, corrective actions.
[58] According to the assessment by the national data protection authorities, the PCLOB has in the past ‘demonstrated its independent powers’. See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 42.
[59] In addition, the PCLOB employs some 20 regular staff. See https://www.pclob.gov/about-us/staff.html.
[60] These include at least the Department of Justice, the Department of Defense, the Department of Homeland Security, the Director of National Intelligence and the Central Intelligence Agency, plus any other department, agency or element of the executive branch designated by the PCLOB to be appropriate for coverage.
[61] See 42 U.S.C. § 2000ee. See also Ombudsperson Mechanism (Annex III), Sec. 6(b) (iv). Among others, the PCLOB is required to report when an Executive Branch agency declines to follow its advice.
[62] ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, pp. 7-8.
[63] Id. at p. 8. See also ODNI Representations (Annex VI), p. 9.
[64] ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, p. 7. See, e.g. NSA, PPD-28 Section 4 Procedures, 12 January 2015, Sec. 7.3, 8.7(c),(d); FBI, Presidential Policy Directive 28 Policies and Procedures, Sec. III.(A)(4), (B)(4); CIA, Signals Intelligence Activities, p. 6 (Compliance) and p. 8 (Responsibilities).
[65] See E.O. 12333, Sec. 1.6(c).
[66] PPD-28, Sec. 4(a)(iv).
[67] See Sec. 501(a)(1) (50 U.S.C. § 413(a)(1)). This provision contains the general requirements as regards Congressional oversight in the area of national security.
[68] See Sec. 501(b) (50 U.S.C. § 413(b)).
[69] Cf. Sec. 501(d) (50 U.S.C. § 413(d)).
[70] See 50 U.S.C. §§ 1808, 1846, 1862, 1871, 1881f.
[71] See 50 U.S.C. § 1881f.
[72] See 50 U.S.C. § 1881a(l)(1).
[73] See USA FREEDOM Act of 2015, Pub. L. No 114-23, Sec. 602(a). In addition, according to Sec 402, ‘the Director of National Intelligence, in consultation with the Attorney General, shall conduct a declassification review of each decision, order, or opinion issued by the Foreign Intelligence Surveillance Court or the Foreign Intelligence Surveillance Court of Review (as defined in section 601(e)) that includes a significant construction or interpretation of any provision of law, including any novel or significant construction or interpretation of the term “specific selection term”, and, consistent with that review, make publicly available to the greatest extent practicable each such decision, order, or opinion.’
[74] USA FREEDOM Act, Sec. 602(a), 603(a).
[75] For certain types of surveillance, alternatively a U.S. Magistrate Judge publicly designated by the Chief Justice of the United States may have the power to hear applications and grant orders.
[76] The FISC is comprised of eleven judges appointed by the Chief Justice of the United States from among sitting U.S. district court judges, who previously have been appointed by the President and confirmed by the Senate. The judges, who have life tenure and can only be removed for good cause, serve on the FISC for staggered seven-year terms. FISA requires that the judges be drawn from at least seven different U.S. judicial circuits. See Sec. 103 FISA (50 U.S.C. § 1803(a)); PCLOB, Sec. 215 Report, pp. 174-187. The judges are supported by experienced judicial law clerks that constitute the court’s legal staff and prepare legal analysis on collection requests. See PCLOB, Sec. 215 Report, p. 178; Letter from the Honourable Reggie B. Walton, Presiding Judge, U.S. Foreign Intelligence Surveillance Court, to the Honourable Patrick J. Leahy, Chairman, Committee on the Judiciary, U.S. Senate (July 29, 2013) (‘Walton Letter’), pp. 2-3.
[77] The FISCR is composed of three judges appointed by the Chief Justice of the United States and drawn from U.S. district courts or courts of appeals, serving for a staggered seven-year term. See Sec. 103 FISA (50 U.S.C. § 1803(b)).
[78] See 50 U.S.C. §§ 1803(b), 1861a(f), 1881a(h), 1881a(i)(4).
[79] For instance, additional factual details about the target of the surveillance, technical information about the surveillance methodology, or assurances about how the information acquired will be used and disseminated. See PCLOB, Sec. 215 Report, p. 177.
[80] 50 U.S.C. §§ 1804 (a), 1801 (g).
[81] The FISC may approve the application, request further information, determine the necessity of a hearing or indicate a possible denial of the application. On the basis of this preliminary determination, the government will make its final application. The latter may include substantial changes to the original application on the basis of the judge’s preliminary comments. Although a large percentage of final applications are approved by the FISC, a substantial part of these contain substantive changes to the original application, e.g. 24 % of applications approved for the period from July to September 2013. See PCLOB, Sec. 215 Report, p. 179; Walton Letter, p. 3.
[82] PCLOB, Sec. 215 Report, p. 179, n. 619.
[83] 50 U.S.C. § 1803 (i)(1),(3)(A). This new legislation implemented recommendations by the PCLOB to establish a pool of privacy and civil liberties experts that can serve as amicus curiae, in order to provide the court with legal arguments to the advancement of privacy and civil liberties. See PCLOB, Sec. 215 Report, pp. 183-187.
[84] 50 U.S.C. § 1803 (i)(2)(A). According to information by the ODNI, such appointments have already taken place. See Signals Intelligence Reform, 2016 Progress Report.
[85] 50 U.S.C. § 1803 (i)(2)(B).
[86] 50 U.S.C. § 1861.
[87] 50 U.S.C. § 1861 (b).
[88] 50 U.S.C. § 1881.
[89] 50 U.S.C. § 1881a (a).
[90] PCLOB, Sec. 702 Report, p. 46.
[91] 50 U.S.C. § 1881a (h).
[92] 50 U.S.C. § 1881a (g). According to the PCLOB, these categories have so far mainly concerned international terrorism and topics such as the acquisition of weapons of mass destruction. See PCLOB, Sec. 702 Report, p. 25.
[93] PCLOB, Sec. 702 Report, p. 27.
[94] 50 U.S.C. § 1881a.
[95] ‘Liberty and Security in a Changing World’, Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies, 12 December 2013, p. 152.
[96] 50 U.S.C. § 1881a(i).
[97] Rule 13(b) of the FISC Rules of Procedure requires the government to file a written notice with the Court immediately upon discovering that any authority or approval granted by the Court has been implemented in a manner that does not comply with the Court’s authorization or approval, or with applicable law. It also requires the government to notify the Court in writing of the facts and circumstances relevant to such non-compliance. Typically, the government will file a final Rule 13(a) notice once the relevant facts are known and any unauthorized collection has been destroyed. See Walton Letter, p. 10.
[98] 50 U.S.C. § 1881(l). See also PCLOB, Sec. 702 Report, pp. 66-76; NSA CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014. The collection of personal data for intelligence purposes under Sec. 702 FISA is subject to both internal and external oversight within the executive branch. Among others, the internal oversight includes internal compliance programs to evaluate and oversee compliance with targeting and minimization procedures; reporting of non-compliance incidents, both internally and externally to the ODNI, Department of Justice, Congress and the FISC; and annual reviews sent to the same bodies. As for external oversight, it mainly consists of targeting and minimization reviews conducted by the ODNI, DOJ and Inspectors General, which in turn report to Congress and the FISC, including on non-compliance incidents. Significant compliance incidents must be reported to the FISC immediately, others in a quarterly report. See PCLOB, Sec. 702 Report, pp. 66-77.
[99] PCLOB, Recommendations Assessment Report, 29 January 2015, p. 20.
[100] PCLOB, Recommendations Assessment Report, 29 January 2015, p. 16.
[101] In addition, Sec. 10 of the Classified Information Procedures Act provides that, in any prosecution in which the United States must establish that material constitutes classified information (e.g. because it requires protection against unauthorized disclosure for reasons of national security), the United States shall notify the defendant of the portions of the material that it reasonably expects to rely upon to establish the classified information element of the offense.
[102] See for the following ODNI Representations (Annex VI), p. 16.
[103] 18 U.S.C. § 2712.
[104] 50 U.S.C. § 1810.
[105] 50 U.S.C. § 1806.
[106] 18 U.S.C. § 1030.
[107] 18 U.S.C. §§ 2701-2712.
[108] 12 U.S.C. § 3417.
[109] ODNI Representations (Annex VI), p. 17.
[110] 5 U.S.C. § 706(2)(A).
[111] 5 U.S.C. § 552. Similar laws exist at State level.
[112] If this is the case, the individual will normally only receive a standard reply by which the agency declines either to confirm or deny the existence of any records. See ACLU v CIA, 710 F.3d 422 (D.C. Cir. 2014).
[113] See ODNI Representations (Annex VI), p. 16. According to the explanations provided, the available causes of action either require the existence of damage (18 U.S.C. § 2712; 50 U.S.C. § 1810) or a showing that the government intends to use or disclose information obtained or derived from electronic surveillance of the person concerned against that person in judicial or administrative proceedings in the United States (50 U.S.C. § 1806). However, as the Court of Justice has repeatedly stressed, to establish the existence of an interference with the fundamental right to privacy, it does not matter whether the person concerned has suffered any adverse consequences on account of that interference. See Schrems, paragraph 89 with further references.
[114] This admissibility criterion stems from the ‘case or controversy’ requirement of the U.S. Const., Article III.
[115] See Clapper v Amnesty Int’l USA, 133 S.Ct. 1138, 1144 (2013). As regards the use of NSLs, the USA FREEDOM Act (Sec. 502(f)-503) provides that non-disclosure requirements must be periodically reviewed, and that recipients of NSLs be notified when the facts no longer support a non-disclosure requirement (see ODNI Representations (Annex VI), p. 13). However, this does not ensure that the EU data subject would be informed that (s)he has been the target of an investigation.
[116] In case the complainant seeks access to documents held by U.S. public authorities, the rules and procedures set out in the Freedom of Information Act apply. This includes the possibility to seek judicial redress (rather than independent oversight) in case the request is rejected, under the conditions set out in the FOIA.
[117] According to the Ombudsperson Mechanism (Annex III), Sec. 4(f), the Privacy Shield Ombudsperson will communicate directly with the EU individual complaint handling body, which will in turn be responsible for communicating with the individual submitting the request. If direct communications are part of the ‘underlying processes’ that may provide the requested relief (e.g. a FOIA access request, see Sec. 5), those communications will take place in accordance with the applicable procedures.
[118] See Ombudsperson Mechanism (Annex III), Sec. 2(a). See also recitals 0-0.
[119] See Ombudsperson Mechanism (Annex III), Sec. 2(c). According to the explanations provided by the U.S. government, the PCLOB shall continually review the policies and procedures, as well as their implementation, of those U.S. authorities responsible for counterterrorism to determine whether their actions ‘appropriately protect privacy and civil liberties and are consistent with governing laws, regulations, and policies regarding privacy and civil liberties.’ It also shall ‘receive and review reports and other information from privacy officers and civil liberties officers and, when appropriate, make recommendations to them regarding their activities.’
[120] See Roman Zakharov v Russia, Judgment of 4 December 2015 (Grand Chamber), Application No 47143/06, paragraph 275 (‘although it is in principle desirable to entrust supervisory control to a judge, supervision by non-judicial bodies may be considered compatible with the Convention, provided that the supervisory body is independent of the authorities carrying out the surveillance and is vested with sufficient and effective oversight powers’).
[121] See Kennedy v the United Kingdom, Judgment of 18 May 2010, Application No 26839/05, paragraph 167.
[122] Schrems, paragraph 95. As is clear from paragraphs 91, 96 of the judgment, paragraph 95 concerns the level of protection guaranteed in the Union legal order, to which the level of protection in the third country must be ‘essentially equivalent’. According to paragraphs 73 and 74 of the judgment, this does not require that the level of protection or the means to which the third country has recourse must be identical, even though the means to be employed have to prove, in practice, effective.