Privacy Shield Framework, 51041-51074 [2016-17961]

Download as PDF Vol. 81 Tuesday, No. 148 August 2, 2016 Part III Department of Commerce mstockstill on DSK3G9T082PROD with NOTICES2 International Trade Administration Privacy Shield Framework; Notice VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\02AUN2.SGM 02AUN2 51042 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices DEPARTMENT OF COMMERCE International Trade Administration [Docket No. 160721646–6646–01] RIN 0625–XC022 Privacy Shield Framework International Trade Administration, Department of Commerce. ACTION: Notice of Availability of Privacy Shield Framework Documents. AGENCY: The International Trade Administration (ITA) is publishing this notice to announce the availability of the Privacy Shield Framework documents. The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with European Union data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. The Privacy Shield Framework documents published in this notice include the Privacy Shield Principles and Annex I describing the new arbitral model available under the Privacy Shield, letters from the Secretary of Commerce and Acting Under Secretary for International Trade describing the Department of Commerce’s administration of the Privacy Shield, letters from the Chairwoman of the Federal Trade Commission and Secretary of Transportation describing their enforcement of the Privacy Shield, a letter from the Secretary of State regarding the Privacy Shield Ombudsperson, two letters from the Office of the Director of National Intelligence regarding safeguards and limitations applicable to U.S. national security authorities, and a letter from the Department of Justice regarding safeguards and limitations on U.S. Government access for law enforcement and public interest purposes. DATES: The Department of Commerce will begin accepting self-certifications to the Privacy Shield on August 1, 2016. FOR FURTHER INFORMATION CONTACT: Shannon Coe, International Trade Administration, 202–482–6013 or Shannon.Coe@trade.gov. SUPPLEMENTARY INFORMATION: mstockstill on DSK3G9T082PROD with NOTICES2 SUMMARY: July 7, 2016 ˇ ´ Ms. Vera Jourova Commissioner for Justice, Consumers and Gender Equality European Commission Rue de la Loi/Westraat 200 1049 Brussels VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 Belgium ´ Dear Commissioner Jourova: On behalf of the United States, I am pleased to transmit herewith a package of EU-U.S. Privacy Shield materials that is the product of two years of productive discussions among our teams. This package, along with other materials available to the Commission from public sources, provides a very strong basis for a new adequacy finding by the European Commission.1 We should both be proud of the improvements to the Framework. The Privacy Shield is based on Principles that have strong consensus support on both sides of the Atlantic, and we have strengthened their operation. Through our work together, we have the real opportunity to improve the protection of privacy around the world. The Privacy Shield Package includes the Privacy Shield Principles, along with a letter, attached as Annex 1, from the International Trade Administration (ITA) of the Department of Commerce, which administers the program, describing the commitments that our Department has made to ensure that the Privacy Shield operates effectively. The Package also includes Annex 2, which includes other Department of Commerce commitments relating to the new arbitral model available under the Privacy Shield. I have directed my staff to devote all necessary resources to implement the Privacy Shield Framework expeditiously and fully and to ensure the commitments in Annex 1 and Annex 2 are met in a timely fashion. The Privacy Shield Package also includes other documents from other United States agencies, namely: • A letter from the Federal Trade Commission (FTC) describing its enforcement of the Privacy Shield; • A letter from the Department of Transportation describing its enforcement of the Privacy Shield; • Two letters prepared by the Office of the Director of National Intelligence (ODNI) regarding safeguards and limitations applicable to U.S. national security authorities; • A letter from the Department of State and accompanying memorandum describing the State Department’s commitment to establish a new Privacy Shield Ombudsperson for submission of inquiries regarding the United States’ signals intelligence practices; and • A letter prepared by the Department of Justice regarding safeguards and limitations on U.S. Government access for law enforcement and public interest purposes. You can be assured that the United States takes these commitments seriously. Within 30 days of final approval of the adequacy determination, the full Privacy Shield Package will be delivered to the Federal Register for publication. We look forward to working with you as the Privacy Shield is implemented and as we embark on the next phase of this process together. 1 Provided that the Commission Decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield applies to Iceland, Liechtenstein and Norway, the Privacy Shield Package will cover both the European Union, as well as these three countries. PO 00000 Frm 00002 Fmt 4701 Sfmt 4703 Sincerely, Penny Pritzker Annex 1: Letter From Acting Under Secretary for International Trade Ken Hyatt ˇ ´ The Honorable Vera Jourova Commissioner for Justice, Consumers and Gender Equality European Commission Rue de la Loi/Westraat 200 1049 Brussels Belgium ´ Dear Commissioner Jourova: On behalf of the International Trade Administration, I am pleased to describe the enhanced protection of personal data that the EU-U.S. Privacy Shield Framework (‘‘Privacy Shield’’ or ‘‘Framework’’) provides and the commitments the Department of Commerce (‘‘Department’’) has made to ensure that the Privacy Shield operates effectively. Finalizing this historic arrangement is a major achievement for privacy and for businesses on both sides of the Atlantic. It offers confidence to EU individuals that their data will be protected and that they will have legal remedies to address any concerns. It offers certainty that will help grow the transatlantic economy by ensuring that thousands of European and American businesses can continue to invest and do business across our borders. The Privacy Shield is the result of over two years of hard work and collaboration with you, our colleagues in the European Commission (‘‘Commission’’). We look forward to continuing to work with the Commission to ensure that the Privacy Shield functions as intended. We have worked with the Commission to develop the Privacy Shield to allow organizations established in the United States to meet the adequacy requirements for data protection under EU law. The new Framework will yield several significant benefits for both individuals and businesses. First, it provides an important set of privacy protections for the data of EU individuals. It requires participating U.S. organizations to develop a conforming privacy policy, publicly commit to comply with the Privacy Shield Principles so that the commitment becomes enforceable under U.S. law, annually re-certify their compliance to the Department, provide free independent dispute resolution to EU individuals, and be subject to the authority of the U.S. Federal Trade Commission (‘‘FTC’’), Department of Transportation (‘‘DOT’’), or another enforcement agency. Second, the Privacy Shield will enable thousands of companies in the United States and subsidiaries of European companies in the United States to receive personal data from the European Union to facilitate data flows that support transatlantic trade. The transatlantic economic relationship is already the world’s largest, accounting for half of global economic output and nearly one trillion dollars in goods and services trade, supporting millions of jobs on both sides of the Atlantic. Businesses that rely on transatlantic data flows come from all industry sectors and include major Fortune 500 firms as well as many small and E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 medium-sized enterprises (SMEs). Transatlantic data flows allow U.S. organizations to process data required to offer goods, services, and employment opportunities to European individuals. The Privacy Shield supports shared privacy principles, bridging the differences in our legal approaches, while furthering trade and economic objectives of both Europe and the United States. While a company’s decision to self-certify to this new Framework will be voluntary, once a company publicly commits to the Privacy Shield, its commitment is enforceable under U.S. law by either the Federal Trade Commission or Department of Transportation, depending on which authority has jurisdiction over the Privacy Shield organization. Enhancements Under the Privacy Shield Principles The resulting Privacy Shield strengthens the protection of privacy by: • Requiring additional information be provided to individuals in the Notice Principle, including a declaration of the organization’s participation in the Privacy Shield, a statement of the individual’s right to access personal data, and the identification of the relevant independent dispute resolution body; • strengthening protection of personal data that is transferred from a Privacy Shield organization to a third party controller by requiring the parties to enter into a contract that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles; • strengthening protection of personal data that is transferred from a Privacy Shield organization to a third party agent, including by requiring a Privacy Shield organization to: take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request; • providing that a Privacy Shield organization is responsible for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf, and that the Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage; • clarifying that Privacy Shield organizations must limit personal information to the information that is relevant for the purposes of processing; • requiring an organization to annually certify with the Department its commitment to apply the Principles to information it received while it participated in the Privacy VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 Shield if it leaves the Privacy Shield and chooses to keep such data; • requiring that independent recourse mechanisms be provided at no cost to the individual; • requiring organizations and their selected independent recourse mechanisms to respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield; • requiring organizations to respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department; and • requiring a Privacy Shield organization to make public any relevant Privacy Shieldrelated sections of any compliance or assessment report submitted to the FTC if it becomes subject to an FTC or court order based on non-compliance. Administration and Supervision of the Privacy Shield Program by the Department of Commerce The Department reiterates its commitment to maintain and make available to the public an authoritative list of U.S. organizations that have self-certified to the Department and declared their commitment to adhere to the Principles (the ‘‘Privacy Shield List’’). The Department will keep the Privacy Shield List up to date by removing organizations when they voluntarily withdraw, fail to complete the annual re-certification in accordance with the Department’s procedures, or are found to persistently fail to comply. The Department will also maintain and make available to the public an authoritative record of U.S. organizations that had previously selfcertified to the Department, but that have been removed from the Privacy Shield List, including those that were removed for persistent failure to comply with the Principles. The Department will identify the reason each organization was removed. In addition, the Department commits to strengthening the administration and supervision of the Privacy Shield. Specifically, the Department will: Provide Additional Information on the Privacy Shield Web Site • Maintain the Privacy Shield List, as well as a record of those organizations that previously self-certified their adherence to the Principles, but which are no longer assured of the benefits of the Privacy Shield; • include a prominently placed explanation clarifying that all organizations removed from the Privacy Shield List are no longer assured of the benefits of the Privacy Shield, but must nevertheless continue to apply the Principles to the personal information that they received while they participated in the Privacy Shield for as long as they retain such information; and • provide a link to the list of Privacy Shield-related FTC cases maintained on the FTC Web site. Verify Self-Certification Requirements • Prior to finalizing an organization’s selfcertification (or annual re-certification) and placing an organization on the Privacy Shield List, verify that the organization has: Æ Provided required organization contact information; PO 00000 Frm 00003 Fmt 4701 Sfmt 4703 51043 Æ described the activities of the organization with respect to personal information received from the EU; Æ indicated what personal information is covered by its self-certification; Æ if the organization has a public Web site, provided the web address where the privacy policy is available and the privacy policy is accessible at the web address provided, or if an organization does not have a public Web site, provided where the privacy policy is available for viewing by the public; Æ included in its relevant privacy policy a statement that it adheres to the Principles and if the privacy policy is available online, a hyperlink to the Department’s Privacy Shield Web site; Æ identified the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the Principles or a future annex to the Principles); Æ if the organization elects to satisfy the requirements in points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle by committing to cooperate with the appropriate EU data protection authorities (‘‘DPAs’’), indicated its intention to cooperate with DPAs in the investigation and resolution of complaints brought under the Privacy Shield, notably to respond to their inquiries when EU data subjects have brought their complaints directly to their national DPAs; Æ identified any privacy program in which the organization is a member; Æ identified the method of verification of assuring compliance with the Principles (e.g., in-house, third party); Æ identified, both in its self-certification submission and in its privacy policy, the independent recourse mechanism that is available to investigate and resolve complaints; Æ included in its relevant privacy policy, if the policy is available online, a hyperlink to the Web site or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints; and Æ if the organization has indicated that it intends to receive human resources information transferred from the EU for use in the context of the employment relationship, declared its commitment to cooperate and comply with DPAs to resolve complaints concerning its activities with regard to such data, provided the Department with a copy of its human resources privacy policy, and provided where the privacy policy is available for viewing by its affected employees. • work with independent recourse mechanisms to verify that the organizations have in fact registered with the relevant mechanism indicated in their selfcertification submissions, where such registration is required. Expand Efforts To Follow Up With Organizations That Have Been Removed From the Privacy Shield List • notify organizations that are removed from the Privacy Shield List for ‘‘persistent failure to comply’’ that they are not entitled E:\FR\FM\02AUN2.SGM 02AUN2 mstockstill on DSK3G9T082PROD with NOTICES2 51044 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices to retain information collected under the Privacy Shield; and • send questionnaires to organizations whose self-certifications lapse or who have voluntarily withdrawn from the Privacy Shield to verify whether the organization will return, delete, or continue to apply the Principles to the personal information that they received while they participated in the Privacy Shield, and if personal information will be retained, verify who within the organization will serve as an ongoing point of contact for Privacy Shield-related questions. Search for and Address False Claims of Participation • Review the privacy policies of organizations that have previously participated in the Privacy Shield program, but that have been removed from the Privacy Shield List to identify any false claims of Privacy Shield participation; • on an ongoing basis, when an organization: (a) Withdraws from participation in the Privacy Shield, (b) fails to recertify its adherence to the Principles, or (c) is removed as a participant in the Privacy Shield notably for ‘‘persistent failure to comply,’’ undertake, on an ex officio basis, to verify that the organization has removed from any relevant published privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. Where the Department finds that such references have not been removed, the Department will warn the organization that the Department will, as appropriate, refer matters to the relevant agency for potential enforcement action if it continues to make the claim of Privacy Shield certification. If the organization neither removes the references nor selfcertifies its compliance under the Privacy Shield, the Department will ex officio refer the matter to the FTC, DOT, or other appropriate enforcement agency or, in appropriate cases, take action to enforce the Privacy Shield certification mark; • undertake other efforts to identify false claims of Privacy Shield participation and improper use of the Privacy Shield certification mark, including by conducting Internet searches to identify where images of the Privacy Shield certification mark are being displayed and references to Privacy Shield in organizations’ privacy policies; • promptly address any issues that we identify during our ex officio monitoring of false claims of participation and misuse of the certification mark, including warning organizations misrepresenting their participation in the Privacy Shield program as described above; • take other appropriate corrective action, including pursuing any legal recourse the Department is authorized to take and referring matters to the FTC, DOT, or another appropriate enforcement agency; and • promptly review and address complaints about false claims of participation that we receive. The Department will undertake reviews of privacy policies of organizations to more effectively identify and address false claims of Privacy Shield participation. Specifically, VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 the Department will review the privacy policies of organizations whose selfcertification has lapsed due to their failure to re-certify adherence to the Principles. The Department will conduct this type of review to verify that such organizations have removed from any relevant published privacy policy any references that imply that the organizations continue to actively participate in the Privacy Shield. As a result of these types of reviews, we will identify organizations that have not removed such references and send those organizations a letter from the Department’s Office of General Counsel warning of potential enforcement action if the references are not removed. The Department will take follow-up action to ensure that the organizations either remove the inappropriate references or re-certify their adherence to the Principles. In addition, the Department will undertake efforts to identify false claims of Privacy Shield participation by organizations that have never participated in the Privacy Shield program, and will take similar corrective action with respect to such organizations. Conduct Periodic ex officio Compliance Reviews and Assessments of the Program • On an ongoing basis, monitor effective compliance, including through sending detailed questionnaires to participating organizations, to identify issues that may warrant further follow-up action. In particular, such compliance reviews shall take place when: (a) The Department has received specific non-frivolous complaints about an organization’s compliance with the Principles, (b) an organization does not respond satisfactorily to inquiries by the Department for information relating to the Privacy Shield, or (c) there is credible evidence that an organization does not comply with its commitments under the Privacy Shield. The Department shall, when appropriate, consult with the competent data protection authorities about such compliance reviews; and • assess periodically the administration and supervision of the Privacy Shield program to ensure that monitoring efforts are appropriate to address new issues as they arise. The Department has increased the resources that will be devoted to the administration and supervision of the Privacy Shield program, including doubling the number of staff responsible for the administration and supervision of the program. We will continue to dedicate appropriate resources to such efforts to ensure effective monitoring and administration of the program. Tailor the Privacy Shield Web Site to Targeted Audiences The Department will tailor the Privacy Shield Web site to focus on three target audiences: EU individuals, EU businesses, and U.S. businesses. The inclusion of material targeted directly to EU individuals and EU businesses will facilitate transparency in a number of ways. With regard to EU individuals, it will clearly explain: (1) The rights the Privacy Shield provides to EU individuals; (2) the recourse mechanisms available to EU individuals PO 00000 Frm 00004 Fmt 4701 Sfmt 4703 when they believe an organization has breached its commitment to comply with the Principles; and (3) how to find information pertaining to an organization’s Privacy Shield self-certification. With regard to EU businesses, it will facilitate verification of: (1) Whether an organization is assured of the benefits of the Privacy Shield; (2) the type of information covered by an organization’s Privacy Shield self-certification; (3) the privacy policy that applies to the covered information; and (4) the method the organization uses to verify its adherence to the Principles. Increase Cooperation With DPAs To increase opportunities for cooperation with DPAs, the Department will establish a dedicated contact at the Department to act as a liaison with DPAs. In instances where a DPA believes that an organization is not complying with the Principles, including following a complaint from an EU individual, the DPA can reach out to the dedicated contact at the Department to refer the organization for further review. The contact will also receive referrals regarding organizations that falsely claim to participate in the Privacy Shield, despite never having self-certified their adherence to the Principles. The contact will assist DPAs seeking information related to a specific organization’s self-certification or previous participation in the program, and the contact will respond to DPA inquiries regarding the implementation of specific Privacy Shield requirements. Second, the Department will provide DPAs with material regarding the Privacy Shield for inclusion on their own Web sites to increase transparency for EU individuals and EU businesses. Increased awareness regarding the Privacy Shield and the rights and responsibilities it creates should facilitate the identification of issues as they arise, so that these can be appropriately addressed. Facilitate Resolution of Complaints About Non-Compliance The Department, through the dedicated contact, will receive complaints referred to the Department by a DPA that a Privacy Shield organization is not complying with the Principles. The Department will make its best effort to facilitate resolution of the complaint with the Privacy Shield organization. Within 90 days after receipt of the complaint, the Department will provide an update to the DPA. To facilitate the submission of such complaints, the Department will create a standard form for DPAs to submit to the Department’s dedicated contact. The dedicated contact will track all referrals from DPAs received by the Department, and the Department will provide in the annual review described below a report analyzing in aggregate the complaints it receives each year. Adopt Arbitral Procedures and Select Arbitrators in Consultation With the Commission The Department will fulfill its commitments under Annex I and publish the procedures after agreement has been reached. E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices Joint Review Mechanism of the Functioning of the Privacy Shield The Department of Commerce, the FTC, and other agencies, as appropriate, will hold annual meetings with the Commission, interested DPAs, and appropriate representatives from the Article 29 Working Party, where the Department will provide updates on the Privacy Shield program. The annual meetings will include discussion of current issues related to the functioning, implementation, supervision, and enforcement of the Privacy Shield, including referrals received by the Department from DPAs, the results of ex officio compliance reviews, and may also include discussion of relevant changes of law. The first annual review and subsequent reviews as appropriate will include a dialogue on other topics, such as in the area of automated decision-making, including aspects relating to similarities and differences in approaches in the EU and the US. Update of Laws The Department will make reasonable efforts to inform the Commission of material developments in the law in the United States so far as they are relevant to the Privacy Shield in the field of data privacy protection and the limitations and safeguards applicable to access to personal data by U.S. authorities and its subsequent use. mstockstill on DSK3G9T082PROD with NOTICES2 National Security Exception With respect to the limitations to the adherence to the Privacy Shield Principles for national security purposes, the General Counsel of the Office of the Director of National Intelligence, Robert Litt, has also sent two letters addressed to Justin Antonipillai and Ted Dean of the Department of Commerce, and these have been forwarded to you. These letters extensively discuss, among other things, the policies, safeguards, and limitations that apply to signals intelligence activities conducted by the U.S. In addition, these letters describe the transparency provided by the Intelligence Community about these matters. As the Commission is assessing the Privacy Shield Framework, the information in these letters provides assurance to conclude that the Privacy Shield will operate appropriately, in accordance with the Principles therein. We understand that you may raise information that has been released publicly by the Intelligence Community, along with other information, in the future to inform the annual review of the Privacy Shield Framework. On the basis of the Privacy Shield Principles and the accompanying letters and materials, including the Department’s commitments regarding the administration and supervision of the Privacy Shield Framework, our expectation is that the Commission will determine that the EU-U.S. Privacy Shield Framework provides adequate protection for the purposes of EU law and data transfers from the European Union will continue to organizations that participate in the Privacy Shield. Sincerely, Ken Hyatt VerDate Sep<11>2014 Annex 2: Arbitral Model Annex I This Annex I provides the terms under which Privacy Shield organizations are obligated to arbitrate claims, pursuant to the Recourse, Enforcement and Liability Principle. The binding arbitration option described below applies to certain ‘‘residual’’ claims as to data covered by the EU-U.S. Privacy Shield. The purpose of this option is to provide a prompt, independent, and fair mechanism, at the option of individuals, for resolution of claimed violations of the Principles not resolved by any of the other Privacy Shield mechanisms, if any. A. Scope This arbitration option is available to an individual to determine, for residual claims, whether a Privacy Shield organization has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes. This option is not available, for example, with respect to the exceptions to the Principles 1 or with respect to an allegation about the adequacy of the Privacy Shield. B. Available Remedies Under this arbitration option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, nonmonetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual. These are the only powers of the arbitration panel with respect to remedies. In considering remedies, the arbitration panel is required to consider other remedies that already have been imposed by other mechanisms under the Privacy Shield. No damages, costs, fees, or other remedies are available. Each party bears its own attorney’s fees. C. Pre-Arbitration Requirements An individual who decides to invoke this arbitration option must take the following steps prior to initiating an arbitration claim: (1) Raise the claimed violation directly with the organization and afford the organization an opportunity to resolve the issue within the timeframe set forth in Section III.11(d)(i) of the Principles; (2) make use of the independent recourse mechanism under the Principles, which is at no cost to the individual; and (3) raise the issue through their Data Protection Authority to the Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the International Trade Administration of the Department of Commerce, at no cost to the individual. This arbitration option may not be invoked if the individual’s same claimed violation of the Principles (1) has previously been subject to binding arbitration; (2) was the subject of a final judgment entered in a court action to 1 Section 20:41 Aug 01, 2016 Jkt 238001 PO 00000 which the individual was a party; or (3) was previously settled by the parties. In addition, this option may not be invoked if an EU Data Protection Authority (1) has authority under Sections III.5 or III.9 of the Principles; or (2) has the authority to resolve the claimed violation directly with the organization. A DPA’s authority to resolve the same claim against an EU data controller does not alone preclude invocation of this arbitration option against a different legal entity not bound by the DPA authority. D. Binding Nature of Decisions An individual’s decision to invoke this binding arbitration option is entirely voluntary. Arbitral decisions will be binding on all parties to the arbitration. Once invoked, the individual forgoes the option to seek relief for the same claimed violation in another forum, except that if non-monetary equitable relief does not fully remedy the claimed violation, the individual’s invocation of arbitration will not preclude a claim for damages that is otherwise available in the courts. E. Review and Enforcement Individuals and Privacy Shield organizations will be able to seek judicial review and enforcement of the arbitral decisions pursuant to U.S. law under the Federal Arbitration Act.2 Any such cases 2 Chapter 2 of the Federal Arbitration Act (‘‘FAA’’) provides that ‘‘[a]n arbitration agreement or arbitral award arising out of a legal relationship, whether contractual or not, which is considered as commercial, including a transaction, contract, or agreement described in [section 2 of the FAA], falls under the Convention [on the Recognition and Enforcement of Foreign Arbitral Awards of June 10, 1958, 21 U.S.T. 2519, T.I.A.S. No. 6997 (‘‘New York Convention’’)].’’ 9 U.S.C. 202. The FAA further provides that ‘‘[a]n agreement or award arising out of such a relationship which is entirely between citizens of the United States shall be deemed not to fall under the [New York] Convention unless that relationship involves property located abroad, envisages performance or enforcement abroad, or has some other reasonable relation with one or more foreign states.’’ Id. Under Chapter 2, ‘‘any party to the arbitration may apply to any court having jurisdiction under this chapter for an order confirming the award as against any other party to the arbitration. The court shall confirm the award unless it finds one of the grounds for refusal or deferral of recognition or enforcement of the award specified in the said [New York] Convention.’’ Id. § 207. Chapter 2 further provides that ‘‘[t]he district courts of the United States . . . shall have original jurisdiction over . . . an action or proceeding [under the New York Convention], regardless of the amount in controversy.’’ Id. section 203. Chapter 2 also provides that ‘‘Chapter 1 applies to actions and proceedings brought under this chapter to the extent that chapter is not in conflict with this chapter or the [New York] Convention as ratified by the United States.’’ Id. section 208. Chapter 1, in turn, provides that ‘‘[a] written provision in . . . a contract evidencing a transaction involving commerce to settle by arbitration a controversy thereafter arising out of such contract or transaction, or the refusal to perform the whole or any part thereof, or an agreement in writing to submit to arbitration an existing controversy arising out of such a contract, transaction, or refusal, shall be valid, irrevocable, and enforceable, save upon such grounds as exist at law or in equity for the revocation of any I.5 of the Principles. Frm 00005 Fmt 4701 Sfmt 4703 51045 Continued E:\FR\FM\02AUN2.SGM 02AUN2 51046 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices must be brought in the federal district court whose territorial coverage includes the primary place of business of the Privacy Shield organization. This arbitration option is intended to resolve individual disputes, and arbitral decisions are not intended to function as persuasive or binding precedent in matters involving other parties, including in future arbitrations or in EU or U.S. courts, or FTC proceedings. mstockstill on DSK3G9T082PROD with NOTICES2 F. The Arbitration Panel The parties will select the arbitrators from the list of arbitrators discussed below. Consistent with applicable law, the U.S. Department of Commerce and the European Commission will develop a list of at least 20 arbitrators, chosen on the basis of independence, integrity, and expertise. The following shall apply in connection with this process: Arbitrators: (1) Will remain on the list for a period of 3 years, absent exceptional circumstances or for cause, renewable for one additional period of 3 years; (2) shall not be subject to any instructions from, or be affiliated with, either party, or any Privacy Shield organization, or the U.S., EU, or any EU Member State or any other governmental authority, public authority, or enforcement authority; and (3) must be admitted to practice law in the U.S. and be experts in U.S. privacy law, with expertise in EU data protection law. G. Arbitration Procedures Consistent with applicable law, within 6 months from the adoption of the adequacy decision, the Department of Commerce and the European Commission will agree to adopt an existing, well-established set of U.S. arbitral procedures (such as AAA or JAMS) to govern proceedings before the Privacy Shield Panel, subject to each of the following considerations: 1. An individual may initiate binding arbitration, subject to the pre-arbitration requirements provision above, by delivering a ‘‘Notice’’ to the organization. The Notice shall contain a summary of steps taken under Paragraph C to resolve the claim, a description of the alleged violation, and, at the choice of the individual, any supporting documents and materials and/or a discussion of law relating to the alleged claim. 2. Procedures will be developed to ensure that an individual’s same claimed violation does not receive duplicative remedies or procedures. 3. FTC action may proceed in parallel with arbitration. 4. No representative of the U.S., EU, or any EU Member State or any other governmental authority, public authority, or enforcement authority may participate in these arbitrations, provided, that at the request of an EU individual, EU DPAs may provide assistance in the preparation only of the contract.’’ Id. section 2. Chapter 1 further provides that ‘‘any party to the arbitration may apply to the court so specified for an order confirming the award, and thereupon the court must grant such an order unless the award is vacated, modified, or corrected as prescribed in sections 10 and 11 of [the FAA].’’ Id. section 9. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 Notice but EU DPAs may not have access to discovery or any other materials related to these arbitrations. 5. The location of the arbitration will be the United States, and the individual may choose video or telephone participation, which will be provided at no cost to the individual. In-person participation will not be required. 6. The language of the arbitration will be English unless otherwise agreed by the parties. Upon a reasoned request, and taking into account whether the individual is represented by an attorney, interpretation at the arbitral hearing as well as translation of arbitral materials will be provided at no cost to the individual, unless the panel finds that, under the circumstances of the specific arbitration, this would lead to unjustified or disproportionate costs. 7. Materials submitted to arbitrators will be treated confidentially and will only be used in connection with the arbitration. 8. Individual-specific discovery may be permitted if necessary, and such discovery will be treated confidentially by the parties and will only be used in connection with the arbitration. 9. Arbitrations should be completed within 90 days of the delivery of the Notice to the organization at issue, unless otherwise agreed to by the parties. H. Costs Arbitrators should take reasonable steps to minimize the costs or fees of the arbitrations. Subject to applicable law, the Department of Commerce will facilitate the establishment of a fund, into which Privacy Shield organizations will be required to pay an annual contribution, based in part on the size of the organization, which will cover the arbitral cost, including arbitrator fees, up to maximum amounts (‘‘caps’’), in consultation with the European Commission. The fund will be managed by a third party, which will report regularly on the operations of the fund. At the annual review, the Department of Commerce and European Commission will review the operation of the fund, including the need to adjust the amount of the contributions or of the caps, and will consider, among other things, the number of arbitrations and the costs and timing of the arbitrations, with the mutual understanding that there will be no excessive financial burden imposed on Privacy Shield organizations. Attorney’s fees are not covered by this provision or any fund under this provision. EU-U.S. Privacy Shield Principles EU-U.S. Privacy Shield Framework Principles Issued by the U.S. Department of Commerce I. Overview 1. While the United States and the European Union share the goal of enhancing privacy protection, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. Given those differences and to provide organizations in the United States with a PO 00000 Frm 00006 Fmt 4701 Sfmt 4703 reliable mechanism for personal data transfers to the United States from the European Union while ensuring that EU data subjects continue to benefit from effective safeguards and protection as required by European legislation with respect to the processing of their personal data when they have been transferred to non-EU countries, the Department of Commerce is issuing these Privacy Shield Principles, including the Supplemental Principles (collectively ‘‘the Principles’’) under its statutory authority to foster, promote, and develop international commerce (15 U.S.C. 1512). The Principles were developed in consultation with the European Commission, and with industry and other stakeholders, to facilitate trade and commerce between the United States and European Union. They are intended for use solely by organizations in the United States receiving personal data from the European Union for the purpose of qualifying for the Privacy Shield and thus benefitting from the European Commission’s adequacy decision.1 The Principles do not affect the application of national provisions implementing Directive 95/46/EC (‘‘the Directive’’) that apply to the processing of personal data in the Member States. Nor do the Principles limit privacy obligations that otherwise apply under U.S. law. 2. In order to rely on the Privacy Shield to effectuate transfers of personal data from the EU, an organization must self-certify its adherence to the Principles to the Department of Commerce (or its designee) (‘‘the Department’’). While decisions by organizations to thus enter the Privacy Shield are entirely voluntary, effective compliance is compulsory: Organizations that self-certify to the Department and publicly declare their commitment to adhere to the Principles must comply fully with the Principles. In order to enter the Privacy Shield, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (the ‘‘FTC’’), the Department of Transportation or another statutory body that will effectively ensure compliance with the Principles (other U.S. statutory bodies recognized by the EU may be included as an annex in the future); (b) publicly declare its commitment to comply with the Principles; (c) publicly disclose its privacy policies in line with these Principles; and (d) fully implement them. An organization’s failure to comply is enforceable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts in or affecting commerce (15 U.S.C. 45(a)) or other laws or regulations prohibiting such acts. 3. The Department of Commerce will maintain and make available to the public an authoritative list of U.S. organizations that have self-certified to the Department and declared their commitment to adhere to the Principles (‘‘the Privacy Shield List’’). Privacy Shield benefits are assured from the 1 Provided that the Commission Decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield applies to Iceland, Liechtenstein and Norway, the Privacy Shield Package will cover both the European Union, as well as these three countries. Consequently, references to the EU and its Member States will be read as including Iceland, Liechtenstein and Norway. E:\FR\FM\02AUN2.SGM 02AUN2 mstockstill on DSK3G9T082PROD with NOTICES2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices date that the Department places the organization on the Privacy Shield List. The Department will remove an organization from the Privacy Shield List if it voluntarily withdraws from the Privacy Shield or if it fails to complete its annual re-certification to the Department. An organization’s removal from the Privacy Shield List means it may no longer benefit from the European Commission’s adequacy decision to receive personal information from the EU. The organization must continue to apply the Principles to the personal information it received while it participated in the Privacy Shield, and affirm to the Department on an annual basis its commitment to do so, for as long as it retains such information; otherwise, the organization must return or delete the information or provide ‘‘adequate’’ protection for the information by another authorized means. The Department will also remove from the Privacy Shield List those organizations that have persistently failed to comply with the Principles; these organizations do not qualify for Privacy Shield benefits and must return or delete the personal information they received under the Privacy Shield. 4. The Department will also maintain and make available to the public an authoritative record of U.S. organizations that had previously self-certified to the Department, but that have been removed from the Privacy Shield List. The Department will provide a clear warning that these organizations are not participants in the Privacy Shield; that removal from the Privacy Shield List means that such organizations cannot claim to be Privacy Shield compliant and must avoid any statements or misleading practices implying that they participate in the Privacy Shield; and that such organizations are no longer entitled to benefit from the European Commission’s adequacy decision that would enable those organizations to receive personal information from the EU. An organization that continues to claim participation in the Privacy Shield or makes other Privacy Shield-related misrepresentations after it has been removed from the Privacy Shield List may be subject to enforcement action by the FTC, the Department of Transportation, or other enforcement authorities. 5. Adherence to these Principles may be limited: (a) To the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts. Consistent with the goal of enhancing privacy protection, organizations should strive to implement these Principles fully and transparently, including indicating in their privacy policies where exceptions to the Principles permitted by (b) above will apply VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 on a regular basis. For the same reason, where the option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection where possible. 6. Organizations are obligated to apply the Principles to all personal data transferred in reliance on the Privacy Shield after they enter the Privacy Shield. An organization that chooses to extend Privacy Shield benefits to human resources personal information transferred from the EU for use in the context of an employment relationship must indicate this when it self-certifies to the Department and conform to the requirements set forth in the Supplemental Principle on Self-Certification. 7. U.S. law will apply to questions of interpretation and compliance with the Principles and relevant privacy policies by Privacy Shield organizations, except where such organizations have committed to cooperate with European data protection authorities (‘‘DPAs’’). Unless otherwise stated, all provisions of the Principles apply where they are relevant. 8. Definitions: a. ‘‘Personal data’’ and ‘‘personal information’’ are data about an identified or identifiable individual that are within the scope of the Directive, received by an organization in the United States from the European Union, and recorded in any form. b. ‘‘Processing’’ of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction. c. ‘‘Controller’’ means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data. 9. The effective date of the Principles is the date of final approval of the European Commission’s adequacy determination. II. Principles 1. Notice a. An organization must inform individuals about: i. Its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List, ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles, iii. its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield, iv. the purposes for which it collects and uses personal information about them, v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints, vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so, vii. the right of individuals to access their personal data, viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data, PO 00000 Frm 00007 Fmt 4701 Sfmt 4703 51047 ix. the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) The panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States, x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body, xi. the possibility, under certain conditions, for the individual to invoke binding arbitration, xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and xiii. its liability in cases of onward transfers to third parties. b. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party. 2. Choice a. An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. b. By derogation to the previous paragraph, it is not necessary to provide choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. However, an organization shall always enter into a contract with the agent. c. For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), organizations must obtain affirmative express consent (opt in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. In addition, an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive. 3. Accountability for Onward Transfer a. To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles. Organizations must also enter into a contract with the third-party controller that provides that such data may E:\FR\FM\02AUN2.SGM 02AUN2 51048 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate. b. To transfer personal data to a third party acting as an agent, organizations must: (i) Transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request. 4. Security a. Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. mstockstill on DSK3G9T082PROD with NOTICES2 5. Data Integrity and Purpose Limitation a. Consistent with the Principles, personal information must be limited to the information that is relevant for the purposes of processing.2 An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. An organization must adhere to the Principles for as long as it retains such information. b. Information may be retained in a form identifying or making identifiable 3 the 2 Depending on the circumstances, examples of compatible processing purposes may include those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection. 3 In this context, if, given the means of identification reasonably likely to be used (considering, among other things, the costs of and the amount of time required for identification and the available technology at the time of the VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 individual only for as long as it serves a purpose of processing within the meaning of 5a. This obligation does not prevent organizations from processing personal information for longer periods for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis. In these cases, such processing shall be subject to the other Principles and provisions of the Framework. Organizations should take reasonable and appropriate measures in complying with this provision. 6. Access a. Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. 7. Recourse, Enforcement and Liability a. Effective privacy protection must include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by noncompliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum such mechanisms must include: i. Readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages awarded where the applicable law or private-sector initiatives so provide; ii. follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and iii. obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations. b. Organizations and their selected independent recourse mechanisms will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. All organizations must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Organizations that have chosen to cooperate with DPAs, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints. processing) and the form in which the data is retained, an individual could reasonably be identified by the organization, or a third party if it would have access to the data, then the individual is ‘‘identifiable.’’ PO 00000 Frm 00008 Fmt 4701 Sfmt 4703 c. Organizations are obligated to arbitrate claims and follow the terms as set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I. d. In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage. e. When an organization becomes subject to an FTC or court order based on noncompliance, the organization shall make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. The Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions. III. Supplemental Principles 1. Sensitive Data a. An organization is not required to obtain affirmative express consent (opt in) with respect to sensitive data where the processing is: i. In the vital interests of the data subject or another person; ii. necessary for the establishment of legal claims or defenses; iii. required to provide medical care or diagnosis; iv. carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; v. necessary to carry out the organization’s obligations in the field of employment law; or vi. related to data that are manifestly made public by the individual. 2. Journalistic Exceptions a. Given U.S. constitutional protections for freedom of the press and the Directive’s exemption for journalistic material, where the rights of a free press embodied in the First Amendment of the U.S. Constitution intersect with privacy protection interests, the First Amendment must govern the balancing of these interests with regard to the activities of U.S. persons or organizations. E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices b. Personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, is not subject to the requirements of the Privacy Shield Principles. 3. Secondary Liability a. Internet Service Providers (‘‘ISPs’’), telecommunications carriers, and other organizations are not liable under the Privacy Shield Principles when on behalf of another organization they merely transmit, route, switch, or cache information. As is the case with the Directive itself, the Privacy Shield does not create secondary liability. To the extent that an organization is acting as a mere conduit for data transmitted by third parties and does not determine the purposes and means of processing those personal data, it would not be liable. mstockstill on DSK3G9T082PROD with NOTICES2 4. Performing Due Diligence and Conducting Audits a. The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles under the circumstances described below. b. Public stock corporations and closely held companies, including Privacy Shield organizations, are regularly subject to audits. Such audits, particularly those looking into potential wrongdoing, may be jeopardized if disclosed prematurely. Similarly, a Privacy Shield organization involved in a potential merger or takeover will need to perform, or be the subject of, a ‘‘due diligence’’ review. This will often entail the collection and processing of personal data, such as information on senior executives and other key personnel. Premature disclosure could impede the transaction or even violate applicable securities regulation. Investment bankers and attorneys engaged in due diligence, or auditors conducting an audit, may process information without knowledge of the individual only to the extent and for the period necessary to meet statutory or public interest requirements and in other circumstances in which the application of these Principles would prejudice the legitimate interests of the organization. These legitimate interests include the monitoring of organizations’ compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors. 5. The Role of the Data Protection Authorities a. Organizations will implement their commitment to cooperate with European Union data protection authorities (‘‘DPAs’’) as described below. Under the Privacy Shield, U.S. organizations receiving personal data from the EU must commit to employ effective mechanisms for assuring compliance with the Privacy Shield Principles. More specifically as set out in the Recourse, Enforcement and Liability Principle, participating organizations must VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 provide: (a)(i) Recourse for individuals to whom the data relate; (a)(ii) follow up procedures for verifying that the attestations and assertions they have made about their privacy practices are true; and (a)(iii) obligations to remedy problems arising out of failure to comply with the Principles and consequences for such organizations. An organization may satisfy points (a)(i) and (a)(iii) of the Recourse, Enforcement and Liability Principle if it adheres to the requirements set forth here for cooperating with the DPAs. b. An organization commits to cooperate with the DPAs by declaring in its Privacy Shield self-certification submission to the Department of Commerce (see Supplemental Principle on Self-Certification) that the organization: i. Elects to satisfy the requirement in points (a)(i) and (a)(iii) of the Privacy Shield Recourse, Enforcement and Liability Principle by committing to cooperate with the DPAs; ii. will cooperate with the DPAs in the investigation and resolution of complaints brought under the Privacy Shield; and iii. will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken. c. Operation of DPA Panels i. The cooperation of the DPAs will be provided in the form of information and advice in the following way: 1. The advice of the DPAs will be delivered through an informal panel of DPAs established at the European Union level, which will inter alia help ensure a harmonized and coherent approach. 2. The panel will provide advice to the U.S. organizations concerned on unresolved complaints from individuals about the handling of personal information that has been transferred from the EU under the Privacy Shield. This advice will be designed to ensure that the Privacy Shield Principles are being correctly applied and will include any remedies for the individual(s) concerned that the DPAs consider appropriate. 3. The panel will provide such advice in response to referrals from the organizations concerned and/or to complaints received directly from individuals against organizations which have committed to cooperate with DPAs for Privacy Shield purposes, while encouraging and if necessary helping such individuals in the first instance to use the in-house complaint handling arrangements that the organization may offer. 4. Advice will be issued only after both sides in a dispute have had a reasonable opportunity to comment and to provide any evidence they wish. The panel will seek to deliver advice as quickly as this requirement for due process allows. As a general rule, the panel will aim to provide advice within 60 days after receiving a complaint or referral and more quickly where possible. PO 00000 Frm 00009 Fmt 4701 Sfmt 4703 51049 5. The panel will make public the results of its consideration of complaints submitted to it, if it sees fit. 6. The delivery of advice through the panel will not give rise to any liability for the panel or for individual DPAs. ii. As noted above, organizations choosing this option for dispute resolution must undertake to comply with the advice of the DPAs. If an organization fails to comply within 25 days of the delivery of the advice and has offered no satisfactory explanation for the delay, the panel will give notice of its intention either to refer the matter to the Federal Trade Commission, the Department of Transportation, or other U.S. federal or state body with statutory powers to take enforcement action in cases of deception or misrepresentation, or to conclude that the agreement to cooperate has been seriously breached and must therefore be considered null and void. In the latter case, the panel will inform the Department of Commerce so that the Privacy Shield List can be duly amended. Any failure to fulfill the undertaking to cooperate with the DPAs, as well as failures to comply with the Privacy Shield Principles, will be actionable as a deceptive practice under Section 5 of the FTC Act or other similar statute. d. An organization that wishes its Privacy Shield benefits to cover human resources data transferred from the EU in the context of the employment relationship must commit to cooperate with the DPAs with regard to such data (see Supplemental Principle on Human Resources Data). e. Organizations choosing this option will be required to pay an annual fee which will be designed to cover the operating costs of the panel, and they may additionally be asked to meet any necessary translation expenses arising out of the panel’s consideration of referrals or complaints against them. The annual fee will not exceed USD 500 and will be less for smaller companies. 6. Self-Certification a. Privacy Shield benefits are assured from the date on which the Department has placed the organization’s self-certification submission on the Privacy Shield List after having determined that the submission is complete. b. To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information: i. Name of organization, mailing address, email address, telephone, and fax numbers; ii. description of the activities of the organization with respect to personal information received from the EU; and iii. description of the organization’s privacy policy for such personal information, including: 1. If the organization has a public Web site, the relevant web address where the privacy policy is available, or if the organization does not have a public Web site, where the privacy policy is available for viewing by the public; 2. its effective date of implementation; E:\FR\FM\02AUN2.SGM 02AUN2 mstockstill on DSK3G9T082PROD with NOTICES2 51050 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices 3. a contact office for the handling of complaints, access requests, and any other issues arising under the Privacy Shield; 4. the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the Principles or a future annex to the Principles); 5. name of any privacy program in which the organization is a member; 6. method of verification (e.g., in-house, third party) (see Supplemental Principle on Verification; and 7. the independent recourse mechanism that is available to investigate unresolved complaints. c. Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information. In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities. The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees. d. The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement. Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured. Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available. All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles. If available online, an organization’s privacy policy must include a hyperlink to the Department’s Privacy Shield Web site and a hyperlink to the Web site or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. e. The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 Shield Framework in the first two months following the Framework’s effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield. During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. f. An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield. The undertaking to adhere to the Privacy Shield Principles is not timelimited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield. Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason. An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide ‘‘adequate’’ protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information. An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits. g. An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance. The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles. Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted. h. When an organization leaves the Privacy Shield for any reason, it must remove all statements implying that the organization continues to participate in the Privacy Shield or is entitled to the benefits of the Privacy Shield. The EU-U.S. Privacy Shield certification mark, if used, must also be removed. Any misrepresentation to the general public concerning an organization’s adherence to the Privacy Shield Principles may be actionable by the FTC or other relevant government body. Misrepresentations to the Department may be PO 00000 Frm 00010 Fmt 4701 Sfmt 4703 actionable under the False Statements Act (18 U.S.C. 1001). 7. Verification a. Organizations must provide follow up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Privacy Shield Principles. b. To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. c. Under the self-assessment approach, such verification must indicate that an organization’s published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy policy conforms to the Privacy Shield Principles; that individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints; that it has in place procedures for training employees in its implementation, and disciplining them for failure to follow it; and that it has in place internal procedures for periodically conducting objective reviews of compliance with the above. A statement verifying the self-assessment must be signed by a corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. d. Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms through which they may pursue complaints. The methods of review may include, without limitation, auditing, random reviews, use of ‘‘decoys’’, or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed must be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about compliance. e. Organizations must retain their records on the implementation of their Privacy Shield privacy practices and make them available upon request in the context of an investigation or a complaint about noncompliance to the independent body responsible for investigating complaints or to the agency with unfair and deceptive practices jurisdiction. Organizations must also respond promptly to inquiries and other requests for information from the Department relating to the organization’s adherence to the Principles. E:\FR\FM\02AUN2.SGM 02AUN2 mstockstill on DSK3G9T082PROD with NOTICES2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices 8. Access a. The Access Principle in Practice i. Under the Privacy Shield Principles, the right of access is fundamental to privacy protection. In particular, it allows individuals to verify the accuracy of information held about them. The Access Principle means that individuals have the right to: 1. Obtain from an organization confirmation of whether or not the organization is processing personal data relating to them; 4 2. have communicated to them such data so that they could verify its accuracy and the lawfulness of the processing; and 3. have the data corrected, amended or deleted where it is inaccurate or processed in violation of the Principles. ii. Individuals do not have to justify requests for access to their personal data. In responding to individuals’ access requests, organizations should first be guided by the concern(s) that led to the requests in the first place. For example, if an access request is vague or broad in scope, an organization may engage the individual in a dialogue so as to better understand the motivation for the request and to locate responsive information. The organization might inquire about which part(s) of the organization the individual interacted with or about the nature of the information or its use that is the subject of the access request. iii. Consistent with the fundamental nature of access, organizations should always make good faith efforts to provide access. For example, where certain information needs to be protected and can be readily separated from other personal information subject to an access request, the organization should redact the protected information and make available the other information. If an organization determines that access should be restricted in any particular instance, it should provide the individual requesting access with an explanation of why it has made that determination and a contact point for any further inquiries. b. Burden or Expense of Providing Access i. The right of access to personal data may be restricted in exceptional circumstances where the legitimate rights of persons other than the individual would be violated or where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question. Expense and burden are important factors and should be taken into account but they are not controlling factors in determining whether providing access is reasonable. ii. For example, if the personal information is used for decisions that will significantly affect the individual (e.g., the denial or grant of important benefits, such as insurance, a mortgage, or a job), then consistent with the other provisions of these Supplemental Principles, the organization would have to disclose that information even if it is 4 The organization should answer requests from an individual concerning the purposes of the processing, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data is disclosed. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 relatively difficult or expensive to provide. If the personal information requested is not sensitive or not used for decisions that will significantly affect the individual, but is readily available and inexpensive to provide, an organization would have to provide access to such information. c. Confidential Commercial Information i. Confidential commercial information is information that an organization has taken steps to protect from disclosure, where disclosure would help a competitor in the market. Organizations may deny or limit access to the extent that granting full access would reveal its own confidential commercial information, such as marketing inferences or classifications generated by the organization, or the confidential commercial information of another that is subject to a contractual obligation of confidentiality. ii. Where confidential commercial information can be readily separated from other personal information subject to an access request, the organization should redact the confidential commercial information and make available the nonconfidential information. d. Organization of Data Bases i. Access can be provided in the form of disclosure of the relevant personal information by an organization to the individual and does not require access by the individual to an organization’s data base. ii. Access needs to be provided only to the extent that an organization stores the personal information. The Access Principle does not itself create any obligation to retain, maintain, reorganize, or restructure personal information files. e. When Access May be Restricted i. As organizations must always make good faith efforts to provide individuals with access to their personal data, the circumstances in which organizations may restrict such access are limited, and any reasons for restricting access must be specific. As under the Directive, an organization can restrict access to information to the extent that disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security; defense; or public security. In addition, where personal information is processed solely for research or statistical purposes, access may be denied. Other reasons for denying or limiting access are: 1. Interference with the execution or enforcement of the law or with private causes of action, including the prevention, investigation or detection of offenses or the right to a fair trial; 2. disclosure where the legitimate rights or important interests of others would be violated; 3. breaching a legal or other professional privilege or obligation; 4. prejudicing employee security investigations or grievance proceedings or in connection with employee succession planning and corporate re-organizations; or 5. prejudicing the confidentiality necessary in monitoring, inspection or regulatory functions connected with sound management, or in future or ongoing negotiations involving the organization. PO 00000 Frm 00011 Fmt 4701 Sfmt 4703 51051 ii. An organization which claims an exception has the burden of demonstrating its necessity, and the reasons for restricting access and a contact point for further inquiries should be given to individuals. f. Right to Obtain Confirmation and Charging a Fee to Cover the Costs for Providing Access i. An individual has the right to obtain confirmation of whether or not this organization has personal data relating to him or her. An individual also has the right to have communicated to him or her personal data relating to him or her. An organization may charge a fee that is not excessive. ii. Charging a fee may be justified, for example, where requests for access are manifestly excessive, in particular because of their repetitive character. iii. Access may not be refused on cost grounds if the individual offers to pay the costs. g. Repetitious or Vexatious Requests for Access i. An organization may set reasonable limits on the number of times within a given period that access requests from a particular individual will be met. In setting such limitations, an organization should consider such factors as the frequency with which information is updated, the purpose for which the data are used, and the nature of the information. h. Fraudulent Requests for Access i. An organization is not required to provide access unless it is supplied with sufficient information to allow it to confirm the identity of the person making the request. i. Timeframe for Responses i. Organizations should respond to access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual. An organization that provides information to data subjects at regular intervals may satisfy an individual access request with its regular disclosure if it would not constitute an excessive delay. 9. Human Resources Data a. Coverage by the Privacy Shield i. Where an organization in the EU transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield. In such cases, the collection of the information and its processing prior to transfer will have been subject to the national laws of the EU country where it was collected, and any conditions for or restrictions on its transfer according to those laws will have to be respected. ii. The Privacy Shield Principles are relevant only when individually identified or identifiable records are transferred or accessed. Statistical reporting relying on aggregate employment data and containing no personal data or the use of anonymized data does not raise privacy concerns. b. Application of the Notice and Choice Principles i. A U.S. organization that has received employee information from the EU under the E:\FR\FM\02AUN2.SGM 02AUN2 mstockstill on DSK3G9T082PROD with NOTICES2 51052 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices Privacy Shield may disclose it to third parties or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for nonemployment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with the requisite choice before doing so, unless they have already authorized the use of the information for such purposes. Such use must not be incompatible with the purposes for which the personal information has been collected or subsequently authorised by the individual. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees. ii. It should be noted that certain generally applicable conditions for transfer from some EU Member States may preclude other uses of such information even after transfer outside the EU and such conditions will have to be respected. iii. In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the personal data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand. iv. To the extent and for the period necessary to avoid prejudicing the ability of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice. c. Application of the Access Principle i. The Supplemental Principle on Access provides guidance on reasons which may justify denying or limiting access on request in the human resources context. Of course, employers in the European Union must comply with local regulations and ensure that European Union employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The Privacy Shield requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the EU employer. d. Enforcement i. In so far as personal information is used only in the context of the employment relationship, primary responsibility for the ` data vis-a-vis the employee remains with the organization in the EU. It follows that, where European employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should be directed to the state or national data protection or labor authority in the jurisdiction where the employees work. This includes cases where the alleged mishandling of their personal information is the responsibility of the U.S. organization that has received the information from the employer and thus involves an alleged breach of the Privacy Shield Principles. This VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 will be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law. ii. A U.S. organization participating in the Privacy Shield that uses EU human resources data transferred from the European Union in the context of the employment relationship and that wishes such transfers to be covered by the Privacy Shield must therefore commit to cooperate in investigations by and to comply with the advice of competent EU authorities in such cases. e. Application of the Accountability for Onward Transfer Principle i. For occasional employment-related operational needs of the Privacy Shield organization with respect to personal data transferred under the Privacy Shield, such as the booking of a flight, hotel room, or insurance coverage, transfers of personal data of a small number of employees can take place to controllers without application of the Access Principle or entering into a contract with the third-party controller, as otherwise required under the Accountability for Onward Transfer Principle, provided that the Privacy Shield organization has complied with the Notice and Choice Principles. 10. Obligatory Contracts for Onward Transfers a. Data Processing Contracts i. When personal data is transferred from the EU to the United States only for processing purposes, a contract will be required, regardless of participation by the processor in the Privacy Shield. ii. Data controllers in the European Union are always required to enter into a contract when a transfer for mere processing is made, whether the processing operation is carried out inside or outside the EU, and whether or not the processor participates in the Privacy Shield. The purpose of the contract is to make sure that the processor: 1. Acts only on instructions from the controller; 2. provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorized disclosure or access, and understands whether onward transfer is allowed; and 3. taking into account the nature of the processing, assists the controller in responding to individuals exercising their rights under the Principles. iii. Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection. b. Transfers within a Controlled Group of Corporations or Entities i. When personal information is transferred between two controllers within a controlled group of corporations or entities, a contract is not always required under the Accountability for Onward Transfer PO 00000 Frm 00012 Fmt 4701 Sfmt 4703 Principle. Data controllers within a controlled group of corporations or entities may base such transfers on other instruments, such as EU Binding Corporate Rules or other intra-group instruments (e.g., compliance and control programs), ensuring the continuity of protection of personal information under the Principles. In case of such transfers, the Privacy Shield organization remains responsible for compliance with the Principles. c. Transfers between Controllers i. For transfers between controllers, the recipient controller need not be a Privacy Shield organization or have an independent recourse mechanism. The Privacy Shield organization must enter into a contract with the recipient third-party controller that provides for the same level of protection as is available under the Privacy Shield, not including the requirement that the third party controller be a Privacy Shield organization or have an independent recourse mechanism, provided it makes available an equivalent mechanism. 11. Dispute Resolution and Enforcement a. The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement. How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification. This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms. These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle’s requirements. Organizations satisfy the requirements through the following: (i) Compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives. b. This list is intended to be illustrative and not limiting. The private sector may design additional mechanisms to provide enforcement, so long as they meet the requirements of the Recourse, Enforcement and Liability Principle and the Supplemental Principles. Please note that the Recourse, Enforcement and Liability Principle’s requirements are additional to the requirement that self-regulatory efforts must be enforceable under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts, or another law or regulation prohibiting such acts. c. In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department. In addition, organizations must respond E:\FR\FM\02AUN2.SGM 02AUN2 mstockstill on DSK3G9T082PROD with NOTICES2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Department will protect the confidentiality of information it receives in accordance with U.S. law. d. Recourse Mechanisms i. Consumers should be encouraged to raise any complaints they may have with the relevant organization before proceeding to independent recourse mechanisms. Organizations must respond to a consumer within 45 days of receiving a complaint. Whether a recourse mechanism is independent is a factual question that can be demonstrated notably by impartiality, transparent composition and financing, and a proven track record. As required by the Recourse, Enforcement and Liability Principle, the recourse available to individuals must be readily available and free of charge to individuals. Dispute resolution bodies should look into each complaint received from individuals unless they are obviously unfounded or frivolous. This does not preclude the establishment of eligibility requirements by the organization operating the recourse mechanism, but such requirements should be transparent and justified (for example, to exclude complaints that fall outside the scope of the program or are for consideration in another forum), and should not have the effect of undermining the commitment to look into legitimate complaints. In addition, recourse mechanisms should provide individuals with full and readily available information about how the dispute resolution procedure works when they file a complaint. Such information should include notice about the mechanism’s privacy practices, in conformity with the Privacy Shield Principles. They should also cooperate in the development of tools such as standard complaint forms to facilitate the complaint resolution process. ii. Independent recourse mechanisms must include on their public Web sites information regarding the Privacy Shield Principles and the services that they provide under the Privacy Shield. This information must include: (1) Information on or a link to the Privacy Shield Principles’ requirements for independent recourse mechanisms; (2) a link to the Department’s Privacy Shield Web site; (3) an explanation that their dispute resolution services under the Privacy Shield are free of charge to individuals; (4) a description of how a Privacy Shield-related complaint can be filed; (5) the timeframe in which Privacy Shield-related complaints are processed; and (6) a description of the range of potential remedies. iii. Independent recourse mechanisms must publish an annual report providing aggregate statistics regarding their dispute resolution services. The annual report must include: (1) The total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 iv. As set forth in Annex I, an arbitration option is available to an individual to determine, for residual claims, whether a Privacy Shield organization has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes. This option is not available, for example, with respect to the exceptions to the Principles 5 or with respect to an allegation about the adequacy of the Privacy Shield. Under this arbitration option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, nonmonetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual. Individuals and Privacy Shield organizations will be able to seek judicial review and enforcement of the arbitral decisions pursuant to U.S. law under the Federal Arbitration Act. e. Remedies and Sanctions i. The result of any remedies provided by the dispute resolution body should be that the effects of non-compliance are reversed or corrected by the organization, insofar as feasible, and that future processing by the organization will be in conformity with the Principles and, where appropriate, that processing of the personal data of the individual who brought the complaint will cease. Sanctions need to be rigorous enough to ensure compliance by the organization with the Principles. A range of sanctions of varying degrees of severity will allow dispute resolution bodies to respond appropriately to varying degrees of non-compliance. Sanctions should include both publicity for findings of non-compliance and the requirement to delete data in certain circumstances.6 Other sanctions could include suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. Private sector dispute resolution bodies and self-regulatory bodies must notify failures of Privacy Shield organizations to comply with their rulings to the governmental body with applicable jurisdiction or to the courts, as appropriate, and to notify the Department. f. FTC Action ii. The FTC has committed to reviewing on a priority basis referrals alleging noncompliance with the Principles received from: (i) Privacy self-regulatory organizations and other independent dispute resolution bodies; (ii) EU Member States; and (iii) the Department, to determine whether Section 5 of the FTC Act prohibiting unfair or deceptive acts or practices in commerce has been violated. If the FTC concludes that it has reason to believe Section 5 has been 5 Section I.5 of the Principles. resolution bodies have discretion about the circumstances in which they use these sanctions. The sensitivity of the data concerned is one factor to be taken into consideration in deciding whether deletion of data should be required, as is whether an organization has collected, used, or disclosed information in blatant contravention of the Privacy Shield Principles. 6 Dispute PO 00000 Frm 00013 Fmt 4701 Sfmt 4703 51053 violated, it may resolve the matter by seeking an administrative cease and desist order prohibiting the challenged practices or by filing a complaint in a federal district court, which if successful could result in a federal court order to same effect. This includes false claims of adherence to the Privacy Shield Principles or participation in the Privacy Shield by organizations, which either are no longer on the Privacy Shield List or have never self-certified to the Department. The FTC may obtain civil penalties for violations of an administrative cease and desist order and may pursue civil or criminal contempt for violation of a federal court order. The FTC will notify the Department of any such actions it takes. The Department encourages other government bodies to notify it of the final disposition of any such referrals or other rulings determining adherence to the Privacy Shield Principles. g. Persistent Failure to Comply i. If an organization persistently fails to comply with the Principles, it is no longer entitled to benefit from the Privacy Shield. Organizations that have persistently failed to comply with the Principles will be removed from the Privacy Shield List by the Department and must return or delete the personal information they received under the Privacy Shield. ii. Persistent failure to comply arises where an organization that has self-certified to the Department refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or government body, or where such a body determines that an organization frequently fails to comply with the Principles to the point where its claim to comply is no longer credible. In these cases, the organization must promptly notify the Department of such facts. Failure to do so may be actionable under the False Statements Act (18 U.S.C. 1001). An organization’s withdrawal from a private-sector privacy self-regulatory program or independent dispute resolution mechanism does not relieve it of its obligation to comply with the Principles and would constitute a persistent failure to comply. iii. The Department will remove an organization from the Privacy Shield List in response to any notification it receives of persistent failure to comply, whether it is received from the organization itself, from a privacy self-regulatory body or another independent dispute resolution body, or from a government body, but only after first providing 30 days’ notice and an opportunity to respond to the organization that has failed to comply. Accordingly, the Privacy Shield List maintained by the Department will make clear which organizations are assured and which organizations are no longer assured of Privacy Shield benefits. iv. An organization applying to participate in a self-regulatory body for the purposes of requalifying for the Privacy Shield must provide that body with full information about its prior participation in the Privacy Shield. 12. Choice—Timing of Opt Out a. Generally, the purpose of the Choice Principle is to ensure that personal information is used and disclosed in ways E:\FR\FM\02AUN2.SGM 02AUN2 51054 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 that are consistent with the individual’s expectations and choices. Accordingly, an individual should be able to exercise ‘‘opt out’’ choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may also require sufficient information to confirm the identity of the individual requesting the ‘‘opt out.’’ In the United States, individuals may be able to exercise this option through the use of a central ‘‘opt out’’ program such as the Direct Marketing Association’s Mail Preference Service. Organizations that participate in the Direct Marketing Association’s Mail Preference Service should promote its availability to consumers who do not wish to receive commercial information. In any event, an individual should be given a readily available and affordable mechanism to exercise this option. b. Similarly, an organization may use information for certain direct marketing purposes when it is impracticable to provide the individual with an opportunity to opt out before using the information, if the organization promptly gives the individual such opportunity at the same time (and upon request at any time) to decline (at no cost to the individual) to receive any further direct marketing communications and the organization complies with the individual’s wishes. 13. Travel Information a. Airline passenger reservation and other travel information, such as frequent flyer or hotel reservation information and special handling needs, such as meals to meet religious requirements or physical assistance, may be transferred to organizations located outside the EU in several different circumstances. Under Article 26 of the Directive, personal data may be transferred ‘‘to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2)’’ on the condition that it (i) is necessary to provide the services requested by the consumer or to fulfill the terms of an agreement, such as a ‘‘frequent flyer’’ agreement; or (ii) has been unambiguously consented to by the consumer. U.S. organizations subscribing to the Privacy Shield provide adequate protection for personal data and may therefore receive data transfers from the EU without meeting these conditions or other conditions set out in Article 26 of the Directive. Since the Privacy Shield includes specific rules for sensitive information, such information (which may need to be collected, for example, in connection with customers’ needs for physical assistance) may be included in transfers to Privacy Shield participants. In all cases, however, the organization transferring the information has to respect the law in the EU Member State in which it is operating, which may inter alia impose special conditions for the handling of sensitive data. 14. Pharmaceutical and Medical Products a. Application of EU Member State Laws or the Privacy Shield Principles VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 i. EU Member State law applies to the collection of the personal data and to any processing that takes place prior to the transfer to the United States. The Privacy Shield Principles apply to the data once they have been transferred to the United States. Data used for pharmaceutical research and other purposes should be anonymized when appropriate. b. Future Scientific Research i. Personal data developed in specific medical or pharmaceutical research studies often play a valuable role in future scientific research. Where personal data collected for one research study are transferred to a U.S. organization in the Privacy Shield, the organization may use the data for a new scientific research activity if appropriate notice and choice have been provided in the first instance. Such notice should provide information about any future specific uses of the data, such as periodic follow-up, related studies, or marketing. ii. It is understood that not all future uses of the data can be specified, since a new research use could arise from new insights on the original data, new medical discoveries and advances, and public health and regulatory developments. Where appropriate, the notice should therefore include an explanation that personal data may be used in future medical and pharmaceutical research activities that are unanticipated. If the use is not consistent with the general research purpose(s) for which the personal data were originally collected, or to which the individual has consented subsequently, new consent must be obtained. c. Withdrawal from a Clinical Trial i. Participants may decide or be asked to withdraw from a clinical trial at any time. Any personal data collected previous to withdrawal may still be processed along with other data collected as part of the clinical trial, however, if this was made clear to the participant in the notice at the time he or she agreed to participate. d. Transfers for Regulatory and Supervision Purposes i. Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials conducted in the EU to regulators in the United States for regulatory and supervision purposes. Similar transfers are allowed to parties other than regulators, such as company locations and other researchers, consistent with the Principles of Notice and Choice. e. ‘‘Blinded’’ Studies i. To ensure objectivity in many clinical trials, participants, and often investigators as well, cannot be given access to information about which treatment each participant may be receiving. Doing so would jeopardize the validity of the research study and results. Participants in such clinical trials (referred to as ‘‘blinded’’ studies) do not have to be provided access to the data on their treatment during the trial if this restriction has been explained when the participant entered the trial and the disclosure of such information would jeopardize the integrity of the research effort. ii. Agreement to participate in the trial under these conditions is a reasonable forgoing of the right of access. Following the PO 00000 Frm 00014 Fmt 4701 Sfmt 4703 conclusion of the trial and analysis of the results, participants should have access to their data if they request it. They should seek it primarily from the physician or other health care provider from whom they received treatment within the clinical trial, or secondarily from the sponsoring organization. f. Product Safety and Efficacy Monitoring i. A pharmaceutical or medical device company does not have to apply the Privacy Shield Principles with respect to the Notice, Choice, Accountability for Onward Transfer, and Access Principles in its product safety and efficacy monitoring activities, including the reporting of adverse events and the tracking of patients/subjects using certain medicines or medical devices, to the extent that adherence to the Principles interferes with compliance with regulatory requirements. This is true both with respect to reports by, for example, health care providers to pharmaceutical and medical device companies, and with respect to reports by pharmaceutical and medical device companies to government agencies like the Food and Drug Administration. g. Key-coded Data i. Invariably, research data are uniquely key-coded at their origin by the principal investigator so as not to reveal the identity of individual data subjects. Pharmaceutical companies sponsoring such research do not receive the key. The unique key code is held only by the researcher, so that he or she can identify the research subject under special circumstances (e.g., if follow-up medical attention is required). A transfer from the EU to the United States of data coded in this way would not constitute a transfer of personal data that would be subject to the Privacy Shield Principles. 15. Public Record and Publicly Available Information a. An organization must apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability to personal data from publicly available sources. These Principles shall apply also to personal data collected from public records, i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general. b. It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials. c. Where an organization is found to have intentionally made personal information public in contravention of the Principles so E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices that it or others may benefit from these exceptions, it will cease to qualify for the benefits of the Privacy Shield. d. It is not necessary to apply the Access Principle to public record information as long as it is not combined with other personal information (apart from small amounts used to index or organize the public record information); however, any conditions for consultation established by the relevant jurisdiction are to be respected. In contrast, where public record information is combined with other non-public record information (other than as specifically noted above), an organization must provide access to all such information, assuming it is not subject to other permitted exceptions. e. As with public record information, it is not necessary to provide access to information that is already publicly available to the public at large, as long as it is not combined with non-publicly available information. Organizations that are in the business of selling publicly available information may charge the organization’s customary fee in responding to requests for access. Alternatively, individuals may seek access to their information from the organization that originally compiled the data. 16. Access Requests by Public Authorities a. In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law. b. The information provided by the Privacy Shield organizations in these reports together with information that has been released by the intelligence community, along with other information, can be used to inform the annual joint review of the functioning of the Privacy Shield in accordance with the Principles. c. Absence of notice in accordance with point (a)(xii) of the Notice Principle shall not prevent or impair an organization’s ability to respond to any lawful request. mstockstill on DSK3G9T082PROD with NOTICES2 Annex I: Arbitral Model Annex I This Annex I provides the terms under which Privacy Shield organizations are obligated to arbitrate claims, pursuant to the Recourse, Enforcement and Liability Principle. The binding arbitration option described below applies to certain ‘‘residual’’ claims as to data covered by the EU-U.S. Privacy Shield. The purpose of this option is to provide a prompt, independent, and fair mechanism, at the option of individuals, for resolution of claimed violations of the Principles not resolved by any of the other Privacy Shield mechanisms, if any. A. Scope This arbitration option is available to an individual to determine, for residual claims, whether a Privacy Shield organization has violated its obligations under the Principles VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes. This option is not available, for example, with respect to the exceptions to the Principles 7 or with respect to an allegation about the adequacy of the Privacy Shield. B. Available Remedies Under this arbitration option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, nonmonetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual. These are the only powers of the arbitration panel with respect to remedies. In considering remedies, the arbitration panel is required to consider other remedies that already have been imposed by other mechanisms under the Privacy Shield. No damages, costs, fees, or other remedies are available. Each party bears its own attorney’s fees. C. Pre-Arbitration Requirements An individual who decides to invoke this arbitration option must take the following steps prior to initiating an arbitration claim: (1) Raise the claimed violation directly with the organization and afford the organization an opportunity to resolve the issue within the timeframe set forth in Section III.11(d)(i) of the Principles; (2) make use of the independent recourse mechanism under the Principles, which is at no cost to the individual; and (3) raise the issue through their Data Protection Authority to the Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the International Trade Administration of the Department of Commerce, at no cost to the individual. This arbitration option may not be invoked if the individual’s same claimed violation of the Principles (1) has previously been subject to binding arbitration; (2) was the subject of a final judgment entered in a court action to which the individual was a party; or (3) was previously settled by the parties. In addition, this option may not be invoked if an EU Data Protection Authority (1) has authority under Sections III.5 or III.9 of the Principles; or (2) has the authority to resolve the claimed violation directly with the organization. A DPA’s authority to resolve the same claim against an EU data controller does not alone preclude invocation of this arbitration option against a different legal entity not bound by the DPA authority. D. Binding Nature of Decisions An individual’s decision to invoke this binding arbitration option is entirely voluntary. Arbitral decisions will be binding on all parties to the arbitration. Once invoked, the individual forgoes the option to seek relief for the same claimed violation in another forum, except that if non-monetary 7 Section PO 00000 I.5 of the Principles. Frm 00015 Fmt 4701 Sfmt 4703 51055 equitable relief does not fully remedy the claimed violation, the individual’s invocation of arbitration will not preclude a claim for damages that is otherwise available in the courts. E. Review and Enforcement Individuals and Privacy Shield organizations will be able to seek judicial review and enforcement of the arbitral decisions pursuant to U.S. law under the Federal Arbitration Act.8 Any such cases must be brought in the federal district court whose territorial coverage includes the primary place of business of the Privacy Shield organization. This arbitration option is intended to resolve individual disputes, and arbitral decisions are not intended to function as persuasive or binding precedent in matters involving other parties, including in future arbitrations or in EU or U.S. courts, or FTC proceedings. F. The Arbitration Panel The parties will select the arbitrators from the list of arbitrators discussed below. Consistent with applicable law, the U.S. Department of Commerce and the European 8 Chapter 2 of the Federal Arbitration Act (‘‘FAA’’) provides that ‘‘[a]n arbitration agreement or arbitral award arising out of a legal relationship, whether contractual or not, which is considered as commercial, including a transaction, contract, or agreement described in [section 2 of the FAA], falls under the Convention [on the Recognition and Enforcement of Foreign Arbitral Awards of June 10, 1958, 21 U.S.T. 2519, T.I.A.S. No. 6997 (‘‘New York Convention’’)].’’ 9 U.S.C. 202. The FAA further provides that ‘‘[a]n agreement or award arising out of such a relationship which is entirely between citizens of the United States shall be deemed not to fall under the [New York] Convention unless that relationship involves property located abroad, envisages performance or enforcement abroad, or has some other reasonable relation with one or more foreign states.’’ Id. Under Chapter 2, ‘‘any party to the arbitration may apply to any court having jurisdiction under this chapter for an order confirming the award as against any other party to the arbitration. The court shall confirm the award unless it finds one of the grounds for refusal or deferral of recognition or enforcement of the award specified in the said [New York] Convention.’’ Id. section 207. Chapter 2 further provides that ‘‘[t]he district courts of the United States . . . shall have original jurisdiction over . . . an action or proceeding [under the New York Convention], regardless of the amount in controversy.’’ Id. section 203. Chapter 2 also provides that ‘‘Chapter 1 applies to actions and proceedings brought under this chapter to the extent that chapter is not in conflict with this chapter or the [New York] Convention as ratified by the United States.’’ Id. section 208. Chapter 1, in turn, provides that ‘‘[a] written provision in . . . a contract evidencing a transaction involving commerce to settle by arbitration a controversy thereafter arising out of such contract or transaction, or the refusal to perform the whole or any part thereof, or an agreement in writing to submit to arbitration an existing controversy arising out of such a contract, transaction, or refusal, shall be valid, irrevocable, and enforceable, save upon such grounds as exist at law or in equity for the revocation of any contract.’’ Id. section 2. Chapter 1 further provides that ‘‘any party to the arbitration may apply to the court so specified for an order confirming the award, and thereupon the court must grant such an order unless the award is vacated, modified, or corrected as prescribed in sections 10 and 11 of [the FAA].’’ Id. section 9. E:\FR\FM\02AUN2.SGM 02AUN2 51056 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 Commission will develop a list of at least 20 arbitrators, chosen on the basis of independence, integrity, and expertise. The following shall apply in connection with this process: Arbitrators: (1) Will remain on the list for a period of 3 years, absent exceptional circumstances or for cause, renewable for one additional period of 3 years; (2) shall not be subject to any instructions from, or be affiliated with, either party, or any Privacy Shield organization, or the U.S., EU, or any EU Member State or any other governmental authority, public authority, or enforcement authority; and (3) must be admitted to practice law in the U.S. and be experts in U.S. privacy law, with expertise in EU data protection law. G. Arbitration Procedures Consistent with applicable law, within 6 months from the adoption of the adequacy decision, the Department of Commerce and the European Commission will agree to adopt an existing, well-established set of U.S. arbitral procedures (such as AAA or JAMS) to govern proceedings before the Privacy Shield Panel, subject to each of the following considerations: 1. An individual may initiate binding arbitration, subject to the pre-arbitration requirements provision above, by delivering a ‘‘Notice’’ to the organization. The Notice shall contain a summary of steps taken under Paragraph C to resolve the claim, a description of the alleged violation, and, at the choice of the individual, any supporting documents and materials and/or a discussion of law relating to the alleged claim. 2. Procedures will be developed to ensure that an individual’s same claimed violation does not receive duplicative remedies or procedures. 3. FTC action may proceed in parallel with arbitration. 4. No representative of the U.S., EU, or any EU Member State or any other governmental authority, public authority, or enforcement authority may participate in these arbitrations, provided, that at the request of an EU individual, EU DPAs may provide assistance in the preparation only of the Notice but EU DPAs may not have access to discovery or any other materials related to these arbitrations. 5. The location of the arbitration will be the United States, and the individual may choose video or telephone participation, which will be provided at no cost to the individual. In-person participation will not be required. 6. The language of the arbitration will be English unless otherwise agreed by the parties. Upon a reasoned request, and taking into account whether the individual is represented by an attorney, interpretation at the arbitral hearing as well as translation of arbitral materials will be provided at no cost to the individual, unless the panel finds that, under the circumstances of the specific arbitration, this would lead to unjustified or disproportionate costs. 7. Materials submitted to arbitrators will be treated confidentially and will only be used in connection with the arbitration. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 8. Individual-specific discovery may be permitted if necessary, and such discovery will be treated confidentially by the parties and will only be used in connection with the arbitration. 9. Arbitrations should be completed within 90 days of the delivery of the Notice to the organization at issue, unless otherwise agreed to by the parties. H. Costs Arbitrators should take reasonable steps to minimize the costs or fees of the arbitrations. Subject to applicable law, the Department of Commerce will facilitate the establishment of a fund, into which Privacy Shield organizations will be required to pay an annual contribution, based in part on the size of the organization, which will cover the arbitral cost, including arbitrator fees, up to maximum amounts (‘‘caps’’), in consultation with the European Commission. The fund will be managed by a third party, which will report regularly on the operations of the fund. At the annual review, the Department of Commerce and European Commission will review the operation of the fund, including the need to adjust the amount of the contributions or of the caps, and will consider, among other things, the number of arbitrations and the costs and timing of the arbitrations, with the mutual understanding that there will be no excessive financial burden imposed on Privacy Shield organizations. Attorney’s fees are not covered by this provision or any fund under this provision. Letter From U.S. Secretary of State John Kerry July 7, 2016 ´ Dear Commissioner Jourova, I am pleased we have reached an understanding on the European UnionUnited States Privacy Shield that will include an Ombudsperson mechanism through which authorities in the EU will be able to submit requests on behalf of EU individuals regarding U.S. signals intelligence practices. On January 17, 2014, President Barack Obama announced important intelligence reforms included in Presidential Policy Directive 28 (PPD–28). Under PPD–28, I designated Under Secretary of State Catherine A. Novelli, who also serves as Senior Coordinator for International Information Technology Diplomacy, as our point of contact for foreign governments that wish to raise concerns regarding U.S. signals intelligence activities. Building on this role, I have established a Privacy Shield Ombudsperson mechanism in accordance with the terms set out in Annex A, which have been updated since my letter of February 22, 2016. I have directed Under Secretary Novelli to perform this function. Under Secretary Novelli is independent from the U.S. intelligence community, and reports directly to me. I have directed my staff to devote the necessary resources to implement this new Ombudsperson mechanism, and am confident it will be an effective means to address EU individuals’ concerns. Sincerely, PO 00000 Frm 00016 Fmt 4701 Sfmt 4703 John F. Kerry Annex A: EU-U.S. Privacy Shield Ombudsperson Mechanism EU-U.S. Privacy Shield Ombudsperson Mechanism Regarding Signals Intelligence In recognition of the importance of the EUU.S. Privacy Shield Framework, this Memorandum sets forth the process for implementing a new mechanism, consistent with Presidential Policy Directive 28 (PPD– 28), regarding signals intelligence.9 On January 17, 2014, President Obama gave a speech announcing important intelligence reforms. In that speech, he pointed out that ‘‘[o]ur efforts help protect not only our nation, but our friends and allies as well. Our efforts will only be effective if ordinary citizens in other countries have confidence that the United States respects their privacy too.’’ President Obama announced the issuance of a new presidential directive—PPD–28—to ‘‘clearly prescribe what we do, and do not do, when it comes to our overseas surveillance.’’ Section 4(d) of PPD–28 directs the Secretary of State to designate a ‘‘Senior Coordinator for International Information Technology Diplomacy’’ (Senior Coordinator) ‘‘to . . . serve as a point of contact for foreign governments who wish to raise concerns regarding signals intelligence activities conducted by the United States.’’ As of January 2015, Under Secretary C. Novelli has served as the Senior Coordinator. This Memorandum describes a new mechanism that the Senior Coordinator will follow to facilitate the processing of requests relating to national security access to data transmitted from the EU to the United States pursuant to the Privacy Shield, standard contractual clauses (SCCs), binding corporate rules (BCRs), ‘‘Derogations,’’ 10 or ‘‘Possible Future Derogations,’’ 11 through established 9 Provided that the Commission Decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield applies to Iceland, Liechtenstein and Norway, the Privacy Shield Package will cover both the European Union, as well as these three countries. Consequently, references to the EU and its Member States will be read as including Iceland, Liechtenstein and Norway. 10 ‘‘Derogations’’ in this context mean a commercial transfer or transfers that take place on the condition that: (a) the data subject has given his consent unambiguously to the proposed transfer; or (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request; or (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or (d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims; or (e) the transfer is necessary in order to protect the vital interests of the data subject; or (f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case. 11 ‘‘Possible Future Derogations’’ in this context mean a commercial transfer or transfers that take E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 avenues under applicable United States laws and policy, and the response to those requests. 1. The Privacy Shield Ombudsperson. The Senior Coordinator will serve as the Privacy Shield Ombudsperson and designate additional State Department officials, as appropriate to assist in her performance of the responsibilities detailed in this memorandum. (Hereinafter, the Coordinator and any officials performing such duties will be referred to as ‘‘Privacy Shield Ombudsperson.’’) The Privacy Shield Ombudsperson will work closely with appropriate officials from other departments and agencies who are responsible for processing requests in accordance with applicable United States law and policy. The Ombudsperson is independent from the Intelligence Community. The Ombudsperson reports directly to the Secretary of State who will ensure that the Ombudsperson carries out its function objectively and free from improper influence that is liable to have an effect on the response to be provided. 2. Effective Coordination. The Privacy Shield Ombudsperson will be able to effectively use and coordinate with the oversight bodies, described below, in order to ensure that the Ombudsperson’s response to requests from the submitting EU individual complaint handing body is based on the necessary information. When the request relates to the compatibility of surveillance with U.S. law, the Privacy Shield Ombudsperson will be able to cooperate with one of the independent oversight bodies with investigatory powers. a. The Privacy Shield Ombudsperson will work closely with other United States Government officials, including appropriate independent oversight bodies, to ensure that completed requests are processed and resolved in accordance with applicable laws and policies. In particular, the Privacy Shield Ombudsperson will be able to coordinate closely with the Office of the Director of National Intelligence, the Department of Justice, and other departments and agencies involved in United States national security as appropriate, and Inspectors General, Freedom of Information Act Officers, and Civil Liberties and Privacy Officers. place on one of the following conditions, to the extent the condition constitutes lawful grounds for transfers of personal data from the EU to the U.S.: (a) The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; or (b) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or (c) in case of a transfer to a third country or an international organization and none of the other derogations or possible future derogations is applicable, only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 b. The United States Government will rely on mechanisms for coordinating and overseeing national security matters across departments and agencies to help ensure that the Privacy Shield Ombudsperson is able to respond within the meaning of Section 4(e) to completed requests under Section 3(b). c. The Privacy Shield Ombudsperson may refer matters related to requests to the Privacy and Civil Liberties Oversight Board for its consideration. 3. Submitting Requests. a. A request will initially be submitted to the supervisory authorities in the Member States competent for the oversight of national security services and/or the processing of personal data by public authorities. The request will be submitted to the Ombudsperson by a EU centralized body (hereafter together: The ‘‘EU individual complaint handling body’’). b. The EU individual complaint handling body will ensure, in compliance with the following actions, that the request is complete: (i) Verifying the identity of the individual, and that the individual is acting on his/her own behalf, and not as a representative of a governmental or intergovernmental organization. (ii) Ensuring the request is made in writing, and that it contains the following basic information: • Any information that forms the basis for the request, • the nature of information or relief sought, • the United States Government entities believed to be involved, if any, and • the other measures pursued to obtain the information or relief requested and the response received through those other measures. (iii) Verifying that the request pertains to data reasonably believed to have been transferred from the EU to the United States pursuant to the Privacy Shield, SCCs, BCRs, Derogations, or Possible Future Derogations. (iv) Making an initial determination that the request is not frivolous, vexatious, or made in bad faith. c. To be completed for purposes of further handling by the Privacy Shield Ombudsperson under this memorandum, the request need not demonstrate that the requester’s data has in fact been accessed by the United States Government through signal intelligence activities. 4. Commitments to Communicate with Submitting EU Individual Complaint Handling Body. a. The Privacy Shield Ombudsperson will acknowledge receipt of the request to the submitting EU individual complaint handling body. b. The Privacy Shield Ombudsperson will conduct an initial review to verify that the request has been completed in conformance with Section 3(b). If the Privacy Shield Ombudsperson notes any deficiencies or has any questions regarding the completion of the request, the Privacy Shield Ombudsperson will seek to address and resolve those concerns with the submitting EU individual complaint handling body. c. If, to facilitate appropriate processing of the request, the Privacy Shield PO 00000 Frm 00017 Fmt 4701 Sfmt 4703 51057 Ombudsperson needs more information about the request, or if specific action is needed to be taken by the individual who originally submitted the request, the Privacy Shield Ombudsperson will so inform the submitting EU individual complaint handling body. d. The Privacy Shield Ombudsperson will track the status of requests and provide updates as appropriate to the submitting EU individual complaint handling body. e. Once a request has been completed as described in Section 3 of this Memorandum, the Privacy Shield Ombudsperson will provide in a timely manner an appropriate response to the submitting EU individual complaint handling body, subject to the continuing obligation to protect information under applicable laws and policies. The Privacy Shield Ombudsperson will provide a response to the submitting EU individual complaint handling body confirming (i) that the complaint has been properly investigated, and (ii) that the U.S. law, statutes, executives orders, presidential directives, and agency policies, providing the limitations and safeguards described in the ODNI letter, have been complied with, or, in the event of noncompliance, such non-compliance has been remedied. The Privacy Shield Ombudsperson will neither confirm nor deny whether the individual has been the target of surveillance nor will the Privacy Shield Ombudsperson confirm the specific remedy that was applied. As further explained in Section 5, FOIA requests will be processed as provided under that statute and applicable regulations. f. The Privacy Shield Ombudsperson will communicate directly with the EU individual complaint handling body, who will in turn be responsible for communicating with the individual submitting the request. If direct communications are part of one of the underlying processes described below, then those communications will take place in accordance with existing procedures. g. Commitments in this Memorandum will not apply to general claims that the EU-U.S. Privacy Shield is inconsistent with European Union data protection requirements. The commitments in this Memorandum are made based on the common understanding by the European Commission and the U.S. government that given the scope of commitments under this mechanism, there may be resource constraints that arise, including with respect to Freedom of Information Act (FOIA) requests. Should the carrying-out of the Privacy Shield Ombudsperson’s functions exceed reasonable resource constraints and impede the fulfillment of these commitments, the U.S. government will discuss with the European Commission any adjustments that may be appropriate to address the situation. 5. Requests for Information. Requests for access to United States Government records may be made and processed under the Freedom of Information Act (FOIA). a. FOIA provides a means for any person to seek access to existing federal agency records, regardless of the nationality of the requester. This statute is codified in the United States Code at 5 U.S.C. 552. The statute, together with additional information about FOIA, is available at www.FOIA.gov E:\FR\FM\02AUN2.SGM 02AUN2 51058 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 and https://www.justice.gov/oip/foiaresources. Each agency has a Chief FOIA Officer, and has provided information on its public Web site about how to submit a FOIA request to the agency. Agencies have processes for consulting with one another on FOIA requests that involve records held by another agency. b. By way of example: (i) The Office of the Director of National Intelligence (ODNI) has established the ODNI FOIA Portal for the ODNI: https:// www.dni.gov/index.php/about-this-site/foia. This portal provides information on submitting a request, checking on the status of an existing request, and accessing information that has been released and published by the ODNI under FOIA. The ODNI FOIA Portal includes links to other FOIA Web sites for IC elements: https:// www.dni.gov/index.php/about-this-site/foia/ other-ic-foia-sites. (ii) The Department of Justice’s Office of Information Policy provides comprehensive information about FOIA: https:// www.justice.gov/oip. This includes not only information about submitting a FOIA request to the Department of Justice, but also provides guidance to the United States government on interpreting and applying FOIA requirements. c. Under FOIA, access to government records is subject to certain enumerated exemptions. These include limits on access to classified national security information, personal information of third parties, and information concerning law enforcement investigations, and are comparable to the limitations imposed by each EU Member State with its own information access law. These limitations apply equally to Americans and non-Americans. d. Disputes over the release of records requested pursuant to FOIA can be appealed administratively and then in federal court. The court is required to make a de novo determination of whether records are properly withheld, 5 U.S.C. 552(a)(4)(B), and can compel the government to provide access to records. In some cases courts have overturned government assertions that information should be withheld as classified. Although no monetary damages are available, courts can award attorney’s fees. 6. Requests for Further Action. A request alleging violation of law or other misconduct will be referred to the appropriate United States Government body, including independent oversight bodies, with the power to investigate the respective request and address non-compliance as described below. a. Inspectors General are statutorily independent; have broad power to conduct investigations, audits and reviews of programs, including of fraud and abuse or violation of law; and can recommend corrective actions. (i) The Inspector General Act of 1978, as amended, statutorily established the Federal Inspectors General (IG) as independent and objective units within most agencies whose duties are to combat waste, fraud, and abuse in the programs and operations of their respective agencies. To this end, each IG is VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 responsible for conducting audits and investigations relating to the programs and operations of its agency. Additionally, IGs provide leadership and coordination and recommend policies for activities designed to promote economy, efficiency, and effectiveness, and prevent and detect fraud and abuse, in agency programs and operations. (ii) Each element of the Intelligence Community has its own Office of the Inspector General with responsibility for oversight of foreign intelligence activities, among other matters. A number of Inspector General reports about intelligence programs have been publicly released. (iii) By way of example: • The Office of the Inspector General of the Intelligence Community (IC IG) was established pursuant to Section 405 of the Intelligence Authorization Act of Fiscal Year 2010. The IC IG is responsible for conducting IC-wide audits, investigations, inspections, and reviews that identify and address systemic risks, vulnerabilities, and deficiencies that cut across IC agency missions, in order to positively impact ICwide economies and efficiencies. The IC IG is authorized to investigate complaints or information concerning allegations of a violation of law, rule, regulation, waste, fraud, abuse of authority, or a substantial or specific danger to public health and safety in connection with ODNI and/or IC intelligence programs and activities. The IC IG provides information on how to contact the IC IG directly to submit a report: https:// www.dni.gov/index.php/about-this-site/ contact-the-ig. • The Office of the Inspector General (OIG) in the U.S. Department of Justice (DOJ) is a statutorily created independent entity whose mission is to detect and deter waste, fraud, abuse, and misconduct in DOJ programs and personnel, and to promote economy and efficiency in those programs. The OIG investigates alleged violations of criminal and civil laws by DOJ employees and also audits and inspects DOJ programs. The OIG has jurisdiction over all complaints of misconduct against Department of Justice employees, including the Federal Bureau of Investigation; Drug Enforcement Administration; Federal Bureau of Prisons; U.S. Marshals Service; Bureau of Alcohol, Tobacco, Firearms, and Explosives; United States Attorneys Offices; and employees who work in other Divisions or Offices in the Department of Justice. (The one exception is that allegations of misconduct by a Department attorney or law enforcement personnel that relate to the exercise of the Department attorney’s authority to investigate, litigate, or provide legal advice are the responsibility of the Department’s Office of Professional Responsibility.) In addition, section 1001 of the USA Patriot Act, signed into law on October 26, 2001, directs the Inspector General to review information and receive complaints alleging abuses of civil rights and civil liberties by Department of Justice employees. The OIG maintains a public Web site—https:// www.oig.justice.gov—which includes a ‘‘Hotline’’ for submitting complaints— https://www.oig.justice.gov/hotline/ index.htm. PO 00000 Frm 00018 Fmt 4701 Sfmt 4703 b. Privacy and Civil Liberties offices and entities in the United States Government also have relevant responsibilities. By way of example: (i) Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007, codified in the United States Code at 42 U.S.C. 2000-ee1, establishes privacy and civil liberties officers at certain departments and agencies (including the Department of State, Department of Justice, and ODNI). Section 803 specifies that these privacy and civil liberties officers will serve as the principal advisor to, among other things, ensure that such department, agency, or element has adequate procedures to address complaints from individuals who allege such department, agency, or element has violated their privacy or civil liberties. (ii) The ODNI’s Civil Liberties and Privacy Office (ODNI CLPO) is led by the ODNI Civil Liberties Protection Officer, a position established by the National Security Act of 1948, as amended. The duties of the ODNI CLPO include ensuring that the policies and procedures of the elements of the Intelligence Community include adequate protections for privacy and civil liberties, and reviewing and investigating complaints alleging abuse or violation of civil liberties and privacy in ODNI programs and activities. The ODNI CLPO provides information to the public on its Web site, including instructions for how to submit a complaint: www.dni.gov/clpo. If the ODNI CLPO receives a privacy or civil liberties complaint involving IC programs and activities, it will coordinate with other IC elements on how that complaint should be further processed within the IC. Note that the National Security Agency (NSA) also has a Civil Liberties and Privacy Office, which provides information about its responsibilities on its Web site—https:// www.nsa.gov/civil_liberties/. If information indicates that an agency is out of compliance with privacy requirements (e.g., a requirement under Section 4 of PPD–28), then agencies have compliance mechanisms to review and remedy the incident. Agencies are required to report compliance incidents under PPD–28 to the ODNI. (iii) The Office of Privacy and Civil Liberties (OPCL) at the Department of Justice supports the duties and responsibilities of the Department’s Chief Privacy and Civil Liberties Officer (CPCLO). The principal mission of OPCL is to protect the privacy and civil liberties of the American people through review, oversight, and coordination of the Department’s privacy operations. OPCL provides legal advice and guidance to Departmental components; ensures the Department’s privacy compliance, including compliance with the Privacy Act of 1974, the privacy provisions of both the E-Government Act of 2002 and the Federal Information Security Management Act, as well as administration policy directives issued in furtherance of those Acts; develops and provides Departmental privacy training; assists the CPCLO in developing Departmental privacy policy; prepares privacy-related reporting to the President and Congress; and reviews the information handling practices of the Department to ensure that such practices are consistent with E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 the protection of privacy and civil liberties. OPCL provides information to the public about its responsibilities at https:// www.justice.gov/opcl. (iv) According to 42 U.S.C. 2000ee et seq., the Privacy and Civil Liberties Oversight Board shall continually review (i) the policies and procedures, as well as their implementation, of the departments, agencies and elements of the executive branch relating to efforts to protect the Nation from terrorism to ensure that privacy and civil liberties are protected, and (ii) other actions by the executive branch relating to such efforts to determine whether such actions appropriately protect privacy and civil liberties and are consistent with governing laws, regulations, and policies regarding privacy and civil liberties. It shall receive and review reports and other information from privacy officers and civil liberties officers and, when appropriate, make recommendations to them regarding their activities. Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007, codified at 42 U.S.C. 2000ee–1, directs the privacy and civil liberties officers of eight federal agencies (including the Secretary of Defense, Secretary of Homeland Security, Director of National Intelligence, and Director of the Central Intelligence Agency), and any additional agency designated by the Board, to submit periodic reports to the PCLOB, including the number, nature, and disposition of the complaints received by the respective agency for alleged violations. The PCLOB’s enabling statute directs the Board to receive these reports and, when appropriate, make recommendations to the privacy and civil liberties officers regarding their activities. Letter From Federal Trade Commission Chairwoman Edith Ramirez July 7, 2016 VIA EMAIL ˇ ´ Vera Jourova, Commissioner for Justice, Consumers and Gender Equality, European Commission, Rue de la Loi/Wetstraat 200, 1049 Brussels, Belgium ´ Dear Commissioner Jourova: The United States Federal Trade Commission (‘‘FTC’’) appreciates the opportunity to describe its enforcement of the new EU-U.S. Privacy Shield Framework (the ‘‘Privacy Shield Framework’’ or ‘‘Framework’’). We believe the Framework will play a critical role in facilitating privacyprotective commercial transactions in an increasingly interconnected world. It will enable businesses to conduct important operations in the global economy, while at the same time ensuring that EU consumers retain important privacy protections. The FTC has long committed to protecting privacy across borders and will make enforcement of the new Framework a high priority. Below, we explain the FTC’s history of strong privacy enforcement generally, including our enforcement of the original Safe Harbor program, as well as the FTC’s approach to enforcement of the new Framework. The FTC first publicly expressed its commitment to enforce the Safe Harbor program in 2000. At that time, then-FTC VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 Chairman Robert Pitofsky sent the European Commission a letter outlining the FTC’s pledge to vigorously enforce the Safe Harbor Privacy Principles. The FTC has continued to uphold this commitment through nearly 40 enforcement actions, numerous additional investigations, and cooperation with individual European data protection authorities (‘‘EU DPAs’’) on matters of mutual interest. After the European Commission raised concerns in November 2013 about the administration and enforcement of the Safe Harbor program, we and the U.S. Department of Commerce began consultations with officials from the European Commission to explore ways to strengthen it. While those consultations were proceeding, on October 6, 2015, the European Court of Justice issued a decision in the Schrems case that, among other things, invalidated the European Commission’s decision on the adequacy of the Safe Harbor program. Following the decision, we continued to work closely with the Department of Commerce and the European Commission in an effort to strengthen the privacy protections provided to EU individuals. The Privacy Shield Framework is a result of these ongoing consultations. As was the case with the Safe Harbor program, the FTC hereby commits to vigorous enforcement of the new Framework. This letter memorializes that commitment. Notably, we affirm our commitment in four key areas: (1) Referral prioritization and investigations; (2) addressing false or deceptive Privacy Shield membership claims; (3) continued order monitoring; and (4) enhanced engagement and enforcement cooperation with EU DPAs. We provide below detailed information about each of these commitments and relevant background about the FTC’s role in protecting consumer privacy and enforcing Safe Harbor, as well as the broader privacy landscape in the United States.12 I. Background A. FTC Privacy Enforcement and Policy Work The FTC has broad civil enforcement authority to promote consumer protection and competition in the commercial sphere. As part of its consumer protection mandate, the FTC enforces a wide range of laws to protect the privacy and security of consumer data. The primary law enforced by the FTC, the FTC Act, prohibits ‘‘unfair’’ and ‘‘deceptive’’ acts or practices in or affecting commerce.13 A representation, omission, or practice is deceptive if it is material and likely to mislead consumers acting reasonably under the circumstances.14 An act or practice is unfair if it causes, or is likely to cause, substantial injury that is not reasonably avoidable by consumers or 12 We provide additional information about U.S. federal and state privacy laws in Attachment A. In addition, a summary of our recent privacy and security enforcement actions is available on the FTC’s Web site at https://www.ftc.gov/reports/ privacy-data-security-update-2015. 13 15 U.S.C. 45(a). 14 See FTC Policy Statement on Deception, appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984), available at https://www.ftc.gov/publicstatements/1983/10/ftc-policy-statement-deception. PO 00000 Frm 00019 Fmt 4701 Sfmt 4703 51059 outweighed by countervailing benefits to consumers or competition.15 The FTC also enforces targeted statutes that protect information relating to health, credit and other financial matters, as well as children’s online information, and has issued regulations implementing each of these statutes. The FTC’s jurisdiction under the FTC Act applies to matters ‘‘in or affecting commerce.’’ The FTC does not have jurisdiction over criminal law enforcement or national security matters. Nor can the FTC reach most other governmental actions. In addition, there are exceptions to the FTC’s jurisdiction over commercial activities, including with respect to banks, airlines, the business of insurance, and the common carrier activities of telecommunications service providers. The FTC also does not have jurisdiction over most non-profit organizations, but it does have jurisdiction over sham charities or other non-profits that in actuality operate for profit. The FTC also has jurisdiction over non-profit organizations that operate for the profit of their for-profit members, including by providing substantial economic benefits to those members.16 In some instances, the FTC’s jurisdiction is concurrent with that of other law enforcement agencies. We have developed strong working relationships with federal and state authorities and work closely with them to coordinate investigations or make referrals where appropriate. Enforcement is the lynchpin of the FTC’s approach to privacy protection. To date, the FTC has brought over 500 cases protecting the privacy and security of consumer information. This body of cases covers both offline and online information and includes enforcement actions against companies large and small, alleging that they failed to properly dispose of sensitive consumer data, failed to secure consumers’ personal information, deceptively tracked consumers online, spammed consumers, installed spyware or other malware on consumers’ computers, violated Do Not Call and other telemarketing rules, and improperly collected and shared consumer information on mobile devices. The FTC’s enforcement actions—in both the physical and digital worlds—send an important message to companies about the need to protect consumer privacy. The FTC has also pursued numerous policy initiatives aimed at enhancing consumer privacy that inform its enforcement work. The FTC has hosted workshops and issued reports recommending best practices aimed at improving privacy in the mobile ecosystem; increasing transparency of the data broker industry; maximizing the benefits of big data while mitigating its risks, particularly for lowincome and underserved consumers; and highlighting the privacy and security 15 See 15 U.S.C 45(n); FTC Policy Statement on Unfairness, appended to Int’l Harvester Co., 104 F.T.C. 949, 1070 (1984), available at https://www. ftc.gov/public-statements/1980/12/ftc-policystatement-unfairness. 16 See California Dental Ass’n v. FTC, 526 U.S. 756 (1999). E:\FR\FM\02AUN2.SGM 02AUN2 51060 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices implications of facial recognition and the Internet of Things, among other areas. The FTC also engages in consumer and business education to enhance the impact of its enforcement and policy development initiatives. The FTC has used a variety of tools— publications, online resources, workshops, and social media—to provide educational materials on a wide range of topics, including mobile apps, children’s privacy, and data security. Most recently, the Commission launched its ‘‘Start With Security’’ initiative, which includes new guidance for businesses drawing on lessons learned from the agency’s data security cases, as well as a series of workshops across the country. In addition, the FTC has long been a leader in educating consumers about basic computer security. Last year, our OnGuard Online site and its Spanish language ´ counterpart, Alerta en Lınea, had more than 5 million page views. B. U.S. Legal Protections Benefiting EU Consumers The Framework will operate in the context of the larger U.S. privacy landscape, which protects EU consumers in a number of ways. The FTC Act’s prohibition on unfair or deceptive acts or practices is not limited to protecting U.S. consumers from U.S. companies, as it includes those practices that (1) cause or are likely to cause reasonably foreseeable injury in the United States, or (2) involve material conduct in the United States. Further, the FTC can use all remedies, including restitution, that are available to protect domestic consumers when protecting foreign consumers. Indeed, the FTC’s enforcement work significantly benefits both U.S. and foreign consumers. For example, our cases enforcing Section 5 of the FTC Act have protected the privacy of U.S. and foreign consumers alike. In a case against an information broker, Accusearch, the FTC alleged that the company’s sale of confidential telephone records to third parties without consumers’ knowledge or consent was an unfair practice in violation of Section 5 of the FTC Act. Accusearch sold information relating to both U.S. and foreign consumers.17 The court granted injunctive relief against Accusearch prohibiting, among other things, the marketing or sale of consumers’ personal information without written consent, unless it was lawfully obtained from publicly available information, and ordered disgorgement of almost $200,000.18 The FTC’s settlement with TRUSTe is another example. It ensures that consumers, including those in the European Union, can rely on representations that a global selfregulatory organization makes about its mstockstill on DSK3G9T082PROD with NOTICES2 17 See Office of the Privacy Commissioner of Canada, Complaint under PIPEDA against Accusearch, Inc., doing business as Abika.com, https://www.priv.gc.ca/cf-dc/2009/ 20090090731e.asp. The Office of the Privacy Commissioner of Canada filed an amicus curiae brief in the appeal of the FTC action and conducted its own investigation, concluding that Accusearch’s practices also violated Canadian law. 18 See FTC v. Accusearch, Inc., No. 06CV015D (D. Wyo. Dec. 20, 2007), aff’d 570 F.3d 1187 (10th Cir. 2009). VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 review and certification of domestic and foreign online services.19 Importantly, our action against TRUSTe also strengthens the privacy self-regulatory system more broadly by ensuring the accountability of entities that play an important role in self-regulatory schemes, including cross-border privacy frameworks. The FTC also enforces other targeted laws whose protections extend to non-U.S. consumers, such as the Children’s Online Privacy Protection Act (‘‘COPPA’’). Among other things, COPPA requires that operators of child-directed Web sites and online services, or general audience sites that knowingly collect personal information from children under the age of 13, provide parental notice and obtain verifiable parental consent. U.S.-based Web sites and services that are subject to COPPA and collect personal information from foreign children are required to comply with COPPA. Foreignbased Web sites and online services must also comply with COPPA if they are directed to children in the United States, or if they knowingly collect personal information from children in the United States. In addition to the U.S. federal laws enforced by the FTC, certain other federal and state consumer protection and privacy laws may provide additional benefits to EU consumers. C. Safe Harbor Enforcement As part of its privacy and security enforcement program, the FTC has also sought to protect EU consumers by bringing enforcement actions that involved Safe Harbor violations. The FTC has brought 39 Safe Harbor enforcement actions: 36 alleging false certification claims, and three cases— against Google, Facebook, and Myspace— involving alleged violations of Safe Harbor Privacy Principles.20 These cases demonstrate the enforceability of certifications and the repercussions for noncompliance. Twenty-year consent orders require Google, Facebook, and Myspace to implement comprehensive privacy programs that must be reasonably designed to address privacy risks related to the development and management of new and existing products and services and to protect the privacy and confidentiality of personal information. The comprehensive privacy programs mandated under these orders must identify foreseeable material risks and have controls to address those risks. The companies must also submit to ongoing, independent assessments of their privacy programs, which must be provided to 19 See In the Matter of True Ultimate Standards Everywhere, Inc., No. C–4512 (F.T.C. Mar. 12, 2015) (decision and order), available at https:// wwwftc.gov/system/files/documents/cases/ 150318trust-edo.pdf. 20 See In the Matter of Google, Inc., No. C–4336 (F.T.C. Oct. 13 2011) (decision and order), available at https://wwwftc.gov/news-events/press-releases/ 2011/03/ftc-charges-deceptive-privacy-practicesgoogles-rollout-its- buzz; In the Matter of Facebook, Inc., No. C–4365 (F.T.C. July 27, 2012) (decision and order), available at https://wwwftc.gov/newsevents/press-releases/2012/08/ftc-approves-finalsettlement-facebook; In the Matter of Myspace LLC, No. C–4369 (F.T.C. Aug. 30, 2012) (decision and order), available at https://www.ftc.gov/newsevents/press-releases/2012/09/ftc-finalizes-privacysettlement-myspace. PO 00000 Frm 00020 Fmt 4701 Sfmt 4703 the FTC. The orders also prohibit these companies from misrepresenting their privacy practices and their participation in any privacy or security program. This prohibition would also apply to companies’ acts and practices under the new Privacy Shield Framework. The FTC can enforce these orders by seeking civil penalties. In fact, Google paid a record $22.5 million civil penalty in 2012 to resolve allegations it had violated its order. Consequently, these FTC orders help protect over a billion consumers worldwide, hundreds of millions of whom reside in Europe. The FTC’s cases have also focused on false, deceptive, or misleading claims of Safe Harbor participation. The FTC takes these claims seriously. For example, in FTC v. Karnani, the FTC brought an action in 2011 against an Internet marketer in the United States alleging that he and his company tricked British consumers into believing that the company was based in the United Kingdom, including by using .uk web extensions and referencing British currency and the UK postal system.21 However, when consumers received the products, they discovered unexpected import duties, warranties that were not valid in the United Kingdom, and charges associated with obtaining refunds. The FTC also charged that the defendants deceived consumers about their participation in the Safe Harbor program. Notably, all of the consumer victims were in the United Kingdom. Many of our other Safe Harbor enforcement cases involved organizations that joined the Safe Harbor program but failed to renew their annual certification while they continued to represent themselves as current members. As discussed further below, the FTC also commits to addressing false claims of participation in the Privacy Shield Framework. This strategic enforcement activity will complement the Department of Commerce’s increased actions to verify compliance with program requirements for certification and re-certification, its monitoring of effective compliance, including through the use of questionnaires to Framework participants, and its increased efforts to identify false Framework membership claims and misuse of any Framework certification mark.22 II. Referral Prioritization and Investigations As we did under the Safe Harbor program, the FTC commits to give priority to Privacy Shield referrals from EU Member States. We will also prioritize referrals of noncompliance with self-regulatory guidelines relating to the Privacy Shield Framework from privacy self- regulatory organizations 21 See FTC v. Karnani, No. 2:09-cv-05276 (C.D. Cal. May 20, 2011) (stipulated final order), available at https://www.ftc.gov/sites/default/files/ documents/cases/2011/06/110609karnanistip.pdf; see also Lesley Fair, FTC Business Center Blog, Around the World in Shady Ways, https:// www.business.ftc.gov/blog/2011/06/around-worldshady-ways (June 9, 2011). 22 Letter from Ken Hyatt, Acting Under Secretary of Commerce for International Trade, International ˇ ´ Trade Administration, to Vera Jourova, Commissioner for Justice, Consumers and Gender Equality. E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 and other independent dispute resolution bodies. To facilitate referrals under the Framework from EU Member States, the FTC is creating a standardized referral process and providing guidance to EU Member States on the type of information that would best assist the FTC in its inquiry into a referral. As part of this effort, the FTC will designate an agency point of contact for EU Member State referrals. It is most useful when the referring authority has conducted a preliminary inquiry into the alleged violation and can cooperate with the FTC in an investigation. Upon receipt of a referral from an EU Member State or self-regulatory organization, the FTC can take a range of actions to address the issues raised. For example, we may review the company’s privacy policies, obtain further information directly from the company or from third parties, follow up with the referring entity, assess whether there is a pattern of violations or significant number of consumers affected, determine whether the referral implicates issues within the purview of the Department of Commerce, assess whether consumer and business education would be helpful, and, as appropriate, initiate an enforcement proceeding. The FTC also commits to exchange information on referrals with referring enforcement authorities, including the status of referrals, subject to confidentiality laws and restrictions. To the extent feasible given the number and type of referrals received, the information provided will include an evaluation of the referred matters, including a description of significant issues raised and any action taken to address law violations within the jurisdiction of the FTC. The FTC will also provide feedback to the referring authority on the types of referrals received in order to increase the effectiveness of efforts to address unlawful conduct. If a referring enforcement authority seeks information about the status of a particular referral for purposes of pursuing its own enforcement proceeding, the FTC will respond, taking into account the number of referrals under consideration and subject to confidentiality and other legal requirements. The FTC will also work closely with EU DPAs to provide enforcement assistance. In appropriate cases, this could include information sharing and investigative assistance pursuant to the U.S. SAFE WEB Act, which authorizes FTC assistance to foreign law enforcement agencies when the foreign agency is enforcing laws prohibiting practices that are substantially similar to those prohibited by laws the FTC enforces.23 As part of this assistance, the FTC can share information obtained in connection with an 23 In determining whether to exercise its U.S. SAFE WEB Act authority, the FTC considers, inter alia: ‘‘(A) whether the requesting agency has agreed to provide or will provide reciprocal assistance to the Commission; (B) whether compliance with the request would prejudice the public interest of the United States; and (C) whether the requesting agency’s investigation or enforcement proceeding concerns acts or practices that cause or are likely to cause injury to a significant number of persons.’’ 15 U.S.C. 46(j)(3). This authority does not apply to enforcement of competition laws. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 FTC investigation, issue compulsory process on behalf of the EU DPA conducting its own investigation, and seek oral testimony from witnesses or defendants in connection with the DPA’s enforcement proceeding, subject to the requirements of the U.S. SAFE WEB Act. The FTC regularly uses this authority to assist other authorities around the world in privacy and consumer protection cases.24 In addition to prioritizing Privacy Shield referrals from EU Member States and privacy self-regulatory organizations,25 the FTC commits to investigating possible Framework violations on its own initiative where appropriate using a range of tools. For well over a decade, the FTC has maintained a robust program of investigating privacy and security issues involving commercial organizations. As part of these investigations, the FTC routinely examined whether the entity at issue was making Safe Harbor representations. If the entity was making such representations and the investigation revealed apparent violations of the Safe Harbor Privacy Principles, the FTC included allegations of Safe Harbor violations in its enforcement actions. We will continue this proactive approach under the new Framework. Importantly, the FTC conducts many more investigations than ultimately result in public enforcement actions. Many FTC investigations are closed because staff does not identify an apparent law violation. Because FTC investigations are non-public and confidential, the closing of an investigation is often not made public. The nearly 40 enforcement actions initiated by the FTC involving the Safe Harbor program evidence the agency’s commitment to proactive enforcement of cross-border privacy programs. The FTC will look for potential Framework violations as part of the privacy and security investigations we undertake on a regular basis. III. Addressing False or Deceptive Privacy Shield Membership Claims As referenced above, the FTC will take action against entities that misrepresent their participation in the Framework. The FTC will give priority consideration to referrals from the Department of Commerce regarding organizations that it identifies as improperly holding themselves out to be current members of the Framework or using any 24 In fiscal years 2012–2015, for example, the FTC used its U.S. SAFE WEB Act authority to share information in response to almost 60 requests from foreign agencies and it issued nearly 60 civil investigative demands (equivalent to administrative subpoenas) to aid 25 foreign investigations. 25 Although the FTC does not resolve or mediate individual consumer complaints, the FTC affirms that it will prioritize Privacy Shield referrals from EU DPAs. In addition, the FTC uses complaints in its Consumer Sentinel database, which is accessible by many other law enforcement agencies, to identify trends, determine enforcement priorities, and identify potential investigative targets. EU individuals can use the same complaint system available to U.S. citizens to submit a complaint to the FTC at www.ftc.gov/complaint. For individual Privacy Shield complaints, however, it may be most useful for EU individuals to submit complaints to their Member State DPA or alternative dispute resolution provider. PO 00000 Frm 00021 Fmt 4701 Sfmt 4703 51061 Framework certification mark without authorization. In addition, we note that if an organization’s privacy policy promises that it complies with the Privacy Shield Principles, its failure to make or maintain a registration with the Department of Commerce likely will not, by itself, excuse the organization from FTC enforcement of those Framework commitments. IV. Order Monitoring The FTC also affirms its commitment to monitor enforcement orders to ensure compliance with the Privacy Shield Framework. We will require compliance with the Framework through a variety of appropriate injunctive provisions in future FTC Framework orders. This includes prohibiting misrepresentations regarding the Framework and other privacy programs when these are the basis for the underlying FTC action. The FTC’s cases enforcing the original Safe Harbor program are instructive. In the 36 cases involving false or deceptive claims of Safe Harbor certification, each order prohibits the defendant from misrepresenting its participation in Safe Harbor or any other privacy or security program and requires the company to make compliance reports available to the FTC. In cases that involved violations of Safe Harbor Privacy Principles, companies have been required to implement comprehensive privacy programs and obtain independent third-party assessments of those programs every other year for twenty years, which they must provide to the FTC. Violations of the FTC’s administrative orders can lead to civil penalties of up to $16,000 per violation, or $16,000 per day for a continuing violation,26 which, in the case of practices affecting many consumers, can amount to millions of dollars. Each consent order also has reporting and compliance provisions. The entities under order must retain documents demonstrating their compliance for a specified number of years. The orders must also be disseminated to employees responsible for ensuring order compliance. The FTC systematically monitors compliance with Safe Harbor orders, as it does with all of its orders. The FTC takes enforcement of its privacy and data security orders seriously and brings actions to enforce them when necessary. For example, as noted above, Google paid a $22.5 million civil penalty to resolve allegations it had violated its FTC order. Importantly, FTC orders will continue to protect all consumers worldwide who interact with a business, not just those consumers who have lodged complaints. Finally, the FTC will continue to maintain an online list of companies subject to orders obtained in connection with enforcement of both the Safe Harbor program and the new Privacy Shield Framework.27 In addition, the Privacy Shield Principles now require companies subject to an FTC or court order based on non-compliance with the Principles 26 15 U.S.C. 45(m); 16 CFR 1.98. FTC, Business Center, Legal Resources, https://www.ftc.gov/tips-advice/business-center/ legal- resources?type=case&field consumer protection topics tid=251. 27 See E:\FR\FM\02AUN2.SGM 02AUN2 51062 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices to make public any relevant Frameworkrelated sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality laws and rules. V. Engagement With EU DPAs and Enforcement Cooperation The FTC recognizes the important role that EU DPAs play with respect to Framework compliance and encourages increased consultation and enforcement cooperation. In addition to any consultation with referring DPAs on case-specific matters, the FTC commits to participate in periodic meetings with designated representatives of the Article 29 Working Party to discuss in general terms how to improve enforcement cooperation with respect to the Framework. The FTC will also participate, along with the Department of Commerce, the European Commission, and Article 29 Working Party representatives, in the annual review of the Framework to discuss its implementation. The FTC also encourages the development of tools that will enhance enforcement cooperation with EU DPAs, as well as other privacy enforcement authorities around the world. In particular, the FTC, along with enforcement partners in the European Union and around the globe, last year launched an alert system within the Global Privacy Enforcement Network (‘‘GPEN’’) to share information about investigations and promote enforcement coordination. This GPEN Alert tool could be particularly useful in the context of the Privacy Shield Framework. The FTC and EU DPAs could use it to coordinate with respect to the Framework and other privacy investigations, including as a starting point for sharing information in order to deliver coordinated and more effective privacy protection for consumers. We look forward to continuing to work with participating EU authorities to deploy the GPEN Alert system more broadly and develop other tools to improve enforcement cooperation in privacy cases, including those involving the Framework. * * * The FTC is pleased to affirm its commitment to enforcing the new Privacy Shield Framework. We also look forward to continuing engagement with our EU colleagues as we work together to protect consumer privacy on both sides of the Atlantic. Sincerely, Edith Ramirez, Chairwoman mstockstill on DSK3G9T082PROD with NOTICES2 Attachment A The EU-U.S. Privacy Shield Framework in Context: An Overview of the U.S. Privacy and Security Landscape The protections provided by the EU-U.S. Privacy Shield Framework (the ‘‘Framework’’) exist in the context of the broader privacy protections afforded under the U.S. legal system as a whole. First, the U.S. Federal Trade Commission (‘‘FTC’’) has a robust privacy and data security program for U.S. commercial practices that protects consumers worldwide. Second, the landscape of consumer privacy and security protection in the United States has evolved VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 substantially since 2000 when the original U.S.-EU Safe Harbor program was adopted. Since that time, many federal and state privacy and security laws have been enacted, and public and private litigation to enforce privacy rights has increased significantly. The broad scope of U.S. legal protections for consumer privacy and security applicable to commercial data practices complements the protections provided to EU individuals by the new Framework. I. The FTC’s General Privacy and Security Enforcement Program The FTC is the leading U.S. consumer protection agency focused on commercial sector privacy. The FTC has authority to prosecute unfair and deceptive acts or practices that violate consumer privacy, as well as to enforce more targeted privacy laws that protect certain financial and health information, information about children, and information used to make certain eligibility decisions about consumers. The FTC has unparalleled experience in consumer privacy enforcement. The FTC’s enforcement actions have addressed unlawful practices in offline and online environments. For example, the FTC has brought enforcement actions against wellknown companies, such as Google, Facebook, Twitter, Microsoft, Wyndham, Oracle, HTC, and Snapchat, as well as lesser-known companies. The FTC has sued businesses that allegedly spammed consumers, installed spyware on computers, failed to secure consumers’ personal information, deceptively tracked consumers online, violated children’s privacy, unlawfully collected information on consumers’ mobile devices, and failed to secure Internetconnected devices used to store personal information. The resulting orders have typically provided for ongoing monitoring by the FTC for a period of twenty years, prohibited further law violations, and subjected the businesses to substantial financial penalties for order violations.1 Importantly, FTC orders do not just protect the individuals who may have complained about a problem; rather, they protect all consumers dealing with the business going forward. In the cross-border context, the FTC has jurisdiction to protect consumers worldwide from practices taking place in the United States.2 To date, the FTC has brought over 130 spam and spyware cases, over 120 ‘‘Do Not Call’’ telemarketing cases, over 100 Fair Credit Reporting Act actions, almost 60 data security cases, more than 50 general privacy actions, almost 30 cases for violations of the Gramm-Leach-Bliley Act, and over 20 actions enforcing the Children’s Online Privacy 1 Any entity that fails to comply with an FTC order is subject to a civil penalty of up to $16,000 per violation, or $16,000 per day for a continuing violation. See 15 U.S.C. 45(l); 16 CFR 1.98(c). 2 Congress has expressly affirmed the FTC’s authority to seek legal remedies, including restitution, for any acts or practices involving foreign commerce that (1) cause or are likely to cause reasonably foreseeable injury in the United States, or (2) involve material conduct occurring within the United States. See 15 U.S.C. 45(a)(4). PO 00000 Frm 00022 Fmt 4701 Sfmt 4703 Protection Act (‘‘COPPA’’).3 In addition to these cases, the FTC has also issued and publicized warning letters.4 As part of its history of strong privacy enforcement, the FTC has also regularly looked for potential violations of the Safe Harbor program. Since the Safe Harbor program was adopted, the FTC has undertaken numerous investigations into Safe Harbor compliance on its own initiative and has brought 39 cases against U.S. companies for Safe Harbor violations. The FTC will continue this proactive approach by making enforcement of the new Framework a priority. II. Federal and State Protections for Consumer Privacy The Safe Harbor Enforcement Overview, which appears as an annex to the European Commission’s Safe Harbor adequacy decision, provides a summary of many of the federal and state privacy laws in place at the time the Safe Harbor program was adopted in 2000.5 At that time, many federal statutes regulated the commercial collection and use of personal information, beyond Section 5 of the FTC Act, including: the Cable Communications Policy Act, the Driver’s Privacy Protection Act, the Electronic Communications Privacy Act, the Electronic Funds Transfer Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Right to Financial Privacy Act, the Telephone Consumer Protection Act, and the Video Privacy Protection Act. Many states had analogous laws in these areas as well. Since 2000, there have been numerous developments at both the federal and state level that provide additional consumer privacy protections.6 At the federal level, for example, the FTC amended the COPPA Rule in 2013 to provide a number of additional protections for children’s personal information. The FTC also issued two rules implementing the Gramm-Leach-Bliley Act— the Privacy Rule and the Safeguards Rule— 3 In some instances, the Commission’s privacy and data security cases allege that a company engaged in both deceptive and unfair practices; these cases also sometimes involve alleged violations of multiple statues, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and COPPA. 4 See, e.g., Press Release, Fed. Trade Comm’n, FTC Warns Children’s App Maker BabyBus About Potential COPPA Violations (Dec. 22, 2014), https:// www.ftc.gov/news-events/press-releases/2014/12/ ftc-warns-childrens-app-maker-babybus-aboutpotential-coppa; Press Release, Fed. Trade Comm’n, FTC Warns Data Broker Operations of Possible Privacy Violations (May 7, 2013), https:// www.ftc.gov/news-events/press-releases/2013/05/ ftc-warns-data-broker-operations-possible-privacyviolations; Press Release, Fed. Trade Comm’n, FTC Warns Data Brokers That Provide Tenant Rental Histories They May Be Subject to Fair Credit Reporting Act (Apr. 3, 2013), https://www.ftc.gov/ news-events/press-releases/2013/04/ftc-warns-databrokers-provide-tenant-rental-histories-they-may. 5 See U.S. Dep’t of Commerce, Safe Harbor Enforcement Overview, https://build.export.gov/ main/safeharbor/eu/eg main 018481. 6 For a more comprehensive summary of the legal protections in the United States, see Daniel J. Solove & Paul Schwartz, Information Privacy Law (5th ed. 2015). E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 which require financial institutions 7 to make disclosures about their information sharing practices and to implement a comprehensive information security program to protect consumer information.8 Similarly, the Fair and Accurate Credit Transactions Act (‘‘FACTA’’), enacted in 2003, supplements longstanding U.S. credit laws to establish requirements for the masking, sharing, and disposal of certain sensitive financial data. The FTC promulgated a number of rules under FACTA regarding, among other things, consumers’ right to a free annual credit report; secure disposal requirements for consumer report information; consumers’ right to opt out of receiving certain offers of credit and insurance; consumers’ right to opt out of the use of information provided by an affiliated company to market its products and services; and requirements for financial institutions and creditors to implement identity theft detection and prevention programs.9 In addition, rules promulgated under the Health Insurance Portability and Accountability Act were revised in 2013, adding additional safeguards to protect the privacy and security of personal health information.10 Rules protecting consumers from unwanted telemarketing calls, robocalls, and spam have also gone into effect. Congress has also enacted laws requiring certain companies that collect health information to provide consumers with notification in the event of a breach.11 States have also been very active in passing laws related to privacy and security. Since 2000, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted laws requiring businesses to notify individuals of security breaches of personal information.12 At least thirty-two states and Puerto Rico have data 7 Financial institutions are defined very broadly under the Gramm-Leach-Bliley Act to include all businesses that are ‘‘significantly engaged’’ in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, and professional tax preparers. 8 Under the Consumer Financial Protection Act of 2010 (‘‘CFPA’’), Title X of Pub. L. 111–203, 124 Stat. 1955 (July 21, 2010) (also known as the ‘‘DoddFrank Wall Street Reform and Consumer Protection Act’’), most of the FTC’s Gramm-Leach-Bliley Act rulemaking authority was transferred to the Consumer Financial Protection Bureau (‘‘CFPB’’). The FTC retains enforcement authority under the Gramm-Leach-Bliley Act as well as rulemaking authority for the Safeguards Rule and limited rulemaking authority under the Privacy Rule with respect to auto dealers. 9 Under the CFPA, the Commission shares its FCRA enforcement role with the CFPB, but rulemaking authority transferred in large part to the CFPB (with the exception of the Red Flags and Disposal Rules). 10 See 45 CFR parts 160, 162, and 164. 11 See e.g., American Recovery & Reinvestment Act of 2009, Pub. L. No. 111–5, 123 Stat. 115 (2009) and relevant regulations, 45 CFR 16.404–164.414; 16 CFR part 318. 12 See, e.g., National Conference of State Legislatures (‘‘NCSL’’), State Security Breach Notification Laws (Jan. 4, 2016), available at https:// www.ncsl.org/research/telecommunications-andinformation-technology/security-breachnotification-laws.aspx. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 disposal laws, establishing requirements for the destruction or disposal of personal information.13 A number of states also have enacted general data security laws. In addition, California has enacted various privacy laws, including a law requiring companies to have privacy policies and disclose their Do Not Track practices,14 a ‘‘Shine the Light’’ law requiring greater transparency for data brokers,15 and a law that mandates an ‘‘eraser button’’ allowing minors to request the deletion of certain social media information.16 Using these laws and other authorities, federal and state governments have levied significant fines against companies that have failed to protect the privacy and security of consumers’ personal information.17 Private lawsuits have also led to successful judgments and settlements that provide additional privacy and data security protection for consumers. For example, in 2015, Target agreed to pay $10 million as part of a settlement with customers who claimed their personal financial information was compromised by a widespread data breach. In 2013, AOL agreed to pay a $5 million settlement to resolve a class action involving alleged inadequate de-identification related to the release of search queries of hundreds of thousands of AOL members. Additionally, a federal court approved a $9 million payment by Netflix for allegedly keeping rental history records in violation of the Video Privacy Protection Act of 1988. Federal courts in California approved two separate settlements with Facebook, one for $20 million and another for $9.5 million, involving the company’s collection, use, and sharing of its users’ personal information. And, in 2008, a California state court approved a $20 million settlement with LensCrafters for unlawful disclosure of consumers’ medical information. In sum, as this summary illustrates, the United States provides significant legal protection for consumer privacy and security. The new Privacy Shield Framework, which ensures meaningful safeguards for EU individuals, will operate against this larger backdrop in which the protection of consumers’ privacy and security continues to be an important priority. Letter From U.S. Secretary of Transportation Anthony Foxx February 19, 2016 ´ Commissioner Vera Jourova European Commission Rue de la LoiI Wetstraat 200 1 049 l 049 Brussels 13 NCSL, Data Disposal Laws (Jan. 12, 2016), available at https://www.ncsl.org/research/ telecommunications-and-information-technology/ data-disposal-laws.aspx. 14 Cal. Bus. & Professional Code sections 22575– 22579. 15 Cal. Civ. Code sections 1798.80–1798.84. 16 Cal. Bus. & Professional Code sections 22580– 22582. 17 See Jay Cline, U.S. Takes the Gold in Doling Out Privacy Fines, Computerworld (Feb. 17, 2014), available at https://www.computerworld.com/s/ article/9246393/Jay Cline U.S. takes the gold in doling out privac y fines?taxonomyId=17&pageNumber=1. PO 00000 Frm 00023 Fmt 4701 Sfmt 4703 51063 Belgium Re: EU-U.S. Privacy Shield Framework ´ Dear Commissioner Jourova: The United States Department of Transportation (‘‘Department’’ or ‘‘DOT’’) appreciates the opportunity to describe its role in enforcing the EU-U.S. Privacy Shield Framework. This Framework plays a critical role in protecting personal data provided during commercial transactions in an increasingly interconnected world. It enables businesses to conduct important operations in the global economy, while at the same time ensuring that EU consumers retain important privacy protections. The DOT first publicly expressed its commitment to enforcement of the Safe Harbor Framework in a letter sent to the European Commission over 15 years ago. The DOT pledged to vigorously enforce the Safe Harbor Privacy Principles in that letter. The DOT continues to uphold this commitment and this letter memorializes that commitment. Notably, the DOT renews its commitment in the following key areas: (1) Prioritization of investigation of alleged Privacy Shield violations; (2) appropriate enforcement action against entities making false or deceptive Privacy Shield certification claims; and (3) monitoring and making public enforcement orders concerning Privacy Shield violations. We provide information about each of these commitments and, for necessary context, pertinent background about the DOT’s role in protecting consumer privacy and enforcing the Privacy Shield Framework. I. Background A. DOT’s Privacy Authority The Department is strongly committed to ensuring the privacy of information provided by consumers to airlines and ticket agents. The DOT’s authority to take action in this area is found in 49 U.S.C. 41712, which prohibits a carrier or ticket agent from engaging in ‘‘an unfair or deceptive practice or an unfair method of competition’’ in the sale of air transportation that results or is likely to result in consumer harm. Section 41712 is patterned after Section 5 of the Federal Trade Commission (FTC) Act (15 U.S.C. 45). We interpret our unfair or deceptive practice statute as prohibiting an airline or ticket agent from: (1) Violating the terms of its privacy policy; or (2) gathering or disclosing private information in a way that violates public policy, is immoral, or causes substantial consumer injury not offset by any countervailing benefits. We also interpret section 41712 as prohibiting carriers and ticket agents from: (l) violating any rule issued by the Department that identifies specific privacy practices as unfair or deceptive; or (2) violating the Children’s Online Privacy Protection Act (COPPA) or FTC rules implementing COPPA. Under federal law, the DOT has exclusive authority to regulate the privacy practices of airlines, and it shares jurisdiction with the FTC with respect to the privacy practices of ticket agents in the sale of air transportation. As such, once a carrier or seller of air transportation publicly commits to the E:\FR\FM\02AUN2.SGM 02AUN2 51064 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices Privacy Shield Framework’s privacy principles the Department is able to use the statutory powers of section 41712 to ensure compliance with those principles. Therefore, once a passenger provides information to a carrier or ticket agent that has committed to honoring the Privacy Shield Framework’s privacy principles, any failure to do so by the carrier or ticket agent would be a violation of section 41712. mstockstill on DSK3G9T082PROD with NOTICES2 B. Enforcement Practices The Department’s Office of Aviation Enforcement and Proceedings (Aviation Enforcement Office) investigates and prosecutes cases under 49 U.S.C. 41712. It enforces the statutory prohibition in section 41712 against unfair and deceptive practices primarily through negotiation, preparing cease and desist orders, and drafting orders assessing civil penalties. The office learns of potential violations largely from complaints it receives from individuals, travel agents, airlines, and U.S. and foreign government agencies. Consumers may use the DOT’s Web site to file privacy complaints against airlines and ticket agents.1 If a reasonable and appropriate settlement in a case is not reached, the Aviation Enforcement Office has the authority to institute an enforcement proceeding involving an evidentiary hearing before a DOT administrative law judge (ALJ). The ALJ has the authority to issue cease-and desist orders and civil penalties. Violations of section 41712 can result in the issuance of cease and desist orders and the imposition of civil penalties of up to $27,500 for each violation of section 41712. The Department does not have the authority to award damages or provide pecuniary relief to individual complainants. However, the Department does have the authority to approve settlements resulting from investigations brought by its Aviation Enforcement Office that directly benefit consumers (e.g., cash, vouchers) as an offset to monetary penalties otherwise payable to the U.S. Government. This has occurred in the past, and may also occur in the context of the Privacy Shield Framework principles when circumstances warrant. Repeated violations of section 41712 by an airline would also raise questions regarding the airline’s compliance disposition which could, in egregious situations, result in an airline being found to be no longer fit to operate and, therefore, losing its economic operating authority. To date, the DOT has received relatively few complaints involving alleged privacy violations by ticket agents or airlines. When they arise, they are investigated according to the principles set forth above. C. DOT Legal Protections Benefiting EU Consumers Under section 41712, the prohibition on unfair or deceptive practices in air transportation or the sale of air transportation applies to U.S. and foreign air carriers as well as ticket agents. The DOT frequently takes action against U.S. and foreign airlines for 1 https://www.transportation.gov/airconsumer/ privacy-complaints. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 practices that affect both foreign and U.S. consumers on the basis that the airline’s practices took place in the course of providing transportation to or from the United States. The DOT does and will continue to use all remedies that are available to protect both foreign and U.S. consumers from unfair or deceptive practices in air transportation by regulated entities. The DOT also enforces, with respect to airlines, other targeted laws whose protections extend to non-U.S. consumers such as COPPA. Among other things, COPPA requires that operators of child-directed Web sites and online services, or general audience sites that knowingly collect personal information from children under 13 provide parental notice and obtain verifiable parental consent. U.S.-based Web sites and services that are subject to COPPA and collect personal information from foreign children are required to comply with COPPA. Foreignbased Web sites and online services must also comply with COPPA if they are directed to children in the United States, or if they knowingly collect personal information from children in the United States. To the extent that U.S. or foreign airlines doing business in the United States violate COPPA, the DOT would have jurisdiction to take enforcement action. II. Privacy Shield Enforcement If an airline or ticket agent chooses to participate in the Privacy Shield Framework and the Department receives a complaint that such an airline or ticket agent had allegedly violated the Framework, the Department would take the following steps to vigorously enforce the Framework. A. Prioritizing Investigation of Alleged Violations The Department’s Aviation Enforcement Office will investigate each complaint alleging Privacy Shield violations (including complaints received from EU Data Protection Authorities) and take enforcement action where there is evidence of a violation. Further, the Aviation Enforcement Office will cooperate with the FTC and Department of Commerce and give priority consideration to allegations that the regulated entities are not complying with privacy commitments made as part of the Privacy Shield Framework. Upon receipt of an allegation of a violation of the Privacy Shield Framework, the Department’s Aviation Enforcement Office may take a range of actions as part of its investigation. For example, it may review the ticket agent or airline’s privacy policies, obtain further information from the ticket agent or airline or from third parties, follow up with the referring entity, and assess whether there is a pattern of violations or significant number of consumers affected. In addition, it would determine whether the issue implicates matters within the purview of the Department of Commerce or FTC, assess whether consumer education and business education would be helpful, and as appropriate, initiate an enforcement proceeding. If the Department becomes aware of potential Privacy Shield violations by ticket agents, it will coordinate with the FTC on the PO 00000 Frm 00024 Fmt 4701 Sfmt 4703 matter. We will also advise the FTC and the Department of Commerce of the outcome of any Privacy Shield enforcement action. B. Addressing False or Deceptive Membership Claims The Department remains committed to investigating Privacy Shield violations, including false or deceptive claims of membership in the Privacy Shield Program. We will give priority consideration to referrals from the Department of Commerce regarding organizations that it identifies as improperly holding themselves out to be current members of Privacy Shield or using the Privacy Shield Framework certification mark without authorization. In addition, we note that if an organization’s privacy policy promises that it complies with the substantive Privacy Shield principles, its failure to make or maintain a registration with the Department of Commerce likely will not, by itself, excuse the organization from DOT enforcement of those commitments. C. Monitoring and Making Public Enforcement Orders Concerning Privacy Shield Violations The Department’s Aviation Enforcement Office also remains committed to monitoring enforcement orders as needed to ensure compliance with the Privacy Shield program. Specifically, if the office issues an order directing an airline or ticket agent to cease and desist from future violations of Privacy Shield and section 41712, it will monitor the entity’s compliance with the cease-and-desist provision in the order. In addition, the office will ensure that orders resulting from Privacy Shield cases are available on its Web site. We look forward to our continued work with our federal partners and EU stakeholders on Privacy Shield matters. I hope that this information proves helpful. If you have any questions or need further information, please feel free to contact me. Sincerely, Anthony R. Foxx Secretary of Transportation Letter From General Counsel Robert Litt, Office of the Director of National Intelligence Mr. Justin S. Antonipillai Counselor U.S. Department of Commerce 1401 Constitution Ave. NW. Washington, DC 20230 Mr. Ted Dean Deputy Assistant Secretary International Trade Administration 1401 Constitution Ave. NW. Washington, DC 20230 Dear Mr. Antonipillai and Mr. Dean: Over the last two and a half years, in the context of negotiations for the EU-U.S. Privacy Shield, the United States has provided substantial information about the operation of U.S. Intelligence Community signals intelligence collection activity. This has included information about the governing legal framework, the multi-layered oversight of those activities, the extensive transparency about those activities, and the overall protections for privacy and civil liberties, in order to assist the European E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices Commission in making a determination about the adequacy of those protections as they relate to the national security exception to the Privacy Shield principles. This document summarizes the information that has been provided. I. PPD–28 and the Conduct of U.S. Signals Intelligence Activity The U.S. Intelligence Community collects foreign intelligence in a carefully controlled manner, in strict accordance with U.S. laws and subject to multiple layers of oversight, focusing on important foreign intelligence and national security priorities. A mosaic of laws and policies governs U.S. signals intelligence collection, including the U.S. Constitution, the Foreign Intelligence Surveillance Act (50 U.S.C. 1801 et seq.) (FISA), Executive Order 12333 and its implementing procedures, Presidential guidance, and numerous procedures and guidelines, approved by the FISA Court and the Attorney General, that establish additional rules limiting the collection, retention, use, and dissemination of foreign intelligence information.2 mstockstill on DSK3G9T082PROD with NOTICES2 a. PPD 28 Overview In January 2014, President Obama gave a speech outlining various reforms to U.S. signals intelligence activities, and issued Presidential Policy Directive 28 (PPD–28) concerning those activities.3 The President emphasized that U.S. signals intelligence activities help secure not only our country and our freedoms, but also the security and freedoms of other countries, including EU Member States, that rely on the information U.S. intelligence agencies obtain to protect their own citizens. PPD–28 sets out a series of principles and requirements that apply to all U.S. signals intelligence activities and for all people, regardless of nationality or location. In particular, it sets certain requirements for procedures to address the collection, retention, and dissemination of personal information about non-U.S. persons acquired pursuant to U.S. signals intelligence. These requirements are set forth in more detail below, but in summary: • The PPD reiterates that the United States collects signals intelligence only as authorized by statute, executive order, or other Presidential directive. • The PPD establishes procedures to ensure that signals intelligence activity is conducted only in furtherance of legitimate and authorized national security purposes. • The PPD also requires that privacy and civil liberties be integral concerns in the planning of signals intelligence collection activities. In particular, the United States does not collect intelligence to suppress or burden criticism or dissent; in order to 2 Further information concerning U.S. foreign intelligence activities is posted online and publicly accessible through IC on the Record (www.icontherecord.tumbir.com), the ODNI’s public website dedicated to fostering greater public visibility into the intelligence activities of the government. 3 Available at https://www.whitehouse.gov/thepress-office/2014/01/17/presidential-policydirective-signals-intelligence-activities. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 disadvantage persons based on their ethnicity, race, gender, sexual orientation, or religion; or to afford a competitive commercial advantage to U.S. companies and U.S. business sectors. • The PPD directs that signals intelligence collection be as tailored as feasible and that signals intelligence collected in bulk can only be used for specific enumerated purposes. • The PPD directs that the Intelligence Community adopt procedures ‘‘reasonably designed to minimize the dissemination and retention of personal information collected from signals intelligence activities,’’ and in particular extending certain protections afforded to the personal information of U.S. persons to non-US person information. • Agency procedures implementing PPD– 28 have been adopted and made public. The applicability of the procedures and protections set out herein to the Privacy Shield is clear. When data has been transferred to corporations in the United States pursuant to the Privacy Shield, or indeed by any means, U.S. intelligence agencies can seek that data from those corporations only if the request complies with FISA or is made pursuant to one of the National Security Letter statutory provisions, which are discussed below.4 In addition, without confirming or denying media reports alleging that the U.S. Intelligence Community collects data from transatlantic cables while it is being transmitted to the United States, were the U.S. Intelligence Community to collect data from transatlantic cables, it would do so subject to the limitations and safeguards set out herein, including the requirements of PPD–28. b. Collection Limitations PPD–28 sets out a number of important general principles that govern the collection of signals intelligence: • The collection of signals intelligence must be authorized by statute or Presidential authorization, and must be undertaken in accordance with the Constitution and law. • Privacy and civil liberties must be integral considerations in planning signals intelligence activities. • Signals intelligence will be collected only when there is a valid foreign intelligence or counterintelligence purpose. • The United States will not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent. • The United States will not collect signals intelligence to disadvantage people based on their ethnicity, race, gender, sexual orientation, or religion. • The United States will not collect signals intelligence to afford a competitive commercial advantage to U.S. companies and business sectors. • U.S. signals intelligence activity must always be as tailored as feasible, taking into account the availability of other sources of information. This means, among other things, 4 Law enforcement or regulatory agencies may request information from corporations for investigative purposes in the United States pursuant to other criminal, civil, and regulatory authorities that are beyond the scope of this paper, which is limited to national security authorities. PO 00000 Frm 00025 Fmt 4701 Sfmt 4703 51065 that whenever practicable, signals intelligence collection activities are conducted in a targeted manner rather than in bulk. The requirement that signals intelligence activity be ‘‘as tailored as feasible’’ applies to the manner in which signals intelligence is collected, as well as to what is actually collected. For example, in determining whether to collect signals intelligence, the Intelligence Community must consider the availability of other information, including diplomatic or public sources, and prioritize collection through those means, where appropriate and feasible. Moreover, Intelligence Community element policies should require that wherever practicable, collection should be focused on specific foreign intelligence targets or topics through the use of discriminants (e.g., specific facilities, selection terms and identifiers). It is important to view the information provided to the Commission as a whole. Decisions about what is ‘‘feasible’’ or ‘‘practicable’’ are not left to the discretion of individuals but are subject to the policies that agencies have issued under PPD–28— which have been made publicly available— and to the other processes described therein.5 As PPD–28 says, bulk collection of signals intelligence is collection that ‘‘due to technical or operational considerations, is acquired without the use of discriminants (e.g., specific identifiers, selection terms, etc.).’’ In this respect, PPD–28 recognizes that Intelligence community elements must collect bulk signals intelligence in certain circumstances in order to identify new or emerging threats and other vital national security information that is often hidden within the large and complex system of modern global communications. It also recognizes the privacy and civil liberties concerns raised when bulk signals intelligence is collected. PPD–28 therefore directs the Intelligence Community to prioritize alternatives that would allow the conduct of targeted signals intelligence rather than bulk signals intelligence collection. Accordingly, Intelligence Community elements should conduct targeted signals intelligence collection activities rather than bulk signal intelligence collection activities whenever practicable.6 These principles ensure that the exception for bulk collection will not swallow the general rule. As for the concept of ‘‘reasonableness,’’ it is a bedrock principle of U.S. law. It signifies that Intelligence Community elements will not be required to adopt any measure theoretically possible, but rather will have to balance their efforts to protect legitimate 5 Available at www.icontherecord.tumblr.com/ ppd-28/2015/privacy-civil-liberties#ppd-28. These procedures implement the targeting and tailoring concepts discussed in this letter in a manner specific to each IC element. 6 To cite but one example, the NSA’s procedures implementing PPD–28 state that ‘‘[w]henever practicable, collection will occur through the use of one or more selection terms in order to focus the collection on specific foreign intelligence targets (e.g., a specific, known international terrorist or terrorist group) or specific foreign intelligence topics (e.g., the proliferation of weapons of mass destruction by a foreign power or its agents).’’ E:\FR\FM\02AUN2.SGM 02AUN2 mstockstill on DSK3G9T082PROD with NOTICES2 51066 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices privacy and civil liberties interests with the practical necessities of signals intelligence activities. Here again, the agencies’ policies have been made available, and can provide assurance that the term ‘‘reasonably designed to minimize the dissemination and retention of personal information’’ does not undermine the general rule. PPD–28 also provides that signals intelligence collected in bulk can only be used for six specific purposes: Detecting and countering certain activities of foreign powers; counterterrorism; counterproliferation; cybersecurity; detecting and countering threats to U.S. or allied armed forces; and combating transnational criminal threats, including sanctions evasion. The President’s National Security Advisor, in consultation with the Director for National Intelligence (DNI), will annually review these permissible uses of signals intelligence collected in bulk to see whether they should be changed. The DNI will make this list publicly available to the maximum extent feasible, consistent with national security. This provides an important and transparent limitation on the use of bulk signals intelligence collection. Additionally, the Intelligence Community elements implementing PPD–28 have reinforced existing analytic practices and standards for querying unevaluated signals intelligence.7 Analysts must structure their queries or other search terms and techniques to ensure that they are appropriate to identify intelligence information relevant to a valid foreign intelligence or law enforcement task. To that end, IC elements must focus queries about persons on the categories of signals intelligence information responsive to a foreign intelligence or law enforcement requirement, so as to prevent the use of personal information not pertinent to foreign intelligence or law enforcement requirements. It is important to emphasize that any bulk collection activities regarding Internet communications that the U.S. Intelligence Community performs through signals intelligence operate on a small proportion of the Internet. Additionally, the use of targeted queries, as described above, ensures that only those items believed to be of potential intelligence value are ever presented for analysts to examine. These limits are intended to protect the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside. The United States has elaborate processes to ensure that signals intelligence activities are conducted only in furtherance of appropriate national security purposes. Each year the President sets the nation’s highest priorities for foreign intelligence collection after an extensive, formal interagency process. The DNI is responsible for translating these intelligence priorities into the National Intelligence Priorities Framework, or NIPF. PPD–28 strengthened and enhanced the interagency process to ensure that all of the IC’s intelligence priorities are reviewed and approved by high-level policymakers. Intelligence Community Directive (ICD) 204 provides further guidance on the NIPF and was updated in January 2015 to incorporate the requirements of PPD–28.8 Although the NIPF is classified, information related to specific U.S. foreign intelligence priorities is reflected annually in the DNI’s unclassified Worldwide Threat Assessment, which is also readily available on the ODNI Web site. The priorities in the NIPF are at a fairly high level of generality. They include topics such as the pursuit of nuclear and ballistic missile capabilities by particular foreign adversaries, the effects of drug cartel corruption, and human rights abuses in specific countries. And they apply not just to signals intelligence, but to all intelligence activities. The organization that is responsible for translating the priorities in the NIPF into actual signals intelligence collection is called the National Signals Intelligence Committee, or SIGCOM. It operates under the auspices of the Director of the National Security Agency (NSA), who is designated by Executive Order 12333 as the ‘‘functional manager for signals intelligence,’’ responsible for overseeing and coordinating signals intelligence across the Intelligence Community under the oversight of both the Secretary of Defense and the DNI. The SIGCOM has representatives from all elements of the IC and, as the United States fully implements PPD–28, also will have full representation from other departments and agencies with a policy interest in signals intelligence. All U.S. departments and agencies that are consumers of foreign intelligence submit their requests for collection to the SIGCOM. The SIGCOM reviews those requests, ensures that they are consistent with the NIPF, and assigns them priorities using criteria such as: • Can signals intelligence provide useful information in this case, or are there better or more cost-effective sources of information to address the requirement, such as imagery or open source information? • How critical is this information need? If it is a high priority in the NIPF, it will most often be a high signal intelligence priority. • What type of signals intelligence could be used? • Is the collection as tailored as feasible? Should there be time, geographic, or other limitations? The U.S. signals intelligence requirements process also requires explicit consideration of other factors, namely: • Is the target of the collection, or the methodology used to collect, particularly sensitive? If so, it will require review by senior policymakers. • Will the collection present an unwarranted risk to privacy and civil liberties, regardless of nationality? • Are additional dissemination and retention safeguards necessary to protect privacy or national security interests? Finally, at the end of the process, trained NSA personnel take the priorities validated 7 Available at https://www.dni.gov/files/ documents/1017/PPD-28_Status_Report_Oct_ 2014.pdf. 8 Available at https://www.dni.gov/files/ documents/ICD/ICD%20204%20National% 20Intelligence%20Priorities%20Framework.pdf. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 PO 00000 Frm 00026 Fmt 4701 Sfmt 4703 by the SIGCOM and research and identify specific selection terms, such as telephone numbers or email addresses, which are expected to collect foreign intelligence responsive to these priorities. Any selector must be reviewed and approved before it is entered into NSA’s collection systems. Even then, however, whether and when actual collection takes place will depend in part on additional considerations such as the availability of appropriate collection resources. This process ensures that U.S. signals intelligence collection targets reflect valid and important foreign intelligence needs. And, of course, when collection is conducted pursuant to FISA, NSA and other agencies must follow additional restrictions approved by the Foreign Intelligence Surveillance Court. In short, neither NSA nor any other U.S. intelligence agency decides on its own what to collect. Overall, this process ensures that all U.S. intelligence priorities are set by senior policymakers who are in the best position to identify U.S. foreign intelligence requirements, and that those policymakers take into account not only the potential value of the intelligence collection but also the risks associated with that collection, including the risks to privacy, national economic interests, and foreign relations. With respect to data transmitted to the United States pursuant to the Privacy Shield, although the United States cannot confirm or deny specific intelligence methods or operations, the requirements of PPD–28 apply to any signals intelligence operations the United States conducts, regardless of the type or source of data that is being collected. Further, the limitations and safeguards applicable to the collection of signals intelligence apply to signals intelligence collected for any authorized purpose, including both foreign relations and national security purposes. The procedures discussed above demonstrate a clear commitment to prevent arbitrary and indiscriminate collection of signals intelligence information, and to implement—from the highest levels of our Government—the principle of reasonableness. PPD–28 and agency implementing procedures clarify new and existing limitations to and describe with greater specificity the purpose for which the United States collects and uses signals intelligence. These should provide assurance that signals intelligence activities are and will continue to be conducted only to further legitimate foreign intelligence goals. c. Retention and Dissemination Limitations Section 4 of PPD–28 requires that each element of the Intelligence Community have express limits on the retention and dissemination of personal information about non-U.S. persons collected by signals intelligence, comparable to the limits for U.S. persons. These rules are incorporated into procedures for each IC agency that were released in February 2015 and are publicly available. To qualify for retention or dissemination as foreign intelligence, personal information must relate to an authorized intelligence requirement, as determined in the NIPF process described E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 above; be reasonably believed to be evidence of a crime; or meet one of the other standards for retention of U.S. person information identified in Executive Order 12333, section 2.3. Information for which no such determination has been made may not be retained for more than five years, unless the DNI expressly determines that continued retention is in the national security interests of the United States. Thus, IC elements must delete non-U.S. person information collected through signals intelligence five years after collection, unless, for example, the information has been determined to be relevant to an authorized foreign intelligence requirement, or if the DNI determines, after considering the views of the ODNI Civil Liberties Protection Officer and agency privacy and civil liberties officials, that continued retention is in the interest of national security. In addition, all agency policies implementing PPD–28 now explicitly require that information about a person may not be disseminated solely because an individual is a non-U.S. person, and ODNI has issued a directive to all IC elements 9 to reflect this requirement. Intelligence Community personnel are specifically required to consider the privacy interests of non-U.S. persons when drafting and disseminating intelligence reports. In particular, signals intelligence about the routine activities of a foreign person would not be considered foreign intelligence that could be disseminated or retained permanently by virtue of that fact alone unless it is otherwise responsive to an authorized foreign intelligence requirement. This recognizes an important limitation and is responsive to European Commission concerns about the breadth of the definition of foreign intelligence as set forth in Executive Order 12333. d. Compliance and Oversight The U.S. system of foreign intelligence oversight provides rigorous and multilayered oversight to ensure compliance with applicable laws and procedures, including those pertaining to the collection, retention, and dissemination of non-U.S. person information acquired by signals intelligence as set forth in PPD–28. These include: • The Intelligence Community employs hundreds of oversight personnel. NSA alone has over 300 people dedicated to compliance, and other elements also have oversight offices. In addition, the Department of Justice provides extensive oversight of intelligence activities, and oversight is also provided by the Department of Defense. • Each element of the Intelligence Community has its own Office of the Inspector General with responsibility for oversight of foreign intelligence activities, among other matters. Inspectors General are statutorily independent; have broad power to conduct investigations, audits and reviews of programs, including of fraud and abuse or violation of law; and can recommend 9 Intelligence Community Directive (ICD) 203, available at https://www.dni.gov/files/documents/ ICD/ICD%20203%20Analytic%20Standards.pdf. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 corrective actions. While Inspector General recommendations are non-binding, the Inspector General’s reports are often made public, and in any event are provided to Congress; this includes follow-up reports in case corrective action recommended in previous reports has not yet been completed. Congress is therefore informed of any noncompliance and can exert pressure, including through budgetary means, to achieve corrective action. A number of Inspector General reports about intelligence programs have been publicly released.10 • ODNI’s Civil Liberties and Privacy Office (CLPO) is charged with ensuring that the IC operates in a manner that advances national security while protecting civil liberties and privacy rights.11 Other IC elements have their own privacy officers. • The Privacy and Civil Liberties Oversight Board (PCLOB), an independent body established by statute, is charged with analyzing and reviewing counterterrorism programs and policies, including the use of signals intelligence, to ensure that they adequately protect privacy and civil liberties. It has issued several public reports on intelligence activities. • As discussed more fully below, the Foreign Intelligence Surveillance Court, a court composed of independent federal judges, is responsible for oversight and compliance of any signals intelligence collection activities conducted pursuant to FISA. • Finally, the U.S. Congress, specifically the House and Senate Intelligence and Judiciary Committees, have significant oversight responsibilities regarding all U.S. foreign intelligence activities, including U.S. signals intelligence. Apart from these formal oversight mechanisms, the Intelligence Community has in place numerous mechanisms to ensure that the Intelligence Community is complying with the limitations on collection described above. For example: • Cabinet officials are required to validate their signals intelligence requirements each year. • NSA checks signals intelligence targets throughout the collection process to determine if they are actually providing valuable foreign intelligence responsive to the priorities, and will stop collection against targets that are not. Additional procedures ensure that selection terms are reviewed periodically. • Based on a recommendation from an independent Review Group appointed by President Obama, the DNI has established a new mechanism to monitor the collection and dissemination of signals intelligence that is particularly sensitive because of the nature of the target or the means of collection, to ensure that it is consistent with the determinations of policymakers. • Finally, ODNI annually reviews the IC’s allocation of resources against the NIPF 10 See e.g., U.S. Department of Justice Inspector General Report ‘‘A Review of the Federal Bureau of Investigation’s Activities Under Section 702 of the Foreign Intelligence Surveillance Act of 2008’’ (September 2012), available at https:// oig.justice.gov/reports/2016/o1601a.pdf. 11 See www.dni.gov/clpo. PO 00000 Frm 00027 Fmt 4701 Sfmt 4703 51067 priorities and the intelligence mission as a whole. This review includes assessments of the value of all types of intelligence collection, including signals intelligence, and looks both backward—how successful has the IC been in achieving its goals?—and forward—what will the IC need in the future? This ensures that signals intelligence resources are applied to the most important national priorities. As evidenced by this comprehensive overview, the Intelligence Community does not decide on its own which conversations to listen to, try to collect everything, or operate free from scrutiny. Its activities are focused on priorities set by policymakers, through a process that involves input from across the government, and that is overseen both within NSA and by the ODNI, Department of Justice, and Department of Defense. PPD–28 also contains numerous other provisions to ensure that personal information collected pursuant to signals intelligence is protected, regardless of nationality. For instance, PPD–28 provides for data security, access, and quality procedures to protect personal information collected through signals intelligence, and provides for mandatory training to ensure that the workforce understands the responsibility to protect personal information, regardless of nationality. The PPD also provides for additional oversight and compliance mechanisms. These include periodic audit and reviews by appropriate oversight and compliance officials of the practices for protecting personal information contained in signals intelligence. The reviews also must examine the agencies’ compliance with the procedures for protecting such information. Additionally, PPD–28 provides that significant compliance issues related to nonU.S. persons will be addressed at senior levels of government. Should a significant compliance issue occur involving the personal information of any person collected as a result of signals intelligence activities, the issue must, in addition to any existing reporting requirements, be reported promptly to the DNI. If the issue involves the personal information of a non-U.S. person, the DNI, in consultation with the Secretary of State and the head of the relevant IC element, will determine whether steps should be taken to notify the relevant foreign government, consistent with the protection of sources and methods and of U.S. personnel. Moreover, as directed by PPD–28, the Secretary of State has identified a senior official, Under Secretary Catherine Novelli, to serve as a point of contact for foreign governments that wish to raise concerns regarding signals intelligence activities of the United States. This commitment to high-level engagement exemplifies the efforts the U.S. government has made over the past few years to instill confidence in the numerous and overlapping privacy protections in place for U.S. person and non-U.S. person information. e. Summary The United States’ processes for collecting, retaining, and disseminating foreign intelligence provide important privacy E:\FR\FM\02AUN2.SGM 02AUN2 51068 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices protections for the personal information of all persons, regardless of nationality. In particular, these processes ensure that our Intelligence Community focuses on its national security mission as authorized by applicable laws, executive orders, and presidential directives; safeguards information from unauthorized access, use and disclosure; and conducts its activities under multiple layers of review and oversight, including by congressional oversight committees. PPD–28 and the procedures implementing it represent our efforts to extend certain minimization and other substantial data protection principles to the personal information of all persons regardless of nationality. Personal information obtained through U.S. signals intelligence collection is subject to the principles and requirements of U.S. law and Presidential direction, including the protections set forth in PPD–28. These principles and requirements ensure that all persons are treated with dignity and respect, regardless of their nationality or wherever they might reside, and recognize that all persons have legitimate privacy interests in the handling of their personal information. II. Foreign Intelligence Surveillance Act— Section 702 Collection under Section 702 of the Foreign Intelligence Surveillance Act 12 is not ‘‘mass and indiscriminate’’ but is narrowly focused on the collection of foreign intelligence from individually identified legitimate targets; is clearly authorized by explicit statutory authority; and is subject to both independent judicial supervision and substantial review and oversight within the Executive Branch and Congress. Collection under Section 702 is considered signals intelligence subject to the requirements of PPD–28.13 Collection under Section 702 is one of the most valuable sources of intelligence protecting both the United States and our European partners. Extensive information about the operation and oversight of Section 702 is publicly available. Numerous court filings, judicial decisions and oversight reports relating to the program have been 12 50 U.S.C. 1881a. United States also may obtain court orders pursuant to other provisions of FISA for the production of data, including data transferred pursuant to the Privacy Shield. See 50 U.S.C. 1801 et seq. Titles I and III of FISA, which respectively authorize electronic surveillance and physical searches, require a court order (except in emergency circumstances) and always require probable cause to believe that the target is a foreign power or an agent of a foreign power. Title IV of FISA authorizes the use of pen registers and trap and trace devices, pursuant to court order (except in emergency circumstances) in authorized foreign intelligence, counterintelligence, or counterterrorism investigations. Title V of FISA permits the FBI, pursuant to court order (except in emergency circumstances), to obtain business records that are relevant to an authorized foreign intelligence, counterintelligence, or counterterrorism investigations. As discussed below, the USA FREEDOM Act specifically prohibits the use of FISA pen register or business record orders for bulk collection, and imposes a requirement of a ‘‘specific selection term’’ to ensure that those authorities are used in a targeted fashion. mstockstill on DSK3G9T082PROD with NOTICES2 13 The VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 declassified and released on the ODNI’s public disclosure Web site, www.icontherecord.tumblr.com. Moreover, Section 702 was comprehensively analyzed by the PCLOB, in a report which is available at https://www.pclob.gov/library/702Report.pdf.14 Section 702 was passed as part of the FISA Amendments Act of 2008,15 after extensive public debate in Congress. It authorizes the acquisition of foreign intelligence information through targeting of non-U.S. persons located outside the United States, with the compelled assistance of U.S. electronic communications service providers. Section 702 authorizes the Attorney General and the DNI—two Cabinet-level officials appointed by the President and confirmed by the Senate—to submit annual certifications to the FISA Court.16 These certifications identify specific categories of foreign intelligence to be collected, such as intelligence related to counterterrorism or weapons of mass destruction, which must fall within the categories of foreign intelligence defined by the FISA statute.17 As the PCLOB noted, ‘‘[t]hese limitations do not permit unrestricted collection of information about foreigners.’’ 18 The certifications also are required to include ‘‘targeting’’ and ‘‘minimization’’ procedures that must be reviewed and approved by the FISA Court.19 The targeting procedures are designed to ensure that the collection takes place only as authorized by statute and is within the scope of the certifications; the minimization procedures are designed to limit the acquisition, dissemination, and retention of information about U.S. persons, but also contain provisions that provide substantial protection to information about non-U.S. persons as well, described below. Moreover, as described above, in PPD–28 the President directed that the Intelligence Community provide additional protections for personal information about non-U.S. persons, and those protections apply to information collected under Section 702. Once the court approves the targeting and minimization procedures, collection under Section 702 is not bulk or indiscriminate, but ‘‘consists entirely of targeting specific persons about whom an individualized determination has been made,’’ as the PCLOB said.20 Collection is targeted through the use of individual selectors, such as email addresses or telephone numbers, which U.S. intelligence personnel have determined are likely being used to communicate foreign intelligence information of the type covered by the certification submitted to the court.21 The basis for selection of the target must be documented, and the documentation for 14 Privacy and Civil Liberties Board, ‘‘Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act’’ (July 2, 2014) (‘‘PCLOB Report’’). 15 See Pub. L. 110–261, 122 Stat. 2436 (2008). 16 See 50 U.S.C. 1881a(a) and (b). 17 See id. 1801(e). 18 See PCLOB Report at 99. 19 See 50 U.S.C. 1881a(d) and (e). 20 See PCLOB Report at 111. 21 Id. PO 00000 Frm 00028 Fmt 4701 Sfmt 4703 every selector is subsequently reviewed by the Department of Justice.22 The U.S. Government has released information showing that in 2014 there were approximately 90,000 individuals targeted under Section 702, a miniscule fraction of the over 3 billion internet users throughout the world.23 Information collected under Section 702 is subject to the court-approved minimization procedures, which provide protections to non-U.S. persons as well as U.S. persons, and which have been publicly released.24 For example, communications acquired under Section 702, whether of U.S. persons or nonU.S. persons, are stored in databases with strict access controls. They may be reviewed only by intelligence personnel who have been trained in the privacy-protective minimization procedures and who have been specifically approved for that access in order to carry out their authorized functions.25 Use of the data is limited to identification of foreign intelligence information or evidence of a crime.26 Pursuant to PPD–28, this information may be disseminated only if there is a valid foreign intelligence or law enforcement purpose; the mere fact that one party to the communication is not a U.S. person is not sufficient.27 And the minimization procedures and PPD–28 also set limits on how long data acquired pursuant to Section 702 may be retained.28 Oversight of Section 702 is extensive, and is conducted by all three branches of our government. Agencies implementing the statute have multiple levels of internal review, including by independent Inspectors General, and technological controls over access to the data. The Department of Justice and the ODNI closely review and scrutinize the use of Section 702 to verify compliance with legal rules; agencies are also under an independent obligation to report potential incidents of noncompliance. Those incidents are investigated, and all compliance incidents are reported to the Foreign Intelligence Surveillance Court, the President’s Intelligence Oversight Board, and 22 Id. at 8; 50 U.S.C. 1881a(l); see also NSA Director of Civil Liberties and Privacy Report, ‘‘NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702’’ (hereinafter ‘‘NSA Report’’) at 4, available at https:// icontherecord.tumblr.com/ppd-28/2015/privacycivil-liberties. 23 Director of National Intelligence 2014 Transparency Report, available at https:// icontherecord.tumblr.com/transparency/odni_ transparencyreport_cy2014. 24 Minimization procedures available at: https:// www.dni.gov/files/documents/ppd-28/ 2014%20NSA%20702%20 Minimization%20Procedures.pdf (‘‘NSA Minimization Procedures’’); https://www.dni.gov/ files/documents/ppd-28/2014%20FBI%20702%20 Minimization%20Procedures.pdf; and https:// www.dni.gov/files/documents/ppd-28/ 2014%20CIA%20702%20 Minimization%20Procedures.pdf. 25 See NSA Report at 4. 26 See, e.g., NSA Minimization Procedures at 6. 27 Intelligence Agency PPD–28 procedures available at https://icontherecord.tumblr.com/ppd28/2015/privacy-civil-liberties. 28 See NSA Minimization Procedures; PPD–28 Section 4. E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices Congress, and remedied as appropriate. 29 To date, there have been no incidents of willful attempts to violate the law or circumvent legal requirements. 30 The FISA Court plays an important role in implementing Section 702. It is composed of independent federal judges who serve for a term of seven years on the FISA Court but who, like all federal judges, have life tenure as judges. As noted above, the Court must review the annual certifications and targeting and minimization procedures for compliance with the law. In addition, as also noted above, the Government is required to notify the Court immediately of compliance issues,31 and several Court opinions have been declassified and released showing the exceptional degree of judicial scrutiny and independence it exercises in reviewing those incidents. The Court’s exacting processes have been described by its former Presiding Judge in a letter to Congress that has been publicly released.32 And as a result of the USA FREEDOM Act, described below, the Court is now explicitly authorized to appoint an outside lawyer as an independent advocate on behalf of privacy in cases that present novel or significant legal issues.33 This degree of involvement by a country’s independent judiciary in foreign intelligence activities directed at persons who are neither citizens of that country nor located within it is unusual if not unprecedented, and helps ensure that Section 702 collection occurs within appropriate legal limits. Congress exercises oversight through statutorily required reports to the Intelligence and Judiciary Committees, and frequent briefings and hearings. These include a semiannual report by the Attorney General documenting the use of Section 702 and any compliance incidents; 34 a separate semiannual assessment by the Attorney General and the DNI documenting compliance with the targeting and minimization procedures, including compliance with the procedures designed to ensure that collection is for a valid foreign intelligence purpose; 35 and an annual report by heads of intelligence elements which includes a certification that collection under mstockstill on DSK3G9T082PROD with NOTICES2 29 See 50 U.S.C. 1881(l); see also PCLOB Report at 66–76. 30 See Semiannual Assessment of Compliance with Procedures and Guidelines Issues Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, Submitted by the Attorney General and the Director of National Intelligence at 2–3, available at https://www.dni.gov/files/documents/ Semiannual%20Assessment%20of%20 Compliance%20with%20procedures%20 and%20guidelines%20issued%20pursuant %20to%20Sect%20702%20of%20FISA.pdf. 31 Rule 13 of the Foreign Intelligence Surveillance Court Rules of Procedures, available at https:// www.fisc.uscourts.gov/sites/default/files/ FISC%20Rules%20of%20Procedure.pdf. 32 July 29, 2013 Letter from The Honorable Reggie B. Walton to The Honorable Patrick J. Leahy, available at https://fas.org/irp/news/2013/07/fiscleahy.pdf. 33 See Section 401 of the USA FREEDOM Act, Public Law 114–23. 34 See 50 U.S.C. 1881f. 35 See id. 1881a(l)(1). VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 Section 702 continues to produce foreign intelligence information.36 In short, collection under Section 702 is authorized by law; subject to multiple levels of review, judicial supervision and oversight; and, as the FISA Court stated in a recently declassified opinion, is ‘‘not conducted in a bulk or indiscriminate manner,’’ but ‘‘through . . . discrete targeting decisions for individual [communication] facilities.’’ 37 III. USA Freedom Act The USA FREEDOM Act, signed into law in June 2015, significantly modified U.S. surveillance and other national security authorities, and increased public transparency on the use of these authorities and on decisions of the FISA Court, as set out below.38 The Act ensures that our intelligence and law enforcement professionals have the authorities they need to protect the Nation, while further ensuring that individuals’ privacy is appropriately protected when these authorities are employed. It enhances privacy and civil liberties and increases transparency. The Act prohibits bulk collection of any records, including of both U.S. and non-U.S. persons, pursuant to various provisions of FISA or through the use of National Security Letters, a form of statutorily authorized administrative subpoenas.39 This prohibition specifically includes telephone metadata relating to calls between persons inside the U.S. and persons outside the U.S., and would also include collection of Privacy Shield information pursuant to these authorities. The Act requires that the government base any application for records under those authorities on a ‘‘specific selection term’’—a term that specifically identifies a person, account, address, or personal device in a way that limits the scope of information sought to the greatest extent reasonably practicable.40 This further ensures that collection of information for intelligence purposes is precisely focused and targeted. The Act also made significant modifications to proceedings before the FISA Court, which both increase transparency and provide additional assurances that privacy will be protected. As noted above, it 36 See id. 1881a(l)(3). Some of these reports are classified. 37 Mem. Opinion and Order at 26 (FISC 2014), available at https://www.dni.gov/files/documents/ 0928/FISC%20Memorandum%20Opinion%20and %20Order%2026%20August%202014.pdf. 38 See USA FREEDOM Act of 2015, Pub. L. 114– 23, 401, 129 Stat. 268. 39 See id. 103, 201, 501. National Security Letters are authorized by a variety of statutes and allow the FBI to obtain information contained in credit reports, financial records, and electronic subscriber and transaction records from certain kinds of companies, only to protect against international terrorism or clandestine intelligence activities. See 12 U.S.C. 3414; 15 U.S.C. 1681u-1681v; 18 U.S.C. 2709. National Security Letters are typically used by the FBI to gather critical non-content information at the early phases of counterterrorism and counterintelligence investigations—such as the identity of the subscriber to an account who may have been communicating with agents of a terrorist group such as ISIL. Recipients of a National Security Letter have the right to challenge them in court. See 18 U.S.C. 3511. 40 See id. PO 00000 Frm 00029 Fmt 4701 Sfmt 4703 51069 authorized creation of a standing panel of security-cleared lawyers with expertise in privacy and civil liberties, intelligence collection, communications technology, or other relevant areas, who may be appointed to appear before the court as amicus curiae in cases that involve significant or novel interpretations of law. These lawyers are authorized to make legal arguments that advance the protection of individual privacy and civil liberties, and will have access to any information, including classified information, that the court determines is necessary to their duties.41 The Act also builds on the U.S. Government’s unprecedented transparency about intelligence activities by requiring the DNI, in consultation with the Attorney General, to either declassify, or publish an unclassified summary of, each decision, order, or opinion issued by the FISA Court or the Foreign Intelligence Surveillance Court of Review that includes a significant construction or interpretation of any provision of law. Moreover, the Act provides for extensive disclosures about FISA collection and National Security Letter requests. The United States must disclose to Congress and to the public each year the number of FISA orders and certifications sought and received; estimates of the number of U.S. persons and non-U.S. persons targeted and affected by surveillance; and the number of appointments of amici curiae, among other items of information.42 The Act also requires additional public reporting by the government about the numbers of National Security Letter requests about both U.S. and non-U.S. persons.43 With regard to corporate transparency, the Act gives companies a range of options to report publicly the aggregate number of FISA orders and directives or National Security Letters they receive from the Government, as well as the number of customer accounts targeted by these orders.44 Several companies have already made such disclosures, which have revealed the limited number of customers whose records have been sought. These corporate transparency reports demonstrate that U.S. intelligence requests affect only a miniscule fraction of data. For example, one major company’s recent transparency report shows that it received national security requests (pursuant to FISA or National Security Letters) affecting fewer than 20,000 of its accounts, at a time when it had at least 400 million subscribers. In other words, all U.S. national security requests reported by this company affected fewer than .005% of its subscribers. Even if every one of those requests had concerned Safe Harbor data, which of course is not the case, it is obvious that the requests are targeted and appropriate in scale, and are neither bulk nor indiscriminate. Finally, while the statutes which authorize National Security Letters already restricted the circumstances under which a recipient of such a letter could be barred from disclosing 41 See id. section 401. id. section 602. 43 See id. 44 See id. section 603. 42 See E:\FR\FM\02AUN2.SGM 02AUN2 51070 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices it, the Act further provided that such nondisclosure requirements must be reviewed periodically; required that recipients of National Security Letters be notified when the facts no longer support a non-disclosure requirement; and codified procedures for recipients to challenge nondisclosure requirements.45 In sum, the USA FREEDOM Act’s important amendments to U.S. intelligence authorities is clear evidence of the extensive effort taken by the United States to place the protection of personal information, privacy, civil liberties, and transparency at the forefront of all U.S. intelligence practices. IV. Transparency In addition to the transparency mandated by the USA FREEDOM Act, the U.S. Intelligence Community provides the public much additional information, setting a strong example with respect to transparency into its intelligence activities. The Intelligence Community has published many of its policies, procedures, Foreign Intelligence Surveillance Court decisions, and other declassified materials, providing an extraordinary degree of transparency. In addition, the Intelligence Community has substantially increased its disclosure of statistics on the government’s use of national security collection authorities. On April 22, 2015, the Intelligence Community issued its second annual report presenting statistics on how often the government uses these important authorities. ODNI also has published, on the ODNI Web site and on IC On the Record, a set of concrete transparency principles46 and an implementation plan that translates the principles into concrete, measurable initiatives.47 In October 2015, the Director of National Intelligence directed that each intelligence agency designate an Intelligence Transparency Officer within its leadership to foster transparency and lead transparency initiatives.48 The Transparency Officer will work closely with each intelligence agency’s Privacy and Civil Liberties Officer to ensure that transparency, privacy, and civil liberties continue to remain top priorities. As an example of these efforts, NSA’s Chief Privacy and Civil Liberties Officer has released several unclassified reports over the past few years, including reports on activities under section 702, Executive Order 12333, and the USA FREEDOM Act.49 In addition, the IC works closely with the PCLOB, Congress, and the U.S. privacy advocacy community to provide further transparency relating to U.S. intelligence activities, 45 See id. sections 502(f)–503. at http:\\www.dni.gov/index.php/ intelligence-community/intelligence-transparencyprinciples. 47 Available at http:\\www.dni.gov/files/ documents/Newsroom/Reports%20and%20Pubs/ Principles%20of%20Intelligence%20Transparency %20Implementation%20Plan.pdf. 48 See id. 49 Available at https://www.nsa.gov/civil_ liberties/_files/nsa_report_on_section_702_ program.pdf; https://www.nsa.gov/civil_liberties/_ files/UFA_Civil_Liberties_and_Privacy_Report.pdf; https://www.nsa.gov/civil_liberties/_files/UFA_ Civil_Liberties_and_Privacy_Report.pdf. mstockstill on DSK3G9T082PROD with NOTICES2 46 Available VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 wherever feasible and consistent with the protection of sensitive intelligence sources and methods. Taken as a whole, U.S. intelligence activities are as transparent as or more transparent than those of any other nation in the world and are as transparent as it is possible to be consistent with the need to protect sensitive sources and methods. To summarize the extensive transparency that exists about U.S. intelligence activities: • The IC has released and posted online thousands of pages of court opinions and agency procedures outlining the specific procedures and requirements of our intelligence activities. We have also released reports on intelligence agencies’ compliance with applicable restrictions. • Senior intelligence officials regularly speak publicly about the roles and activities of their organizations, including descriptions of the compliance regimes and safeguards that govern their work. • The IC released numerous additional documents about intelligence activities pursuant to our Freedom of Information Act. • The President issued PPD–28, publicly setting out additional restrictions on our intelligence activities, and ODNI has issued two public reports on the implementation of those restrictions. • The IC is now required by law to release significant legal opinions issued by the FISA Court, or summaries of those opinions. • The government is required to report annually on the extent of its use of certain national security authorities, and companies are authorized to do so as well. • The PCLOB has issued several detailed public reports on intelligence activities, and will continue to do so. • The IC provides extensive classified information to Congressional oversight committees. • The DNI issued transparency principles to govern the activities of the Intelligence Community. This extensive transparency will continue going forward. Any information that is released publicly will, of course, be available to both the Department of Commerce and the European Commission. The annual review between Commerce and the European Commission on the implementation of the Privacy Shield will provide an opportunity for the European Commission to discuss any questions raised by any new information released, as well as any other matters concerning the Privacy Shield and its operation, and we understand that the Department may, in its discretion, invite representatives of other agencies, including the IC, to participate in that review. This is, of course, in addition to the mechanism provided in PPD–28 for EU Member States to raise surveillance-related concerns with a designated State Department official. V. Redress U.S. law provides a number of avenues of redress for individuals who have been the subject of unlawful electronic surveillance for national security purposes. Under FISA, the right to seek relief in U.S. court is not limited to U.S. persons. An individual who can establish standing to bring suit would have remedies to challenge unlawful PO 00000 Frm 00030 Fmt 4701 Sfmt 4703 electronic surveillance under FISA. For example, FISA allows persons subjected to unlawful electronic surveillance to sue U.S. government officials in their personal capacities for money damages, including punitive damages and attorney’s fees. See 50 U.S.C. 1810. Individuals who can establish their standing to sue also have a civil cause of action for money damages, including litigation costs, against the United States when information about them obtained in electronic surveillance under FISA has been unlawfully and willfully used or disclosed. See 18 U.S.C. 2712. In the event the government intends to use or disclose any information obtained or derived from electronic surveillance of any aggrieved person under FISA against that person in judicial or administrative proceedings in the United States, it must provide advance notice of its intent to the tribunal and the person, who may then challenge the legality of the surveillance and seek to suppress the information. See 50 U.S.C. 1806. Finally, FISA also provides criminal penalties for individuals who intentionally engage in unlawful electronic surveillance under color of law or who intentionally use or disclose information obtained by unlawful surveillance. See 50 U.S.C. 1809. EU citizens have other avenues to seek legal recourse against U.S. government officials for unlawful government use of or access to data, including government officials who violate the law in the course of unlawful access to or use of information for purported national security purposes. The Computer Fraud and Abuse Act prohibits intentional unauthorized access (or exceeding authorized access) to obtain information from a financial institution, a U.S. government computer system, or a computer accessed via the Internet, as well as threats to damage protected computers for purposes of extortion or fraud. See 18 U.S.C. 1030. Any person, of whatever nationality, who suffers damage or loss by reason of a violation of this law may sue the violator (including a government official) for compensatory damages and injunctive or other equitable relief under section 1030(g), regardless of whether a criminal prosecution has been pursued, provided the conduct involves at least one of several circumstances set forth in the statute. The Electronic Communications Privacy Act (ECPA) regulates government access to stored electronic communications and transactional records and subscriber information held by third-party communications providers. See 18 U.S.C. 2701–2712. ECPA authorizes an aggrieved individual to sue government officials for intentional unlawful access to stored data. ECPA applies to all persons regardless of citizenship and aggrieved persons may receive damages and attorney’s fees. The Right to Financial Privacy Act (RFPA) limits the U.S. government’s access to the bank and broker-dealer records of individual customers. See 12 U.S.C. 3401–3422. Under the RFPA, a bank or broker-dealer customer can sue the U.S. government for statutory, actual, and punitive damages for wrongfully obtaining access to the customer’s records, and a finding that such wrongful access was willful automatically triggers an investigation E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 of possible disciplinary action against the relevant government employees. See 12 U.S.C. 3417. Finally, the Freedom of Information Act (FOIA) provides a means for any person to seek access to existing federal agency records on any topic subject to certain categories of exemptions. See 5 U.S.C. 552(b). These include limits on access to classified national security information, personal information of other individuals, and information concerning law enforcement investigations, and are comparable to the limitations imposed by nations with their own information access laws. These limitations apply equally to Americans and nonAmericans. Disputes over the release of records requested pursuant to FOIA can be appealed administratively and then in federal court. The court is required to make a de novo determination of whether records are properly withheld, 5 U.S.C. 552(a)(4)(B), and can compel the government to provide access to records. In some cases courts have overturned government assertions that information should be withheld as classified.50 Although no monetary damages are available, courts can award attorney’s fees. VI. Conclusion The United States recognizes that our signals intelligence and other intelligence activities must take into account that all persons should be treated with dignity and respect, regardless of their nationality or place of residence, and that all persons have legitimate privacy interests in the handling of their personal information. The United States only uses signals intelligence to advance its national security and foreign policy interests and to protect its citizens and the citizens of its allies and partners from harm. In short, the IC does not engage in indiscriminate surveillance of anyone, including ordinary European citizens. Signals intelligence collection only takes place when duly authorized and in a manner that strictly complies with these limitations; only after consideration of the availability of alternative sources, including from diplomatic and public sources; and in a manner that prioritizes appropriate and feasible alternatives. And wherever practicable, signals intelligence only takes place through collection focused on specific foreign intelligence targets or topics through the use of discriminants. U.S. policy in this regard was affirmed in PPD–28. Within this framework, U.S. intelligence agencies do not have the legal authority, the resources, the technical capability or the desire to intercept all of the world’s communications. Those agencies are not reading the emails of everyone in the United States, or of everyone in the world. Consistent with PPD–28, the United States provides robust protections to the personal information of non-U.S. persons that is collected through signals intelligence activities. To the maximum extent feasible consistent with the national security, this 50 See, e.g., New York Times v. Department of Justice, 756 F.3d 100 (2d Cir. 2014); American Civil Liberties Union v. CIA, 710 F.3d 422 (D.C. Cir. 2014). VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 includes policies and procedures to minimize the retention and dissemination of personal information concerning non-U.S. persons comparable to the protections enjoyed by U.S. persons. Moreover, as discussed above, the comprehensive oversight regime of the targeted Section 702 FISA authority is unparalleled. Finally, the significant amendments to U.S. intelligence law set forth in the USA FREEDOM Act and the ODNI-led initiatives to promote transparency within the Intelligence Community greatly enhance the privacy and civil liberties of all individuals, regardless of their nationality. Sincerely, Robert S. Litt Mr. Justin S. Antonipillai Counselor U.S. Department of Commerce 1401 Constitution Avenue, NW. Washington, DC 20230 Mr. Ted Dean Deputy Assistant Secretary International Trade Administration 1401 Constitution Avenue, NW. Washington, DC 20230 Dear Mr. Antonipillai and Mr. Dean: I am writing to provide further information about the manner in which the United States conducts bulk collection of signals intelligence. As explained in footnote 5 of Presidential Policy Directive 28 (PPD–28), ‘‘bulk’’ collection refers to the acquisition of a relatively large volume of signals intelligence information or data under circumstances where the Intelligence Community cannot use an identifier associated with a specific target (such as the target’s email address or phone number) to focus the collection. However, this does not mean that this sort of collection is ‘‘mass’’ or ‘‘indiscriminate.’’ Indeed, PPD–28 also requires that ‘‘[s]ignals intelligence activities shall be as tailored as feasible.’’ In furtherance of this mandate, the Intelligence Community takes steps to ensure that even when we cannot use specific identifiers to target collection, the data to be collected is likely to contain foreign intelligence that will be responsive to requirements articulated by U.S. policy-makers pursuant to the process explained in my earlier letter, and minimizes the amount of non-pertinent information that is collected. As an example, the Intelligence Community may be asked to acquire signals intelligence about the activities of a terrorist group operating in a region of a Middle Eastern country, that is believed to be plotting attacks against Western European countries, but may not know the names, phone numbers, email addresses or other specific identifiers of individuals associated with this terrorist group. We might choose to target that group by collecting communications to and from that region for further review and analysis to identify those communications that relate to the group. In so doing, the Intelligence Community would seek to narrow the collection as much as possible. This would be considered collection in ‘‘bulk’’ because the use of discriminants is not feasible, but it is neither PO 00000 Frm 00031 Fmt 4701 Sfmt 4703 51071 ‘‘mass’’ nor ‘‘indiscriminate’’; rather it is focused as precisely as possible. Thus, even when targeting through the use of specific selectors is not possible, the United States does not collect all communications from all communications facilities everywhere in the world, but applies filters and other technical tools to focus its collection on those facilities that are likely to contain communications of foreign intelligence value. In so doing, the United States’ signals intelligence activities touch only a fraction of the communications traversing the Internet. Moreover, as noted in my earlier letter, because ‘‘bulk’’ collection entails a greater risk of collecting non-pertinent communications, PPD–28 limits the use that the Intelligence Community may make of signals intelligence collected in bulk to six specified purposes. PPD–28, and agency policies implementing PPD–28, also place restrictions on the retention and dissemination of personal information acquired through signals intelligence, regardless of whether the information was collected in bulk or through targeted collection, and regardless of the individual’s nationality. Thus, the Intelligence Community’s ‘‘bulk’’ collection is not ‘‘mass’’ or ‘‘indiscriminate,’’ but involves the application of methods and tools to filter collection in order to focus the collection on material that will be responsive to policy-makers’ articulated foreign intelligence requirements while minimizing the collection of non-pertinent information, and provides strict rules to protect the nonpertinent information that may be acquired. The policies and procedures described in this letter apply to all bulk signals intelligence collection, including any bulk collection of communications to and from Europe, without confirming or denying whether any such collection occurs. You have also asked for more information about the Privacy and Civil Liberties Oversight Board (PCLOB) and Inspectors General, and their authorities. The PCLOB is an independent agency in the Executive Branch. Members of the bipartisan, fivemember Board are appointed by the President and confirmed by the Senate.1 Each Member of the Board serves a six-year term. Members of the Board and staff are provided appropriate security clearances in order for them to fully execute their statutory duties and responsibilities.2 The PCLOB’s mission is to ensure that the federal government’s efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties. The Board has two fundamental responsibilities— oversight and advice. The PCLOB sets its own agenda and determines what oversight or advice activities it wishes to undertake. In its oversight role, the PCLOB reviews and analyzes actions the Executive Branch takes to protect the nation from terrorism, ensuring that the need for such actions is balanced with the need to protect privacy and civil liberties.3 The PCLOB’s most recent 1 42 U.S.C. 2000ee(a), (h). U.S.C. 2000ee(k). 3 42 U.S.C. 2000ee(d)(2). 2 42 E:\FR\FM\02AUN2.SGM 02AUN2 51072 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 completed oversight review focused on surveillance programs operated under Section 702 of FISA.4 It is currently conducting a review of intelligence activities operated under Executive Order 12333.5 In its advisory role, the PCLOB ensures that liberty concerns are appropriately considered in the development and implementation of laws, regulations, and policies related to efforts to protect the nation from terrorism.6 In order to carry out its mission, the Board is authorized by statute to have access to all relevant agency records, reports, audits, reviews, documents, papers, recommendations, and any other relevant materials, including classified information consistent with law.7 In addition, the Board may interview, take statements from, or take public testimony from any executive branch officer or employee.8 Additionally, the Board may request in writing that the Attorney General, on the Board’s behalf, issues subpoenas compelling parties outside the Executive Branch to provide relevant information.9 Finally, the PCLOB has statutory public transparency requirements. This includes keeping the public informed of its activities by holding public hearings and making its reports publicly available, to the greatest extent possible consistent with the protection of classified information.10 In addition, the PCLOB is required to report when an Executive Branch agency declines to follow its advice. Inspectors General (IGs) in the Intelligence Community (IC) conduct audits, inspections, and reviews of the programs and activities in the IC to identify and address systemic risks, vulnerabilities, and deficiencies. In addition, IGs investigate complaints or information of allegations of violations of law, rules, or regulations, or mismanagement; gross waste of funds; abuse of authority, or a substantial and specific danger to the public health and safety in IC programs and activities. IG independence is a critical component to the objectivity and integrity of every report, finding, and recommendation an IG issues. Some of the most critical components to maintaining IG independence include the IG appointment and removal process; separate operational, budget, and personnel authorities; and dual reporting requirements to Executive Branch agency heads and Congress. Congress established an independent IG office in each Executive Branch agency, including every IC element.11 With the 4 See generally https://www.pclob.gov/ library.html#oversightreports. 5 See generally https://www.pclob.gov/events/ 2015/may13.html. 6 42 U.S.C. 2000ee(d)(1); see also PCLOB Advisory Function Policy and Procedure, Policy 2015–004, available at https://www.pclob.gov/ library/Policy-Advisory_Function_Policy_ Procedure.pdf. 7 42 U.S.C. 2000ee(g)(1)(A). 8 42 U.S.C. 2000ee(g)(1)(B). 9 42 U.S.C. 2000ee(g)(1)(D). 10 42 U.S.C. 2000eee(f). 11 Sections 2 and 4 of the Inspector General Act of 1978, as amended (hereinafter ‘‘IG Act’’); Section 103H(b) and (e) of the National Security Act of 1947, as amended (hereinafter ‘‘Nat’l Sec. Act’’); VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 passage of the Intelligence Authorization Act for Fiscal Year 2015, almost all IGs with oversight of an IC element are appointed by the President and confirmed by the Senate, including the Department of Justice, Central Intelligence Agency, National Security Agency, and the Intelligence Community.12 Further, these IGs are permanent, nonpartisan, officials who can only be removed by the President. While the U.S. Constitution requires that the President have IG removal authority, it has rarely been exercised and requires that the President provide Congress with a written justification 30 days before removing an IG.13 This IG appointment process ensures that there is no undue influence by Executive Branch officials in the selection, appointment, or removal of an IG. Second, IGs have significant statutory authorities to conduct audits, investigations, and reviews of Executive Branch programs and operations. In addition to oversight investigations and reviews required by law, IGs have broad discretion to exercise oversight authority to review programs and activities of their choosing.14 In exercising this authority, the law ensures that IGs have the independent resources to execute their responsibilities, including the authority to hire their own staff and separately document their budget requests to Congress.15 The law ensures that IGs have access to the information needed to execute their responsibilities. This includes the authority to have direct access to all agency records and information detailing the programs and operations of the agency regardless of classification; the authority to subpoena information and documents; and the authority to administer oaths.16 In limited cases, the head of an Executive Branch agency may prohibit an IG’s activity if, for example, an IG audit or investigation would significantly impair the national security interests of the United States. Again, the exercise of this authority is extremely unusual and requires the head of the agency to notify Congress within 30 days of the reasons for exercising it.17 Indeed, the Director of National Intelligence has never exercised this limitation authority over any IG activities. Third, IGs have responsibilities to keep both heads of Executive Branch agencies and Section 17(a) of the Central Intelligence Act (hereinafter ‘‘CIA Act’’). 12 See Public Law 113–293, 128 Stat. 3990, (Dec. 19, 2014). Only the IGs for the Defense Intelligence Agency and the National Geospatial-Intelligence Agency are not appointed by the President; however the DOD IG and the IC IG have concurrent jurisdiction over these agencies. 13 Section 3 of the IG Act of 1978, as amended; Section 103H(c) of the Nat’l Sec. Act; and Section 17(b) of the CIA Act. 14 See Sections 4(a) and 6(a)(2) of the IG Act of 1947; Section 103H(e) and (g)(2)(A) of the Nat’l Sec. Act; Section 17(a) and (c) of the CIA Act. 15 Sections 3(d), 6(a)(7) and 6(f) of the IG Act; Sections 103H(d), (i), (j) and (m) of the Nat’l Sec. Act; Sections 17(e)(7) and (f) of the CIA Act. 16 Section 6(a)(1), (3), (4), (5), and (6) of the IG Act; Sections 103H(g)(2) of the Nat’l Sec. Act; Section 17(e)(1), (2), (4), and (5) of CIA Act. 17 See, e.g., Sections 8(b) and 8E(a) of the IG Act; Section 103H(f) of the Nat’l Sec. Act; Section 17(b) of the CIA Act. PO 00000 Frm 00032 Fmt 4701 Sfmt 4703 Congress fully and currently informed through reports of fraud and other serious problems, abuses, and deficiencies relating to Executive Branch programs and activities.18 Dual reporting bolsters IG independence by providing transparency into the IG oversight process and allowing agency heads an opportunity to implement IG recommendations before Congress can take legislative action. For example, IGs are required by law to complete semi-annual reports that describe such problems as well as corrective actions taken to date.19 Executive Branch agencies take IG findings and recommendations seriously and IGs are often able to include the agencies’ acceptance and implementation of IG recommendations in these and other reports provided to Congress, and in some cases the public.20 In addition to this IG dual-report structure, IGs are also responsible for shepherding Executive Branch whistleblowers to the appropriate congressional oversight committees to make disclosures of alleged fraud, waste, or abuse in Executive Branch programs and activities. The identities of those who come forward are protected from disclosure to the Executive Branch, which shields the whistleblowers from potential prohibited personnel actions or security clearance actions taken in reprisal for reporting to the IG.21 As whistleblowers are often the sources for IG investigations, the ability to report their concerns to the Congress without Executive Branch influences increases the effectiveness of IG oversight. Because of this independence, IGs can promote economy, efficiency, and accountability in Executive Branch agencies with objectivity and integrity. Finally, Congress has established the Council of Inspectors General on Integrity and Efficiency. This Council, among other things, develops IG standards for audits, investigations and reviews; promotes training; and has the authority to conduct reviews of allegations of IG misconduct, which serves as a critical eye on IGs, who are entrusted to watch all others.22 I hope that this information is helpful to you. 18 Section 4(a)(5) of the IG Act; Section 103H(a)(b)(3) and (4) of the Nat’l Sec. Act; Section 17(a)(2) and (4) of the CIA Act. 19 Section 2(3), 4(a), and 5 of the IG Act; Section 103H(k) of the Nat’l Sec. Act; Section 17(d) of the CIA Act. The Inspector General of the Department of Justice makes its publicly released reports available on the Internet at https://oig.justice.gov/ reports/all.htm. Similarly, the Inspector General for the Intelligence Community makes it semi-annual reports publicly available at https://www.dni.gov/ index.php/intelligence-community/ic-policiesreports/records-requested-under-foia#icig. 20 Section 2(3), 4(a), and 5 of the IG Act; Section 103H(k) of the Nat’l Sec. Act; Section 17(d) of the CIA Act. The Inspector General of the Department of Justice makes its publicly released reports available on the Internet at https://oig.justice.gov/ reports/all.htm. Similarly, the Inspector General for the Intelligence Community makes it semi-annual reports publicly available at https://www.dni.gov/ index.php/intelligence-community/ic-policiesreports/records-requested-under-foia#icig. 21 Section 7 of the IG Act; Section 103H(g)(3) of the Nat’l Sec. Act; Section 17(e)(3) of the CIA Act. 22 Section 11 of the IG Act. E:\FR\FM\02AUN2.SGM 02AUN2 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices Regards, Robert S. Litt General Counsel mstockstill on DSK3G9T082PROD with NOTICES2 Letter From Deputy Assistant Attorney General and Counselor for International Affairs Bruce Swartz, U.S. Department of Justice February 19, 2016 Mr. Justin S. Antonipillai Counselor U.S. Department of Commerce 1401 Constitution Ave. NW. Washington, DC 20230 Mr. Ted Dean Deputy Assistant Secretary International Trade Administration 1401 Constitution Ave. NW. Washington, DC 20230 Dear Mr. Antonipillai and Mr. Dean: This letter provides a brief overview of the primary investigative tools used to obtain commercial data and other record information from corporations in the United States for criminal law enforcement or public interest (civil and regulatory) purposes, including the access limitations set forth in those authorities.1 These legal processes are nondiscriminatory in that they are used to obtain information from corporations in the United States, including from companies that will self-certify through the US/EU Privacy Shield framework, without regard to the nationality of the data subject. Further, corporations that receive legal process in the United States may challenge it in court as discussed below.2 Of particular note with respect to the seizure of data by public authorities is the Fourth Amendment to the United States Constitution, which provides that ‘‘[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.’’ U.S. Const. amend. IV. As the United States Supreme Court stated in Berger v. State of New York, ‘‘[t]he basic 1 This overview does not describe the national security investigative tools used by law enforcement in terrorism and other national security investigations, including National Security Letters (NSLs) for certain record information in credit reports, financial records, and electronic subscriber and transaction records, see 12 U.S.C. 3414; 15 U.S.C. 1681u; 15 U.S.C. 1681v; 18 U.S.C. 2709, and for electronic surveillance, search warrants, business records, and other collection of communications pursuant to the Foreign Intelligence Surveillance Act, see 50 U.S.C. 1801 et seq. 2 This paper discusses federal law enforcement and regulatory authorities; violations of state law are investigated by states and are tried in state courts. State law enforcement authorities use warrants and subpoenas issued under state law in essentially the same manner as described herein, but with the possibility that state legal process may be subject to protections provided by State constitutions that exceed those of the U.S. Constitution. State law protections must be at least equal to those of the U.S. Constitution, including but not limited to the Fourth Amendment. VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 purpose of this Amendment, as recognized in countless decisions of this Court, is to safeguard the privacy and security of individuals against arbitrary invasions by government officials.’’ 388 U.S. 41, 53 (1967) (citing Camara v. Mun. Court of San Francisco, 387 U.S. 523, 528 (1967)). In domestic criminal investigations, the Fourth Amendment generally requires law enforcement officers to obtain a court-issued warrant before conducting a search. See Katz v. United States, 389 U.S. 347, 357 (1967). When the warrant requirement does not apply, government activity is subject to a ‘‘reasonableness’’ test under the Fourth Amendment. The Constitution itself, therefore, ensures that the U.S. government does not have limitless, or arbitrary, power to seize private information. Criminal Law Enforcement Authorities: Federal prosecutors, who are officials of the Department of Justice (DOJ), and federal investigative agents including agents of the Federal Bureau of Investigation (FBI), a law enforcement agency within DOJ, are able to compel production of documents and other record information from corporations in the United States for criminal investigative purposes through several types of compulsory legal processes, including grand jury subpoenas, administrative subpoenas and search warrants, and may acquire other communications pursuant to federal criminal wiretap and pen register authorities. Grand Jury or Trial Subpoenas: Criminal subpoenas are used to support targeted law enforcement investigations. A grand jury subpoena is an official request issued from a grand jury (usually at the request of a federal prosecutor) to support a grand jury investigation into a particular suspected violation of criminal law. Grand juries are an investigative arm of the court and are impaneled by a judge or magistrate. A subpoena may require someone to testify at a proceeding, or to produce or make available business records, electronically stored information, or other tangible items. The information must be relevant to the investigation and the subpoena cannot be unreasonable because it is overbroad, or because it is oppressive or burdensome. A recipient can file a motion to challenge a subpoena based on those grounds. See Fed. R. Crim. P. 17. In limited circumstances, trial subpoenas for documents may be used after the case has been indicted by the grand jury. Administrative Subpoena Authority: Administrative subpoena authorities may be exercised in criminal or civil investigations. In the criminal law enforcement context, several federal statutes authorize the use of administrative subpoenas to produce or make available business records, electronically stored information, or other tangible items in investigations involving health care fraud, child abuse, Secret Service protection, controlled substance cases, and Inspector General investigations implicating government agencies. If the government seeks to enforce an administrative subpoena in court, the recipient of the administrative subpoena, like the recipient of a grand jury subpoena, can argue that the subpoena is unreasonable because it is overbroad, or because it is oppressive or burdensome. PO 00000 Frm 00033 Fmt 4701 Sfmt 4703 51073 Court Orders For Pen Register and Trap and Traces: Under criminal pen register and trap and trace provisions, law enforcement may obtain a court order to acquire real-time, non-content dialing, routing, addressing and signaling information about a phone number or email upon certification that the information provided is relevant to a pending criminal investigation. See 18 U.S.C. 3121– 3127. The use or installation of such a device outside the law is a federal crime. Electronic Communications Privacy Act (ECPA): Additional rules govern the government’s access to subscriber information, traffic data and stored content of communications held by ISPs telephone companies, and other third party service providers, pursuant to Title II of ECPA, also called the Stored Communications Act (SCA), 18 U.S.C. 2701–2712. The SCA sets forth a system of statutory privacy rights that limit law enforcement access to data beyond what is required under constitutional law from customers and subscribers of Internet service providers. The SCA provides for increasing levels of privacy protections depending on the intrusiveness of the collection. For subscriber registration information, IP addresses and associated time stamps, and billing information, criminal law enforcement authorities must obtain a subpoena. For most other stored, non-content information, such as email headers without the subject line, law enforcement must present specific facts to a judge demonstrating that the requested information is relevant and material to an ongoing criminal investigation. To obtain the stored content of electronic communications, generally, criminal law enforcement authorities obtain a warrant from a judge based on probable cause to believe the account in question contains evidence of a crime. The SCA also provides for civil liability and criminal penalties. Court Orders for Surveillance Pursuant to Federal Wiretap Law: Additionally, law enforcement may intercept in real time wire, oral or electronic communications for criminal investigative purposes pursuant to the federal wiretap law. See 18 U.S.C. 2510– 2522. This authority is available only pursuant to a court order in which a judge finds, inter alia, that there is probable cause to believe that the wiretap or electronic interception will produce evidence of a federal crime, or the whereabouts of a fugitive fleeing from prosecution. The statute provides for civil liability and criminal penalties for violations of the wiretapping provisions. Search Warrant—Rule 41: Law enforcement can physically search premises in the United States when authorized to do so by a judge. Law enforcement must demonstrate to the judge based on a showing of ‘‘probable cause’’ that a crime was committed or is about to be committed and that items connected to the crime are likely to be found in the place specified by the warrant. This authority is often used when a physical search by police of a premise is needed due to the danger that evidence may be destroyed if a subpoena or other production order is served on the corporation. See U.S. Const. amend. IV E:\FR\FM\02AUN2.SGM 02AUN2 51074 Federal Register / Vol. 81, No. 148 / Tuesday, August 2, 2016 / Notices mstockstill on DSK3G9T082PROD with NOTICES2 (discussed in further detail above), Fed. R. Crim. P. 41. The subject of a search warrant may move to quash the warrant as overbroad, vexatious or otherwise improperly obtained and aggrieved parties with standing may move to suppress any evidence obtained in an unlawful search. See Mapp v. Ohio, 367 U.S. 643 (1961). DOJ Guidelines and Policies: In addition to these Constitutional, statutory and rule-based limitations on government access to data, the Attorney General has issued guidelines that place further limits on law enforcement access to data, and that also contain privacy and civil liberty protections. For instance, the Attorney General’s Guidelines for Domestic Federal Bureau of Investigation (FBI) Operations (September 2008) (hereinafter AG FBI Guidelines), available at https:// www.justice.gov/archive/opa/docs/ guidelines.pdf, set limits on use of investigative means to seek information related to investigations that involve federal crimes. These guidelines require that the FBI use the least intrusive investigative methods feasible, taking into account the effect on privacy and civil liberties and the potential damage to reputation. Further, they note that ‘‘it is axiomatic that the FBI must conduct its investigations and other activities in a lawful and reasonable manner that respects liberty and privacy and avoids unnecessary intrusions into the lives of law-abiding people.’’ See AG FBI Guidelines at 5. The FBI has implemented these guidelines through the FBI Domestic Investigations and Operations Guide (DIOG), available at https://vault.fbi.gov/ FBI%20Domestic%20Investigations %20and%20Operations%20Guide%20 (DIOG), a comprehensive manual that includes detailed limits on use of investigative tools and guidance to assure that civil liberties and privacy are protected in every investigation. Additional rules and VerDate Sep<11>2014 20:41 Aug 01, 2016 Jkt 238001 policies that prescribe limitations on the investigative activities of federal prosecutors are set out in the United States Attorneys’ Manual (USAM), also available online at https://www.justice.gov/usam/united-statesattorneys-manual. Civil and Regulatory Authorities (Public Interest): There are also significant limits on civil or regulatory (i.e., ‘‘public interest’’) access to data held by corporations in the United States. Agencies with civil and regulatory responsibilities may issue subpoenas to corporations for business records, electronically stored information, or other tangible items. These agencies are limited in their exercise of administrative or civil subpoena authority not only by their organic statutes, but also by independent judicial review of subpoenas prior to potential judicial enforcement. See, e.g., Fed. R. Civ. P. 45. Agencies may seek access only to data that is relevant to matters within their scope of authority to regulate. Further, a recipient of an administrative subpoena may challenge the enforcement of that subpoena in court by presenting evidence that the agency has not acted in accordance with basic standards of reasonableness, as discussed earlier. There are other legal bases for companies to challenge data requests from administrative agencies based on their specific industries and the types of data they possess. For example, financial institutions can challenge administrative subpoenas seeking certain types of information as violations of the Bank Secrecy Act and its implementing regulations. See 31 U.S.C. 5318, 31 CFR chapter X. Other businesses can rely on the Fair Credit Reporting Act, see 15 U.S.C. 1681b, or a host of other sector specific laws. Misuse of an agency’s subpoena authority can result in agency liability, or personal liability for agency PO 00000 Frm 00034 Fmt 4701 Sfmt 9990 officers. See, e.g., Right to Financial Privacy Act, 12 U.S.C. 3401–3422. Courts in the United States thus stand as the guardians against improper regulatory requests and provide independent oversight of federal agency actions. Finally, any statutory power that administrative authorities have to physically seize records from a company in the United States pursuant to an administrative search must meet the requirements of the Fourth Amendment. See See v. City of Seattle, 387 U.S. 541 (1967). Conclusion All law enforcement and regulatory activities in the United States must conform to applicable law, including the U.S. Constitution, statutes, rules, and regulations. Such activities must also comply with applicable policies, including any Attorney General Guidelines governing federal law enforcement activities. The legal framework described above limits the ability of U.S. law enforcement and regulatory agencies to acquire information from corporations in the United States—whether the information concerns U.S. persons or citizens of foreign countries—and in addition permits judicial review of any government requests for data pursuant to these authorities. Sincerely, Bruce C. Swartz Deputy Assistant Attorney General and Counselor for International Affairs Dated: July 25, 2016. Edward M Dean, Deputy Assistant Secretary for Services, International Trade Administration, U.S. Department of Commerce. [FR Doc. 2016–17961 Filed 8–1–16; 8:45 am] BILLING CODE 3510–DR–P E:\FR\FM\02AUN2.SGM 02AUN2

Agencies

[Federal Register Volume 81, Number 148 (Tuesday, August 2, 2016)]
[Notices]
[Pages 51041-51074]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-17961]



[[Page 51041]]

Vol. 81

Tuesday,

No. 148

August 2, 2016

Part III





 Department of Commerce





-----------------------------------------------------------------------





International Trade Administration





 Privacy Shield Framework; Notice

Federal Register / Vol. 81 , No. 148 / Tuesday, August 2, 2016 / 
Notices

[[Page 51042]]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

International Trade Administration

[Docket No. 160721646-6646-01]
RIN 0625-XC022


Privacy Shield Framework

AGENCY: International Trade Administration, Department of Commerce.

ACTION: Notice of Availability of Privacy Shield Framework Documents.

-----------------------------------------------------------------------

SUMMARY: The International Trade Administration (ITA) is publishing 
this notice to announce the availability of the Privacy Shield 
Framework documents. The EU-U.S. Privacy Shield Framework was designed 
by the U.S. Department of Commerce and European Commission to provide 
companies on both sides of the Atlantic with a mechanism to comply with 
European Union data protection requirements when transferring personal 
data from the European Union to the United States in support of 
transatlantic commerce. The Privacy Shield Framework documents 
published in this notice include the Privacy Shield Principles and 
Annex I describing the new arbitral model available under the Privacy 
Shield, letters from the Secretary of Commerce and Acting Under 
Secretary for International Trade describing the Department of 
Commerce's administration of the Privacy Shield, letters from the 
Chairwoman of the Federal Trade Commission and Secretary of 
Transportation describing their enforcement of the Privacy Shield, a 
letter from the Secretary of State regarding the Privacy Shield 
Ombudsperson, two letters from the Office of the Director of National 
Intelligence regarding safeguards and limitations applicable to U.S. 
national security authorities, and a letter from the Department of 
Justice regarding safeguards and limitations on U.S. Government access 
for law enforcement and public interest purposes.

DATES: The Department of Commerce will begin accepting self-
certifications to the Privacy Shield on August 1, 2016.

FOR FURTHER INFORMATION CONTACT: Shannon Coe, International Trade 
Administration, 202-482-6013 or Shannon.Coe@trade.gov.

SUPPLEMENTARY INFORMATION: 
July 7, 2016
Ms. V[ecaron]ra Jourov[aacute]
Commissioner for Justice, Consumers and Gender Equality
European Commission
Rue de la Loi/Westraat 200
1049 Brussels
Belgium

Dear Commissioner Jourov[aacute]:
    On behalf of the United States, I am pleased to transmit 
herewith a package of EU-U.S. Privacy Shield materials that is the 
product of two years of productive discussions among our teams. This 
package, along with other materials available to the Commission from 
public sources, provides a very strong basis for a new adequacy 
finding by the European Commission.\1\
---------------------------------------------------------------------------

    \1\ Provided that the Commission Decision on the adequacy of the 
protection provided by the EU-U.S. Privacy Shield applies to 
Iceland, Liechtenstein and Norway, the Privacy Shield Package will 
cover both the European Union, as well as these three countries.
---------------------------------------------------------------------------

    We should both be proud of the improvements to the Framework. 
The Privacy Shield is based on Principles that have strong consensus 
support on both sides of the Atlantic, and we have strengthened 
their operation. Through our work together, we have the real 
opportunity to improve the protection of privacy around the world.
    The Privacy Shield Package includes the Privacy Shield 
Principles, along with a letter, attached as Annex 1, from the 
International Trade Administration (ITA) of the Department of 
Commerce, which administers the program, describing the commitments 
that our Department has made to ensure that the Privacy Shield 
operates effectively. The Package also includes Annex 2, which 
includes other Department of Commerce commitments relating to the 
new arbitral model available under the Privacy Shield.
    I have directed my staff to devote all necessary resources to 
implement the Privacy Shield Framework expeditiously and fully and 
to ensure the commitments in Annex 1 and Annex 2 are met in a timely 
fashion.
    The Privacy Shield Package also includes other documents from 
other United States agencies, namely:
     A letter from the Federal Trade Commission (FTC) 
describing its enforcement of the Privacy Shield;
     A letter from the Department of Transportation 
describing its enforcement of the Privacy Shield;
     Two letters prepared by the Office of the Director of 
National Intelligence (ODNI) regarding safeguards and limitations 
applicable to U.S. national security authorities;
     A letter from the Department of State and accompanying 
memorandum describing the State Department's commitment to establish 
a new Privacy Shield Ombudsperson for submission of inquiries 
regarding the United States' signals intelligence practices; and
     A letter prepared by the Department of Justice 
regarding safeguards and limitations on U.S. Government access for 
law enforcement and public interest purposes.
    You can be assured that the United States takes these 
commitments seriously.
    Within 30 days of final approval of the adequacy determination, 
the full Privacy Shield Package will be delivered to the Federal 
Register for publication.
    We look forward to working with you as the Privacy Shield is 
implemented and as we embark on the next phase of this process 
together.
Sincerely,
Penny Pritzker

Annex 1: Letter From Acting Under Secretary for International Trade Ken 
Hyatt

The Honorable V[ecaron]ra Jourov[aacute]

Commissioner for Justice, Consumers and Gender Equality
European Commission
Rue de la Loi/Westraat 200
1049 Brussels
Belgium

Dear Commissioner Jourov[aacute]:
    On behalf of the International Trade Administration, I am 
pleased to describe the enhanced protection of personal data that 
the EU-U.S. Privacy Shield Framework (``Privacy Shield'' or 
``Framework'') provides and the commitments the Department of 
Commerce (``Department'') has made to ensure that the Privacy Shield 
operates effectively. Finalizing this historic arrangement is a 
major achievement for privacy and for businesses on both sides of 
the Atlantic. It offers confidence to EU individuals that their data 
will be protected and that they will have legal remedies to address 
any concerns. It offers certainty that will help grow the 
transatlantic economy by ensuring that thousands of European and 
American businesses can continue to invest and do business across 
our borders. The Privacy Shield is the result of over two years of 
hard work and collaboration with you, our colleagues in the European 
Commission (``Commission''). We look forward to continuing to work 
with the Commission to ensure that the Privacy Shield functions as 
intended.
    We have worked with the Commission to develop the Privacy Shield 
to allow organizations established in the United States to meet the 
adequacy requirements for data protection under EU law. The new 
Framework will yield several significant benefits for both 
individuals and businesses. First, it provides an important set of 
privacy protections for the data of EU individuals. It requires 
participating U.S. organizations to develop a conforming privacy 
policy, publicly commit to comply with the Privacy Shield Principles 
so that the commitment becomes enforceable under U.S. law, annually 
re-certify their compliance to the Department, provide free 
independent dispute resolution to EU individuals, and be subject to 
the authority of the U.S. Federal Trade Commission (``FTC''), 
Department of Transportation (``DOT''), or another enforcement 
agency. Second, the Privacy Shield will enable thousands of 
companies in the United States and subsidiaries of European 
companies in the United States to receive personal data from the 
European Union to facilitate data flows that support transatlantic 
trade. The transatlantic economic relationship is already the 
world's largest, accounting for half of global economic output and 
nearly one trillion dollars in goods and services trade, supporting 
millions of jobs on both sides of the Atlantic. Businesses that rely 
on transatlantic data flows come from all industry sectors and 
include major Fortune 500 firms as well as many small and

[[Page 51043]]

medium-sized enterprises (SMEs). Transatlantic data flows allow U.S. 
organizations to process data required to offer goods, services, and 
employment opportunities to European individuals. The Privacy Shield 
supports shared privacy principles, bridging the differences in our 
legal approaches, while furthering trade and economic objectives of 
both Europe and the United States.
    While a company's decision to self-certify to this new Framework 
will be voluntary, once a company publicly commits to the Privacy 
Shield, its commitment is enforceable under U.S. law by either the 
Federal Trade Commission or Department of Transportation, depending 
on which authority has jurisdiction over the Privacy Shield 
organization.

Enhancements Under the Privacy Shield Principles

    The resulting Privacy Shield strengthens the protection of 
privacy by:
     Requiring additional information be provided to 
individuals in the Notice Principle, including a declaration of the 
organization's participation in the Privacy Shield, a statement of 
the individual's right to access personal data, and the 
identification of the relevant independent dispute resolution body;
     strengthening protection of personal data that is 
transferred from a Privacy Shield organization to a third party 
controller by requiring the parties to enter into a contract that 
provides that such data may only be processed for limited and 
specified purposes consistent with the consent provided by the 
individual and that the recipient will provide the same level of 
protection as the Principles;
     strengthening protection of personal data that is 
transferred from a Privacy Shield organization to a third party 
agent, including by requiring a Privacy Shield organization to: take 
reasonable and appropriate steps to ensure that the agent 
effectively processes the personal information transferred in a 
manner consistent with the organization's obligations under the 
Principles; upon notice, take reasonable and appropriate steps to 
stop and remediate unauthorized processing; and provide a summary or 
a representative copy of the relevant privacy provisions of its 
contract with that agent to the Department upon request;
     providing that a Privacy Shield organization is 
responsible for the processing of personal information it receives 
under the Privacy Shield and subsequently transfers to a third party 
acting as an agent on its behalf, and that the Privacy Shield 
organization shall remain liable under the Principles if its agent 
processes such personal information in a manner inconsistent with 
the Principles, unless the organization proves that it is not 
responsible for the event giving rise to the damage;
     clarifying that Privacy Shield organizations must limit 
personal information to the information that is relevant for the 
purposes of processing;
     requiring an organization to annually certify with the 
Department its commitment to apply the Principles to information it 
received while it participated in the Privacy Shield if it leaves 
the Privacy Shield and chooses to keep such data;
     requiring that independent recourse mechanisms be 
provided at no cost to the individual;
     requiring organizations and their selected independent 
recourse mechanisms to respond promptly to inquiries and requests by 
the Department for information relating to the Privacy Shield;
     requiring organizations to respond expeditiously to 
complaints regarding compliance with the Principles referred by EU 
Member State authorities through the Department; and
     requiring a Privacy Shield organization to make public 
any relevant Privacy Shield-related sections of any compliance or 
assessment report submitted to the FTC if it becomes subject to an 
FTC or court order based on non-compliance.

Administration and Supervision of the Privacy Shield Program by the 
Department of Commerce

    The Department reiterates its commitment to maintain and make 
available to the public an authoritative list of U.S. organizations 
that have self-certified to the Department and declared their 
commitment to adhere to the Principles (the ``Privacy Shield 
List''). The Department will keep the Privacy Shield List up to date 
by removing organizations when they voluntarily withdraw, fail to 
complete the annual re-certification in accordance with the 
Department's procedures, or are found to persistently fail to 
comply. The Department will also maintain and make available to the 
public an authoritative record of U.S. organizations that had 
previously self-certified to the Department, but that have been 
removed from the Privacy Shield List, including those that were 
removed for persistent failure to comply with the Principles. The 
Department will identify the reason each organization was removed.
    In addition, the Department commits to strengthening the 
administration and supervision of the Privacy Shield. Specifically, 
the Department will:

Provide Additional Information on the Privacy Shield Web Site

     Maintain the Privacy Shield List, as well as a record 
of those organizations that previously self-certified their 
adherence to the Principles, but which are no longer assured of the 
benefits of the Privacy Shield;
     include a prominently placed explanation clarifying 
that all organizations removed from the Privacy Shield List are no 
longer assured of the benefits of the Privacy Shield, but must 
nevertheless continue to apply the Principles to the personal 
information that they received while they participated in the 
Privacy Shield for as long as they retain such information; and
     provide a link to the list of Privacy Shield-related 
FTC cases maintained on the FTC Web site.

Verify Self-Certification Requirements

     Prior to finalizing an organization's self-
certification (or annual re-certification) and placing an 
organization on the Privacy Shield List, verify that the 
organization has:
    [cir] Provided required organization contact information;
    [cir] described the activities of the organization with respect 
to personal information received from the EU;
    [cir] indicated what personal information is covered by its 
self-certification;
    [cir] if the organization has a public Web site, provided the 
web address where the privacy policy is available and the privacy 
policy is accessible at the web address provided, or if an 
organization does not have a public Web site, provided where the 
privacy policy is available for viewing by the public;
    [cir] included in its relevant privacy policy a statement that 
it adheres to the Principles and if the privacy policy is available 
online, a hyperlink to the Department's Privacy Shield Web site;
    [cir] identified the specific statutory body that has 
jurisdiction to hear any claims against the organization regarding 
possible unfair or deceptive practices and violations of laws or 
regulations governing privacy (and that is listed in the Principles 
or a future annex to the Principles);
    [cir] if the organization elects to satisfy the requirements in 
points (a)(i) and (a)(iii) of the Recourse, Enforcement and 
Liability Principle by committing to cooperate with the appropriate 
EU data protection authorities (``DPAs''), indicated its intention 
to cooperate with DPAs in the investigation and resolution of 
complaints brought under the Privacy Shield, notably to respond to 
their inquiries when EU data subjects have brought their complaints 
directly to their national DPAs;
    [cir] identified any privacy program in which the organization 
is a member;
    [cir] identified the method of verification of assuring 
compliance with the Principles (e.g., in-house, third party);
    [cir] identified, both in its self-certification submission and 
in its privacy policy, the independent recourse mechanism that is 
available to investigate and resolve complaints;
    [cir] included in its relevant privacy policy, if the policy is 
available online, a hyperlink to the Web site or complaint 
submission form of the independent recourse mechanism that is 
available to investigate unresolved complaints; and
    [cir] if the organization has indicated that it intends to 
receive human resources information transferred from the EU for use 
in the context of the employment relationship, declared its 
commitment to cooperate and comply with DPAs to resolve complaints 
concerning its activities with regard to such data, provided the 
Department with a copy of its human resources privacy policy, and 
provided where the privacy policy is available for viewing by its 
affected employees.
     work with independent recourse mechanisms to verify 
that the organizations have in fact registered with the relevant 
mechanism indicated in their self-certification submissions, where 
such registration is required.

Expand Efforts To Follow Up With Organizations That Have Been Removed 
From the Privacy Shield List

     notify organizations that are removed from the Privacy 
Shield List for ``persistent failure to comply'' that they are not 
entitled

[[Page 51044]]

to retain information collected under the Privacy Shield; and
     send questionnaires to organizations whose self-
certifications lapse or who have voluntarily withdrawn from the 
Privacy Shield to verify whether the organization will return, 
delete, or continue to apply the Principles to the personal 
information that they received while they participated in the 
Privacy Shield, and if personal information will be retained, verify 
who within the organization will serve as an ongoing point of 
contact for Privacy Shield-related questions.

Search for and Address False Claims of Participation

     Review the privacy policies of organizations that have 
previously participated in the Privacy Shield program, but that have 
been removed from the Privacy Shield List to identify any false 
claims of Privacy Shield participation;
     on an ongoing basis, when an organization: (a) 
Withdraws from participation in the Privacy Shield, (b) fails to 
recertify its adherence to the Principles, or (c) is removed as a 
participant in the Privacy Shield notably for ``persistent failure 
to comply,'' undertake, on an ex officio basis, to verify that the 
organization has removed from any relevant published privacy policy 
any references to the Privacy Shield that imply that the 
organization continues to actively participate in the Privacy Shield 
and is entitled to its benefits. Where the Department finds that 
such references have not been removed, the Department will warn the 
organization that the Department will, as appropriate, refer matters 
to the relevant agency for potential enforcement action if it 
continues to make the claim of Privacy Shield certification. If the 
organization neither removes the references nor self-certifies its 
compliance under the Privacy Shield, the Department will ex officio 
refer the matter to the FTC, DOT, or other appropriate enforcement 
agency or, in appropriate cases, take action to enforce the Privacy 
Shield certification mark;
     undertake other efforts to identify false claims of 
Privacy Shield participation and improper use of the Privacy Shield 
certification mark, including by conducting Internet searches to 
identify where images of the Privacy Shield certification mark are 
being displayed and references to Privacy Shield in organizations' 
privacy policies;
     promptly address any issues that we identify during our 
ex officio monitoring of false claims of participation and misuse of 
the certification mark, including warning organizations 
misrepresenting their participation in the Privacy Shield program as 
described above;
     take other appropriate corrective action, including 
pursuing any legal recourse the Department is authorized to take and 
referring matters to the FTC, DOT, or another appropriate 
enforcement agency; and
     promptly review and address complaints about false 
claims of participation that we receive.
    The Department will undertake reviews of privacy policies of 
organizations to more effectively identify and address false claims 
of Privacy Shield participation. Specifically, the Department will 
review the privacy policies of organizations whose self-
certification has lapsed due to their failure to re-certify 
adherence to the Principles. The Department will conduct this type 
of review to verify that such organizations have removed from any 
relevant published privacy policy any references that imply that the 
organizations continue to actively participate in the Privacy 
Shield. As a result of these types of reviews, we will identify 
organizations that have not removed such references and send those 
organizations a letter from the Department's Office of General 
Counsel warning of potential enforcement action if the references 
are not removed. The Department will take follow-up action to ensure 
that the organizations either remove the inappropriate references or 
re-certify their adherence to the Principles. In addition, the 
Department will undertake efforts to identify false claims of 
Privacy Shield participation by organizations that have never 
participated in the Privacy Shield program, and will take similar 
corrective action with respect to such organizations.

Conduct Periodic ex officio Compliance Reviews and Assessments of the 
Program

     On an ongoing basis, monitor effective compliance, 
including through sending detailed questionnaires to participating 
organizations, to identify issues that may warrant further follow-up 
action. In particular, such compliance reviews shall take place 
when: (a) The Department has received specific non-frivolous 
complaints about an organization's compliance with the Principles, 
(b) an organization does not respond satisfactorily to inquiries by 
the Department for information relating to the Privacy Shield, or 
(c) there is credible evidence that an organization does not comply 
with its commitments under the Privacy Shield. The Department shall, 
when appropriate, consult with the competent data protection 
authorities about such compliance reviews; and
     assess periodically the administration and supervision 
of the Privacy Shield program to ensure that monitoring efforts are 
appropriate to address new issues as they arise.
    The Department has increased the resources that will be devoted 
to the administration and supervision of the Privacy Shield program, 
including doubling the number of staff responsible for the 
administration and supervision of the program. We will continue to 
dedicate appropriate resources to such efforts to ensure effective 
monitoring and administration of the program.

Tailor the Privacy Shield Web Site to Targeted Audiences

    The Department will tailor the Privacy Shield Web site to focus 
on three target audiences: EU individuals, EU businesses, and U.S. 
businesses. The inclusion of material targeted directly to EU 
individuals and EU businesses will facilitate transparency in a 
number of ways. With regard to EU individuals, it will clearly 
explain: (1) The rights the Privacy Shield provides to EU 
individuals; (2) the recourse mechanisms available to EU individuals 
when they believe an organization has breached its commitment to 
comply with the Principles; and (3) how to find information 
pertaining to an organization's Privacy Shield self-certification. 
With regard to EU businesses, it will facilitate verification of: 
(1) Whether an organization is assured of the benefits of the 
Privacy Shield; (2) the type of information covered by an 
organization's Privacy Shield self-certification; (3) the privacy 
policy that applies to the covered information; and (4) the method 
the organization uses to verify its adherence to the Principles.

Increase Cooperation With DPAs

    To increase opportunities for cooperation with DPAs, the 
Department will establish a dedicated contact at the Department to 
act as a liaison with DPAs. In instances where a DPA believes that 
an organization is not complying with the Principles, including 
following a complaint from an EU individual, the DPA can reach out 
to the dedicated contact at the Department to refer the organization 
for further review. The contact will also receive referrals 
regarding organizations that falsely claim to participate in the 
Privacy Shield, despite never having self-certified their adherence 
to the Principles. The contact will assist DPAs seeking information 
related to a specific organization's self-certification or previous 
participation in the program, and the contact will respond to DPA 
inquiries regarding the implementation of specific Privacy Shield 
requirements. Second, the Department will provide DPAs with material 
regarding the Privacy Shield for inclusion on their own Web sites to 
increase transparency for EU individuals and EU businesses. 
Increased awareness regarding the Privacy Shield and the rights and 
responsibilities it creates should facilitate the identification of 
issues as they arise, so that these can be appropriately addressed.

Facilitate Resolution of Complaints About Non-Compliance

    The Department, through the dedicated contact, will receive 
complaints referred to the Department by a DPA that a Privacy Shield 
organization is not complying with the Principles. The Department 
will make its best effort to facilitate resolution of the complaint 
with the Privacy Shield organization. Within 90 days after receipt 
of the complaint, the Department will provide an update to the DPA. 
To facilitate the submission of such complaints, the Department will 
create a standard form for DPAs to submit to the Department's 
dedicated contact. The dedicated contact will track all referrals 
from DPAs received by the Department, and the Department will 
provide in the annual review described below a report analyzing in 
aggregate the complaints it receives each year.

Adopt Arbitral Procedures and Select Arbitrators in Consultation With 
the Commission

    The Department will fulfill its commitments under Annex I and 
publish the procedures after agreement has been reached.

[[Page 51045]]

Joint Review Mechanism of the Functioning of the Privacy Shield

    The Department of Commerce, the FTC, and other agencies, as 
appropriate, will hold annual meetings with the Commission, 
interested DPAs, and appropriate representatives from the Article 29 
Working Party, where the Department will provide updates on the 
Privacy Shield program. The annual meetings will include discussion 
of current issues related to the functioning, implementation, 
supervision, and enforcement of the Privacy Shield, including 
referrals received by the Department from DPAs, the results of ex 
officio compliance reviews, and may also include discussion of 
relevant changes of law. The first annual review and subsequent 
reviews as appropriate will include a dialogue on other topics, such 
as in the area of automated decision-making, including aspects 
relating to similarities and differences in approaches in the EU and 
the US.

Update of Laws

    The Department will make reasonable efforts to inform the 
Commission of material developments in the law in the United States 
so far as they are relevant to the Privacy Shield in the field of 
data privacy protection and the limitations and safeguards 
applicable to access to personal data by U.S. authorities and its 
subsequent use.

National Security Exception

    With respect to the limitations to the adherence to the Privacy 
Shield Principles for national security purposes, the General 
Counsel of the Office of the Director of National Intelligence, 
Robert Litt, has also sent two letters addressed to Justin 
Antonipillai and Ted Dean of the Department of Commerce, and these 
have been forwarded to you. These letters extensively discuss, among 
other things, the policies, safeguards, and limitations that apply 
to signals intelligence activities conducted by the U.S. In 
addition, these letters describe the transparency provided by the 
Intelligence Community about these matters. As the Commission is 
assessing the Privacy Shield Framework, the information in these 
letters provides assurance to conclude that the Privacy Shield will 
operate appropriately, in accordance with the Principles therein. We 
understand that you may raise information that has been released 
publicly by the Intelligence Community, along with other 
information, in the future to inform the annual review of the 
Privacy Shield Framework.
    On the basis of the Privacy Shield Principles and the 
accompanying letters and materials, including the Department's 
commitments regarding the administration and supervision of the 
Privacy Shield Framework, our expectation is that the Commission 
will determine that the EU-U.S. Privacy Shield Framework provides 
adequate protection for the purposes of EU law and data transfers 
from the European Union will continue to organizations that 
participate in the Privacy Shield.

Sincerely,
Ken Hyatt

Annex 2: Arbitral Model

Annex I

    This Annex I provides the terms under which Privacy Shield 
organizations are obligated to arbitrate claims, pursuant to the 
Recourse, Enforcement and Liability Principle. The binding 
arbitration option described below applies to certain ``residual'' 
claims as to data covered by the EU-U.S. Privacy Shield. The purpose 
of this option is to provide a prompt, independent, and fair 
mechanism, at the option of individuals, for resolution of claimed 
violations of the Principles not resolved by any of the other 
Privacy Shield mechanisms, if any.

A. Scope

    This arbitration option is available to an individual to 
determine, for residual claims, whether a Privacy Shield 
organization has violated its obligations under the Principles as to 
that individual, and whether any such violation remains fully or 
partially unremedied. This option is available only for these 
purposes. This option is not available, for example, with respect to 
the exceptions to the Principles \1\ or with respect to an 
allegation about the adequacy of the Privacy Shield.
---------------------------------------------------------------------------

    \1\ Section I.5 of the Principles.
---------------------------------------------------------------------------

B. Available Remedies

    Under this arbitration option, the Privacy Shield Panel 
(consisting of one or three arbitrators, as agreed by the parties) 
has the authority to impose individual-specific, non-monetary 
equitable relief (such as access, correction, deletion, or return of 
the individual's data in question) necessary to remedy the violation 
of the Principles only with respect to the individual. These are the 
only powers of the arbitration panel with respect to remedies. In 
considering remedies, the arbitration panel is required to consider 
other remedies that already have been imposed by other mechanisms 
under the Privacy Shield. No damages, costs, fees, or other remedies 
are available. Each party bears its own attorney's fees.

C. Pre-Arbitration Requirements

    An individual who decides to invoke this arbitration option must 
take the following steps prior to initiating an arbitration claim: 
(1) Raise the claimed violation directly with the organization and 
afford the organization an opportunity to resolve the issue within 
the timeframe set forth in Section III.11(d)(i) of the Principles; 
(2) make use of the independent recourse mechanism under the 
Principles, which is at no cost to the individual; and (3) raise the 
issue through their Data Protection Authority to the Department of 
Commerce and afford the Department of Commerce an opportunity to use 
best efforts to resolve the issue within the timeframes set forth in 
the Letter from the International Trade Administration of the 
Department of Commerce, at no cost to the individual.
    This arbitration option may not be invoked if the individual's 
same claimed violation of the Principles (1) has previously been 
subject to binding arbitration; (2) was the subject of a final 
judgment entered in a court action to which the individual was a 
party; or (3) was previously settled by the parties. In addition, 
this option may not be invoked if an EU Data Protection Authority 
(1) has authority under Sections III.5 or III.9 of the Principles; 
or (2) has the authority to resolve the claimed violation directly 
with the organization. A DPA's authority to resolve the same claim 
against an EU data controller does not alone preclude invocation of 
this arbitration option against a different legal entity not bound 
by the DPA authority.

D. Binding Nature of Decisions

    An individual's decision to invoke this binding arbitration 
option is entirely voluntary. Arbitral decisions will be binding on 
all parties to the arbitration. Once invoked, the individual forgoes 
the option to seek relief for the same claimed violation in another 
forum, except that if non-monetary equitable relief does not fully 
remedy the claimed violation, the individual's invocation of 
arbitration will not preclude a claim for damages that is otherwise 
available in the courts.

E. Review and Enforcement

    Individuals and Privacy Shield organizations will be able to 
seek judicial review and enforcement of the arbitral decisions 
pursuant to U.S. law under the Federal Arbitration Act.\2\ Any such 
cases

[[Page 51046]]

must be brought in the federal district court whose territorial 
coverage includes the primary place of business of the Privacy 
Shield organization. This arbitration option is intended to resolve 
individual disputes, and arbitral decisions are not intended to 
function as persuasive or binding precedent in matters involving 
other parties, including in future arbitrations or in EU or U.S. 
courts, or FTC proceedings.
---------------------------------------------------------------------------

    \2\ Chapter 2 of the Federal Arbitration Act (``FAA'') provides 
that ``[a]n arbitration agreement or arbitral award arising out of a 
legal relationship, whether contractual or not, which is considered 
as commercial, including a transaction, contract, or agreement 
described in [section 2 of the FAA], falls under the Convention [on 
the Recognition and Enforcement of Foreign Arbitral Awards of June 
10, 1958, 21 U.S.T. 2519, T.I.A.S. No. 6997 (``New York 
Convention'')].'' 9 U.S.C. 202. The FAA further provides that ``[a]n 
agreement or award arising out of such a relationship which is 
entirely between citizens of the United States shall be deemed not 
to fall under the [New York] Convention unless that relationship 
involves property located abroad, envisages performance or 
enforcement abroad, or has some other reasonable relation with one 
or more foreign states.'' Id. Under Chapter 2, ``any party to the 
arbitration may apply to any court having jurisdiction under this 
chapter for an order confirming the award as against any other party 
to the arbitration. The court shall confirm the award unless it 
finds one of the grounds for refusal or deferral of recognition or 
enforcement of the award specified in the said [New York] 
Convention.'' Id. Sec.  207. Chapter 2 further provides that ``[t]he 
district courts of the United States . . . shall have original 
jurisdiction over . . . an action or proceeding [under the New York 
Convention], regardless of the amount in controversy.'' Id. section 
203.
    Chapter 2 also provides that ``Chapter 1 applies to actions and 
proceedings brought under this chapter to the extent that chapter is 
not in conflict with this chapter or the [New York] Convention as 
ratified by the United States.'' Id. section 208. Chapter 1, in 
turn, provides that ``[a] written provision in . . . a contract 
evidencing a transaction involving commerce to settle by arbitration 
a controversy thereafter arising out of such contract or 
transaction, or the refusal to perform the whole or any part 
thereof, or an agreement in writing to submit to arbitration an 
existing controversy arising out of such a contract, transaction, or 
refusal, shall be valid, irrevocable, and enforceable, save upon 
such grounds as exist at law or in equity for the revocation of any 
contract.'' Id. section 2. Chapter 1 further provides that ``any 
party to the arbitration may apply to the court so specified for an 
order confirming the award, and thereupon the court must grant such 
an order unless the award is vacated, modified, or corrected as 
prescribed in sections 10 and 11 of [the FAA].'' Id. section 9.
---------------------------------------------------------------------------

F. The Arbitration Panel

    The parties will select the arbitrators from the list of 
arbitrators discussed below.
    Consistent with applicable law, the U.S. Department of Commerce 
and the European Commission will develop a list of at least 20 
arbitrators, chosen on the basis of independence, integrity, and 
expertise. The following shall apply in connection with this 
process:
    Arbitrators:
    (1) Will remain on the list for a period of 3 years, absent 
exceptional circumstances or for cause, renewable for one additional 
period of 3 years;
    (2) shall not be subject to any instructions from, or be 
affiliated with, either party, or any Privacy Shield organization, 
or the U.S., EU, or any EU Member State or any other governmental 
authority, public authority, or enforcement authority; and
    (3) must be admitted to practice law in the U.S. and be experts 
in U.S. privacy law, with expertise in EU data protection law.

G. Arbitration Procedures

    Consistent with applicable law, within 6 months from the 
adoption of the adequacy decision, the Department of Commerce and 
the European Commission will agree to adopt an existing, well-
established set of U.S. arbitral procedures (such as AAA or JAMS) to 
govern proceedings before the Privacy Shield Panel, subject to each 
of the following considerations:
    1. An individual may initiate binding arbitration, subject to 
the pre-arbitration requirements provision above, by delivering a 
``Notice'' to the organization. The Notice shall contain a summary 
of steps taken under Paragraph C to resolve the claim, a description 
of the alleged violation, and, at the choice of the individual, any 
supporting documents and materials and/or a discussion of law 
relating to the alleged claim.
    2. Procedures will be developed to ensure that an individual's 
same claimed violation does not receive duplicative remedies or 
procedures.
    3. FTC action may proceed in parallel with arbitration.
    4. No representative of the U.S., EU, or any EU Member State or 
any other governmental authority, public authority, or enforcement 
authority may participate in these arbitrations, provided, that at 
the request of an EU individual, EU DPAs may provide assistance in 
the preparation only of the Notice but EU DPAs may not have access 
to discovery or any other materials related to these arbitrations.
    5. The location of the arbitration will be the United States, 
and the individual may choose video or telephone participation, 
which will be provided at no cost to the individual. In-person 
participation will not be required.
    6. The language of the arbitration will be English unless 
otherwise agreed by the parties. Upon a reasoned request, and taking 
into account whether the individual is represented by an attorney, 
interpretation at the arbitral hearing as well as translation of 
arbitral materials will be provided at no cost to the individual, 
unless the panel finds that, under the circumstances of the specific 
arbitration, this would lead to unjustified or disproportionate 
costs.
    7. Materials submitted to arbitrators will be treated 
confidentially and will only be used in connection with the 
arbitration.
    8. Individual-specific discovery may be permitted if necessary, 
and such discovery will be treated confidentially by the parties and 
will only be used in connection with the arbitration.
    9. Arbitrations should be completed within 90 days of the 
delivery of the Notice to the organization at issue, unless 
otherwise agreed to by the parties.

H. Costs

    Arbitrators should take reasonable steps to minimize the costs 
or fees of the arbitrations.
    Subject to applicable law, the Department of Commerce will 
facilitate the establishment of a fund, into which Privacy Shield 
organizations will be required to pay an annual contribution, based 
in part on the size of the organization, which will cover the 
arbitral cost, including arbitrator fees, up to maximum amounts 
(``caps''), in consultation with the European Commission. The fund 
will be managed by a third party, which will report regularly on the 
operations of the fund. At the annual review, the Department of 
Commerce and European Commission will review the operation of the 
fund, including the need to adjust the amount of the contributions 
or of the caps, and will consider, among other things, the number of 
arbitrations and the costs and timing of the arbitrations, with the 
mutual understanding that there will be no excessive financial 
burden imposed on Privacy Shield organizations. Attorney's fees are 
not covered by this provision or any fund under this provision.

EU-U.S. Privacy Shield Principles

EU-U.S. Privacy Shield Framework Principles Issued by the U.S. 
Department of Commerce

I. Overview

    1. While the United States and the European Union share the goal 
of enhancing privacy protection, the United States takes a different 
approach to privacy from that taken by the European Union. The 
United States uses a sectoral approach that relies on a mix of 
legislation, regulation, and self-regulation. Given those 
differences and to provide organizations in the United States with a 
reliable mechanism for personal data transfers to the United States 
from the European Union while ensuring that EU data subjects 
continue to benefit from effective safeguards and protection as 
required by European legislation with respect to the processing of 
their personal data when they have been transferred to non-EU 
countries, the Department of Commerce is issuing these Privacy 
Shield Principles, including the Supplemental Principles 
(collectively ``the Principles'') under its statutory authority to 
foster, promote, and develop international commerce (15 U.S.C. 
1512). The Principles were developed in consultation with the 
European Commission, and with industry and other stakeholders, to 
facilitate trade and commerce between the United States and European 
Union. They are intended for use solely by organizations in the 
United States receiving personal data from the European Union for 
the purpose of qualifying for the Privacy Shield and thus 
benefitting from the European Commission's adequacy decision.\1\ The 
Principles do not affect the application of national provisions 
implementing Directive 95/46/EC (``the Directive'') that apply to 
the processing of personal data in the Member States. Nor do the 
Principles limit privacy obligations that otherwise apply under U.S. 
law.
---------------------------------------------------------------------------

    \1\ Provided that the Commission Decision on the adequacy of the 
protection provided by the EU-U.S. Privacy Shield applies to 
Iceland, Liechtenstein and Norway, the Privacy Shield Package will 
cover both the European Union, as well as these three countries. 
Consequently, references to the EU and its Member States will be 
read as including Iceland, Liechtenstein and Norway.
---------------------------------------------------------------------------

    2. In order to rely on the Privacy Shield to effectuate 
transfers of personal data from the EU, an organization must self-
certify its adherence to the Principles to the Department of 
Commerce (or its designee) (``the Department''). While decisions by 
organizations to thus enter the Privacy Shield are entirely 
voluntary, effective compliance is compulsory: Organizations that 
self-certify to the Department and publicly declare their commitment 
to adhere to the Principles must comply fully with the Principles. 
In order to enter the Privacy Shield, an organization must (a) be 
subject to the investigatory and enforcement powers of the Federal 
Trade Commission (the ``FTC''), the Department of Transportation or 
another statutory body that will effectively ensure compliance with 
the Principles (other U.S. statutory bodies recognized by the EU may 
be included as an annex in the future); (b) publicly declare its 
commitment to comply with the Principles; (c) publicly disclose its 
privacy policies in line with these Principles; and (d) fully 
implement them. An organization's failure to comply is enforceable 
under Section 5 of the Federal Trade Commission Act prohibiting 
unfair and deceptive acts in or affecting commerce (15 U.S.C. 45(a)) 
or other laws or regulations prohibiting such acts.
    3. The Department of Commerce will maintain and make available 
to the public an authoritative list of U.S. organizations that have 
self-certified to the Department and declared their commitment to 
adhere to the Principles (``the Privacy Shield List''). Privacy 
Shield benefits are assured from the

[[Page 51047]]

date that the Department places the organization on the Privacy 
Shield List. The Department will remove an organization from the 
Privacy Shield List if it voluntarily withdraws from the Privacy 
Shield or if it fails to complete its annual re-certification to the 
Department. An organization's removal from the Privacy Shield List 
means it may no longer benefit from the European Commission's 
adequacy decision to receive personal information from the EU. The 
organization must continue to apply the Principles to the personal 
information it received while it participated in the Privacy Shield, 
and affirm to the Department on an annual basis its commitment to do 
so, for as long as it retains such information; otherwise, the 
organization must return or delete the information or provide 
``adequate'' protection for the information by another authorized 
means. The Department will also remove from the Privacy Shield List 
those organizations that have persistently failed to comply with the 
Principles; these organizations do not qualify for Privacy Shield 
benefits and must return or delete the personal information they 
received under the Privacy Shield.
    4. The Department will also maintain and make available to the 
public an authoritative record of U.S. organizations that had 
previously self-certified to the Department, but that have been 
removed from the Privacy Shield List. The Department will provide a 
clear warning that these organizations are not participants in the 
Privacy Shield; that removal from the Privacy Shield List means that 
such organizations cannot claim to be Privacy Shield compliant and 
must avoid any statements or misleading practices implying that they 
participate in the Privacy Shield; and that such organizations are 
no longer entitled to benefit from the European Commission's 
adequacy decision that would enable those organizations to receive 
personal information from the EU. An organization that continues to 
claim participation in the Privacy Shield or makes other Privacy 
Shield-related misrepresentations after it has been removed from the 
Privacy Shield List may be subject to enforcement action by the FTC, 
the Department of Transportation, or other enforcement authorities.
    5. Adherence to these Principles may be limited: (a) To the 
extent necessary to meet national security, public interest, or law 
enforcement requirements; (b) by statute, government regulation, or 
case law that creates conflicting obligations or explicit 
authorizations, provided that, in exercising any such authorization, 
an organization can demonstrate that its non-compliance with the 
Principles is limited to the extent necessary to meet the overriding 
legitimate interests furthered by such authorization; or (c) if the 
effect of the Directive or Member State law is to allow exceptions 
or derogations, provided such exceptions or derogations are applied 
in comparable contexts. Consistent with the goal of enhancing 
privacy protection, organizations should strive to implement these 
Principles fully and transparently, including indicating in their 
privacy policies where exceptions to the Principles permitted by (b) 
above will apply on a regular basis. For the same reason, where the 
option is allowable under the Principles and/or U.S. law, 
organizations are expected to opt for the higher protection where 
possible.
    6. Organizations are obligated to apply the Principles to all 
personal data transferred in reliance on the Privacy Shield after 
they enter the Privacy Shield. An organization that chooses to 
extend Privacy Shield benefits to human resources personal 
information transferred from the EU for use in the context of an 
employment relationship must indicate this when it self-certifies to 
the Department and conform to the requirements set forth in the 
Supplemental Principle on Self-Certification.
    7. U.S. law will apply to questions of interpretation and 
compliance with the Principles and relevant privacy policies by 
Privacy Shield organizations, except where such organizations have 
committed to cooperate with European data protection authorities 
(``DPAs''). Unless otherwise stated, all provisions of the 
Principles apply where they are relevant.
    8. Definitions:
    a. ``Personal data'' and ``personal information'' are data about 
an identified or identifiable individual that are within the scope 
of the Directive, received by an organization in the United States 
from the European Union, and recorded in any form.
    b. ``Processing'' of personal data means any operation or set of 
operations which is performed upon personal data, whether or not by 
automated means, such as collection, recording, organization, 
storage, adaptation or alteration, retrieval, consultation, use, 
disclosure or dissemination, and erasure or destruction.
    c. ``Controller'' means a person or organization which, alone or 
jointly with others, determines the purposes and means of the 
processing of personal data.
    9. The effective date of the Principles is the date of final 
approval of the European Commission's adequacy determination.

II. Principles

1. Notice

    a. An organization must inform individuals about:
    i. Its participation in the Privacy Shield and provide a link 
to, or the web address for, the Privacy Shield List,
    ii. the types of personal data collected and, where applicable, 
the entities or subsidiaries of the organization also adhering to 
the Principles,
    iii. its commitment to subject to the Principles all personal 
data received from the EU in reliance on the Privacy Shield,
    iv. the purposes for which it collects and uses personal 
information about them,
    v. how to contact the organization with any inquiries or 
complaints, including any relevant establishment in the EU that can 
respond to such inquiries or complaints,
    vi. the type or identity of third parties to which it discloses 
personal information, and the purposes for which it does so,
    vii. the right of individuals to access their personal data,
    viii. the choices and means the organization offers individuals 
for limiting the use and disclosure of their personal data,
    ix. the independent dispute resolution body designated to 
address complaints and provide appropriate recourse free of charge 
to the individual, and whether it is: (1) The panel established by 
DPAs, (2) an alternative dispute resolution provider based in the 
EU, or (3) an alternative dispute resolution provider based in the 
United States,
    x. being subject to the investigatory and enforcement powers of 
the FTC, the Department of Transportation or any other U.S. 
authorized statutory body,
    xi. the possibility, under certain conditions, for the 
individual to invoke binding arbitration,
    xii. the requirement to disclose personal information in 
response to lawful requests by public authorities, including to meet 
national security or law enforcement requirements, and
    xiii. its liability in cases of onward transfers to third 
parties.
    b. This notice must be provided in clear and conspicuous 
language when individuals are first asked to provide personal 
information to the organization or as soon thereafter as is 
practicable, but in any event before the organization uses such 
information for a purpose other than that for which it was 
originally collected or processed by the transferring organization 
or discloses it for the first time to a third party.

2. Choice

    a. An organization must offer individuals the opportunity to 
choose (opt out) whether their personal information is (i) to be 
disclosed to a third party or (ii) to be used for a purpose that is 
materially different from the purpose(s) for which it was originally 
collected or subsequently authorized by the individuals. Individuals 
must be provided with clear, conspicuous, and readily available 
mechanisms to exercise choice.
    b. By derogation to the previous paragraph, it is not necessary 
to provide choice when disclosure is made to a third party that is 
acting as an agent to perform task(s) on behalf of and under the 
instructions of the organization. However, an organization shall 
always enter into a contract with the agent.
    c. For sensitive information (i.e., personal information 
specifying medical or health conditions, racial or ethnic origin, 
political opinions, religious or philosophical beliefs, trade union 
membership or information specifying the sex life of the 
individual), organizations must obtain affirmative express consent 
(opt in) from individuals if such information is to be (i) disclosed 
to a third party or (ii) used for a purpose other than those for 
which it was originally collected or subsequently authorized by the 
individuals through the exercise of opt-in choice. In addition, an 
organization should treat as sensitive any personal information 
received from a third party where the third party identifies and 
treats it as sensitive.

3. Accountability for Onward Transfer

    a. To transfer personal information to a third party acting as a 
controller, organizations must comply with the Notice and Choice 
Principles. Organizations must also enter into a contract with the 
third-party controller that provides that such data may

[[Page 51048]]

only be processed for limited and specified purposes consistent with 
the consent provided by the individual and that the recipient will 
provide the same level of protection as the Principles and will 
notify the organization if it makes a determination that it can no 
longer meet this obligation. The contract shall provide that when 
such a determination is made the third party controller ceases 
processing or takes other reasonable and appropriate steps to 
remediate.
    b. To transfer personal data to a third party acting as an 
agent, organizations must: (i) Transfer such data only for limited 
and specified purposes; (ii) ascertain that the agent is obligated 
to provide at least the same level of privacy protection as is 
required by the Principles; (iii) take reasonable and appropriate 
steps to ensure that the agent effectively processes the personal 
information transferred in a manner consistent with the 
organization's obligations under the Principles; (iv) require the 
agent to notify the organization if it makes a determination that it 
can no longer meet its obligation to provide the same level of 
protection as is required by the Principles; (v) upon notice, 
including under (iv), take reasonable and appropriate steps to stop 
and remediate unauthorized processing; and (vi) provide a summary or 
a representative copy of the relevant privacy provisions of its 
contract with that agent to the Department upon request.

4. Security

    a. Organizations creating, maintaining, using or disseminating 
personal information must take reasonable and appropriate measures 
to protect it from loss, misuse and unauthorized access, disclosure, 
alteration and destruction, taking into due account the risks 
involved in the processing and the nature of the personal data.

5. Data Integrity and Purpose Limitation

    a. Consistent with the Principles, personal information must be 
limited to the information that is relevant for the purposes of 
processing.\2\ An organization may not process personal information 
in a way that is incompatible with the purposes for which it has 
been collected or subsequently authorized by the individual. To the 
extent necessary for those purposes, an organization must take 
reasonable steps to ensure that personal data is reliable for its 
intended use, accurate, complete, and current. An organization must 
adhere to the Principles for as long as it retains such information.
---------------------------------------------------------------------------

    \2\ Depending on the circumstances, examples of compatible 
processing purposes may include those that reasonably serve customer 
relations, compliance and legal considerations, auditing, security 
and fraud prevention, preserving or defending the organization's 
legal rights, or other purposes consistent with the expectations of 
a reasonable person given the context of the collection.
---------------------------------------------------------------------------

    b. Information may be retained in a form identifying or making 
identifiable \3\ the individual only for as long as it serves a 
purpose of processing within the meaning of 5a. This obligation does 
not prevent organizations from processing personal information for 
longer periods for the time and to the extent such processing 
reasonably serves the purposes of archiving in the public interest, 
journalism, literature and art, scientific or historical research, 
and statistical analysis. In these cases, such processing shall be 
subject to the other Principles and provisions of the Framework. 
Organizations should take reasonable and appropriate measures in 
complying with this provision.
---------------------------------------------------------------------------

    \3\ In this context, if, given the means of identification 
reasonably likely to be used (considering, among other things, the 
costs of and the amount of time required for identification and the 
available technology at the time of the processing) and the form in 
which the data is retained, an individual could reasonably be 
identified by the organization, or a third party if it would have 
access to the data, then the individual is ``identifiable.''
---------------------------------------------------------------------------

6. Access

    a. Individuals must have access to personal information about 
them that an organization holds and be able to correct, amend, or 
delete that information where it is inaccurate, or has been 
processed in violation of the Principles, except where the burden or 
expense of providing access would be disproportionate to the risks 
to the individual's privacy in the case in question, or where the 
rights of persons other than the individual would be violated.

7. Recourse, Enforcement and Liability

    a. Effective privacy protection must include robust mechanisms 
for assuring compliance with the Principles, recourse for 
individuals who are affected by non-compliance with the Principles, 
and consequences for the organization when the Principles are not 
followed. At a minimum such mechanisms must include:
    i. Readily available independent recourse mechanisms by which 
each individual's complaints and disputes are investigated and 
expeditiously resolved at no cost to the individual and by reference 
to the Principles, and damages awarded where the applicable law or 
private-sector initiatives so provide;
    ii. follow-up procedures for verifying that the attestations and 
assertions organizations make about their privacy practices are true 
and that privacy practices have been implemented as presented and, 
in particular, with regard to cases of non-compliance; and
    iii. obligations to remedy problems arising out of failure to 
comply with the Principles by organizations announcing their 
adherence to them and consequences for such organizations. Sanctions 
must be sufficiently rigorous to ensure compliance by organizations.
    b. Organizations and their selected independent recourse 
mechanisms will respond promptly to inquiries and requests by the 
Department for information relating to the Privacy Shield. All 
organizations must respond expeditiously to complaints regarding 
compliance with the Principles referred by EU Member State 
authorities through the Department. Organizations that have chosen 
to cooperate with DPAs, including organizations that process human 
resources data, must respond directly to such authorities with 
regard to the investigation and resolution of complaints.
    c. Organizations are obligated to arbitrate claims and follow 
the terms as set forth in Annex I, provided that an individual has 
invoked binding arbitration by delivering notice to the organization 
at issue and following the procedures and subject to conditions set 
forth in Annex I.
    d. In the context of an onward transfer, a Privacy Shield 
organization has responsibility for the processing of personal 
information it receives under the Privacy Shield and subsequently 
transfers to a third party acting as an agent on its behalf. The 
Privacy Shield organization shall remain liable under the Principles 
if its agent processes such personal information in a manner 
inconsistent with the Principles, unless the organization proves 
that it is not responsible for the event giving rise to the damage.
    e. When an organization becomes subject to an FTC or court order 
based on non-compliance, the organization shall make public any 
relevant Privacy Shield-related sections of any compliance or 
assessment report submitted to the FTC, to the extent consistent 
with confidentiality requirements. The Department has established a 
dedicated point of contact for DPAs for any problems of compliance 
by Privacy Shield organizations. The FTC will give priority 
consideration to referrals of non-compliance with the Principles 
from the Department and EU Member State authorities, and will 
exchange information regarding referrals with the referring state 
authorities on a timely basis, subject to existing confidentiality 
restrictions.

III. Supplemental Principles

1. Sensitive Data

    a. An organization is not required to obtain affirmative express 
consent (opt in) with respect to sensitive data where the processing 
is:
    i. In the vital interests of the data subject or another person;
    ii. necessary for the establishment of legal claims or defenses;
    iii. required to provide medical care or diagnosis;
    iv. carried out in the course of legitimate activities by a 
foundation, association or any other non-profit body with a 
political, philosophical, religious or trade-union aim and on 
condition that the processing relates solely to the members of the 
body or to the persons who have regular contact with it in 
connection with its purposes and that the data are not disclosed to 
a third party without the consent of the data subjects;
    v. necessary to carry out the organization's obligations in the 
field of employment law; or
    vi. related to data that are manifestly made public by the 
individual.

2. Journalistic Exceptions

    a. Given U.S. constitutional protections for freedom of the 
press and the Directive's exemption for journalistic material, where 
the rights of a free press embodied in the First Amendment of the 
U.S. Constitution intersect with privacy protection interests, the 
First Amendment must govern the balancing of these interests with 
regard to the activities of U.S. persons or organizations.

[[Page 51049]]

    b. Personal information that is gathered for publication, 
broadcast, or other forms of public communication of journalistic 
material, whether used or not, as well as information found in 
previously published material disseminated from media archives, is 
not subject to the requirements of the Privacy Shield Principles.

3. Secondary Liability

    a. Internet Service Providers (``ISPs''), telecommunications 
carriers, and other organizations are not liable under the Privacy 
Shield Principles when on behalf of another organization they merely 
transmit, route, switch, or cache information. As is the case with 
the Directive itself, the Privacy Shield does not create secondary 
liability. To the extent that an organization is acting as a mere 
conduit for data transmitted by third parties and does not determine 
the purposes and means of processing those personal data, it would 
not be liable.

4. Performing Due Diligence and Conducting Audits

    a. The activities of auditors and investment bankers may involve 
processing personal data without the consent or knowledge of the 
individual. This is permitted by the Notice, Choice, and Access 
Principles under the circumstances described below.
    b. Public stock corporations and closely held companies, 
including Privacy Shield organizations, are regularly subject to 
audits. Such audits, particularly those looking into potential 
wrongdoing, may be jeopardized if disclosed prematurely. Similarly, 
a Privacy Shield organization involved in a potential merger or 
takeover will need to perform, or be the subject of, a ``due 
diligence'' review. This will often entail the collection and 
processing of personal data, such as information on senior 
executives and other key personnel. Premature disclosure could 
impede the transaction or even violate applicable securities 
regulation. Investment bankers and attorneys engaged in due 
diligence, or auditors conducting an audit, may process information 
without knowledge of the individual only to the extent and for the 
period necessary to meet statutory or public interest requirements 
and in other circumstances in which the application of these 
Principles would prejudice the legitimate interests of the 
organization. These legitimate interests include the monitoring of 
organizations' compliance with their legal obligations and 
legitimate accounting activities, and the need for confidentiality 
connected with possible acquisitions, mergers, joint ventures, or 
other similar transactions carried out by investment bankers or 
auditors.

5. The Role of the Data Protection Authorities

    a. Organizations will implement their commitment to cooperate 
with European Union data protection authorities (``DPAs'') as 
described below. Under the Privacy Shield, U.S. organizations 
receiving personal data from the EU must commit to employ effective 
mechanisms for assuring compliance with the Privacy Shield 
Principles. More specifically as set out in the Recourse, 
Enforcement and Liability Principle, participating organizations 
must provide: (a)(i) Recourse for individuals to whom the data 
relate; (a)(ii) follow up procedures for verifying that the 
attestations and assertions they have made about their privacy 
practices are true; and (a)(iii) obligations to remedy problems 
arising out of failure to comply with the Principles and 
consequences for such organizations. An organization may satisfy 
points (a)(i) and (a)(iii) of the Recourse, Enforcement and 
Liability Principle if it adheres to the requirements set forth here 
for cooperating with the DPAs.
    b. An organization commits to cooperate with the DPAs by 
declaring in its Privacy Shield self-certification submission to the 
Department of Commerce (see Supplemental Principle on Self-
Certification) that the organization:
    i. Elects to satisfy the requirement in points (a)(i) and 
(a)(iii) of the Privacy Shield Recourse, Enforcement and Liability 
Principle by committing to cooperate with the DPAs;
    ii. will cooperate with the DPAs in the investigation and 
resolution of complaints brought under the Privacy Shield; and
    iii. will comply with any advice given by the DPAs where the 
DPAs take the view that the organization needs to take specific 
action to comply with the Privacy Shield Principles, including 
remedial or compensatory measures for the benefit of individuals 
affected by any non-compliance with the Principles, and will provide 
the DPAs with written confirmation that such action has been taken.
    c. Operation of DPA Panels
    i. The cooperation of the DPAs will be provided in the form of 
information and advice in the following way:
    1. The advice of the DPAs will be delivered through an informal 
panel of DPAs established at the European Union level, which will 
inter alia help ensure a harmonized and coherent approach.
    2. The panel will provide advice to the U.S. organizations 
concerned on unresolved complaints from individuals about the 
handling of personal information that has been transferred from the 
EU under the Privacy Shield. This advice will be designed to ensure 
that the Privacy Shield Principles are being correctly applied and 
will include any remedies for the individual(s) concerned that the 
DPAs consider appropriate.
    3. The panel will provide such advice in response to referrals 
from the organizations concerned and/or to complaints received 
directly from individuals against organizations which have committed 
to cooperate with DPAs for Privacy Shield purposes, while 
encouraging and if necessary helping such individuals in the first 
instance to use the in-house complaint handling arrangements that 
the organization may offer.
    4. Advice will be issued only after both sides in a dispute have 
had a reasonable opportunity to comment and to provide any evidence 
they wish. The panel will seek to deliver advice as quickly as this 
requirement for due process allows. As a general rule, the panel 
will aim to provide advice within 60 days after receiving a 
complaint or referral and more quickly where possible.
    5. The panel will make public the results of its consideration 
of complaints submitted to it, if it sees fit.
    6. The delivery of advice through the panel will not give rise 
to any liability for the panel or for individual DPAs.
    ii. As noted above, organizations choosing this option for 
dispute resolution must undertake to comply with the advice of the 
DPAs. If an organization fails to comply within 25 days of the 
delivery of the advice and has offered no satisfactory explanation 
for the delay, the panel will give notice of its intention either to 
refer the matter to the Federal Trade Commission, the Department of 
Transportation, or other U.S. federal or state body with statutory 
powers to take enforcement action in cases of deception or 
misrepresentation, or to conclude that the agreement to cooperate 
has been seriously breached and must therefore be considered null 
and void. In the latter case, the panel will inform the Department 
of Commerce so that the Privacy Shield List can be duly amended. Any 
failure to fulfill the undertaking to cooperate with the DPAs, as 
well as failures to comply with the Privacy Shield Principles, will 
be actionable as a deceptive practice under Section 5 of the FTC Act 
or other similar statute.
    d. An organization that wishes its Privacy Shield benefits to 
cover human resources data transferred from the EU in the context of 
the employment relationship must commit to cooperate with the DPAs 
with regard to such data (see Supplemental Principle on Human 
Resources Data).
    e. Organizations choosing this option will be required to pay an 
annual fee which will be designed to cover the operating costs of 
the panel, and they may additionally be asked to meet any necessary 
translation expenses arising out of the panel's consideration of 
referrals or complaints against them. The annual fee will not exceed 
USD 500 and will be less for smaller companies.

6. Self-Certification

    a. Privacy Shield benefits are assured from the date on which 
the Department has placed the organization's self-certification 
submission on the Privacy Shield List after having determined that 
the submission is complete.
    b. To self-certify for the Privacy Shield, an organization must 
provide to the Department a self-certification submission, signed by 
a corporate officer on behalf of the organization that is joining 
the Privacy Shield, that contains at least the following 
information:
    i. Name of organization, mailing address, email address, 
telephone, and fax numbers;
    ii. description of the activities of the organization with 
respect to personal information received from the EU; and
    iii. description of the organization's privacy policy for such 
personal information, including:
    1. If the organization has a public Web site, the relevant web 
address where the privacy policy is available, or if the 
organization does not have a public Web site, where the privacy 
policy is available for viewing by the public;
    2. its effective date of implementation;

[[Page 51050]]

    3. a contact office for the handling of complaints, access 
requests, and any other issues arising under the Privacy Shield;
    4. the specific statutory body that has jurisdiction to hear any 
claims against the organization regarding possible unfair or 
deceptive practices and violations of laws or regulations governing 
privacy (and that is listed in the Principles or a future annex to 
the Principles);
    5. name of any privacy program in which the organization is a 
member;
    6. method of verification (e.g., in-house, third party) (see 
Supplemental Principle on Verification; and
    7. the independent recourse mechanism that is available to 
investigate unresolved complaints.
    c. Where the organization wishes its Privacy Shield benefits to 
cover human resources information transferred from the EU for use in 
the context of the employment relationship, it may do so where a 
statutory body listed in the Principles or a future annex to the 
Principles has jurisdiction to hear claims against the organization 
arising out of the processing of human resources information. In 
addition, the organization must indicate this in its self-
certification submission and declare its commitment to cooperate 
with the EU authority or authorities concerned in conformity with 
the Supplemental Principles on Human Resources Data and the Role of 
the Data Protection Authorities as applicable and that it will 
comply with the advice given by such authorities. The organization 
must also provide the Department with a copy of its human resources 
privacy policy and provide information where the privacy policy is 
available for viewing by its affected employees.
    d. The Department will maintain the Privacy Shield List of 
organizations that file completed self-certification submissions, 
thereby assuring the availability of Privacy Shield benefits, and 
will update such list on the basis of annual self-recertification 
submissions and notifications received pursuant to the Supplemental 
Principle on Dispute Resolution and Enforcement. Such self-
certification submissions must be provided not less than annually; 
otherwise the organization will be removed from the Privacy Shield 
List and Privacy Shield benefits will no longer be assured. Both the 
Privacy Shield List and the self-certification submissions by the 
organizations will be made publicly available. All organizations 
that are placed on the Privacy Shield List by the Department must 
also state in their relevant published privacy policy statements 
that they adhere to the Privacy Shield Principles. If available 
online, an organization's privacy policy must include a hyperlink to 
the Department's Privacy Shield Web site and a hyperlink to the Web 
site or complaint submission form of the independent recourse 
mechanism that is available to investigate unresolved complaints.
    e. The Privacy Principles apply immediately upon certification. 
Recognizing that the Principles will impact commercial relationships 
with third parties, organizations that certify to the Privacy Shield 
Framework in the first two months following the Framework's 
effective date shall bring existing commercial relationships with 
third parties into conformity with the Accountability for Onward 
Transfer Principle as soon as possible, and in any event no later 
than nine months from the date upon which they certify to the 
Privacy Shield. During that interim period, where organizations 
transfer data to a third party, they shall (i) apply the Notice and 
Choice Principles, and (ii) where personal data is transferred to a 
third party acting as an agent, ascertain that the agent is 
obligated to provide at least the same level of protection as is 
required by the Principles.
    f. An organization must subject to the Privacy Shield Principles 
all personal data received from the EU in reliance upon the Privacy 
Shield. The undertaking to adhere to the Privacy Shield Principles 
is not time-limited in respect of personal data received during the 
period in which the organization enjoys the benefits of the Privacy 
Shield. Its undertaking means that it will continue to apply the 
Principles to such data for as long as the organization stores, uses 
or discloses them, even if it subsequently leaves the Privacy Shield 
for any reason. An organization that withdraws from the Privacy 
Shield but wants to retain such data must affirm to the Department 
on an annual basis its commitment to continue to apply the 
Principles or provide ``adequate'' protection for the information by 
another authorized means (for example, using a contract that fully 
reflects the requirements of the relevant standard contractual 
clauses adopted by the European Commission); otherwise, the 
organization must return or delete the information. An organization 
that withdraws from the Privacy Shield must remove from any relevant 
privacy policy any references to the Privacy Shield that imply that 
the organization continues to actively participate in the Privacy 
Shield and is entitled to its benefits.
    g. An organization that will cease to exist as a separate legal 
entity as a result of a merger or a takeover must notify the 
Department of this in advance. The notification should also indicate 
whether the acquiring entity or the entity resulting from the merger 
will (i) continue to be bound by the Privacy Shield Principles by 
the operation of law governing the takeover or merger or (ii) elect 
to self-certify its adherence to the Privacy Shield Principles or 
put in place other safeguards, such as a written agreement that will 
ensure adherence to the Privacy Shield Principles. Where neither (i) 
nor (ii) applies, any personal data that has been acquired under the 
Privacy Shield must be promptly deleted.
    h. When an organization leaves the Privacy Shield for any 
reason, it must remove all statements implying that the organization 
continues to participate in the Privacy Shield or is entitled to the 
benefits of the Privacy Shield. The EU-U.S. Privacy Shield 
certification mark, if used, must also be removed. Any 
misrepresentation to the general public concerning an organization's 
adherence to the Privacy Shield Principles may be actionable by the 
FTC or other relevant government body. Misrepresentations to the 
Department may be actionable under the False Statements Act (18 
U.S.C. 1001).

7. Verification

    a. Organizations must provide follow up procedures for verifying 
that the attestations and assertions they make about their Privacy 
Shield privacy practices are true and those privacy practices have 
been implemented as represented and in accordance with the Privacy 
Shield Principles.
    b. To meet the verification requirements of the Recourse, 
Enforcement and Liability Principle, an organization must verify 
such attestations and assertions either through self-assessment or 
outside compliance reviews.
    c. Under the self-assessment approach, such verification must 
indicate that an organization's published privacy policy regarding 
personal information received from the EU is accurate, 
comprehensive, prominently displayed, completely implemented and 
accessible. It must also indicate that its privacy policy conforms 
to the Privacy Shield Principles; that individuals are informed of 
any in-house arrangements for handling complaints and of the 
independent mechanisms through which they may pursue complaints; 
that it has in place procedures for training employees in its 
implementation, and disciplining them for failure to follow it; and 
that it has in place internal procedures for periodically conducting 
objective reviews of compliance with the above. A statement 
verifying the self-assessment must be signed by a corporate officer 
or other authorized representative of the organization at least once 
a year and made available upon request by individuals or in the 
context of an investigation or a complaint about non-compliance.
    d. Where the organization has chosen outside compliance review, 
such a review must demonstrate that its privacy policy regarding 
personal information received from the EU conforms to the Privacy 
Shield Principles, that it is being complied with, and that 
individuals are informed of the mechanisms through which they may 
pursue complaints. The methods of review may include, without 
limitation, auditing, random reviews, use of ``decoys'', or use of 
technology tools as appropriate. A statement verifying that an 
outside compliance review has been successfully completed must be 
signed either by the reviewer or by the corporate officer or other 
authorized representative of the organization at least once a year 
and made available upon request by individuals or in the context of 
an investigation or a complaint about compliance.
    e. Organizations must retain their records on the implementation 
of their Privacy Shield privacy practices and make them available 
upon request in the context of an investigation or a complaint about 
non-compliance to the independent body responsible for investigating 
complaints or to the agency with unfair and deceptive practices 
jurisdiction. Organizations must also respond promptly to inquiries 
and other requests for information from the Department relating to 
the organization's adherence to the Principles.

[[Page 51051]]

8. Access

    a. The Access Principle in Practice
    i. Under the Privacy Shield Principles, the right of access is 
fundamental to privacy protection. In particular, it allows 
individuals to verify the accuracy of information held about them. 
The Access Principle means that individuals have the right to:
    1. Obtain from an organization confirmation of whether or not 
the organization is processing personal data relating to them; \4\
---------------------------------------------------------------------------

    \4\ The organization should answer requests from an individual 
concerning the purposes of the processing, the categories of 
personal data concerned, and the recipients or categories of 
recipients to whom the personal data is disclosed.
---------------------------------------------------------------------------

    2. have communicated to them such data so that they could verify 
its accuracy and the lawfulness of the processing; and
    3. have the data corrected, amended or deleted where it is 
inaccurate or processed in violation of the Principles.
    ii. Individuals do not have to justify requests for access to 
their personal data. In responding to individuals' access requests, 
organizations should first be guided by the concern(s) that led to 
the requests in the first place. For example, if an access request 
is vague or broad in scope, an organization may engage the 
individual in a dialogue so as to better understand the motivation 
for the request and to locate responsive information. The 
organization might inquire about which part(s) of the organization 
the individual interacted with or about the nature of the 
information or its use that is the subject of the access request.
    iii. Consistent with the fundamental nature of access, 
organizations should always make good faith efforts to provide 
access. For example, where certain information needs to be protected 
and can be readily separated from other personal information subject 
to an access request, the organization should redact the protected 
information and make available the other information. If an 
organization determines that access should be restricted in any 
particular instance, it should provide the individual requesting 
access with an explanation of why it has made that determination and 
a contact point for any further inquiries.
    b. Burden or Expense of Providing Access
    i. The right of access to personal data may be restricted in 
exceptional circumstances where the legitimate rights of persons 
other than the individual would be violated or where the burden or 
expense of providing access would be disproportionate to the risks 
to the individual's privacy in the case in question. Expense and 
burden are important factors and should be taken into account but 
they are not controlling factors in determining whether providing 
access is reasonable.
    ii. For example, if the personal information is used for 
decisions that will significantly affect the individual (e.g., the 
denial or grant of important benefits, such as insurance, a 
mortgage, or a job), then consistent with the other provisions of 
these Supplemental Principles, the organization would have to 
disclose that information even if it is relatively difficult or 
expensive to provide. If the personal information requested is not 
sensitive or not used for decisions that will significantly affect 
the individual, but is readily available and inexpensive to provide, 
an organization would have to provide access to such information.
    c. Confidential Commercial Information
    i. Confidential commercial information is information that an 
organization has taken steps to protect from disclosure, where 
disclosure would help a competitor in the market. Organizations may 
deny or limit access to the extent that granting full access would 
reveal its own confidential commercial information, such as 
marketing inferences or classifications generated by the 
organization, or the confidential commercial information of another 
that is subject to a contractual obligation of confidentiality.
    ii. Where confidential commercial information can be readily 
separated from other personal information subject to an access 
request, the organization should redact the confidential commercial 
information and make available the non-confidential information.
    d. Organization of Data Bases
    i. Access can be provided in the form of disclosure of the 
relevant personal information by an organization to the individual 
and does not require access by the individual to an organization's 
data base.
    ii. Access needs to be provided only to the extent that an 
organization stores the personal information. The Access Principle 
does not itself create any obligation to retain, maintain, 
reorganize, or restructure personal information files.
    e. When Access May be Restricted
    i. As organizations must always make good faith efforts to 
provide individuals with access to their personal data, the 
circumstances in which organizations may restrict such access are 
limited, and any reasons for restricting access must be specific. As 
under the Directive, an organization can restrict access to 
information to the extent that disclosure is likely to interfere 
with the safeguarding of important countervailing public interests, 
such as national security; defense; or public security. In addition, 
where personal information is processed solely for research or 
statistical purposes, access may be denied. Other reasons for 
denying or limiting access are:
    1. Interference with the execution or enforcement of the law or 
with private causes of action, including the prevention, 
investigation or detection of offenses or the right to a fair trial;
    2. disclosure where the legitimate rights or important interests 
of others would be violated;
    3. breaching a legal or other professional privilege or 
obligation;
    4. prejudicing employee security investigations or grievance 
proceedings or in connection with employee succession planning and 
corporate re-organizations; or
    5. prejudicing the confidentiality necessary in monitoring, 
inspection or regulatory functions connected with sound management, 
or in future or ongoing negotiations involving the organization.
    ii. An organization which claims an exception has the burden of 
demonstrating its necessity, and the reasons for restricting access 
and a contact point for further inquiries should be given to 
individuals.
    f. Right to Obtain Confirmation and Charging a Fee to Cover the 
Costs for Providing Access
    i. An individual has the right to obtain confirmation of whether 
or not this organization has personal data relating to him or her. 
An individual also has the right to have communicated to him or her 
personal data relating to him or her. An organization may charge a 
fee that is not excessive.
    ii. Charging a fee may be justified, for example, where requests 
for access are manifestly excessive, in particular because of their 
repetitive character.
    iii. Access may not be refused on cost grounds if the individual 
offers to pay the costs.
    g. Repetitious or Vexatious Requests for Access
    i. An organization may set reasonable limits on the number of 
times within a given period that access requests from a particular 
individual will be met. In setting such limitations, an organization 
should consider such factors as the frequency with which information 
is updated, the purpose for which the data are used, and the nature 
of the information.
    h. Fraudulent Requests for Access
    i. An organization is not required to provide access unless it 
is supplied with sufficient information to allow it to confirm the 
identity of the person making the request.
    i. Timeframe for Responses
    i. Organizations should respond to access requests within a 
reasonable time period, in a reasonable manner, and in a form that 
is readily intelligible to the individual. An organization that 
provides information to data subjects at regular intervals may 
satisfy an individual access request with its regular disclosure if 
it would not constitute an excessive delay.

9. Human Resources Data

    a. Coverage by the Privacy Shield
    i. Where an organization in the EU transfers personal 
information about its employees (past or present) collected in the 
context of the employment relationship, to a parent, affiliate, or 
unaffiliated service provider in the United States participating in 
the Privacy Shield, the transfer enjoys the benefits of the Privacy 
Shield. In such cases, the collection of the information and its 
processing prior to transfer will have been subject to the national 
laws of the EU country where it was collected, and any conditions 
for or restrictions on its transfer according to those laws will 
have to be respected.
    ii. The Privacy Shield Principles are relevant only when 
individually identified or identifiable records are transferred or 
accessed. Statistical reporting relying on aggregate employment data 
and containing no personal data or the use of anonymized data does 
not raise privacy concerns.
    b. Application of the Notice and Choice Principles
    i. A U.S. organization that has received employee information 
from the EU under the

[[Page 51052]]

Privacy Shield may disclose it to third parties or use it for 
different purposes only in accordance with the Notice and Choice 
Principles. For example, where an organization intends to use 
personal information collected through the employment relationship 
for non-employment-related purposes, such as marketing 
communications, the U.S. organization must provide the affected 
individuals with the requisite choice before doing so, unless they 
have already authorized the use of the information for such 
purposes. Such use must not be incompatible with the purposes for 
which the personal information has been collected or subsequently 
authorised by the individual. Moreover, such choices must not be 
used to restrict employment opportunities or take any punitive 
action against such employees.
    ii. It should be noted that certain generally applicable 
conditions for transfer from some EU Member States may preclude 
other uses of such information even after transfer outside the EU 
and such conditions will have to be respected.
    iii. In addition, employers should make reasonable efforts to 
accommodate employee privacy preferences. This could include, for 
example, restricting access to the personal data, anonymizing 
certain data, or assigning codes or pseudonyms when the actual names 
are not required for the management purpose at hand.
    iv. To the extent and for the period necessary to avoid 
prejudicing the ability of the organization in making promotions, 
appointments, or other similar employment decisions, an organization 
does not need to offer notice and choice.
    c. Application of the Access Principle
    i. The Supplemental Principle on Access provides guidance on 
reasons which may justify denying or limiting access on request in 
the human resources context. Of course, employers in the European 
Union must comply with local regulations and ensure that European 
Union employees have access to such information as is required by 
law in their home countries, regardless of the location of data 
processing and storage. The Privacy Shield requires that an 
organization processing such data in the United States will 
cooperate in providing such access either directly or through the EU 
employer.
    d. Enforcement
    i. In so far as personal information is used only in the context 
of the employment relationship, primary responsibility for the data 
vis-[agrave]-vis the employee remains with the organization in the 
EU. It follows that, where European employees make complaints about 
violations of their data protection rights and are not satisfied 
with the results of internal review, complaint, and appeal 
procedures (or any applicable grievance procedures under a contract 
with a trade union), they should be directed to the state or 
national data protection or labor authority in the jurisdiction 
where the employees work. This includes cases where the alleged 
mishandling of their personal information is the responsibility of 
the U.S. organization that has received the information from the 
employer and thus involves an alleged breach of the Privacy Shield 
Principles. This will be the most efficient way to address the often 
overlapping rights and obligations imposed by local labor law and 
labor agreements as well as data protection law.
    ii. A U.S. organization participating in the Privacy Shield that 
uses EU human resources data transferred from the European Union in 
the context of the employment relationship and that wishes such 
transfers to be covered by the Privacy Shield must therefore commit 
to cooperate in investigations by and to comply with the advice of 
competent EU authorities in such cases.
    e. Application of the Accountability for Onward Transfer 
Principle
    i. For occasional employment-related operational needs of the 
Privacy Shield organization with respect to personal data 
transferred under the Privacy Shield, such as the booking of a 
flight, hotel room, or insurance coverage, transfers of personal 
data of a small number of employees can take place to controllers 
without application of the Access Principle or entering into a 
contract with the third-party controller, as otherwise required 
under the Accountability for Onward Transfer Principle, provided 
that the Privacy Shield organization has complied with the Notice 
and Choice Principles.

10. Obligatory Contracts for Onward Transfers

    a. Data Processing Contracts
    i. When personal data is transferred from the EU to the United 
States only for processing purposes, a contract will be required, 
regardless of participation by the processor in the Privacy Shield.
    ii. Data controllers in the European Union are always required 
to enter into a contract when a transfer for mere processing is 
made, whether the processing operation is carried out inside or 
outside the EU, and whether or not the processor participates in the 
Privacy Shield. The purpose of the contract is to make sure that the 
processor:
    1. Acts only on instructions from the controller;
    2. provides appropriate technical and organizational measures to 
protect personal data against accidental or unlawful destruction or 
accidental loss, alternation, unauthorized disclosure or access, and 
understands whether onward transfer is allowed; and
    3. taking into account the nature of the processing, assists the 
controller in responding to individuals exercising their rights 
under the Principles.
    iii. Because adequate protection is provided by Privacy Shield 
participants, contracts with Privacy Shield participants for mere 
processing do not require prior authorization (or such authorization 
will be granted automatically by the EU Member States), as would be 
required for contracts with recipients not participating in the 
Privacy Shield or otherwise not providing adequate protection.
    b. Transfers within a Controlled Group of Corporations or 
Entities
    i. When personal information is transferred between two 
controllers within a controlled group of corporations or entities, a 
contract is not always required under the Accountability for Onward 
Transfer Principle. Data controllers within a controlled group of 
corporations or entities may base such transfers on other 
instruments, such as EU Binding Corporate Rules or other intra-group 
instruments (e.g., compliance and control programs), ensuring the 
continuity of protection of personal information under the 
Principles. In case of such transfers, the Privacy Shield 
organization remains responsible for compliance with the Principles.
    c. Transfers between Controllers
    i. For transfers between controllers, the recipient controller 
need not be a Privacy Shield organization or have an independent 
recourse mechanism. The Privacy Shield organization must enter into 
a contract with the recipient third-party controller that provides 
for the same level of protection as is available under the Privacy 
Shield, not including the requirement that the third party 
controller be a Privacy Shield organization or have an independent 
recourse mechanism, provided it makes available an equivalent 
mechanism.

11. Dispute Resolution and Enforcement

    a. The Recourse, Enforcement and Liability Principle sets out 
the requirements for Privacy Shield enforcement. How to meet the 
requirements of point (a)(ii) of the Principle is set out in the 
Supplemental Principle on Verification. This Supplemental Principle 
addresses points (a)(i) and (a)(iii), both of which require 
independent recourse mechanisms. These mechanisms may take different 
forms, but they must meet the Recourse, Enforcement and Liability 
Principle's requirements. Organizations satisfy the requirements 
through the following: (i) Compliance with private sector developed 
privacy programs that incorporate the Privacy Shield Principles into 
their rules and that include effective enforcement mechanisms of the 
type described in the Recourse, Enforcement and Liability Principle; 
(ii) compliance with legal or regulatory supervisory authorities 
that provide for handling of individual complaints and dispute 
resolution; or (iii) commitment to cooperate with data protection 
authorities located in the European Union or their authorized 
representatives.
    b. This list is intended to be illustrative and not limiting. 
The private sector may design additional mechanisms to provide 
enforcement, so long as they meet the requirements of the Recourse, 
Enforcement and Liability Principle and the Supplemental Principles. 
Please note that the Recourse, Enforcement and Liability Principle's 
requirements are additional to the requirement that self-regulatory 
efforts must be enforceable under Section 5 of the Federal Trade 
Commission Act, which prohibits unfair and deceptive acts, or 
another law or regulation prohibiting such acts.
    c. In order to help ensure compliance with their Privacy Shield 
commitments and to support the administration of the program, 
organizations, as well as their independent recourse mechanisms, 
must provide information relating to the Privacy Shield when 
requested by the Department. In addition, organizations must respond

[[Page 51053]]

expeditiously to complaints regarding their compliance with the 
Principles referred through the Department by DPAs. The response 
should address whether the complaint has merit and, if so, how the 
organization will rectify the problem. The Department will protect 
the confidentiality of information it receives in accordance with 
U.S. law.
    d. Recourse Mechanisms
    i. Consumers should be encouraged to raise any complaints they 
may have with the relevant organization before proceeding to 
independent recourse mechanisms. Organizations must respond to a 
consumer within 45 days of receiving a complaint. Whether a recourse 
mechanism is independent is a factual question that can be 
demonstrated notably by impartiality, transparent composition and 
financing, and a proven track record. As required by the Recourse, 
Enforcement and Liability Principle, the recourse available to 
individuals must be readily available and free of charge to 
individuals. Dispute resolution bodies should look into each 
complaint received from individuals unless they are obviously 
unfounded or frivolous. This does not preclude the establishment of 
eligibility requirements by the organization operating the recourse 
mechanism, but such requirements should be transparent and justified 
(for example, to exclude complaints that fall outside the scope of 
the program or are for consideration in another forum), and should 
not have the effect of undermining the commitment to look into 
legitimate complaints. In addition, recourse mechanisms should 
provide individuals with full and readily available information 
about how the dispute resolution procedure works when they file a 
complaint. Such information should include notice about the 
mechanism's privacy practices, in conformity with the Privacy Shield 
Principles. They should also cooperate in the development of tools 
such as standard complaint forms to facilitate the complaint 
resolution process.
    ii. Independent recourse mechanisms must include on their public 
Web sites information regarding the Privacy Shield Principles and 
the services that they provide under the Privacy Shield. This 
information must include: (1) Information on or a link to the 
Privacy Shield Principles' requirements for independent recourse 
mechanisms; (2) a link to the Department's Privacy Shield Web site; 
(3) an explanation that their dispute resolution services under the 
Privacy Shield are free of charge to individuals; (4) a description 
of how a Privacy Shield-related complaint can be filed; (5) the 
timeframe in which Privacy Shield-related complaints are processed; 
and (6) a description of the range of potential remedies.
    iii. Independent recourse mechanisms must publish an annual 
report providing aggregate statistics regarding their dispute 
resolution services. The annual report must include: (1) The total 
number of Privacy Shield-related complaints received during the 
reporting year; (2) the types of complaints received; (3) dispute 
resolution quality measures, such as the length of time taken to 
process complaints; and (4) the outcomes of the complaints received, 
notably the number and types of remedies or sanctions imposed.
    iv. As set forth in Annex I, an arbitration option is available 
to an individual to determine, for residual claims, whether a 
Privacy Shield organization has violated its obligations under the 
Principles as to that individual, and whether any such violation 
remains fully or partially unremedied. This option is available only 
for these purposes. This option is not available, for example, with 
respect to the exceptions to the Principles \5\ or with respect to 
an allegation about the adequacy of the Privacy Shield. Under this 
arbitration option, the Privacy Shield Panel (consisting of one or 
three arbitrators, as agreed by the parties) has the authority to 
impose individual-specific, non-monetary equitable relief (such as 
access, correction, deletion, or return of the individual's data in 
question) necessary to remedy the violation of the Principles only 
with respect to the individual. Individuals and Privacy Shield 
organizations will be able to seek judicial review and enforcement 
of the arbitral decisions pursuant to U.S. law under the Federal 
Arbitration Act.
---------------------------------------------------------------------------

    \5\ Section I.5 of the Principles.
---------------------------------------------------------------------------

    e. Remedies and Sanctions
    i. The result of any remedies provided by the dispute resolution 
body should be that the effects of non-compliance are reversed or 
corrected by the organization, insofar as feasible, and that future 
processing by the organization will be in conformity with the 
Principles and, where appropriate, that processing of the personal 
data of the individual who brought the complaint will cease. 
Sanctions need to be rigorous enough to ensure compliance by the 
organization with the Principles. A range of sanctions of varying 
degrees of severity will allow dispute resolution bodies to respond 
appropriately to varying degrees of non-compliance. Sanctions should 
include both publicity for findings of non-compliance and the 
requirement to delete data in certain circumstances.\6\ Other 
sanctions could include suspension and removal of a seal, 
compensation for individuals for losses incurred as a result of non-
compliance and injunctive awards. Private sector dispute resolution 
bodies and self-regulatory bodies must notify failures of Privacy 
Shield organizations to comply with their rulings to the 
governmental body with applicable jurisdiction or to the courts, as 
appropriate, and to notify the Department.
---------------------------------------------------------------------------

    \6\ Dispute resolution bodies have discretion about the 
circumstances in which they use these sanctions. The sensitivity of 
the data concerned is one factor to be taken into consideration in 
deciding whether deletion of data should be required, as is whether 
an organization has collected, used, or disclosed information in 
blatant contravention of the Privacy Shield Principles.
---------------------------------------------------------------------------

    f. FTC Action
    ii. The FTC has committed to reviewing on a priority basis 
referrals alleging non-compliance with the Principles received from: 
(i) Privacy self-regulatory organizations and other independent 
dispute resolution bodies; (ii) EU Member States; and (iii) the 
Department, to determine whether Section 5 of the FTC Act 
prohibiting unfair or deceptive acts or practices in commerce has 
been violated. If the FTC concludes that it has reason to believe 
Section 5 has been violated, it may resolve the matter by seeking an 
administrative cease and desist order prohibiting the challenged 
practices or by filing a complaint in a federal district court, 
which if successful could result in a federal court order to same 
effect. This includes false claims of adherence to the Privacy 
Shield Principles or participation in the Privacy Shield by 
organizations, which either are no longer on the Privacy Shield List 
or have never self-certified to the Department. The FTC may obtain 
civil penalties for violations of an administrative cease and desist 
order and may pursue civil or criminal contempt for violation of a 
federal court order. The FTC will notify the Department of any such 
actions it takes. The Department encourages other government bodies 
to notify it of the final disposition of any such referrals or other 
rulings determining adherence to the Privacy Shield Principles.
    g. Persistent Failure to Comply
    i. If an organization persistently fails to comply with the 
Principles, it is no longer entitled to benefit from the Privacy 
Shield. Organizations that have persistently failed to comply with 
the Principles will be removed from the Privacy Shield List by the 
Department and must return or delete the personal information they 
received under the Privacy Shield.
    ii. Persistent failure to comply arises where an organization 
that has self-certified to the Department refuses to comply with a 
final determination by any privacy self-regulatory, independent 
dispute resolution, or government body, or where such a body 
determines that an organization frequently fails to comply with the 
Principles to the point where its claim to comply is no longer 
credible. In these cases, the organization must promptly notify the 
Department of such facts. Failure to do so may be actionable under 
the False Statements Act (18 U.S.C. 1001). An organization's 
withdrawal from a private-sector privacy self-regulatory program or 
independent dispute resolution mechanism does not relieve it of its 
obligation to comply with the Principles and would constitute a 
persistent failure to comply.
    iii. The Department will remove an organization from the Privacy 
Shield List in response to any notification it receives of 
persistent failure to comply, whether it is received from the 
organization itself, from a privacy self-regulatory body or another 
independent dispute resolution body, or from a government body, but 
only after first providing 30 days' notice and an opportunity to 
respond to the organization that has failed to comply. Accordingly, 
the Privacy Shield List maintained by the Department will make clear 
which organizations are assured and which organizations are no 
longer assured of Privacy Shield benefits.
    iv. An organization applying to participate in a self-regulatory 
body for the purposes of requalifying for the Privacy Shield must 
provide that body with full information about its prior 
participation in the Privacy Shield.

12. Choice--Timing of Opt Out

    a. Generally, the purpose of the Choice Principle is to ensure 
that personal information is used and disclosed in ways

[[Page 51054]]

that are consistent with the individual's expectations and choices. 
Accordingly, an individual should be able to exercise ``opt out'' 
choice of having personal information used for direct marketing at 
any time subject to reasonable limits established by the 
organization, such as giving the organization time to make the opt 
out effective. An organization may also require sufficient 
information to confirm the identity of the individual requesting the 
``opt out.'' In the United States, individuals may be able to 
exercise this option through the use of a central ``opt out'' 
program such as the Direct Marketing Association's Mail Preference 
Service. Organizations that participate in the Direct Marketing 
Association's Mail Preference Service should promote its 
availability to consumers who do not wish to receive commercial 
information. In any event, an individual should be given a readily 
available and affordable mechanism to exercise this option.
    b. Similarly, an organization may use information for certain 
direct marketing purposes when it is impracticable to provide the 
individual with an opportunity to opt out before using the 
information, if the organization promptly gives the individual such 
opportunity at the same time (and upon request at any time) to 
decline (at no cost to the individual) to receive any further direct 
marketing communications and the organization complies with the 
individual's wishes.

13. Travel Information

    a. Airline passenger reservation and other travel information, 
such as frequent flyer or hotel reservation information and special 
handling needs, such as meals to meet religious requirements or 
physical assistance, may be transferred to organizations located 
outside the EU in several different circumstances. Under Article 26 
of the Directive, personal data may be transferred ``to a third 
country which does not ensure an adequate level of protection within 
the meaning of Article 25(2)'' on the condition that it (i) is 
necessary to provide the services requested by the consumer or to 
fulfill the terms of an agreement, such as a ``frequent flyer'' 
agreement; or (ii) has been unambiguously consented to by the 
consumer. U.S. organizations subscribing to the Privacy Shield 
provide adequate protection for personal data and may therefore 
receive data transfers from the EU without meeting these conditions 
or other conditions set out in Article 26 of the Directive. Since 
the Privacy Shield includes specific rules for sensitive 
information, such information (which may need to be collected, for 
example, in connection with customers' needs for physical 
assistance) may be included in transfers to Privacy Shield 
participants. In all cases, however, the organization transferring 
the information has to respect the law in the EU Member State in 
which it is operating, which may inter alia impose special 
conditions for the handling of sensitive data.

14. Pharmaceutical and Medical Products

    a. Application of EU Member State Laws or the Privacy Shield 
Principles
    i. EU Member State law applies to the collection of the personal 
data and to any processing that takes place prior to the transfer to 
the United States. The Privacy Shield Principles apply to the data 
once they have been transferred to the United States. Data used for 
pharmaceutical research and other purposes should be anonymized when 
appropriate.
    b. Future Scientific Research
    i. Personal data developed in specific medical or pharmaceutical 
research studies often play a valuable role in future scientific 
research. Where personal data collected for one research study are 
transferred to a U.S. organization in the Privacy Shield, the 
organization may use the data for a new scientific research activity 
if appropriate notice and choice have been provided in the first 
instance. Such notice should provide information about any future 
specific uses of the data, such as periodic follow-up, related 
studies, or marketing.
    ii. It is understood that not all future uses of the data can be 
specified, since a new research use could arise from new insights on 
the original data, new medical discoveries and advances, and public 
health and regulatory developments. Where appropriate, the notice 
should therefore include an explanation that personal data may be 
used in future medical and pharmaceutical research activities that 
are unanticipated. If the use is not consistent with the general 
research purpose(s) for which the personal data were originally 
collected, or to which the individual has consented subsequently, 
new consent must be obtained.
    c. Withdrawal from a Clinical Trial
    i. Participants may decide or be asked to withdraw from a 
clinical trial at any time. Any personal data collected previous to 
withdrawal may still be processed along with other data collected as 
part of the clinical trial, however, if this was made clear to the 
participant in the notice at the time he or she agreed to 
participate.
    d. Transfers for Regulatory and Supervision Purposes
    i. Pharmaceutical and medical device companies are allowed to 
provide personal data from clinical trials conducted in the EU to 
regulators in the United States for regulatory and supervision 
purposes. Similar transfers are allowed to parties other than 
regulators, such as company locations and other researchers, 
consistent with the Principles of Notice and Choice.
    e. ``Blinded'' Studies
    i. To ensure objectivity in many clinical trials, participants, 
and often investigators as well, cannot be given access to 
information about which treatment each participant may be receiving. 
Doing so would jeopardize the validity of the research study and 
results. Participants in such clinical trials (referred to as 
``blinded'' studies) do not have to be provided access to the data 
on their treatment during the trial if this restriction has been 
explained when the participant entered the trial and the disclosure 
of such information would jeopardize the integrity of the research 
effort.
    ii. Agreement to participate in the trial under these conditions 
is a reasonable forgoing of the right of access. Following the 
conclusion of the trial and analysis of the results, participants 
should have access to their data if they request it. They should 
seek it primarily from the physician or other health care provider 
from whom they received treatment within the clinical trial, or 
secondarily from the sponsoring organization.
    f. Product Safety and Efficacy Monitoring
    i. A pharmaceutical or medical device company does not have to 
apply the Privacy Shield Principles with respect to the Notice, 
Choice, Accountability for Onward Transfer, and Access Principles in 
its product safety and efficacy monitoring activities, including the 
reporting of adverse events and the tracking of patients/subjects 
using certain medicines or medical devices, to the extent that 
adherence to the Principles interferes with compliance with 
regulatory requirements. This is true both with respect to reports 
by, for example, health care providers to pharmaceutical and medical 
device companies, and with respect to reports by pharmaceutical and 
medical device companies to government agencies like the Food and 
Drug Administration.
    g. Key-coded Data
    i. Invariably, research data are uniquely key-coded at their 
origin by the principal investigator so as not to reveal the 
identity of individual data subjects. Pharmaceutical companies 
sponsoring such research do not receive the key. The unique key code 
is held only by the researcher, so that he or she can identify the 
research subject under special circumstances (e.g., if follow-up 
medical attention is required). A transfer from the EU to the United 
States of data coded in this way would not constitute a transfer of 
personal data that would be subject to the Privacy Shield 
Principles.

15. Public Record and Publicly Available Information

    a. An organization must apply the Privacy Shield Principles of 
Security, Data Integrity and Purpose Limitation, and Recourse, 
Enforcement and Liability to personal data from publicly available 
sources. These Principles shall apply also to personal data 
collected from public records, i.e., those records kept by 
government agencies or entities at any level that are open to 
consultation by the public in general.
    b. It is not necessary to apply the Notice, Choice, or 
Accountability for Onward Transfer Principles to public record 
information, as long as it is not combined with non-public record 
information, and any conditions for consultation established by the 
relevant jurisdiction are respected. Also, it is generally not 
necessary to apply the Notice, Choice, or Accountability for Onward 
Transfer Principles to publicly available information unless the 
European transferor indicates that such information is subject to 
restrictions that require application of those Principles by the 
organization for the uses it intends. Organizations will have no 
liability for how such information is used by those obtaining such 
information from published materials.
    c. Where an organization is found to have intentionally made 
personal information public in contravention of the Principles so

[[Page 51055]]

that it or others may benefit from these exceptions, it will cease 
to qualify for the benefits of the Privacy Shield.
    d. It is not necessary to apply the Access Principle to public 
record information as long as it is not combined with other personal 
information (apart from small amounts used to index or organize the 
public record information); however, any conditions for consultation 
established by the relevant jurisdiction are to be respected. In 
contrast, where public record information is combined with other 
non-public record information (other than as specifically noted 
above), an organization must provide access to all such information, 
assuming it is not subject to other permitted exceptions.
    e. As with public record information, it is not necessary to 
provide access to information that is already publicly available to 
the public at large, as long as it is not combined with non-publicly 
available information. Organizations that are in the business of 
selling publicly available information may charge the organization's 
customary fee in responding to requests for access. Alternatively, 
individuals may seek access to their information from the 
organization that originally compiled the data.

16. Access Requests by Public Authorities

    a. In order to provide transparency in respect of lawful 
requests by public authorities to access personal information, 
Privacy Shield organizations may voluntarily issue periodic 
transparency reports on the number of requests for personal 
information they receive by public authorities for law enforcement 
or national security reasons, to the extent such disclosures are 
permissible under applicable law.
    b. The information provided by the Privacy Shield organizations 
in these reports together with information that has been released by 
the intelligence community, along with other information, can be 
used to inform the annual joint review of the functioning of the 
Privacy Shield in accordance with the Principles.
    c. Absence of notice in accordance with point (a)(xii) of the 
Notice Principle shall not prevent or impair an organization's 
ability to respond to any lawful request.

Annex I: Arbitral Model

Annex I

    This Annex I provides the terms under which Privacy Shield 
organizations are obligated to arbitrate claims, pursuant to the 
Recourse, Enforcement and Liability Principle. The binding 
arbitration option described below applies to certain ``residual'' 
claims as to data covered by the EU-U.S. Privacy Shield. The purpose 
of this option is to provide a prompt, independent, and fair 
mechanism, at the option of individuals, for resolution of claimed 
violations of the Principles not resolved by any of the other 
Privacy Shield mechanisms, if any.

A. Scope

    This arbitration option is available to an individual to 
determine, for residual claims, whether a Privacy Shield 
organization has violated its obligations under the Principles as to 
that individual, and whether any such violation remains fully or 
partially unremedied. This option is available only for these 
purposes. This option is not available, for example, with respect to 
the exceptions to the Principles \7\ or with respect to an 
allegation about the adequacy of the Privacy Shield.
---------------------------------------------------------------------------

    \7\ Section I.5 of the Principles.
---------------------------------------------------------------------------

B. Available Remedies

    Under this arbitration option, the Privacy Shield Panel 
(consisting of one or three arbitrators, as agreed by the parties) 
has the authority to impose individual-specific, non-monetary 
equitable relief (such as access, correction, deletion, or return of 
the individual's data in question) necessary to remedy the violation 
of the Principles only with respect to the individual. These are the 
only powers of the arbitration panel with respect to remedies. In 
considering remedies, the arbitration panel is required to consider 
other remedies that already have been imposed by other mechanisms 
under the Privacy Shield. No damages, costs, fees, or other remedies 
are available. Each party bears its own attorney's fees.

C. Pre-Arbitration Requirements

    An individual who decides to invoke this arbitration option must 
take the following steps prior to initiating an arbitration claim: 
(1) Raise the claimed violation directly with the organization and 
afford the organization an opportunity to resolve the issue within 
the timeframe set forth in Section III.11(d)(i) of the Principles; 
(2) make use of the independent recourse mechanism under the 
Principles, which is at no cost to the individual; and (3) raise the 
issue through their Data Protection Authority to the Department of 
Commerce and afford the Department of Commerce an opportunity to use 
best efforts to resolve the issue within the timeframes set forth in 
the Letter from the International Trade Administration of the 
Department of Commerce, at no cost to the individual.
    This arbitration option may not be invoked if the individual's 
same claimed violation of the Principles (1) has previously been 
subject to binding arbitration; (2) was the subject of a final 
judgment entered in a court action to which the individual was a 
party; or (3) was previously settled by the parties. In addition, 
this option may not be invoked if an EU Data Protection Authority 
(1) has authority under Sections III.5 or III.9 of the Principles; 
or (2) has the authority to resolve the claimed violation directly 
with the organization. A DPA's authority to resolve the same claim 
against an EU data controller does not alone preclude invocation of 
this arbitration option against a different legal entity not bound 
by the DPA authority.

D. Binding Nature of Decisions

    An individual's decision to invoke this binding arbitration 
option is entirely voluntary. Arbitral decisions will be binding on 
all parties to the arbitration. Once invoked, the individual forgoes 
the option to seek relief for the same claimed violation in another 
forum, except that if non-monetary equitable relief does not fully 
remedy the claimed violation, the individual's invocation of 
arbitration will not preclude a claim for damages that is otherwise 
available in the courts.

E. Review and Enforcement

    Individuals and Privacy Shield organizations will be able to 
seek judicial review and enforcement of the arbitral decisions 
pursuant to U.S. law under the Federal Arbitration Act.\8\ Any such 
cases must be brought in the federal district court whose 
territorial coverage includes the primary place of business of the 
Privacy Shield organization. This arbitration option is intended to 
resolve individual disputes, and arbitral decisions are not intended 
to function as persuasive or binding precedent in matters involving 
other parties, including in future arbitrations or in EU or U.S. 
courts, or FTC proceedings.
---------------------------------------------------------------------------

    \8\ Chapter 2 of the Federal Arbitration Act (``FAA'') provides 
that ``[a]n arbitration agreement or arbitral award arising out of a 
legal relationship, whether contractual or not, which is considered 
as commercial, including a transaction, contract, or agreement 
described in [section 2 of the FAA], falls under the Convention [on 
the Recognition and Enforcement of Foreign Arbitral Awards of June 
10, 1958, 21 U.S.T. 2519, T.I.A.S. No. 6997 (``New York 
Convention'')].'' 9 U.S.C. 202. The FAA further provides that ``[a]n 
agreement or award arising out of such a relationship which is 
entirely between citizens of the United States shall be deemed not 
to fall under the [New York] Convention unless that relationship 
involves property located abroad, envisages performance or 
enforcement abroad, or has some other reasonable relation with one 
or more foreign states.'' Id. Under Chapter 2, ``any party to the 
arbitration may apply to any court having jurisdiction under this 
chapter for an order confirming the award as against any other party 
to the arbitration. The court shall confirm the award unless it 
finds one of the grounds for refusal or deferral of recognition or 
enforcement of the award specified in the said [New York] 
Convention.'' Id. section 207. Chapter 2 further provides that 
``[t]he district courts of the United States . . . shall have 
original jurisdiction over . . . an action or proceeding [under the 
New York Convention], regardless of the amount in controversy.'' Id. 
section 203.
    Chapter 2 also provides that ``Chapter 1 applies to actions and 
proceedings brought under this chapter to the extent that chapter is 
not in conflict with this chapter or the [New York] Convention as 
ratified by the United States.'' Id. section 208. Chapter 1, in 
turn, provides that ``[a] written provision in . . . a contract 
evidencing a transaction involving commerce to settle by arbitration 
a controversy thereafter arising out of such contract or 
transaction, or the refusal to perform the whole or any part 
thereof, or an agreement in writing to submit to arbitration an 
existing controversy arising out of such a contract, transaction, or 
refusal, shall be valid, irrevocable, and enforceable, save upon 
such grounds as exist at law or in equity for the revocation of any 
contract.'' Id. section 2. Chapter 1 further provides that ``any 
party to the arbitration may apply to the court so specified for an 
order confirming the award, and thereupon the court must grant such 
an order unless the award is vacated, modified, or corrected as 
prescribed in sections 10 and 11 of [the FAA].'' Id. section 9.
---------------------------------------------------------------------------

F. The Arbitration Panel

    The parties will select the arbitrators from the list of 
arbitrators discussed below.
    Consistent with applicable law, the U.S. Department of Commerce 
and the European

[[Page 51056]]

Commission will develop a list of at least 20 arbitrators, chosen on 
the basis of independence, integrity, and expertise. The following 
shall apply in connection with this process:
    Arbitrators:
    (1) Will remain on the list for a period of 3 years, absent 
exceptional circumstances or for cause, renewable for one additional 
period of 3 years;
    (2) shall not be subject to any instructions from, or be 
affiliated with, either party, or any Privacy Shield organization, 
or the U.S., EU, or any EU Member State or any other governmental 
authority, public authority, or enforcement authority; and
    (3) must be admitted to practice law in the U.S. and be experts 
in U.S. privacy law, with expertise in EU data protection law.

G. Arbitration Procedures

    Consistent with applicable law, within 6 months from the 
adoption of the adequacy decision, the Department of Commerce and 
the European Commission will agree to adopt an existing, well-
established set of U.S. arbitral procedures (such as AAA or JAMS) to 
govern proceedings before the Privacy Shield Panel, subject to each 
of the following considerations:
    1. An individual may initiate binding arbitration, subject to 
the pre-arbitration requirements provision above, by delivering a 
``Notice'' to the organization. The Notice shall contain a summary 
of steps taken under Paragraph C to resolve the claim, a description 
of the alleged violation, and, at the choice of the individual, any 
supporting documents and materials and/or a discussion of law 
relating to the alleged claim.
    2. Procedures will be developed to ensure that an individual's 
same claimed violation does not receive duplicative remedies or 
procedures.
    3. FTC action may proceed in parallel with arbitration.
    4. No representative of the U.S., EU, or any EU Member State or 
any other governmental authority, public authority, or enforcement 
authority may participate in these arbitrations, provided, that at 
the request of an EU individual, EU DPAs may provide assistance in 
the preparation only of the Notice but EU DPAs may not have access 
to discovery or any other materials related to these arbitrations.
    5. The location of the arbitration will be the United States, 
and the individual may choose video or telephone participation, 
which will be provided at no cost to the individual. In-person 
participation will not be required.
    6. The language of the arbitration will be English unless 
otherwise agreed by the parties. Upon a reasoned request, and taking 
into account whether the individual is represented by an attorney, 
interpretation at the arbitral hearing as well as translation of 
arbitral materials will be provided at no cost to the individual, 
unless the panel finds that, under the circumstances of the specific 
arbitration, this would lead to unjustified or disproportionate 
costs.
    7. Materials submitted to arbitrators will be treated 
confidentially and will only be used in connection with the 
arbitration.
    8. Individual-specific discovery may be permitted if necessary, 
and such discovery will be treated confidentially by the parties and 
will only be used in connection with the arbitration.
    9. Arbitrations should be completed within 90 days of the 
delivery of the Notice to the organization at issue, unless 
otherwise agreed to by the parties.

H. Costs

    Arbitrators should take reasonable steps to minimize the costs 
or fees of the arbitrations. Subject to applicable law, the 
Department of Commerce will facilitate the establishment of a fund, 
into which Privacy Shield organizations will be required to pay an 
annual contribution, based in part on the size of the organization, 
which will cover the arbitral cost, including arbitrator fees, up to 
maximum amounts (``caps''), in consultation with the European 
Commission. The fund will be managed by a third party, which will 
report regularly on the operations of the fund. At the annual 
review, the Department of Commerce and European Commission will 
review the operation of the fund, including the need to adjust the 
amount of the contributions or of the caps, and will consider, among 
other things, the number of arbitrations and the costs and timing of 
the arbitrations, with the mutual understanding that there will be 
no excessive financial burden imposed on Privacy Shield 
organizations. Attorney's fees are not covered by this provision or 
any fund under this provision.

Letter From U.S. Secretary of State John Kerry

July 7, 2016

Dear Commissioner Jourov[aacute],

    I am pleased we have reached an understanding on the European 
Union-United States Privacy Shield that will include an Ombudsperson 
mechanism through which authorities in the EU will be able to submit 
requests on behalf of EU individuals regarding U.S. signals 
intelligence practices.
    On January 17, 2014, President Barack Obama announced important 
intelligence reforms included in Presidential Policy Directive 28 
(PPD-28). Under PPD-28, I designated Under Secretary of State 
Catherine A. Novelli, who also serves as Senior Coordinator for 
International Information Technology Diplomacy, as our point of 
contact for foreign governments that wish to raise concerns 
regarding U.S. signals intelligence activities. Building on this 
role, I have established a Privacy Shield Ombudsperson mechanism in 
accordance with the terms set out in Annex A, which have been 
updated since my letter of February 22, 2016. I have directed Under 
Secretary Novelli to perform this function. Under Secretary Novelli 
is independent from the U.S. intelligence community, and reports 
directly to me.
    I have directed my staff to devote the necessary resources to 
implement this new Ombudsperson mechanism, and am confident it will 
be an effective means to address EU individuals' concerns.

Sincerely,

John F. Kerry

Annex A: EU-U.S. Privacy Shield Ombudsperson Mechanism

EU-U.S. Privacy Shield Ombudsperson Mechanism Regarding Signals 
Intelligence

    In recognition of the importance of the EU-U.S. Privacy Shield 
Framework, this Memorandum sets forth the process for implementing a 
new mechanism, consistent with Presidential Policy Directive 28 
(PPD-28), regarding signals intelligence.\9\
---------------------------------------------------------------------------

    \9\ Provided that the Commission Decision on the adequacy of the 
protection provided by the EU-U.S. Privacy Shield applies to 
Iceland, Liechtenstein and Norway, the Privacy Shield Package will 
cover both the European Union, as well as these three countries. 
Consequently, references to the EU and its Member States will be 
read as including Iceland, Liechtenstein and Norway.
---------------------------------------------------------------------------

    On January 17, 2014, President Obama gave a speech announcing 
important intelligence reforms. In that speech, he pointed out that 
``[o]ur efforts help protect not only our nation, but our friends 
and allies as well. Our efforts will only be effective if ordinary 
citizens in other countries have confidence that the United States 
respects their privacy too.'' President Obama announced the issuance 
of a new presidential directive--PPD-28--to ``clearly prescribe what 
we do, and do not do, when it comes to our overseas surveillance.''
    Section 4(d) of PPD-28 directs the Secretary of State to 
designate a ``Senior Coordinator for International Information 
Technology Diplomacy'' (Senior Coordinator) ``to . . . serve as a 
point of contact for foreign governments who wish to raise concerns 
regarding signals intelligence activities conducted by the United 
States.'' As of January 2015, Under Secretary C. Novelli has served 
as the Senior Coordinator.
    This Memorandum describes a new mechanism that the Senior 
Coordinator will follow to facilitate the processing of requests 
relating to national security access to data transmitted from the EU 
to the United States pursuant to the Privacy Shield, standard 
contractual clauses (SCCs), binding corporate rules (BCRs), 
``Derogations,'' \10\ or ``Possible Future Derogations,'' \11\ 
through established

[[Page 51057]]

avenues under applicable United States laws and policy, and the 
response to those requests.
---------------------------------------------------------------------------

    \10\ ``Derogations'' in this context mean a commercial transfer 
or transfers that take place on the condition that: (a) the data 
subject has given his consent unambiguously to the proposed 
transfer; or (b) the transfer is necessary for the performance of a 
contract between the data subject and the controller or the 
implementation of precontractual measures taken in response to the 
data subject's request; or (c) the transfer is necessary for the 
conclusion or performance of a contract concluded in the interest of 
the data subject between the controller and a third party; or (d) 
the transfer is necessary or legally required on important public 
interest grounds, or for the establishment, exercise or defense of 
legal claims; or (e) the transfer is necessary in order to protect 
the vital interests of the data subject; or (f) the transfer is made 
from a register which according to laws or regulations is intended 
to provide information to the public and which is open to 
consultation either by the public in general or by any person who 
can demonstrate legitimate interest, to the extent that the 
conditions laid down in law for consultation are fulfilled in the 
particular case.
    \11\ ``Possible Future Derogations'' in this context mean a 
commercial transfer or transfers that take place on one of the 
following conditions, to the extent the condition constitutes lawful 
grounds for transfers of personal data from the EU to the U.S.: (a) 
The data subject has explicitly consented to the proposed transfer, 
after having been informed of the possible risks of such transfers 
for the data subject due to the absence of an adequacy decision and 
appropriate safeguards; or (b) the transfer is necessary in order to 
protect the vital interests of the data subject or of other persons, 
where the data subject is physically or legally incapable of giving 
consent; or (c) in case of a transfer to a third country or an 
international organization and none of the other derogations or 
possible future derogations is applicable, only if the transfer is 
not repetitive, concerns only a limited number of data subjects, is 
necessary for the purposes of compelling legitimate interests 
pursued by the controller which are not overridden by the interests 
or rights and freedoms of the data subject, and the controller has 
assessed all the circumstances surrounding the data transfer and has 
on the basis of that assessment provided suitable safeguards with 
regard to the protection of personal data.
---------------------------------------------------------------------------

    1. The Privacy Shield Ombudsperson. The Senior Coordinator will 
serve as the Privacy Shield Ombudsperson and designate additional 
State Department officials, as appropriate to assist in her 
performance of the responsibilities detailed in this memorandum. 
(Hereinafter, the Coordinator and any officials performing such 
duties will be referred to as ``Privacy Shield Ombudsperson.'') The 
Privacy Shield Ombudsperson will work closely with appropriate 
officials from other departments and agencies who are responsible 
for processing requests in accordance with applicable United States 
law and policy. The Ombudsperson is independent from the 
Intelligence Community. The Ombudsperson reports directly to the 
Secretary of State who will ensure that the Ombudsperson carries out 
its function objectively and free from improper influence that is 
liable to have an effect on the response to be provided.
    2. Effective Coordination. The Privacy Shield Ombudsperson will 
be able to effectively use and coordinate with the oversight bodies, 
described below, in order to ensure that the Ombudsperson's response 
to requests from the submitting EU individual complaint handing body 
is based on the necessary information. When the request relates to 
the compatibility of surveillance with U.S. law, the Privacy Shield 
Ombudsperson will be able to cooperate with one of the independent 
oversight bodies with investigatory powers.
    a. The Privacy Shield Ombudsperson will work closely with other 
United States Government officials, including appropriate 
independent oversight bodies, to ensure that completed requests are 
processed and resolved in accordance with applicable laws and 
policies. In particular, the Privacy Shield Ombudsperson will be 
able to coordinate closely with the Office of the Director of 
National Intelligence, the Department of Justice, and other 
departments and agencies involved in United States national security 
as appropriate, and Inspectors General, Freedom of Information Act 
Officers, and Civil Liberties and Privacy Officers.
    b. The United States Government will rely on mechanisms for 
coordinating and overseeing national security matters across 
departments and agencies to help ensure that the Privacy Shield 
Ombudsperson is able to respond within the meaning of Section 4(e) 
to completed requests under Section 3(b).
    c. The Privacy Shield Ombudsperson may refer matters related to 
requests to the Privacy and Civil Liberties Oversight Board for its 
consideration.
    3. Submitting Requests.
    a. A request will initially be submitted to the supervisory 
authorities in the Member States competent for the oversight of 
national security services and/or the processing of personal data by 
public authorities. The request will be submitted to the 
Ombudsperson by a EU centralized body (hereafter together: The ``EU 
individual complaint handling body'').
    b. The EU individual complaint handling body will ensure, in 
compliance with the following actions, that the request is complete:
    (i) Verifying the identity of the individual, and that the 
individual is acting on his/her own behalf, and not as a 
representative of a governmental or intergovernmental organization.
    (ii) Ensuring the request is made in writing, and that it 
contains the following basic information:
     Any information that forms the basis for the request,
     the nature of information or relief sought,
     the United States Government entities believed to be 
involved, if any, and
     the other measures pursued to obtain the information or 
relief requested and the response received through those other 
measures.
    (iii) Verifying that the request pertains to data reasonably 
believed to have been transferred from the EU to the United States 
pursuant to the Privacy Shield, SCCs, BCRs, Derogations, or Possible 
Future Derogations.
    (iv) Making an initial determination that the request is not 
frivolous, vexatious, or made in bad faith.
    c. To be completed for purposes of further handling by the 
Privacy Shield Ombudsperson under this memorandum, the request need 
not demonstrate that the requester's data has in fact been accessed 
by the United States Government through signal intelligence 
activities.
    4. Commitments to Communicate with Submitting EU Individual 
Complaint Handling Body.
    a. The Privacy Shield Ombudsperson will acknowledge receipt of 
the request to the submitting EU individual complaint handling body.
    b. The Privacy Shield Ombudsperson will conduct an initial 
review to verify that the request has been completed in conformance 
with Section 3(b). If the Privacy Shield Ombudsperson notes any 
deficiencies or has any questions regarding the completion of the 
request, the Privacy Shield Ombudsperson will seek to address and 
resolve those concerns with the submitting EU individual complaint 
handling body.
    c. If, to facilitate appropriate processing of the request, the 
Privacy Shield Ombudsperson needs more information about the 
request, or if specific action is needed to be taken by the 
individual who originally submitted the request, the Privacy Shield 
Ombudsperson will so inform the submitting EU individual complaint 
handling body.
    d. The Privacy Shield Ombudsperson will track the status of 
requests and provide updates as appropriate to the submitting EU 
individual complaint handling body.
    e. Once a request has been completed as described in Section 3 
of this Memorandum, the Privacy Shield Ombudsperson will provide in 
a timely manner an appropriate response to the submitting EU 
individual complaint handling body, subject to the continuing 
obligation to protect information under applicable laws and 
policies. The Privacy Shield Ombudsperson will provide a response to 
the submitting EU individual complaint handling body confirming (i) 
that the complaint has been properly investigated, and (ii) that the 
U.S. law, statutes, executives orders, presidential directives, and 
agency policies, providing the limitations and safeguards described 
in the ODNI letter, have been complied with, or, in the event of 
non-compliance, such non-compliance has been remedied. The Privacy 
Shield Ombudsperson will neither confirm nor deny whether the 
individual has been the target of surveillance nor will the Privacy 
Shield Ombudsperson confirm the specific remedy that was applied. As 
further explained in Section 5, FOIA requests will be processed as 
provided under that statute and applicable regulations.
    f. The Privacy Shield Ombudsperson will communicate directly 
with the EU individual complaint handling body, who will in turn be 
responsible for communicating with the individual submitting the 
request. If direct communications are part of one of the underlying 
processes described below, then those communications will take place 
in accordance with existing procedures.
    g. Commitments in this Memorandum will not apply to general 
claims that the EU-U.S. Privacy Shield is inconsistent with European 
Union data protection requirements. The commitments in this 
Memorandum are made based on the common understanding by the 
European Commission and the U.S. government that given the scope of 
commitments under this mechanism, there may be resource constraints 
that arise, including with respect to Freedom of Information Act 
(FOIA) requests. Should the carrying-out of the Privacy Shield 
Ombudsperson's functions exceed reasonable resource constraints and 
impede the fulfillment of these commitments, the U.S. government 
will discuss with the European Commission any adjustments that may 
be appropriate to address the situation.
    5. Requests for Information. Requests for access to United 
States Government records may be made and processed under the 
Freedom of Information Act (FOIA).
    a. FOIA provides a means for any person to seek access to 
existing federal agency records, regardless of the nationality of 
the requester. This statute is codified in the United States Code at 
5 U.S.C. 552. The statute, together with additional information 
about FOIA, is available at www.FOIA.gov

[[Page 51058]]

and https://www.justice.gov/oip/foia-resources. Each agency has a 
Chief FOIA Officer, and has provided information on its public Web 
site about how to submit a FOIA request to the agency. Agencies have 
processes for consulting with one another on FOIA requests that 
involve records held by another agency.

b. By way of example:

    (i) The Office of the Director of National Intelligence (ODNI) 
has established the ODNI FOIA Portal for the ODNI: https://www.dni.gov/index.php/about-this-site/foia. This portal provides 
information on submitting a request, checking on the status of an 
existing request, and accessing information that has been released 
and published by the ODNI under FOIA. The ODNI FOIA Portal includes 
links to other FOIA Web sites for IC elements: https://www.dni.gov/index.php/about-this-site/foia/other-ic-foia-sites.
    (ii) The Department of Justice's Office of Information Policy 
provides comprehensive information about FOIA: https://www.justice.gov/oip. This includes not only information about 
submitting a FOIA request to the Department of Justice, but also 
provides guidance to the United States government on interpreting 
and applying FOIA requirements.
    c. Under FOIA, access to government records is subject to 
certain enumerated exemptions. These include limits on access to 
classified national security information, personal information of 
third parties, and information concerning law enforcement 
investigations, and are comparable to the limitations imposed by 
each EU Member State with its own information access law. These 
limitations apply equally to Americans and non-Americans.
    d. Disputes over the release of records requested pursuant to 
FOIA can be appealed administratively and then in federal court. The 
court is required to make a de novo determination of whether records 
are properly withheld, 5 U.S.C. 552(a)(4)(B), and can compel the 
government to provide access to records. In some cases courts have 
overturned government assertions that information should be withheld 
as classified. Although no monetary damages are available, courts 
can award attorney's fees.
    6. Requests for Further Action. A request alleging violation of 
law or other misconduct will be referred to the appropriate United 
States Government body, including independent oversight bodies, with 
the power to investigate the respective request and address non-
compliance as described below.
    a. Inspectors General are statutorily independent; have broad 
power to conduct investigations, audits and reviews of programs, 
including of fraud and abuse or violation of law; and can recommend 
corrective actions.
    (i) The Inspector General Act of 1978, as amended, statutorily 
established the Federal Inspectors General (IG) as independent and 
objective units within most agencies whose duties are to combat 
waste, fraud, and abuse in the programs and operations of their 
respective agencies. To this end, each IG is responsible for 
conducting audits and investigations relating to the programs and 
operations of its agency. Additionally, IGs provide leadership and 
coordination and recommend policies for activities designed to 
promote economy, efficiency, and effectiveness, and prevent and 
detect fraud and abuse, in agency programs and operations.
    (ii) Each element of the Intelligence Community has its own 
Office of the Inspector General with responsibility for oversight of 
foreign intelligence activities, among other matters. A number of 
Inspector General reports about intelligence programs have been 
publicly released.
    (iii) By way of example:
     The Office of the Inspector General of the Intelligence 
Community (IC IG) was established pursuant to Section 405 of the 
Intelligence Authorization Act of Fiscal Year 2010. The IC IG is 
responsible for conducting IC-wide audits, investigations, 
inspections, and reviews that identify and address systemic risks, 
vulnerabilities, and deficiencies that cut across IC agency 
missions, in order to positively impact IC-wide economies and 
efficiencies. The IC IG is authorized to investigate complaints or 
information concerning allegations of a violation of law, rule, 
regulation, waste, fraud, abuse of authority, or a substantial or 
specific danger to public health and safety in connection with ODNI 
and/or IC intelligence programs and activities. The IC IG provides 
information on how to contact the IC IG directly to submit a report: 
https://www.dni.gov/index.php/about-this-site/contact-the-ig.
     The Office of the Inspector General (OIG) in the U.S. 
Department of Justice (DOJ) is a statutorily created independent 
entity whose mission is to detect and deter waste, fraud, abuse, and 
misconduct in DOJ programs and personnel, and to promote economy and 
efficiency in those programs. The OIG investigates alleged 
violations of criminal and civil laws by DOJ employees and also 
audits and inspects DOJ programs. The OIG has jurisdiction over all 
complaints of misconduct against Department of Justice employees, 
including the Federal Bureau of Investigation; Drug Enforcement 
Administration; Federal Bureau of Prisons; U.S. Marshals Service; 
Bureau of Alcohol, Tobacco, Firearms, and Explosives; United States 
Attorneys Offices; and employees who work in other Divisions or 
Offices in the Department of Justice. (The one exception is that 
allegations of misconduct by a Department attorney or law 
enforcement personnel that relate to the exercise of the Department 
attorney's authority to investigate, litigate, or provide legal 
advice are the responsibility of the Department's Office of 
Professional Responsibility.) In addition, section 1001 of the USA 
Patriot Act, signed into law on October 26, 2001, directs the 
Inspector General to review information and receive complaints 
alleging abuses of civil rights and civil liberties by Department of 
Justice employees. The OIG maintains a public Web site--https://www.oig.justice.gov--which includes a ``Hotline'' for submitting 
complaints--https://www.oig.justice.gov/hotline/index.htm.
    b. Privacy and Civil Liberties offices and entities in the 
United States Government also have relevant responsibilities. By way 
of example:
    (i) Section 803 of the Implementing Recommendations of the 9/11 
Commission Act of 2007, codified in the United States Code at 42 
U.S.C. 2000-ee1, establishes privacy and civil liberties officers at 
certain departments and agencies (including the Department of State, 
Department of Justice, and ODNI). Section 803 specifies that these 
privacy and civil liberties officers will serve as the principal 
advisor to, among other things, ensure that such department, agency, 
or element has adequate procedures to address complaints from 
individuals who allege such department, agency, or element has 
violated their privacy or civil liberties.
    (ii) The ODNI's Civil Liberties and Privacy Office (ODNI CLPO) 
is led by the ODNI Civil Liberties Protection Officer, a position 
established by the National Security Act of 1948, as amended. The 
duties of the ODNI CLPO include ensuring that the policies and 
procedures of the elements of the Intelligence Community include 
adequate protections for privacy and civil liberties, and reviewing 
and investigating complaints alleging abuse or violation of civil 
liberties and privacy in ODNI programs and activities. The ODNI CLPO 
provides information to the public on its Web site, including 
instructions for how to submit a complaint: www.dni.gov/clpo. If the 
ODNI CLPO receives a privacy or civil liberties complaint involving 
IC programs and activities, it will coordinate with other IC 
elements on how that complaint should be further processed within 
the IC. Note that the National Security Agency (NSA) also has a 
Civil Liberties and Privacy Office, which provides information about 
its responsibilities on its Web site--https://www.nsa.gov/civil_liberties/. If information indicates that an agency is out of 
compliance with privacy requirements (e.g., a requirement under 
Section 4 of PPD-28), then agencies have compliance mechanisms to 
review and remedy the incident. Agencies are required to report 
compliance incidents under PPD-28 to the ODNI.
    (iii) The Office of Privacy and Civil Liberties (OPCL) at the 
Department of Justice supports the duties and responsibilities of 
the Department's Chief Privacy and Civil Liberties Officer (CPCLO). 
The principal mission of OPCL is to protect the privacy and civil 
liberties of the American people through review, oversight, and 
coordination of the Department's privacy operations. OPCL provides 
legal advice and guidance to Departmental components; ensures the 
Department's privacy compliance, including compliance with the 
Privacy Act of 1974, the privacy provisions of both the E-Government 
Act of 2002 and the Federal Information Security Management Act, as 
well as administration policy directives issued in furtherance of 
those Acts; develops and provides Departmental privacy training; 
assists the CPCLO in developing Departmental privacy policy; 
prepares privacy-related reporting to the President and Congress; 
and reviews the information handling practices of the Department to 
ensure that such practices are consistent with

[[Page 51059]]

the protection of privacy and civil liberties. OPCL provides 
information to the public about its responsibilities at https://www.justice.gov/opcl.
    (iv) According to 42 U.S.C. 2000ee et seq., the Privacy and 
Civil Liberties Oversight Board shall continually review (i) the 
policies and procedures, as well as their implementation, of the 
departments, agencies and elements of the executive branch relating 
to efforts to protect the Nation from terrorism to ensure that 
privacy and civil liberties are protected, and (ii) other actions by 
the executive branch relating to such efforts to determine whether 
such actions appropriately protect privacy and civil liberties and 
are consistent with governing laws, regulations, and policies 
regarding privacy and civil liberties. It shall receive and review 
reports and other information from privacy officers and civil 
liberties officers and, when appropriate, make recommendations to 
them regarding their activities. Section 803 of the Implementing 
Recommendations of the 9/11 Commission Act of 2007, codified at 42 
U.S.C. 2000ee-1, directs the privacy and civil liberties officers of 
eight federal agencies (including the Secretary of Defense, 
Secretary of Homeland Security, Director of National Intelligence, 
and Director of the Central Intelligence Agency), and any additional 
agency designated by the Board, to submit periodic reports to the 
PCLOB, including the number, nature, and disposition of the 
complaints received by the respective agency for alleged violations. 
The PCLOB's enabling statute directs the Board to receive these 
reports and, when appropriate, make recommendations to the privacy 
and civil liberties officers regarding their activities.

Letter From Federal Trade Commission Chairwoman Edith Ramirez

July 7, 2016
VIA EMAIL

V[ecaron]ra Jourov[aacute], Commissioner for Justice, Consumers and 
Gender Equality, European Commission, Rue de la Loi/Wetstraat 200, 
1049 Brussels, Belgium

Dear Commissioner Jourov[aacute]:

    The United States Federal Trade Commission (``FTC'') appreciates 
the opportunity to describe its enforcement of the new EU-U.S. 
Privacy Shield Framework (the ``Privacy Shield Framework'' or 
``Framework''). We believe the Framework will play a critical role 
in facilitating privacy-protective commercial transactions in an 
increasingly interconnected world. It will enable businesses to 
conduct important operations in the global economy, while at the 
same time ensuring that EU consumers retain important privacy 
protections. The FTC has long committed to protecting privacy across 
borders and will make enforcement of the new Framework a high 
priority. Below, we explain the FTC's history of strong privacy 
enforcement generally, including our enforcement of the original 
Safe Harbor program, as well as the FTC's approach to enforcement of 
the new Framework.
    The FTC first publicly expressed its commitment to enforce the 
Safe Harbor program in 2000. At that time, then-FTC Chairman Robert 
Pitofsky sent the European Commission a letter outlining the FTC's 
pledge to vigorously enforce the Safe Harbor Privacy Principles. The 
FTC has continued to uphold this commitment through nearly 40 
enforcement actions, numerous additional investigations, and 
cooperation with individual European data protection authorities 
(``EU DPAs'') on matters of mutual interest.
    After the European Commission raised concerns in November 2013 
about the administration and enforcement of the Safe Harbor program, 
we and the U.S. Department of Commerce began consultations with 
officials from the European Commission to explore ways to strengthen 
it. While those consultations were proceeding, on October 6, 2015, 
the European Court of Justice issued a decision in the Schrems case 
that, among other things, invalidated the European Commission's 
decision on the adequacy of the Safe Harbor program. Following the 
decision, we continued to work closely with the Department of 
Commerce and the European Commission in an effort to strengthen the 
privacy protections provided to EU individuals. The Privacy Shield 
Framework is a result of these ongoing consultations. As was the 
case with the Safe Harbor program, the FTC hereby commits to 
vigorous enforcement of the new Framework. This letter memorializes 
that commitment.
    Notably, we affirm our commitment in four key areas: (1) 
Referral prioritization and investigations; (2) addressing false or 
deceptive Privacy Shield membership claims; (3) continued order 
monitoring; and (4) enhanced engagement and enforcement cooperation 
with EU DPAs. We provide below detailed information about each of 
these commitments and relevant background about the FTC's role in 
protecting consumer privacy and enforcing Safe Harbor, as well as 
the broader privacy landscape in the United States.\12\
---------------------------------------------------------------------------

    \12\ We provide additional information about U.S. federal and 
state privacy laws in Attachment A. In addition, a summary of our 
recent privacy and security enforcement actions is available on the 
FTC's Web site at https://www.ftc.gov/reports/privacy-data-security-update-2015.
---------------------------------------------------------------------------

I. Background

A. FTC Privacy Enforcement and Policy Work

    The FTC has broad civil enforcement authority to promote 
consumer protection and competition in the commercial sphere. As 
part of its consumer protection mandate, the FTC enforces a wide 
range of laws to protect the privacy and security of consumer data. 
The primary law enforced by the FTC, the FTC Act, prohibits 
``unfair'' and ``deceptive'' acts or practices in or affecting 
commerce.\13\ A representation, omission, or practice is deceptive 
if it is material and likely to mislead consumers acting reasonably 
under the circumstances.\14\ An act or practice is unfair if it 
causes, or is likely to cause, substantial injury that is not 
reasonably avoidable by consumers or outweighed by countervailing 
benefits to consumers or competition.\15\ The FTC also enforces 
targeted statutes that protect information relating to health, 
credit and other financial matters, as well as children's online 
information, and has issued regulations implementing each of these 
statutes.
---------------------------------------------------------------------------

    \13\ 15 U.S.C. 45(a).
    \14\ See FTC Policy Statement on Deception, appended to 
Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984), available at 
https://www.ftc.gov/public-statements/1983/10/ftc-policy-statement-deception.
    \15\ See 15 U.S.C 45(n); FTC Policy Statement on Unfairness, 
appended to Int'l Harvester Co., 104 F.T.C. 949, 1070 (1984), 
available at https://www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness.
---------------------------------------------------------------------------

    The FTC's jurisdiction under the FTC Act applies to matters ``in 
or affecting commerce.'' The FTC does not have jurisdiction over 
criminal law enforcement or national security matters. Nor can the 
FTC reach most other governmental actions. In addition, there are 
exceptions to the FTC's jurisdiction over commercial activities, 
including with respect to banks, airlines, the business of 
insurance, and the common carrier activities of telecommunications 
service providers. The FTC also does not have jurisdiction over most 
non-profit organizations, but it does have jurisdiction over sham 
charities or other non-profits that in actuality operate for profit. 
The FTC also has jurisdiction over non-profit organizations that 
operate for the profit of their for-profit members, including by 
providing substantial economic benefits to those members.\16\ In 
some instances, the FTC's jurisdiction is concurrent with that of 
other law enforcement agencies.
---------------------------------------------------------------------------

    \16\ See California Dental Ass'n v. FTC, 526 U.S. 756 (1999).
---------------------------------------------------------------------------

    We have developed strong working relationships with federal and 
state authorities and work closely with them to coordinate 
investigations or make referrals where appropriate.
    Enforcement is the lynchpin of the FTC's approach to privacy 
protection. To date, the FTC has brought over 500 cases protecting 
the privacy and security of consumer information. This body of cases 
covers both offline and online information and includes enforcement 
actions against companies large and small, alleging that they failed 
to properly dispose of sensitive consumer data, failed to secure 
consumers' personal information, deceptively tracked consumers 
online, spammed consumers, installed spyware or other malware on 
consumers' computers, violated Do Not Call and other telemarketing 
rules, and improperly collected and shared consumer information on 
mobile devices. The FTC's enforcement actions--in both the physical 
and digital worlds--send an important message to companies about the 
need to protect consumer privacy.
    The FTC has also pursued numerous policy initiatives aimed at 
enhancing consumer privacy that inform its enforcement work. The FTC 
has hosted workshops and issued reports recommending best practices 
aimed at improving privacy in the mobile ecosystem; increasing 
transparency of the data broker industry; maximizing the benefits of 
big data while mitigating its risks, particularly for low-income and 
underserved consumers; and highlighting the privacy and security

[[Page 51060]]

implications of facial recognition and the Internet of Things, among 
other areas.
    The FTC also engages in consumer and business education to 
enhance the impact of its enforcement and policy development 
initiatives. The FTC has used a variety of tools-- publications, 
online resources, workshops, and social media--to provide 
educational materials on a wide range of topics, including mobile 
apps, children's privacy, and data security. Most recently, the 
Commission launched its ``Start With Security'' initiative, which 
includes new guidance for businesses drawing on lessons learned from 
the agency's data security cases, as well as a series of workshops 
across the country. In addition, the FTC has long been a leader in 
educating consumers about basic computer security. Last year, our 
OnGuard Online site and its Spanish language counterpart, Alerta en 
L[iacute]nea, had more than 5 million page views.

B. U.S. Legal Protections Benefiting EU Consumers

    The Framework will operate in the context of the larger U.S. 
privacy landscape, which protects EU consumers in a number of ways.
    The FTC Act's prohibition on unfair or deceptive acts or 
practices is not limited to protecting U.S. consumers from U.S. 
companies, as it includes those practices that (1) cause or are 
likely to cause reasonably foreseeable injury in the United States, 
or (2) involve material conduct in the United States. Further, the 
FTC can use all remedies, including restitution, that are available 
to protect domestic consumers when protecting foreign consumers.
    Indeed, the FTC's enforcement work significantly benefits both 
U.S. and foreign consumers. For example, our cases enforcing Section 
5 of the FTC Act have protected the privacy of U.S. and foreign 
consumers alike. In a case against an information broker, 
Accusearch, the FTC alleged that the company's sale of confidential 
telephone records to third parties without consumers' knowledge or 
consent was an unfair practice in violation of Section 5 of the FTC 
Act. Accusearch sold information relating to both U.S. and foreign 
consumers.\17\ The court granted injunctive relief against 
Accusearch prohibiting, among other things, the marketing or sale of 
consumers' personal information without written consent, unless it 
was lawfully obtained from publicly available information, and 
ordered disgorgement of almost $200,000.\18\
---------------------------------------------------------------------------

    \17\ See Office of the Privacy Commissioner of Canada, Complaint 
under PIPEDA against Accusearch, Inc., doing business as Abika.com, 
https://www.priv.gc.ca/cf-dc/2009/20090090731e.asp. The Office of 
the Privacy Commissioner of Canada filed an amicus curiae brief in 
the appeal of the FTC action and conducted its own investigation, 
concluding that Accusearch's practices also violated Canadian law.
    \18\ See FTC v. Accusearch, Inc., No. 06CV015D (D. Wyo. Dec. 20, 
2007), aff'd 570 F.3d 1187 (10th Cir. 2009).
---------------------------------------------------------------------------

    The FTC's settlement with TRUSTe is another example. It ensures 
that consumers, including those in the European Union, can rely on 
representations that a global self-regulatory organization makes 
about its review and certification of domestic and foreign online 
services.\19\ Importantly, our action against TRUSTe also 
strengthens the privacy self-regulatory system more broadly by 
ensuring the accountability of entities that play an important role 
in self-regulatory schemes, including cross-border privacy 
frameworks.
---------------------------------------------------------------------------

    \19\ See In the Matter of True Ultimate Standards Everywhere, 
Inc., No. C-4512 (F.T.C. Mar. 12, 2015) (decision and order), 
available at https://wwwftc.gov/system/files/documents/cases/150318trust-edo.pdf.
---------------------------------------------------------------------------

    The FTC also enforces other targeted laws whose protections 
extend to non-U.S. consumers, such as the Children's Online Privacy 
Protection Act (``COPPA''). Among other things, COPPA requires that 
operators of child-directed Web sites and online services, or 
general audience sites that knowingly collect personal information 
from children under the age of 13, provide parental notice and 
obtain verifiable parental consent. U.S.-based Web sites and 
services that are subject to COPPA and collect personal information 
from foreign children are required to comply with COPPA. Foreign-
based Web sites and online services must also comply with COPPA if 
they are directed to children in the United States, or if they 
knowingly collect personal information from children in the United 
States. In addition to the U.S. federal laws enforced by the FTC, 
certain other federal and state consumer protection and privacy laws 
may provide additional benefits to EU consumers.

C. Safe Harbor Enforcement

    As part of its privacy and security enforcement program, the FTC 
has also sought to protect EU consumers by bringing enforcement 
actions that involved Safe Harbor violations. The FTC has brought 39 
Safe Harbor enforcement actions: 36 alleging false certification 
claims, and three cases--against Google, Facebook, and Myspace--
involving alleged violations of Safe Harbor Privacy Principles.\20\ 
These cases demonstrate the enforceability of certifications and the 
repercussions for non-compliance. Twenty-year consent orders require 
Google, Facebook, and Myspace to implement comprehensive privacy 
programs that must be reasonably designed to address privacy risks 
related to the development and management of new and existing 
products and services and to protect the privacy and confidentiality 
of personal information. The comprehensive privacy programs mandated 
under these orders must identify foreseeable material risks and have 
controls to address those risks. The companies must also submit to 
ongoing, independent assessments of their privacy programs, which 
must be provided to the FTC. The orders also prohibit these 
companies from misrepresenting their privacy practices and their 
participation in any privacy or security program. This prohibition 
would also apply to companies' acts and practices under the new 
Privacy Shield Framework. The FTC can enforce these orders by 
seeking civil penalties. In fact, Google paid a record $22.5 million 
civil penalty in 2012 to resolve allegations it had violated its 
order. Consequently, these FTC orders help protect over a billion 
consumers worldwide, hundreds of millions of whom reside in Europe.
---------------------------------------------------------------------------

    \20\ See In the Matter of Google, Inc., No. C-4336 (F.T.C. Oct. 
13 2011) (decision and order), available at https://wwwftc.gov/news-events/press-releases/2011/03/ftc-charges-deceptive-privacy-practices-googles-rollout-its- buzz; In the Matter of Facebook, 
Inc., No. C-4365 (F.T.C. July 27, 2012) (decision and order), 
available at https://wwwftc.gov/news-events/press-releases/2012/08/ftc-approves-final-settlement-facebook; In the Matter of Myspace 
LLC, No. C-4369 (F.T.C. Aug. 30, 2012) (decision and order), 
available at https://www.ftc.gov/news-events/press-releases/2012/09/ftc-finalizes-privacy-settlement-myspace.
---------------------------------------------------------------------------

    The FTC's cases have also focused on false, deceptive, or 
misleading claims of Safe Harbor participation. The FTC takes these 
claims seriously. For example, in FTC v. Karnani, the FTC brought an 
action in 2011 against an Internet marketer in the United States 
alleging that he and his company tricked British consumers into 
believing that the company was based in the United Kingdom, 
including by using .uk web extensions and referencing British 
currency and the UK postal system.\21\ However, when consumers 
received the products, they discovered unexpected import duties, 
warranties that were not valid in the United Kingdom, and charges 
associated with obtaining refunds. The FTC also charged that the 
defendants deceived consumers about their participation in the Safe 
Harbor program. Notably, all of the consumer victims were in the 
United Kingdom.
---------------------------------------------------------------------------

    \21\ See FTC v. Karnani, No. 2:09-cv-05276 (C.D. Cal. May 20, 
2011) (stipulated final order), available at https://www.ftc.gov/sites/default/files/documents/cases/2011/06/110609karnanistip.pdf; 
see also Lesley Fair, FTC Business Center Blog, Around the World in 
Shady Ways, https://www.business.ftc.gov/blog/2011/06/around-world-shady-ways (June 9, 2011).
---------------------------------------------------------------------------

    Many of our other Safe Harbor enforcement cases involved 
organizations that joined the Safe Harbor program but failed to 
renew their annual certification while they continued to represent 
themselves as current members. As discussed further below, the FTC 
also commits to addressing false claims of participation in the 
Privacy Shield Framework. This strategic enforcement activity will 
complement the Department of Commerce's increased actions to verify 
compliance with program requirements for certification and re-
certification, its monitoring of effective compliance, including 
through the use of questionnaires to Framework participants, and its 
increased efforts to identify false Framework membership claims and 
misuse of any Framework certification mark.\22\
---------------------------------------------------------------------------

    \22\ Letter from Ken Hyatt, Acting Under Secretary of Commerce 
for International Trade, International Trade Administration, to 
V[ecaron]ra Jourov[aacute], Commissioner for Justice, Consumers and 
Gender Equality.
---------------------------------------------------------------------------

II. Referral Prioritization and Investigations

    As we did under the Safe Harbor program, the FTC commits to give 
priority to Privacy Shield referrals from EU Member States. We will 
also prioritize referrals of non-compliance with self-regulatory 
guidelines relating to the Privacy Shield Framework from privacy 
self- regulatory organizations

[[Page 51061]]

and other independent dispute resolution bodies.
    To facilitate referrals under the Framework from EU Member 
States, the FTC is creating a standardized referral process and 
providing guidance to EU Member States on the type of information 
that would best assist the FTC in its inquiry into a referral. As 
part of this effort, the FTC will designate an agency point of 
contact for EU Member State referrals. It is most useful when the 
referring authority has conducted a preliminary inquiry into the 
alleged violation and can cooperate with the FTC in an 
investigation.
    Upon receipt of a referral from an EU Member State or self-
regulatory organization, the FTC can take a range of actions to 
address the issues raised. For example, we may review the company's 
privacy policies, obtain further information directly from the 
company or from third parties, follow up with the referring entity, 
assess whether there is a pattern of violations or significant 
number of consumers affected, determine whether the referral 
implicates issues within the purview of the Department of Commerce, 
assess whether consumer and business education would be helpful, 
and, as appropriate, initiate an enforcement proceeding.
    The FTC also commits to exchange information on referrals with 
referring enforcement authorities, including the status of 
referrals, subject to confidentiality laws and restrictions. To the 
extent feasible given the number and type of referrals received, the 
information provided will include an evaluation of the referred 
matters, including a description of significant issues raised and 
any action taken to address law violations within the jurisdiction 
of the FTC. The FTC will also provide feedback to the referring 
authority on the types of referrals received in order to increase 
the effectiveness of efforts to address unlawful conduct. If a 
referring enforcement authority seeks information about the status 
of a particular referral for purposes of pursuing its own 
enforcement proceeding, the FTC will respond, taking into account 
the number of referrals under consideration and subject to 
confidentiality and other legal requirements.
    The FTC will also work closely with EU DPAs to provide 
enforcement assistance. In appropriate cases, this could include 
information sharing and investigative assistance pursuant to the 
U.S. SAFE WEB Act, which authorizes FTC assistance to foreign law 
enforcement agencies when the foreign agency is enforcing laws 
prohibiting practices that are substantially similar to those 
prohibited by laws the FTC enforces.\23\ As part of this assistance, 
the FTC can share information obtained in connection with an FTC 
investigation, issue compulsory process on behalf of the EU DPA 
conducting its own investigation, and seek oral testimony from 
witnesses or defendants in connection with the DPA's enforcement 
proceeding, subject to the requirements of the U.S. SAFE WEB Act. 
The FTC regularly uses this authority to assist other authorities 
around the world in privacy and consumer protection cases.\24\
---------------------------------------------------------------------------

    \23\ In determining whether to exercise its U.S. SAFE WEB Act 
authority, the FTC considers, inter alia: ``(A) whether the 
requesting agency has agreed to provide or will provide reciprocal 
assistance to the Commission; (B) whether compliance with the 
request would prejudice the public interest of the United States; 
and (C) whether the requesting agency's investigation or enforcement 
proceeding concerns acts or practices that cause or are likely to 
cause injury to a significant number of persons.'' 15 U.S.C. 
46(j)(3). This authority does not apply to enforcement of 
competition laws.
    \24\ In fiscal years 2012-2015, for example, the FTC used its 
U.S. SAFE WEB Act authority to share information in response to 
almost 60 requests from foreign agencies and it issued nearly 60 
civil investigative demands (equivalent to administrative subpoenas) 
to aid 25 foreign investigations.
---------------------------------------------------------------------------

    In addition to prioritizing Privacy Shield referrals from EU 
Member States and privacy self-regulatory organizations,\25\ the FTC 
commits to investigating possible Framework violations on its own 
initiative where appropriate using a range of tools.
---------------------------------------------------------------------------

    \25\ Although the FTC does not resolve or mediate individual 
consumer complaints, the FTC affirms that it will prioritize Privacy 
Shield referrals from EU DPAs. In addition, the FTC uses complaints 
in its Consumer Sentinel database, which is accessible by many other 
law enforcement agencies, to identify trends, determine enforcement 
priorities, and identify potential investigative targets. EU 
individuals can use the same complaint system available to U.S. 
citizens to submit a complaint to the FTC at www.ftc.gov/complaint. 
For individual Privacy Shield complaints, however, it may be most 
useful for EU individuals to submit complaints to their Member State 
DPA or alternative dispute resolution provider.
---------------------------------------------------------------------------

    For well over a decade, the FTC has maintained a robust program 
of investigating privacy and security issues involving commercial 
organizations. As part of these investigations, the FTC routinely 
examined whether the entity at issue was making Safe Harbor 
representations. If the entity was making such representations and 
the investigation revealed apparent violations of the Safe Harbor 
Privacy Principles, the FTC included allegations of Safe Harbor 
violations in its enforcement actions. We will continue this 
proactive approach under the new Framework. Importantly, the FTC 
conducts many more investigations than ultimately result in public 
enforcement actions. Many FTC investigations are closed because 
staff does not identify an apparent law violation. Because FTC 
investigations are non-public and confidential, the closing of an 
investigation is often not made public.
    The nearly 40 enforcement actions initiated by the FTC involving 
the Safe Harbor program evidence the agency's commitment to 
proactive enforcement of cross-border privacy programs. The FTC will 
look for potential Framework violations as part of the privacy and 
security investigations we undertake on a regular basis.

III. Addressing False or Deceptive Privacy Shield Membership Claims

    As referenced above, the FTC will take action against entities 
that misrepresent their participation in the Framework. The FTC will 
give priority consideration to referrals from the Department of 
Commerce regarding organizations that it identifies as improperly 
holding themselves out to be current members of the Framework or 
using any Framework certification mark without authorization.
    In addition, we note that if an organization's privacy policy 
promises that it complies with the Privacy Shield Principles, its 
failure to make or maintain a registration with the Department of 
Commerce likely will not, by itself, excuse the organization from 
FTC enforcement of those Framework commitments.

IV. Order Monitoring

    The FTC also affirms its commitment to monitor enforcement 
orders to ensure compliance with the Privacy Shield Framework.
    We will require compliance with the Framework through a variety 
of appropriate injunctive provisions in future FTC Framework orders. 
This includes prohibiting misrepresentations regarding the Framework 
and other privacy programs when these are the basis for the 
underlying FTC action.
    The FTC's cases enforcing the original Safe Harbor program are 
instructive. In the 36 cases involving false or deceptive claims of 
Safe Harbor certification, each order prohibits the defendant from 
misrepresenting its participation in Safe Harbor or any other 
privacy or security program and requires the company to make 
compliance reports available to the FTC. In cases that involved 
violations of Safe Harbor Privacy Principles, companies have been 
required to implement comprehensive privacy programs and obtain 
independent third-party assessments of those programs every other 
year for twenty years, which they must provide to the FTC.
    Violations of the FTC's administrative orders can lead to civil 
penalties of up to $16,000 per violation, or $16,000 per day for a 
continuing violation,\26\ which, in the case of practices affecting 
many consumers, can amount to millions of dollars. Each consent 
order also has reporting and compliance provisions. The entities 
under order must retain documents demonstrating their compliance for 
a specified number of years. The orders must also be disseminated to 
employees responsible for ensuring order compliance.
---------------------------------------------------------------------------

    \26\ 15 U.S.C. 45(m); 16 CFR 1.98.
---------------------------------------------------------------------------

    The FTC systematically monitors compliance with Safe Harbor 
orders, as it does with all of its orders. The FTC takes enforcement 
of its privacy and data security orders seriously and brings actions 
to enforce them when necessary. For example, as noted above, Google 
paid a $22.5 million civil penalty to resolve allegations it had 
violated its FTC order. Importantly, FTC orders will continue to 
protect all consumers worldwide who interact with a business, not 
just those consumers who have lodged complaints.
    Finally, the FTC will continue to maintain an online list of 
companies subject to orders obtained in connection with enforcement 
of both the Safe Harbor program and the new Privacy Shield 
Framework.\27\ In addition, the Privacy Shield Principles now 
require companies subject to an FTC or court order based on non-
compliance with the Principles

[[Page 51062]]

to make public any relevant Framework-related sections of any 
compliance or assessment report submitted to the FTC, to the extent 
consistent with confidentiality laws and rules.
---------------------------------------------------------------------------

    \27\ See FTC, Business Center, Legal Resources, https://www.ftc.gov/tips-advice/business-center/legal- 
resources?type=case&field consumer protection topics tid=251.
---------------------------------------------------------------------------

V. Engagement With EU DPAs and Enforcement Cooperation

    The FTC recognizes the important role that EU DPAs play with 
respect to Framework compliance and encourages increased 
consultation and enforcement cooperation. In addition to any 
consultation with referring DPAs on case-specific matters, the FTC 
commits to participate in periodic meetings with designated 
representatives of the Article 29 Working Party to discuss in 
general terms how to improve enforcement cooperation with respect to 
the Framework. The FTC will also participate, along with the 
Department of Commerce, the European Commission, and Article 29 
Working Party representatives, in the annual review of the Framework 
to discuss its implementation.
    The FTC also encourages the development of tools that will 
enhance enforcement cooperation with EU DPAs, as well as other 
privacy enforcement authorities around the world. In particular, the 
FTC, along with enforcement partners in the European Union and 
around the globe, last year launched an alert system within the 
Global Privacy Enforcement Network (``GPEN'') to share information 
about investigations and promote enforcement coordination. This GPEN 
Alert tool could be particularly useful in the context of the 
Privacy Shield Framework. The FTC and EU DPAs could use it to 
coordinate with respect to the Framework and other privacy 
investigations, including as a starting point for sharing 
information in order to deliver coordinated and more effective 
privacy protection for consumers. We look forward to continuing to 
work with participating EU authorities to deploy the GPEN Alert 
system more broadly and develop other tools to improve enforcement 
cooperation in privacy cases, including those involving the 
Framework.
    * * *
    The FTC is pleased to affirm its commitment to enforcing the new 
Privacy Shield Framework. We also look forward to continuing 
engagement with our EU colleagues as we work together to protect 
consumer privacy on both sides of the Atlantic.

Sincerely,

Edith Ramirez, Chairwoman

Attachment A

The EU-U.S. Privacy Shield Framework in Context: An Overview of the 
U.S. Privacy and Security Landscape

    The protections provided by the EU-U.S. Privacy Shield Framework 
(the ``Framework'') exist in the context of the broader privacy 
protections afforded under the U.S. legal system as a whole. First, 
the U.S. Federal Trade Commission (``FTC'') has a robust privacy and 
data security program for U.S. commercial practices that protects 
consumers worldwide. Second, the landscape of consumer privacy and 
security protection in the United States has evolved substantially 
since 2000 when the original U.S.-EU Safe Harbor program was 
adopted. Since that time, many federal and state privacy and 
security laws have been enacted, and public and private litigation 
to enforce privacy rights has increased significantly. The broad 
scope of U.S. legal protections for consumer privacy and security 
applicable to commercial data practices complements the protections 
provided to EU individuals by the new Framework.

I. The FTC's General Privacy and Security Enforcement Program

    The FTC is the leading U.S. consumer protection agency focused 
on commercial sector privacy. The FTC has authority to prosecute 
unfair and deceptive acts or practices that violate consumer 
privacy, as well as to enforce more targeted privacy laws that 
protect certain financial and health information, information about 
children, and information used to make certain eligibility decisions 
about consumers.
    The FTC has unparalleled experience in consumer privacy 
enforcement. The FTC's enforcement actions have addressed unlawful 
practices in offline and online environments. For example, the FTC 
has brought enforcement actions against well-known companies, such 
as Google, Facebook, Twitter, Microsoft, Wyndham, Oracle, HTC, and 
Snapchat, as well as lesser-known companies. The FTC has sued 
businesses that allegedly spammed consumers, installed spyware on 
computers, failed to secure consumers' personal information, 
deceptively tracked consumers online, violated children's privacy, 
unlawfully collected information on consumers' mobile devices, and 
failed to secure Internet-connected devices used to store personal 
information. The resulting orders have typically provided for 
ongoing monitoring by the FTC for a period of twenty years, 
prohibited further law violations, and subjected the businesses to 
substantial financial penalties for order violations.\1\ 
Importantly, FTC orders do not just protect the individuals who may 
have complained about a problem; rather, they protect all consumers 
dealing with the business going forward. In the cross-border 
context, the FTC has jurisdiction to protect consumers worldwide 
from practices taking place in the United States.\2\
---------------------------------------------------------------------------

    \1\ Any entity that fails to comply with an FTC order is subject 
to a civil penalty of up to $16,000 per violation, or $16,000 per 
day for a continuing violation. See 15 U.S.C. 45(l); 16 CFR 1.98(c).
    \2\ Congress has expressly affirmed the FTC's authority to seek 
legal remedies, including restitution, for any acts or practices 
involving foreign commerce that (1) cause or are likely to cause 
reasonably foreseeable injury in the United States, or (2) involve 
material conduct occurring within the United States. See 15 U.S.C. 
45(a)(4).
---------------------------------------------------------------------------

    To date, the FTC has brought over 130 spam and spyware cases, 
over 120 ``Do Not Call'' telemarketing cases, over 100 Fair Credit 
Reporting Act actions, almost 60 data security cases, more than 50 
general privacy actions, almost 30 cases for violations of the 
Gramm-Leach-Bliley Act, and over 20 actions enforcing the Children's 
Online Privacy Protection Act (``COPPA'').\3\ In addition to these 
cases, the FTC has also issued and publicized warning letters.\4\
---------------------------------------------------------------------------

    \3\ In some instances, the Commission's privacy and data 
security cases allege that a company engaged in both deceptive and 
unfair practices; these cases also sometimes involve alleged 
violations of multiple statues, such as the Fair Credit Reporting 
Act, the Gramm-Leach-Bliley Act, and COPPA.
    \4\ See, e.g., Press Release, Fed. Trade Comm'n, FTC Warns 
Children's App Maker BabyBus About Potential COPPA Violations (Dec. 
22, 2014), https://www.ftc.gov/news-events/press-releases/2014/12/ftc-warns-childrens-app-maker-babybus-about-potential-coppa; Press 
Release, Fed. Trade Comm'n, FTC Warns Data Broker Operations of 
Possible Privacy Violations (May 7, 2013), https://www.ftc.gov/news-events/press-releases/2013/05/ftc-warns-data-broker-operations-possible-privacy-violations; Press Release, Fed. Trade Comm'n, FTC 
Warns Data Brokers That Provide Tenant Rental Histories They May Be 
Subject to Fair Credit Reporting Act (Apr. 3, 2013), https://www.ftc.gov/news-events/press-releases/2013/04/ftc-warns-data-brokers-provide-tenant-rental-histories-they-may.
---------------------------------------------------------------------------

    As part of its history of strong privacy enforcement, the FTC 
has also regularly looked for potential violations of the Safe 
Harbor program. Since the Safe Harbor program was adopted, the FTC 
has undertaken numerous investigations into Safe Harbor compliance 
on its own initiative and has brought 39 cases against U.S. 
companies for Safe Harbor violations. The FTC will continue this 
proactive approach by making enforcement of the new Framework a 
priority.

II. Federal and State Protections for Consumer Privacy

    The Safe Harbor Enforcement Overview, which appears as an annex 
to the European Commission's Safe Harbor adequacy decision, provides 
a summary of many of the federal and state privacy laws in place at 
the time the Safe Harbor program was adopted in 2000.\5\ At that 
time, many federal statutes regulated the commercial collection and 
use of personal information, beyond Section 5 of the FTC Act, 
including: the Cable Communications Policy Act, the Driver's Privacy 
Protection Act, the Electronic Communications Privacy Act, the 
Electronic Funds Transfer Act, the Fair Credit Reporting Act, the 
Gramm-Leach-Bliley Act, the Right to Financial Privacy Act, the 
Telephone Consumer Protection Act, and the Video Privacy Protection 
Act. Many states had analogous laws in these areas as well.
---------------------------------------------------------------------------

    \5\ See U.S. Dep't of Commerce, Safe Harbor Enforcement 
Overview, https://build.export.gov/main/safeharbor/eu/eg main 
018481.
---------------------------------------------------------------------------

    Since 2000, there have been numerous developments at both the 
federal and state level that provide additional consumer privacy 
protections.\6\ At the federal level, for example, the FTC amended 
the COPPA Rule in 2013 to provide a number of additional protections 
for children's personal information. The FTC also issued two rules 
implementing the Gramm-Leach-Bliley Act--the Privacy Rule and the 
Safeguards Rule--

[[Page 51063]]

which require financial institutions \7\ to make disclosures about 
their information sharing practices and to implement a comprehensive 
information security program to protect consumer information.\8\ 
Similarly, the Fair and Accurate Credit Transactions Act 
(``FACTA''), enacted in 2003, supplements longstanding U.S. credit 
laws to establish requirements for the masking, sharing, and 
disposal of certain sensitive financial data. The FTC promulgated a 
number of rules under FACTA regarding, among other things, 
consumers' right to a free annual credit report; secure disposal 
requirements for consumer report information; consumers' right to 
opt out of receiving certain offers of credit and insurance; 
consumers' right to opt out of the use of information provided by an 
affiliated company to market its products and services; and 
requirements for financial institutions and creditors to implement 
identity theft detection and prevention programs.\9\ In addition, 
rules promulgated under the Health Insurance Portability and 
Accountability Act were revised in 2013, adding additional 
safeguards to protect the privacy and security of personal health 
information.\10\ Rules protecting consumers from unwanted 
telemarketing calls, robocalls, and spam have also gone into effect. 
Congress has also enacted laws requiring certain companies that 
collect health information to provide consumers with notification in 
the event of a breach.\11\
---------------------------------------------------------------------------

    \6\ For a more comprehensive summary of the legal protections in 
the United States, see Daniel J. Solove & Paul Schwartz, Information 
Privacy Law (5th ed. 2015).
    \7\ Financial institutions are defined very broadly under the 
Gramm-Leach-Bliley Act to include all businesses that are 
``significantly engaged'' in providing financial products or 
services. This includes, for example, check-cashing businesses, 
payday lenders, mortgage brokers, nonbank lenders, personal property 
or real estate appraisers, and professional tax preparers.
    \8\ Under the Consumer Financial Protection Act of 2010 
(``CFPA''), Title X of Pub. L. 111-203, 124 Stat. 1955 (July 21, 
2010) (also known as the ``Dodd-Frank Wall Street Reform and 
Consumer Protection Act''), most of the FTC's Gramm-Leach-Bliley Act 
rulemaking authority was transferred to the Consumer Financial 
Protection Bureau (``CFPB''). The FTC retains enforcement authority 
under the Gramm-Leach-Bliley Act as well as rulemaking authority for 
the Safeguards Rule and limited rulemaking authority under the 
Privacy Rule with respect to auto dealers.
    \9\ Under the CFPA, the Commission shares its FCRA enforcement 
role with the CFPB, but rulemaking authority transferred in large 
part to the CFPB (with the exception of the Red Flags and Disposal 
Rules).
    \10\ See 45 CFR parts 160, 162, and 164.
    \11\ See e.g., American Recovery & Reinvestment Act of 2009, 
Pub. L. No. 111-5, 123 Stat. 115 (2009) and relevant regulations, 45 
CFR 16.404-164.414; 16 CFR part 318.
---------------------------------------------------------------------------

    States have also been very active in passing laws related to 
privacy and security. Since 2000, forty-seven states, the District 
of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted 
laws requiring businesses to notify individuals of security breaches 
of personal information.\12\ At least thirty-two states and Puerto 
Rico have data disposal laws, establishing requirements for the 
destruction or disposal of personal information.\13\ A number of 
states also have enacted general data security laws. In addition, 
California has enacted various privacy laws, including a law 
requiring companies to have privacy policies and disclose their Do 
Not Track practices,\14\ a ``Shine the Light'' law requiring greater 
transparency for data brokers,\15\ and a law that mandates an 
``eraser button'' allowing minors to request the deletion of certain 
social media information.\16\ Using these laws and other 
authorities, federal and state governments have levied significant 
fines against companies that have failed to protect the privacy and 
security of consumers' personal information.\17\
---------------------------------------------------------------------------

    \12\ See, e.g., National Conference of State Legislatures 
(``NCSL''), State Security Breach Notification Laws (Jan. 4, 2016), 
available at https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
    \13\ NCSL, Data Disposal Laws (Jan. 12, 2016), available at 
https://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx.
    \14\ Cal. Bus. & Professional Code sections 22575-22579.
    \15\ Cal. Civ. Code sections 1798.80-1798.84.
    \16\ Cal. Bus. & Professional Code sections 22580-22582.
    \17\ See Jay Cline, U.S. Takes the Gold in Doling Out Privacy 
Fines, Computerworld (Feb. 17, 2014), available at https://www.computerworld.com/s/article/9246393/Jay Cline U.S. takes the 
gold in doling out privac y fines?taxonomyId=17&pageNumber=1.
---------------------------------------------------------------------------

    Private lawsuits have also led to successful judgments and 
settlements that provide additional privacy and data security 
protection for consumers. For example, in 2015, Target agreed to pay 
$10 million as part of a settlement with customers who claimed their 
personal financial information was compromised by a widespread data 
breach. In 2013, AOL agreed to pay a $5 million settlement to 
resolve a class action involving alleged inadequate de-
identification related to the release of search queries of hundreds 
of thousands of AOL members. Additionally, a federal court approved 
a $9 million payment by Netflix for allegedly keeping rental history 
records in violation of the Video Privacy Protection Act of 1988. 
Federal courts in California approved two separate settlements with 
Facebook, one for $20 million and another for $9.5 million, 
involving the company's collection, use, and sharing of its users' 
personal information. And, in 2008, a California state court 
approved a $20 million settlement with LensCrafters for unlawful 
disclosure of consumers' medical information.
    In sum, as this summary illustrates, the United States provides 
significant legal protection for consumer privacy and security. The 
new Privacy Shield Framework, which ensures meaningful safeguards 
for EU individuals, will operate against this larger backdrop in 
which the protection of consumers' privacy and security continues to 
be an important priority.

Letter From U.S. Secretary of Transportation Anthony Foxx

February 19, 2016
Commissioner Vera Jourov[aacute]
European Commission
Rue de la LoiI Wetstraat 200
1 049 l 049 Brussels
Belgium

Re: EU-U.S. Privacy Shield Framework

Dear Commissioner Jourov[aacute]:
    The United States Department of Transportation (``Department'' 
or ``DOT'') appreciates the opportunity to describe its role in 
enforcing the EU-U.S. Privacy Shield Framework. This Framework plays 
a critical role in protecting personal data provided during 
commercial transactions in an increasingly interconnected world. It 
enables businesses to conduct important operations in the global 
economy, while at the same time ensuring that EU consumers retain 
important privacy protections.
    The DOT first publicly expressed its commitment to enforcement 
of the Safe Harbor Framework in a letter sent to the European 
Commission over 15 years ago. The DOT pledged to vigorously enforce 
the Safe Harbor Privacy Principles in that letter. The DOT continues 
to uphold this commitment and this letter memorializes that 
commitment.
    Notably, the DOT renews its commitment in the following key 
areas: (1) Prioritization of investigation of alleged Privacy Shield 
violations; (2) appropriate enforcement action against entities 
making false or deceptive Privacy Shield certification claims; and 
(3) monitoring and making public enforcement orders concerning 
Privacy Shield violations. We provide information about each of 
these commitments and, for necessary context, pertinent background 
about the DOT's role in protecting consumer privacy and enforcing 
the Privacy Shield Framework.

I. Background

A. DOT's Privacy Authority

    The Department is strongly committed to ensuring the privacy of 
information provided by consumers to airlines and ticket agents. The 
DOT's authority to take action in this area is found in 49 U.S.C. 
41712, which prohibits a carrier or ticket agent from engaging in 
``an unfair or deceptive practice or an unfair method of 
competition'' in the sale of air transportation that results or is 
likely to result in consumer harm. Section 41712 is patterned after 
Section 5 of the Federal Trade Commission (FTC) Act (15 U.S.C. 45). 
We interpret our unfair or deceptive practice statute as prohibiting 
an airline or ticket agent from: (1) Violating the terms of its 
privacy policy; or (2) gathering or disclosing private information 
in a way that violates public policy, is immoral, or causes 
substantial consumer injury not offset by any countervailing 
benefits. We also interpret section 41712 as prohibiting carriers 
and ticket agents from: (l) violating any rule issued by the 
Department that identifies specific privacy practices as unfair or 
deceptive; or (2) violating the Children's Online Privacy Protection 
Act (COPPA) or FTC rules implementing COPPA. Under federal law, the 
DOT has exclusive authority to regulate the privacy practices of 
airlines, and it shares jurisdiction with the FTC with respect to 
the privacy practices of ticket agents in the sale of air 
transportation.
    As such, once a carrier or seller of air transportation publicly 
commits to the

[[Page 51064]]

Privacy Shield Framework's privacy principles the Department is able 
to use the statutory powers of section 41712 to ensure compliance 
with those principles. Therefore, once a passenger provides 
information to a carrier or ticket agent that has committed to 
honoring the Privacy Shield Framework's privacy principles, any 
failure to do so by the carrier or ticket agent would be a violation 
of section 41712.

B. Enforcement Practices

    The Department's Office of Aviation Enforcement and Proceedings 
(Aviation Enforcement Office) investigates and prosecutes cases 
under 49 U.S.C. 41712. It enforces the statutory prohibition in 
section 41712 against unfair and deceptive practices primarily 
through negotiation, preparing cease and desist orders, and drafting 
orders assessing civil penalties. The office learns of potential 
violations largely from complaints it receives from individuals, 
travel agents, airlines, and U.S. and foreign government agencies. 
Consumers may use the DOT's Web site to file privacy complaints 
against airlines and ticket agents.\1\
---------------------------------------------------------------------------

    \1\ https://www.transportation.gov/airconsumer/privacy-complaints.
---------------------------------------------------------------------------

    If a reasonable and appropriate settlement in a case is not 
reached, the Aviation Enforcement Office has the authority to 
institute an enforcement proceeding involving an evidentiary hearing 
before a DOT administrative law judge (ALJ). The ALJ has the 
authority to issue cease-and desist orders and civil penalties. 
Violations of section 41712 can result in the issuance of cease and 
desist orders and the imposition of civil penalties of up to $27,500 
for each violation of section 41712.
    The Department does not have the authority to award damages or 
provide pecuniary relief to individual complainants. However, the 
Department does have the authority to approve settlements resulting 
from investigations brought by its Aviation Enforcement Office that 
directly benefit consumers (e.g., cash, vouchers) as an offset to 
monetary penalties otherwise payable to the U.S. Government. This 
has occurred in the past, and may also occur in the context of the 
Privacy Shield Framework principles when circumstances warrant. 
Repeated violations of section 41712 by an airline would also raise 
questions regarding the airline's compliance disposition which 
could, in egregious situations, result in an airline being found to 
be no longer fit to operate and, therefore, losing its economic 
operating authority.
    To date, the DOT has received relatively few complaints 
involving alleged privacy violations by ticket agents or airlines. 
When they arise, they are investigated according to the principles 
set forth above.

C. DOT Legal Protections Benefiting EU Consumers

    Under section 41712, the prohibition on unfair or deceptive 
practices in air transportation or the sale of air transportation 
applies to U.S. and foreign air carriers as well as ticket agents. 
The DOT frequently takes action against U.S. and foreign airlines 
for practices that affect both foreign and U.S. consumers on the 
basis that the airline's practices took place in the course of 
providing transportation to or from the United States. The DOT does 
and will continue to use all remedies that are available to protect 
both foreign and U.S. consumers from unfair or deceptive practices 
in air transportation by regulated entities.
    The DOT also enforces, with respect to airlines, other targeted 
laws whose protections extend to non-U.S. consumers such as COPPA. 
Among other things, COPPA requires that operators of child-directed 
Web sites and online services, or general audience sites that 
knowingly collect personal information from children under 13 
provide parental notice and obtain verifiable parental consent. 
U.S.-based Web sites and services that are subject to COPPA and 
collect personal information from foreign children are required to 
comply with COPPA. Foreign-based Web sites and online services must 
also comply with COPPA if they are directed to children in the 
United States, or if they knowingly collect personal information 
from children in the United States. To the extent that U.S. or 
foreign airlines doing business in the United States violate COPPA, 
the DOT would have jurisdiction to take enforcement action.

II. Privacy Shield Enforcement

    If an airline or ticket agent chooses to participate in the 
Privacy Shield Framework and the Department receives a complaint 
that such an airline or ticket agent had allegedly violated the 
Framework, the Department would take the following steps to 
vigorously enforce the Framework.

A. Prioritizing Investigation of Alleged Violations

    The Department's Aviation Enforcement Office will investigate 
each complaint alleging Privacy Shield violations (including 
complaints received from EU Data Protection Authorities) and take 
enforcement action where there is evidence of a violation. Further, 
the Aviation Enforcement Office will cooperate with the FTC and 
Department of Commerce and give priority consideration to 
allegations that the regulated entities are not complying with 
privacy commitments made as part of the Privacy Shield Framework.
    Upon receipt of an allegation of a violation of the Privacy 
Shield Framework, the Department's Aviation Enforcement Office may 
take a range of actions as part of its investigation. For example, 
it may review the ticket agent or airline's privacy policies, obtain 
further information from the ticket agent or airline or from third 
parties, follow up with the referring entity, and assess whether 
there is a pattern of violations or significant number of consumers 
affected. In addition, it would determine whether the issue 
implicates matters within the purview of the Department of Commerce 
or FTC, assess whether consumer education and business education 
would be helpful, and as appropriate, initiate an enforcement 
proceeding.
    If the Department becomes aware of potential Privacy Shield 
violations by ticket agents, it will coordinate with the FTC on the 
matter. We will also advise the FTC and the Department of Commerce 
of the outcome of any Privacy Shield enforcement action.

B. Addressing False or Deceptive Membership Claims

    The Department remains committed to investigating Privacy Shield 
violations, including false or deceptive claims of membership in the 
Privacy Shield Program. We will give priority consideration to 
referrals from the Department of Commerce regarding organizations 
that it identifies as improperly holding themselves out to be 
current members of Privacy Shield or using the Privacy Shield 
Framework certification mark without authorization.
    In addition, we note that if an organization's privacy policy 
promises that it complies with the substantive Privacy Shield 
principles, its failure to make or maintain a registration with the 
Department of Commerce likely will not, by itself, excuse the 
organization from DOT enforcement of those commitments.

C. Monitoring and Making Public Enforcement Orders Concerning 
Privacy Shield Violations

    The Department's Aviation Enforcement Office also remains 
committed to monitoring enforcement orders as needed to ensure 
compliance with the Privacy Shield program. Specifically, if the 
office issues an order directing an airline or ticket agent to cease 
and desist from future violations of Privacy Shield and section 
41712, it will monitor the entity's compliance with the cease-and-
desist provision in the order. In addition, the office will ensure 
that orders resulting from Privacy Shield cases are available on its 
Web site.
    We look forward to our continued work with our federal partners 
and EU stakeholders on Privacy Shield matters.
    I hope that this information proves helpful. If you have any 
questions or need further information, please feel free to contact 
me.

Sincerely,
Anthony R. Foxx
Secretary of Transportation

Letter From General Counsel Robert Litt, Office of the Director of 
National Intelligence

Mr. Justin S. Antonipillai
Counselor
U.S. Department of Commerce
1401 Constitution Ave. NW.
Washington, DC 20230
Mr. Ted Dean
Deputy Assistant Secretary
International Trade Administration
1401 Constitution Ave. NW.
Washington, DC 20230
Dear Mr. Antonipillai and Mr. Dean:
    Over the last two and a half years, in the context of 
negotiations for the EU-U.S. Privacy Shield, the United States has 
provided substantial information about the operation of U.S. 
Intelligence Community signals intelligence collection activity. 
This has included information about the governing legal framework, 
the multi-layered oversight of those activities, the extensive 
transparency about those activities, and the overall protections for 
privacy and civil liberties, in order to assist the European

[[Page 51065]]

Commission in making a determination about the adequacy of those 
protections as they relate to the national security exception to the 
Privacy Shield principles. This document summarizes the information 
that has been provided.

I. PPD-28 and the Conduct of U.S. Signals Intelligence Activity

    The U.S. Intelligence Community collects foreign intelligence in 
a carefully controlled manner, in strict accordance with U.S. laws 
and subject to multiple layers of oversight, focusing on important 
foreign intelligence and national security priorities. A mosaic of 
laws and policies governs U.S. signals intelligence collection, 
including the U.S. Constitution, the Foreign Intelligence 
Surveillance Act (50 U.S.C. 1801 et seq.) (FISA), Executive Order 
12333 and its implementing procedures, Presidential guidance, and 
numerous procedures and guidelines, approved by the FISA Court and 
the Attorney General, that establish additional rules limiting the 
collection, retention, use, and dissemination of foreign 
intelligence information.\2\
---------------------------------------------------------------------------

    \2\ Further information concerning U.S. foreign intelligence 
activities is posted online and publicly accessible through IC on 
the Record (www.icontherecord.tumbir.com), the ODNI's public website 
dedicated to fostering greater public visibility into the 
intelligence activities of the government.
---------------------------------------------------------------------------

a. PPD 28 Overview

    In January 2014, President Obama gave a speech outlining various 
reforms to U.S. signals intelligence activities, and issued 
Presidential Policy Directive 28 (PPD-28) concerning those 
activities.\3\ The President emphasized that U.S. signals 
intelligence activities help secure not only our country and our 
freedoms, but also the security and freedoms of other countries, 
including EU Member States, that rely on the information U.S. 
intelligence agencies obtain to protect their own citizens.
---------------------------------------------------------------------------

    \3\ Available at https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities.
---------------------------------------------------------------------------

    PPD-28 sets out a series of principles and requirements that 
apply to all U.S. signals intelligence activities and for all 
people, regardless of nationality or location. In particular, it 
sets certain requirements for procedures to address the collection, 
retention, and dissemination of personal information about non-U.S. 
persons acquired pursuant to U.S. signals intelligence. These 
requirements are set forth in more detail below, but in summary:
     The PPD reiterates that the United States collects 
signals intelligence only as authorized by statute, executive order, 
or other Presidential directive.
     The PPD establishes procedures to ensure that signals 
intelligence activity is conducted only in furtherance of legitimate 
and authorized national security purposes.
     The PPD also requires that privacy and civil liberties 
be integral concerns in the planning of signals intelligence 
collection activities. In particular, the United States does not 
collect intelligence to suppress or burden criticism or dissent; in 
order to disadvantage persons based on their ethnicity, race, 
gender, sexual orientation, or religion; or to afford a competitive 
commercial advantage to U.S. companies and U.S. business sectors.
     The PPD directs that signals intelligence collection be 
as tailored as feasible and that signals intelligence collected in 
bulk can only be used for specific enumerated purposes.
     The PPD directs that the Intelligence Community adopt 
procedures ``reasonably designed to minimize the dissemination and 
retention of personal information collected from signals 
intelligence activities,'' and in particular extending certain 
protections afforded to the personal information of U.S. persons to 
non-US person information.
     Agency procedures implementing PPD-28 have been adopted 
and made public.
    The applicability of the procedures and protections set out 
herein to the Privacy Shield is clear. When data has been 
transferred to corporations in the United States pursuant to the 
Privacy Shield, or indeed by any means, U.S. intelligence agencies 
can seek that data from those corporations only if the request 
complies with FISA or is made pursuant to one of the National 
Security Letter statutory provisions, which are discussed below.\4\ 
In addition, without confirming or denying media reports alleging 
that the U.S. Intelligence Community collects data from 
transatlantic cables while it is being transmitted to the United 
States, were the U.S. Intelligence Community to collect data from 
transatlantic cables, it would do so subject to the limitations and 
safeguards set out herein, including the requirements of PPD-28.
---------------------------------------------------------------------------

    \4\ Law enforcement or regulatory agencies may request 
information from corporations for investigative purposes in the 
United States pursuant to other criminal, civil, and regulatory 
authorities that are beyond the scope of this paper, which is 
limited to national security authorities.
---------------------------------------------------------------------------

b. Collection Limitations

    PPD-28 sets out a number of important general principles that 
govern the collection of signals intelligence:
     The collection of signals intelligence must be 
authorized by statute or Presidential authorization, and must be 
undertaken in accordance with the Constitution and law.
     Privacy and civil liberties must be integral 
considerations in planning signals intelligence activities.
     Signals intelligence will be collected only when there 
is a valid foreign intelligence or counterintelligence purpose.
     The United States will not collect signals intelligence 
for the purpose of suppressing or burdening criticism or dissent.
     The United States will not collect signals intelligence 
to disadvantage people based on their ethnicity, race, gender, 
sexual orientation, or religion.
     The United States will not collect signals intelligence 
to afford a competitive commercial advantage to U.S. companies and 
business sectors.
     U.S. signals intelligence activity must always be as 
tailored as feasible, taking into account the availability of other 
sources of information. This means, among other things, that 
whenever practicable, signals intelligence collection activities are 
conducted in a targeted manner rather than in bulk.
    The requirement that signals intelligence activity be ``as 
tailored as feasible'' applies to the manner in which signals 
intelligence is collected, as well as to what is actually collected. 
For example, in determining whether to collect signals intelligence, 
the Intelligence Community must consider the availability of other 
information, including diplomatic or public sources, and prioritize 
collection through those means, where appropriate and feasible. 
Moreover, Intelligence Community element policies should require 
that wherever practicable, collection should be focused on specific 
foreign intelligence targets or topics through the use of 
discriminants (e.g., specific facilities, selection terms and 
identifiers).
    It is important to view the information provided to the 
Commission as a whole. Decisions about what is ``feasible'' or 
``practicable'' are not left to the discretion of individuals but 
are subject to the policies that agencies have issued under PPD-28--
which have been made publicly available--and to the other processes 
described therein.\5\ As PPD-28 says, bulk collection of signals 
intelligence is collection that ``due to technical or operational 
considerations, is acquired without the use of discriminants (e.g., 
specific identifiers, selection terms, etc.).'' In this respect, 
PPD-28 recognizes that Intelligence community elements must collect 
bulk signals intelligence in certain circumstances in order to 
identify new or emerging threats and other vital national security 
information that is often hidden within the large and complex system 
of modern global communications. It also recognizes the privacy and 
civil liberties concerns raised when bulk signals intelligence is 
collected. PPD-28 therefore directs the Intelligence Community to 
prioritize alternatives that would allow the conduct of targeted 
signals intelligence rather than bulk signals intelligence 
collection. Accordingly, Intelligence Community elements should 
conduct targeted signals intelligence collection activities rather 
than bulk signal intelligence collection activities whenever 
practicable.\6\ These principles ensure that the exception for bulk 
collection will not swallow the general rule.
---------------------------------------------------------------------------

    \5\ Available at www.icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties#ppd-28. These procedures implement the 
targeting and tailoring concepts discussed in this letter in a 
manner specific to each IC element.
    \6\ To cite but one example, the NSA's procedures implementing 
PPD-28 state that ``[w]henever practicable, collection will occur 
through the use of one or more selection terms in order to focus the 
collection on specific foreign intelligence targets (e.g., a 
specific, known international terrorist or terrorist group) or 
specific foreign intelligence topics (e.g., the proliferation of 
weapons of mass destruction by a foreign power or its agents).''
---------------------------------------------------------------------------

    As for the concept of ``reasonableness,'' it is a bedrock 
principle of U.S. law. It signifies that Intelligence Community 
elements will not be required to adopt any measure theoretically 
possible, but rather will have to balance their efforts to protect 
legitimate

[[Page 51066]]

privacy and civil liberties interests with the practical necessities 
of signals intelligence activities. Here again, the agencies' 
policies have been made available, and can provide assurance that 
the term ``reasonably designed to minimize the dissemination and 
retention of personal information'' does not undermine the general 
rule.
    PPD-28 also provides that signals intelligence collected in bulk 
can only be used for six specific purposes: Detecting and countering 
certain activities of foreign powers; counterterrorism; counter-
proliferation; cybersecurity; detecting and countering threats to 
U.S. or allied armed forces; and combating transnational criminal 
threats, including sanctions evasion. The President's National 
Security Advisor, in consultation with the Director for National 
Intelligence (DNI), will annually review these permissible uses of 
signals intelligence collected in bulk to see whether they should be 
changed. The DNI will make this list publicly available to the 
maximum extent feasible, consistent with national security. This 
provides an important and transparent limitation on the use of bulk 
signals intelligence collection.
    Additionally, the Intelligence Community elements implementing 
PPD-28 have reinforced existing analytic practices and standards for 
querying unevaluated signals intelligence.\7\ Analysts must 
structure their queries or other search terms and techniques to 
ensure that they are appropriate to identify intelligence 
information relevant to a valid foreign intelligence or law 
enforcement task. To that end, IC elements must focus queries about 
persons on the categories of signals intelligence information 
responsive to a foreign intelligence or law enforcement requirement, 
so as to prevent the use of personal information not pertinent to 
foreign intelligence or law enforcement requirements.
---------------------------------------------------------------------------

    \7\ Available at https://www.dni.gov/files/documents/1017/PPD-28_Status_Report_Oct_2014.pdf.
---------------------------------------------------------------------------

    It is important to emphasize that any bulk collection activities 
regarding Internet communications that the U.S. Intelligence 
Community performs through signals intelligence operate on a small 
proportion of the Internet. Additionally, the use of targeted 
queries, as described above, ensures that only those items believed 
to be of potential intelligence value are ever presented for 
analysts to examine. These limits are intended to protect the 
privacy and civil liberties of all persons, whatever their 
nationality and regardless of where they might reside.
    The United States has elaborate processes to ensure that signals 
intelligence activities are conducted only in furtherance of 
appropriate national security purposes. Each year the President sets 
the nation's highest priorities for foreign intelligence collection 
after an extensive, formal interagency process. The DNI is 
responsible for translating these intelligence priorities into the 
National Intelligence Priorities Framework, or NIPF. PPD-28 
strengthened and enhanced the interagency process to ensure that all 
of the IC's intelligence priorities are reviewed and approved by 
high-level policymakers. Intelligence Community Directive (ICD) 204 
provides further guidance on the NIPF and was updated in January 
2015 to incorporate the requirements of PPD-28.\8\ Although the NIPF 
is classified, information related to specific U.S. foreign 
intelligence priorities is reflected annually in the DNI's 
unclassified Worldwide Threat Assessment, which is also readily 
available on the ODNI Web site.
---------------------------------------------------------------------------

    \8\ Available at https://www.dni.gov/files/documents/ICD/ICD%20204%20National%20Intelligence%20Priorities%20Framework.pdf.
---------------------------------------------------------------------------

    The priorities in the NIPF are at a fairly high level of 
generality. They include topics such as the pursuit of nuclear and 
ballistic missile capabilities by particular foreign adversaries, 
the effects of drug cartel corruption, and human rights abuses in 
specific countries. And they apply not just to signals intelligence, 
but to all intelligence activities. The organization that is 
responsible for translating the priorities in the NIPF into actual 
signals intelligence collection is called the National Signals 
Intelligence Committee, or SIGCOM. It operates under the auspices of 
the Director of the National Security Agency (NSA), who is 
designated by Executive Order 12333 as the ``functional manager for 
signals intelligence,'' responsible for overseeing and coordinating 
signals intelligence across the Intelligence Community under the 
oversight of both the Secretary of Defense and the DNI. The SIGCOM 
has representatives from all elements of the IC and, as the United 
States fully implements PPD-28, also will have full representation 
from other departments and agencies with a policy interest in 
signals intelligence.
    All U.S. departments and agencies that are consumers of foreign 
intelligence submit their requests for collection to the SIGCOM. The 
SIGCOM reviews those requests, ensures that they are consistent with 
the NIPF, and assigns them priorities using criteria such as:
     Can signals intelligence provide useful information in 
this case, or are there better or more cost-effective sources of 
information to address the requirement, such as imagery or open 
source information?
     How critical is this information need? If it is a high 
priority in the NIPF, it will most often be a high signal 
intelligence priority.
     What type of signals intelligence could be used?
     Is the collection as tailored as feasible? Should there 
be time, geographic, or other limitations?
    The U.S. signals intelligence requirements process also requires 
explicit consideration of other factors, namely:
     Is the target of the collection, or the methodology 
used to collect, particularly sensitive? If so, it will require 
review by senior policymakers.
     Will the collection present an unwarranted risk to 
privacy and civil liberties, regardless of nationality?
     Are additional dissemination and retention safeguards 
necessary to protect privacy or national security interests?
    Finally, at the end of the process, trained NSA personnel take 
the priorities validated by the SIGCOM and research and identify 
specific selection terms, such as telephone numbers or email 
addresses, which are expected to collect foreign intelligence 
responsive to these priorities. Any selector must be reviewed and 
approved before it is entered into NSA's collection systems. Even 
then, however, whether and when actual collection takes place will 
depend in part on additional considerations such as the availability 
of appropriate collection resources. This process ensures that U.S. 
signals intelligence collection targets reflect valid and important 
foreign intelligence needs. And, of course, when collection is 
conducted pursuant to FISA, NSA and other agencies must follow 
additional restrictions approved by the Foreign Intelligence 
Surveillance Court. In short, neither NSA nor any other U.S. 
intelligence agency decides on its own what to collect.
    Overall, this process ensures that all U.S. intelligence 
priorities are set by senior policymakers who are in the best 
position to identify U.S. foreign intelligence requirements, and 
that those policymakers take into account not only the potential 
value of the intelligence collection but also the risks associated 
with that collection, including the risks to privacy, national 
economic interests, and foreign relations.
    With respect to data transmitted to the United States pursuant 
to the Privacy Shield, although the United States cannot confirm or 
deny specific intelligence methods or operations, the requirements 
of PPD-28 apply to any signals intelligence operations the United 
States conducts, regardless of the type or source of data that is 
being collected. Further, the limitations and safeguards applicable 
to the collection of signals intelligence apply to signals 
intelligence collected for any authorized purpose, including both 
foreign relations and national security purposes.
    The procedures discussed above demonstrate a clear commitment to 
prevent arbitrary and indiscriminate collection of signals 
intelligence information, and to implement--from the highest levels 
of our Government--the principle of reasonableness. PPD-28 and 
agency implementing procedures clarify new and existing limitations 
to and describe with greater specificity the purpose for which the 
United States collects and uses signals intelligence. These should 
provide assurance that signals intelligence activities are and will 
continue to be conducted only to further legitimate foreign 
intelligence goals.

c. Retention and Dissemination Limitations

    Section 4 of PPD-28 requires that each element of the 
Intelligence Community have express limits on the retention and 
dissemination of personal information about non-U.S. persons 
collected by signals intelligence, comparable to the limits for U.S. 
persons. These rules are incorporated into procedures for each IC 
agency that were released in February 2015 and are publicly 
available. To qualify for retention or dissemination as foreign 
intelligence, personal information must relate to an authorized 
intelligence requirement, as determined in the NIPF process 
described

[[Page 51067]]

above; be reasonably believed to be evidence of a crime; or meet one 
of the other standards for retention of U.S. person information 
identified in Executive Order 12333, section 2.3.
    Information for which no such determination has been made may 
not be retained for more than five years, unless the DNI expressly 
determines that continued retention is in the national security 
interests of the United States. Thus, IC elements must delete non-
U.S. person information collected through signals intelligence five 
years after collection, unless, for example, the information has 
been determined to be relevant to an authorized foreign intelligence 
requirement, or if the DNI determines, after considering the views 
of the ODNI Civil Liberties Protection Officer and agency privacy 
and civil liberties officials, that continued retention is in the 
interest of national security.
    In addition, all agency policies implementing PPD-28 now 
explicitly require that information about a person may not be 
disseminated solely because an individual is a non-U.S. person, and 
ODNI has issued a directive to all IC elements \9\ to reflect this 
requirement. Intelligence Community personnel are specifically 
required to consider the privacy interests of non-U.S. persons when 
drafting and disseminating intelligence reports. In particular, 
signals intelligence about the routine activities of a foreign 
person would not be considered foreign intelligence that could be 
disseminated or retained permanently by virtue of that fact alone 
unless it is otherwise responsive to an authorized foreign 
intelligence requirement. This recognizes an important limitation 
and is responsive to European Commission concerns about the breadth 
of the definition of foreign intelligence as set forth in Executive 
Order 12333.
---------------------------------------------------------------------------

    \9\ Intelligence Community Directive (ICD) 203, available at 
https://www.dni.gov/files/documents/ICD/ICD%20203%20Analytic%20Standards.pdf.
---------------------------------------------------------------------------

d. Compliance and Oversight

    The U.S. system of foreign intelligence oversight provides 
rigorous and multi-layered oversight to ensure compliance with 
applicable laws and procedures, including those pertaining to the 
collection, retention, and dissemination of non-U.S. person 
information acquired by signals intelligence as set forth in PPD-28. 
These include:
     The Intelligence Community employs hundreds of 
oversight personnel. NSA alone has over 300 people dedicated to 
compliance, and other elements also have oversight offices. In 
addition, the Department of Justice provides extensive oversight of 
intelligence activities, and oversight is also provided by the 
Department of Defense.
     Each element of the Intelligence Community has its own 
Office of the Inspector General with responsibility for oversight of 
foreign intelligence activities, among other matters. Inspectors 
General are statutorily independent; have broad power to conduct 
investigations, audits and reviews of programs, including of fraud 
and abuse or violation of law; and can recommend corrective actions. 
While Inspector General recommendations are non-binding, the 
Inspector General's reports are often made public, and in any event 
are provided to Congress; this includes follow-up reports in case 
corrective action recommended in previous reports has not yet been 
completed. Congress is therefore informed of any non-compliance and 
can exert pressure, including through budgetary means, to achieve 
corrective action. A number of Inspector General reports about 
intelligence programs have been publicly released.\10\
---------------------------------------------------------------------------

    \10\ See e.g., U.S. Department of Justice Inspector General 
Report ``A Review of the Federal Bureau of Investigation's 
Activities Under Section 702 of the Foreign Intelligence 
Surveillance Act of 2008'' (September 2012), available at https://oig.justice.gov/reports/2016/o1601a.pdf.
---------------------------------------------------------------------------

     ODNI's Civil Liberties and Privacy Office (CLPO) is 
charged with ensuring that the IC operates in a manner that advances 
national security while protecting civil liberties and privacy 
rights.\11\ Other IC elements have their own privacy officers.
---------------------------------------------------------------------------

    \11\ See www.dni.gov/clpo.
---------------------------------------------------------------------------

     The Privacy and Civil Liberties Oversight Board 
(PCLOB), an independent body established by statute, is charged with 
analyzing and reviewing counterterrorism programs and policies, 
including the use of signals intelligence, to ensure that they 
adequately protect privacy and civil liberties. It has issued 
several public reports on intelligence activities.
     As discussed more fully below, the Foreign Intelligence 
Surveillance Court, a court composed of independent federal judges, 
is responsible for oversight and compliance of any signals 
intelligence collection activities conducted pursuant to FISA.
     Finally, the U.S. Congress, specifically the House and 
Senate Intelligence and Judiciary Committees, have significant 
oversight responsibilities regarding all U.S. foreign intelligence 
activities, including U.S. signals intelligence.
    Apart from these formal oversight mechanisms, the Intelligence 
Community has in place numerous mechanisms to ensure that the 
Intelligence Community is complying with the limitations on 
collection described above. For example:
     Cabinet officials are required to validate their 
signals intelligence requirements each year.
     NSA checks signals intelligence targets throughout the 
collection process to determine if they are actually providing 
valuable foreign intelligence responsive to the priorities, and will 
stop collection against targets that are not. Additional procedures 
ensure that selection terms are reviewed periodically.
     Based on a recommendation from an independent Review 
Group appointed by President Obama, the DNI has established a new 
mechanism to monitor the collection and dissemination of signals 
intelligence that is particularly sensitive because of the nature of 
the target or the means of collection, to ensure that it is 
consistent with the determinations of policymakers.
     Finally, ODNI annually reviews the IC's allocation of 
resources against the NIPF priorities and the intelligence mission 
as a whole. This review includes assessments of the value of all 
types of intelligence collection, including signals intelligence, 
and looks both backward--how successful has the IC been in achieving 
its goals?--and forward--what will the IC need in the future? This 
ensures that signals intelligence resources are applied to the most 
important national priorities.
    As evidenced by this comprehensive overview, the Intelligence 
Community does not decide on its own which conversations to listen 
to, try to collect everything, or operate free from scrutiny. Its 
activities are focused on priorities set by policymakers, through a 
process that involves input from across the government, and that is 
overseen both within NSA and by the ODNI, Department of Justice, and 
Department of Defense.
    PPD-28 also contains numerous other provisions to ensure that 
personal information collected pursuant to signals intelligence is 
protected, regardless of nationality. For instance, PPD-28 provides 
for data security, access, and quality procedures to protect 
personal information collected through signals intelligence, and 
provides for mandatory training to ensure that the workforce 
understands the responsibility to protect personal information, 
regardless of nationality. The PPD also provides for additional 
oversight and compliance mechanisms. These include periodic audit 
and reviews by appropriate oversight and compliance officials of the 
practices for protecting personal information contained in signals 
intelligence. The reviews also must examine the agencies' compliance 
with the procedures for protecting such information.
    Additionally, PPD-28 provides that significant compliance issues 
related to non-U.S. persons will be addressed at senior levels of 
government. Should a significant compliance issue occur involving 
the personal information of any person collected as a result of 
signals intelligence activities, the issue must, in addition to any 
existing reporting requirements, be reported promptly to the DNI. If 
the issue involves the personal information of a non-U.S. person, 
the DNI, in consultation with the Secretary of State and the head of 
the relevant IC element, will determine whether steps should be 
taken to notify the relevant foreign government, consistent with the 
protection of sources and methods and of U.S. personnel. Moreover, 
as directed by PPD-28, the Secretary of State has identified a 
senior official, Under Secretary Catherine Novelli, to serve as a 
point of contact for foreign governments that wish to raise concerns 
regarding signals intelligence activities of the United States. This 
commitment to high-level engagement exemplifies the efforts the U.S. 
government has made over the past few years to instill confidence in 
the numerous and overlapping privacy protections in place for U.S. 
person and non-U.S. person information.

e. Summary

    The United States' processes for collecting, retaining, and 
disseminating foreign intelligence provide important privacy

[[Page 51068]]

protections for the personal information of all persons, regardless 
of nationality. In particular, these processes ensure that our 
Intelligence Community focuses on its national security mission as 
authorized by applicable laws, executive orders, and presidential 
directives; safeguards information from unauthorized access, use and 
disclosure; and conducts its activities under multiple layers of 
review and oversight, including by congressional oversight 
committees. PPD-28 and the procedures implementing it represent our 
efforts to extend certain minimization and other substantial data 
protection principles to the personal information of all persons 
regardless of nationality. Personal information obtained through 
U.S. signals intelligence collection is subject to the principles 
and requirements of U.S. law and Presidential direction, including 
the protections set forth in PPD-28. These principles and 
requirements ensure that all persons are treated with dignity and 
respect, regardless of their nationality or wherever they might 
reside, and recognize that all persons have legitimate privacy 
interests in the handling of their personal information.

II. Foreign Intelligence Surveillance Act--Section 702

    Collection under Section 702 of the Foreign Intelligence 
Surveillance Act \12\ is not ``mass and indiscriminate'' but is 
narrowly focused on the collection of foreign intelligence from 
individually identified legitimate targets; is clearly authorized by 
explicit statutory authority; and is subject to both independent 
judicial supervision and substantial review and oversight within the 
Executive Branch and Congress. Collection under Section 702 is 
considered signals intelligence subject to the requirements of PPD-
28.\13\
---------------------------------------------------------------------------

    \12\ 50 U.S.C. 1881a.
    \13\ The United States also may obtain court orders pursuant to 
other provisions of FISA for the production of data, including data 
transferred pursuant to the Privacy Shield. See 50 U.S.C. 1801 et 
seq. Titles I and III of FISA, which respectively authorize 
electronic surveillance and physical searches, require a court order 
(except in emergency circumstances) and always require probable 
cause to believe that the target is a foreign power or an agent of a 
foreign power. Title IV of FISA authorizes the use of pen registers 
and trap and trace devices, pursuant to court order (except in 
emergency circumstances) in authorized foreign intelligence, 
counterintelligence, or counterterrorism investigations. Title V of 
FISA permits the FBI, pursuant to court order (except in emergency 
circumstances), to obtain business records that are relevant to an 
authorized foreign intelligence, counterintelligence, or 
counterterrorism investigations. As discussed below, the USA FREEDOM 
Act specifically prohibits the use of FISA pen register or business 
record orders for bulk collection, and imposes a requirement of a 
``specific selection term'' to ensure that those authorities are 
used in a targeted fashion.
---------------------------------------------------------------------------

    Collection under Section 702 is one of the most valuable sources 
of intelligence protecting both the United States and our European 
partners. Extensive information about the operation and oversight of 
Section 702 is publicly available. Numerous court filings, judicial 
decisions and oversight reports relating to the program have been 
declassified and released on the ODNI's public disclosure Web site, 
www.icontherecord.tumblr.com. Moreover, Section 702 was 
comprehensively analyzed by the PCLOB, in a report which is 
available at https://www.pclob.gov/library/702-Report.pdf.\14\
---------------------------------------------------------------------------

    \14\ Privacy and Civil Liberties Board, ``Report on the 
Surveillance Program Operated Pursuant to Section 702 of the Foreign 
Intelligence Surveillance Act'' (July 2, 2014) (``PCLOB Report'').
---------------------------------------------------------------------------

    Section 702 was passed as part of the FISA Amendments Act of 
2008,\15\ after extensive public debate in Congress. It authorizes 
the acquisition of foreign intelligence information through 
targeting of non-U.S. persons located outside the United States, 
with the compelled assistance of U.S. electronic communications 
service providers. Section 702 authorizes the Attorney General and 
the DNI--two Cabinet-level officials appointed by the President and 
confirmed by the Senate--to submit annual certifications to the FISA 
Court.\16\ These certifications identify specific categories of 
foreign intelligence to be collected, such as intelligence related 
to counterterrorism or weapons of mass destruction, which must fall 
within the categories of foreign intelligence defined by the FISA 
statute.\17\ As the PCLOB noted, ``[t]hese limitations do not permit 
unrestricted collection of information about foreigners.'' \18\
---------------------------------------------------------------------------

    \15\ See Pub. L. 110-261, 122 Stat. 2436 (2008).
    \16\ See 50 U.S.C. 1881a(a) and (b).
    \17\ See id. 1801(e).
    \18\ See PCLOB Report at 99.
---------------------------------------------------------------------------

    The certifications also are required to include ``targeting'' 
and ``minimization'' procedures that must be reviewed and approved 
by the FISA Court.\19\ The targeting procedures are designed to 
ensure that the collection takes place only as authorized by statute 
and is within the scope of the certifications; the minimization 
procedures are designed to limit the acquisition, dissemination, and 
retention of information about U.S. persons, but also contain 
provisions that provide substantial protection to information about 
non-U.S. persons as well, described below. Moreover, as described 
above, in PPD-28 the President directed that the Intelligence 
Community provide additional protections for personal information 
about non-U.S. persons, and those protections apply to information 
collected under Section 702.
---------------------------------------------------------------------------

    \19\ See 50 U.S.C. 1881a(d) and (e).
---------------------------------------------------------------------------

    Once the court approves the targeting and minimization 
procedures, collection under Section 702 is not bulk or 
indiscriminate, but ``consists entirely of targeting specific 
persons about whom an individualized determination has been made,'' 
as the PCLOB said.\20\ Collection is targeted through the use of 
individual selectors, such as email addresses or telephone numbers, 
which U.S. intelligence personnel have determined are likely being 
used to communicate foreign intelligence information of the type 
covered by the certification submitted to the court.\21\ The basis 
for selection of the target must be documented, and the 
documentation for every selector is subsequently reviewed by the 
Department of Justice.\22\ The U.S. Government has released 
information showing that in 2014 there were approximately 90,000 
individuals targeted under Section 702, a miniscule fraction of the 
over 3 billion internet users throughout the world.\23\
---------------------------------------------------------------------------

    \20\ See PCLOB Report at 111.
    \21\ Id.
    \22\ Id. at 8; 50 U.S.C. 1881a(l); see also NSA Director of 
Civil Liberties and Privacy Report, ``NSA's Implementation of 
Foreign Intelligence Surveillance Act Section 702'' (hereinafter 
``NSA Report'') at 4, available at https://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties.
    \23\ Director of National Intelligence 2014 Transparency Report, 
available at https://icontherecord.tumblr.com/transparency/odni_transparencyreport_cy2014.
---------------------------------------------------------------------------

    Information collected under Section 702 is subject to the court-
approved minimization procedures, which provide protections to non-
U.S. persons as well as U.S. persons, and which have been publicly 
released.\24\ For example, communications acquired under Section 
702, whether of U.S. persons or non-U.S. persons, are stored in 
databases with strict access controls. They may be reviewed only by 
intelligence personnel who have been trained in the privacy-
protective minimization procedures and who have been specifically 
approved for that access in order to carry out their authorized 
functions.\25\ Use of the data is limited to identification of 
foreign intelligence information or evidence of a crime.\26\ 
Pursuant to PPD-28, this information may be disseminated only if 
there is a valid foreign intelligence or law enforcement purpose; 
the mere fact that one party to the communication is not a U.S. 
person is not sufficient.\27\ And the minimization procedures and 
PPD-28 also set limits on how long data acquired pursuant to Section 
702 may be retained.\28\
---------------------------------------------------------------------------

    \24\ Minimization procedures available at: https://www.dni.gov/files/documents/ppd-28/2014%20NSA%20702%20Minimization%20Procedures.pdf (``NSA Minimization 
Procedures''); https://www.dni.gov/files/documents/ppd-28/2014%20FBI%20702%20Minimization%20Procedures.pdf; and https://www.dni.gov/files/documents/ppd-28/2014%20CIA%20702%20Minimization%20Procedures.pdf.
    \25\ See NSA Report at 4.
    \26\ See, e.g., NSA Minimization Procedures at 6.
    \27\ Intelligence Agency PPD-28 procedures available at https://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties.
    \28\ See NSA Minimization Procedures; PPD-28 Section 4.
---------------------------------------------------------------------------

    Oversight of Section 702 is extensive, and is conducted by all 
three branches of our government. Agencies implementing the statute 
have multiple levels of internal review, including by independent 
Inspectors General, and technological controls over access to the 
data. The Department of Justice and the ODNI closely review and 
scrutinize the use of Section 702 to verify compliance with legal 
rules; agencies are also under an independent obligation to report 
potential incidents of noncompliance. Those incidents are 
investigated, and all compliance incidents are reported to the 
Foreign Intelligence Surveillance Court, the President's 
Intelligence Oversight Board, and

[[Page 51069]]

Congress, and remedied as appropriate. \29\ To date, there have been 
no incidents of willful attempts to violate the law or circumvent 
legal requirements. \30\
---------------------------------------------------------------------------

    \29\ See 50 U.S.C. 1881(l); see also PCLOB Report at 66-76.
    \30\ See Semiannual Assessment of Compliance with Procedures and 
Guidelines Issues Pursuant to Section 702 of the Foreign 
Intelligence Surveillance Act, Submitted by the Attorney General and 
the Director of National Intelligence at 2-3, available at https://www.dni.gov/files/documents/Semiannual%20Assessment%20of%20Compliance%20with%20procedures%20and%20guidelines%20issued%20pursuant%20to%20Sect%20702%20of%20FISA.pdf.
---------------------------------------------------------------------------

    The FISA Court plays an important role in implementing Section 
702. It is composed of independent federal judges who serve for a 
term of seven years on the FISA Court but who, like all federal 
judges, have life tenure as judges. As noted above, the Court must 
review the annual certifications and targeting and minimization 
procedures for compliance with the law. In addition, as also noted 
above, the Government is required to notify the Court immediately of 
compliance issues,\31\ and several Court opinions have been 
declassified and released showing the exceptional degree of judicial 
scrutiny and independence it exercises in reviewing those incidents.
---------------------------------------------------------------------------

    \31\ Rule 13 of the Foreign Intelligence Surveillance Court 
Rules of Procedures, available at https://www.fisc.uscourts.gov/sites/default/files/FISC%20Rules%20of%20Procedure.pdf.
---------------------------------------------------------------------------

    The Court's exacting processes have been described by its former 
Presiding Judge in a letter to Congress that has been publicly 
released.\32\ And as a result of the USA FREEDOM Act, described 
below, the Court is now explicitly authorized to appoint an outside 
lawyer as an independent advocate on behalf of privacy in cases that 
present novel or significant legal issues.\33\ This degree of 
involvement by a country's independent judiciary in foreign 
intelligence activities directed at persons who are neither citizens 
of that country nor located within it is unusual if not 
unprecedented, and helps ensure that Section 702 collection occurs 
within appropriate legal limits.
---------------------------------------------------------------------------

    \32\ July 29, 2013 Letter from The Honorable Reggie B. Walton to 
The Honorable Patrick J. Leahy, available at https://fas.org/irp/news/2013/07/fisc-leahy.pdf.
    \33\ See Section 401 of the USA FREEDOM Act, Public Law 114-23.
---------------------------------------------------------------------------

    Congress exercises oversight through statutorily required 
reports to the Intelligence and Judiciary Committees, and frequent 
briefings and hearings. These include a semiannual report by the 
Attorney General documenting the use of Section 702 and any 
compliance incidents; \34\ a separate semiannual assessment by the 
Attorney General and the DNI documenting compliance with the 
targeting and minimization procedures, including compliance with the 
procedures designed to ensure that collection is for a valid foreign 
intelligence purpose; \35\ and an annual report by heads of 
intelligence elements which includes a certification that collection 
under Section 702 continues to produce foreign intelligence 
information.\36\
---------------------------------------------------------------------------

    \34\ See 50 U.S.C. 1881f.
    \35\ See id. 1881a(l)(1).
    \36\ See id. 1881a(l)(3). Some of these reports are classified.
---------------------------------------------------------------------------

    In short, collection under Section 702 is authorized by law; 
subject to multiple levels of review, judicial supervision and 
oversight; and, as the FISA Court stated in a recently declassified 
opinion, is ``not conducted in a bulk or indiscriminate manner,'' 
but ``through . . . discrete targeting decisions for individual 
[communication] facilities.'' \37\
---------------------------------------------------------------------------

    \37\ Mem. Opinion and Order at 26 (FISC 2014), available at 
https://www.dni.gov/files/documents/0928/FISC%20Memorandum%20Opinion%20and%20Order%2026%20August%202014.pdf.
---------------------------------------------------------------------------

III. USA Freedom Act

    The USA FREEDOM Act, signed into law in June 2015, significantly 
modified U.S. surveillance and other national security authorities, 
and increased public transparency on the use of these authorities 
and on decisions of the FISA Court, as set out below.\38\ The Act 
ensures that our intelligence and law enforcement professionals have 
the authorities they need to protect the Nation, while further 
ensuring that individuals' privacy is appropriately protected when 
these authorities are employed. It enhances privacy and civil 
liberties and increases transparency.
---------------------------------------------------------------------------

    \38\ See USA FREEDOM Act of 2015, Pub. L. 114-23, 401, 129 Stat. 
268.
---------------------------------------------------------------------------

    The Act prohibits bulk collection of any records, including of 
both U.S. and non-U.S. persons, pursuant to various provisions of 
FISA or through the use of National Security Letters, a form of 
statutorily authorized administrative subpoenas.\39\ This 
prohibition specifically includes telephone metadata relating to 
calls between persons inside the U.S. and persons outside the U.S., 
and would also include collection of Privacy Shield information 
pursuant to these authorities. The Act requires that the government 
base any application for records under those authorities on a 
``specific selection term''--a term that specifically identifies a 
person, account, address, or personal device in a way that limits 
the scope of information sought to the greatest extent reasonably 
practicable.\40\ This further ensures that collection of information 
for intelligence purposes is precisely focused and targeted.
---------------------------------------------------------------------------

    \39\ See id. 103, 201, 501. National Security Letters are 
authorized by a variety of statutes and allow the FBI to obtain 
information contained in credit reports, financial records, and 
electronic subscriber and transaction records from certain kinds of 
companies, only to protect against international terrorism or 
clandestine intelligence activities. See 12 U.S.C. 3414; 15 U.S.C. 
1681u-1681v; 18 U.S.C. 2709. National Security Letters are typically 
used by the FBI to gather critical non-content information at the 
early phases of counterterrorism and counterintelligence 
investigations--such as the identity of the subscriber to an account 
who may have been communicating with agents of a terrorist group 
such as ISIL. Recipients of a National Security Letter have the 
right to challenge them in court. See 18 U.S.C. 3511.
    \40\ See id.
---------------------------------------------------------------------------

    The Act also made significant modifications to proceedings 
before the FISA Court, which both increase transparency and provide 
additional assurances that privacy will be protected. As noted 
above, it authorized creation of a standing panel of security-
cleared lawyers with expertise in privacy and civil liberties, 
intelligence collection, communications technology, or other 
relevant areas, who may be appointed to appear before the court as 
amicus curiae in cases that involve significant or novel 
interpretations of law. These lawyers are authorized to make legal 
arguments that advance the protection of individual privacy and 
civil liberties, and will have access to any information, including 
classified information, that the court determines is necessary to 
their duties.\41\
---------------------------------------------------------------------------

    \41\ See id. section 401.
---------------------------------------------------------------------------

    The Act also builds on the U.S. Government's unprecedented 
transparency about intelligence activities by requiring the DNI, in 
consultation with the Attorney General, to either declassify, or 
publish an unclassified summary of, each decision, order, or opinion 
issued by the FISA Court or the Foreign Intelligence Surveillance 
Court of Review that includes a significant construction or 
interpretation of any provision of law.
    Moreover, the Act provides for extensive disclosures about FISA 
collection and National Security Letter requests. The United States 
must disclose to Congress and to the public each year the number of 
FISA orders and certifications sought and received; estimates of the 
number of U.S. persons and non-U.S. persons targeted and affected by 
surveillance; and the number of appointments of amici curiae, among 
other items of information.\42\ The Act also requires additional 
public reporting by the government about the numbers of National 
Security Letter requests about both U.S. and non-U.S. persons.\43\
---------------------------------------------------------------------------

    \42\ See id. section 602.
    \43\ See id.
---------------------------------------------------------------------------

    With regard to corporate transparency, the Act gives companies a 
range of options to report publicly the aggregate number of FISA 
orders and directives or National Security Letters they receive from 
the Government, as well as the number of customer accounts targeted 
by these orders.\44\ Several companies have already made such 
disclosures, which have revealed the limited number of customers 
whose records have been sought.
---------------------------------------------------------------------------

    \44\ See id. section 603.
---------------------------------------------------------------------------

    These corporate transparency reports demonstrate that U.S. 
intelligence requests affect only a miniscule fraction of data. For 
example, one major company's recent transparency report shows that 
it received national security requests (pursuant to FISA or National 
Security Letters) affecting fewer than 20,000 of its accounts, at a 
time when it had at least 400 million subscribers. In other words, 
all U.S. national security requests reported by this company 
affected fewer than .005% of its subscribers. Even if every one of 
those requests had concerned Safe Harbor data, which of course is 
not the case, it is obvious that the requests are targeted and 
appropriate in scale, and are neither bulk nor indiscriminate.
    Finally, while the statutes which authorize National Security 
Letters already restricted the circumstances under which a recipient 
of such a letter could be barred from disclosing

[[Page 51070]]

it, the Act further provided that such non-disclosure requirements 
must be reviewed periodically; required that recipients of National 
Security Letters be notified when the facts no longer support a non-
disclosure requirement; and codified procedures for recipients to 
challenge nondisclosure requirements.\45\
---------------------------------------------------------------------------

    \45\ See id. sections 502(f)-503.
---------------------------------------------------------------------------

    In sum, the USA FREEDOM Act's important amendments to U.S. 
intelligence authorities is clear evidence of the extensive effort 
taken by the United States to place the protection of personal 
information, privacy, civil liberties, and transparency at the 
forefront of all U.S. intelligence practices.

IV. Transparency

    In addition to the transparency mandated by the USA FREEDOM Act, 
the U.S. Intelligence Community provides the public much additional 
information, setting a strong example with respect to transparency 
into its intelligence activities. The Intelligence Community has 
published many of its policies, procedures, Foreign Intelligence 
Surveillance Court decisions, and other declassified materials, 
providing an extraordinary degree of transparency. In addition, the 
Intelligence Community has substantially increased its disclosure of 
statistics on the government's use of national security collection 
authorities. On April 22, 2015, the Intelligence Community issued 
its second annual report presenting statistics on how often the 
government uses these important authorities. ODNI also has 
published, on the ODNI Web site and on IC On the Record, a set of 
concrete transparency principles\46\ and an implementation plan that 
translates the principles into concrete, measurable initiatives.\47\ 
In October 2015, the Director of National Intelligence directed that 
each intelligence agency designate an Intelligence Transparency 
Officer within its leadership to foster transparency and lead 
transparency initiatives.\48\ The Transparency Officer will work 
closely with each intelligence agency's Privacy and Civil Liberties 
Officer to ensure that transparency, privacy, and civil liberties 
continue to remain top priorities.
---------------------------------------------------------------------------

    \46\ Available at http:\\www.dni.gov/index.php/intelligence-community/intelligence-transparency-principles.
    \47\ Available at http:\\www.dni.gov/files/documents/Newsroom/Reports%20and%20Pubs/Principles%20of%20Intelligence%20Transparency%20Implementation%20Plan.pdf.
    \48\ See id.
---------------------------------------------------------------------------

    As an example of these efforts, NSA's Chief Privacy and Civil 
Liberties Officer has released several unclassified reports over the 
past few years, including reports on activities under section 702, 
Executive Order 12333, and the USA FREEDOM Act.\49\ In addition, the 
IC works closely with the PCLOB, Congress, and the U.S. privacy 
advocacy community to provide further transparency relating to U.S. 
intelligence activities, wherever feasible and consistent with the 
protection of sensitive intelligence sources and methods. Taken as a 
whole, U.S. intelligence activities are as transparent as or more 
transparent than those of any other nation in the world and are as 
transparent as it is possible to be consistent with the need to 
protect sensitive sources and methods.
---------------------------------------------------------------------------

    \49\ Available at https://www.nsa.gov/civil_liberties/_files/nsa_report_on_section_702_program.pdf; https://www.nsa.gov/civil_liberties/_files/UFA_Civil_Liberties_and_Privacy_Report.pdf; 
https://www.nsa.gov/civil_liberties/_files/UFA_Civil_Liberties_and_Privacy_Report.pdf.
---------------------------------------------------------------------------

    To summarize the extensive transparency that exists about U.S. 
intelligence activities:
     The IC has released and posted online thousands of 
pages of court opinions and agency procedures outlining the specific 
procedures and requirements of our intelligence activities. We have 
also released reports on intelligence agencies' compliance with 
applicable restrictions.
     Senior intelligence officials regularly speak publicly 
about the roles and activities of their organizations, including 
descriptions of the compliance regimes and safeguards that govern 
their work.
     The IC released numerous additional documents about 
intelligence activities pursuant to our Freedom of Information Act.
     The President issued PPD-28, publicly setting out 
additional restrictions on our intelligence activities, and ODNI has 
issued two public reports on the implementation of those 
restrictions.
     The IC is now required by law to release significant 
legal opinions issued by the FISA Court, or summaries of those 
opinions.
     The government is required to report annually on the 
extent of its use of certain national security authorities, and 
companies are authorized to do so as well.
     The PCLOB has issued several detailed public reports on 
intelligence activities, and will continue to do so.
     The IC provides extensive classified information to 
Congressional oversight committees.
     The DNI issued transparency principles to govern the 
activities of the Intelligence Community.
    This extensive transparency will continue going forward. Any 
information that is released publicly will, of course, be available 
to both the Department of Commerce and the European Commission. The 
annual review between Commerce and the European Commission on the 
implementation of the Privacy Shield will provide an opportunity for 
the European Commission to discuss any questions raised by any new 
information released, as well as any other matters concerning the 
Privacy Shield and its operation, and we understand that the 
Department may, in its discretion, invite representatives of other 
agencies, including the IC, to participate in that review. This is, 
of course, in addition to the mechanism provided in PPD-28 for EU 
Member States to raise surveillance-related concerns with a 
designated State Department official.

V. Redress

    U.S. law provides a number of avenues of redress for individuals 
who have been the subject of unlawful electronic surveillance for 
national security purposes. Under FISA, the right to seek relief in 
U.S. court is not limited to U.S. persons. An individual who can 
establish standing to bring suit would have remedies to challenge 
unlawful electronic surveillance under FISA. For example, FISA 
allows persons subjected to unlawful electronic surveillance to sue 
U.S. government officials in their personal capacities for money 
damages, including punitive damages and attorney's fees. See 50 
U.S.C. 1810. Individuals who can establish their standing to sue 
also have a civil cause of action for money damages, including 
litigation costs, against the United States when information about 
them obtained in electronic surveillance under FISA has been 
unlawfully and willfully used or disclosed. See 18 U.S.C. 2712. In 
the event the government intends to use or disclose any information 
obtained or derived from electronic surveillance of any aggrieved 
person under FISA against that person in judicial or administrative 
proceedings in the United States, it must provide advance notice of 
its intent to the tribunal and the person, who may then challenge 
the legality of the surveillance and seek to suppress the 
information. See 50 U.S.C. 1806. Finally, FISA also provides 
criminal penalties for individuals who intentionally engage in 
unlawful electronic surveillance under color of law or who 
intentionally use or disclose information obtained by unlawful 
surveillance. See 50 U.S.C. 1809.
    EU citizens have other avenues to seek legal recourse against 
U.S. government officials for unlawful government use of or access 
to data, including government officials who violate the law in the 
course of unlawful access to or use of information for purported 
national security purposes. The Computer Fraud and Abuse Act 
prohibits intentional unauthorized access (or exceeding authorized 
access) to obtain information from a financial institution, a U.S. 
government computer system, or a computer accessed via the Internet, 
as well as threats to damage protected computers for purposes of 
extortion or fraud. See 18 U.S.C. 1030. Any person, of whatever 
nationality, who suffers damage or loss by reason of a violation of 
this law may sue the violator (including a government official) for 
compensatory damages and injunctive or other equitable relief under 
section 1030(g), regardless of whether a criminal prosecution has 
been pursued, provided the conduct involves at least one of several 
circumstances set forth in the statute. The Electronic 
Communications Privacy Act (ECPA) regulates government access to 
stored electronic communications and transactional records and 
subscriber information held by third-party communications providers. 
See 18 U.S.C. 2701-2712. ECPA authorizes an aggrieved individual to 
sue government officials for intentional unlawful access to stored 
data. ECPA applies to all persons regardless of citizenship and 
aggrieved persons may receive damages and attorney's fees. The Right 
to Financial Privacy Act (RFPA) limits the U.S. government's access 
to the bank and broker-dealer records of individual customers. See 
12 U.S.C. 3401-3422. Under the RFPA, a bank or broker-dealer 
customer can sue the U.S. government for statutory, actual, and 
punitive damages for wrongfully obtaining access to the customer's 
records, and a finding that such wrongful access was willful 
automatically triggers an investigation

[[Page 51071]]

of possible disciplinary action against the relevant government 
employees. See 12 U.S.C. 3417.
    Finally, the Freedom of Information Act (FOIA) provides a means 
for any person to seek access to existing federal agency records on 
any topic subject to certain categories of exemptions. See 5 U.S.C. 
552(b). These include limits on access to classified national 
security information, personal information of other individuals, and 
information concerning law enforcement investigations, and are 
comparable to the limitations imposed by nations with their own 
information access laws. These limitations apply equally to 
Americans and non-Americans. Disputes over the release of records 
requested pursuant to FOIA can be appealed administratively and then 
in federal court. The court is required to make a de novo 
determination of whether records are properly withheld, 5 U.S.C. 
552(a)(4)(B), and can compel the government to provide access to 
records. In some cases courts have overturned government assertions 
that information should be withheld as classified.\50\ Although no 
monetary damages are available, courts can award attorney's fees.
---------------------------------------------------------------------------

    \50\ See, e.g., New York Times v. Department of Justice, 756 
F.3d 100 (2d Cir. 2014); American Civil Liberties Union v. CIA, 710 
F.3d 422 (D.C. Cir. 2014).
---------------------------------------------------------------------------

VI. Conclusion

    The United States recognizes that our signals intelligence and 
other intelligence activities must take into account that all 
persons should be treated with dignity and respect, regardless of 
their nationality or place of residence, and that all persons have 
legitimate privacy interests in the handling of their personal 
information. The United States only uses signals intelligence to 
advance its national security and foreign policy interests and to 
protect its citizens and the citizens of its allies and partners 
from harm. In short, the IC does not engage in indiscriminate 
surveillance of anyone, including ordinary European citizens. 
Signals intelligence collection only takes place when duly 
authorized and in a manner that strictly complies with these 
limitations; only after consideration of the availability of 
alternative sources, including from diplomatic and public sources; 
and in a manner that prioritizes appropriate and feasible 
alternatives. And wherever practicable, signals intelligence only 
takes place through collection focused on specific foreign 
intelligence targets or topics through the use of discriminants.
    U.S. policy in this regard was affirmed in PPD-28. Within this 
framework, U.S. intelligence agencies do not have the legal 
authority, the resources, the technical capability or the desire to 
intercept all of the world's communications. Those agencies are not 
reading the emails of everyone in the United States, or of everyone 
in the world. Consistent with PPD-28, the United States provides 
robust protections to the personal information of non-U.S. persons 
that is collected through signals intelligence activities. To the 
maximum extent feasible consistent with the national security, this 
includes policies and procedures to minimize the retention and 
dissemination of personal information concerning non-U.S. persons 
comparable to the protections enjoyed by U.S. persons. Moreover, as 
discussed above, the comprehensive oversight regime of the targeted 
Section 702 FISA authority is unparalleled. Finally, the significant 
amendments to U.S. intelligence law set forth in the USA FREEDOM Act 
and the ODNI-led initiatives to promote transparency within the 
Intelligence Community greatly enhance the privacy and civil 
liberties of all individuals, regardless of their nationality.

Sincerely,

Robert S. Litt

Mr. Justin S. Antonipillai
Counselor
U.S. Department of Commerce
1401 Constitution Avenue, NW.
Washington, DC 20230

Mr. Ted Dean
Deputy Assistant Secretary
International Trade Administration
1401 Constitution Avenue, NW.
Washington, DC 20230

Dear Mr. Antonipillai and Mr. Dean:

    I am writing to provide further information about the manner in 
which the United States conducts bulk collection of signals 
intelligence. As explained in footnote 5 of Presidential Policy 
Directive 28 (PPD-28), ``bulk'' collection refers to the acquisition 
of a relatively large volume of signals intelligence information or 
data under circumstances where the Intelligence Community cannot use 
an identifier associated with a specific target (such as the 
target's email address or phone number) to focus the collection. 
However, this does not mean that this sort of collection is ``mass'' 
or ``indiscriminate.'' Indeed, PPD-28 also requires that ``[s]ignals 
intelligence activities shall be as tailored as feasible.'' In 
furtherance of this mandate, the Intelligence Community takes steps 
to ensure that even when we cannot use specific identifiers to 
target collection, the data to be collected is likely to contain 
foreign intelligence that will be responsive to requirements 
articulated by U.S. policy-makers pursuant to the process explained 
in my earlier letter, and minimizes the amount of non-pertinent 
information that is collected.
    As an example, the Intelligence Community may be asked to 
acquire signals intelligence about the activities of a terrorist 
group operating in a region of a Middle Eastern country, that is 
believed to be plotting attacks against Western European countries, 
but may not know the names, phone numbers, email addresses or other 
specific identifiers of individuals associated with this terrorist 
group. We might choose to target that group by collecting 
communications to and from that region for further review and 
analysis to identify those communications that relate to the group. 
In so doing, the Intelligence Community would seek to narrow the 
collection as much as possible. This would be considered collection 
in ``bulk'' because the use of discriminants is not feasible, but it 
is neither ``mass'' nor ``indiscriminate''; rather it is focused as 
precisely as possible.
    Thus, even when targeting through the use of specific selectors 
is not possible, the United States does not collect all 
communications from all communications facilities everywhere in the 
world, but applies filters and other technical tools to focus its 
collection on those facilities that are likely to contain 
communications of foreign intelligence value. In so doing, the 
United States' signals intelligence activities touch only a fraction 
of the communications traversing the Internet.
    Moreover, as noted in my earlier letter, because ``bulk'' 
collection entails a greater risk of collecting non-pertinent 
communications, PPD-28 limits the use that the Intelligence 
Community may make of signals intelligence collected in bulk to six 
specified purposes. PPD-28, and agency policies implementing PPD-28, 
also place restrictions on the retention and dissemination of 
personal information acquired through signals intelligence, 
regardless of whether the information was collected in bulk or 
through targeted collection, and regardless of the individual's 
nationality.
    Thus, the Intelligence Community's ``bulk'' collection is not 
``mass'' or ``indiscriminate,'' but involves the application of 
methods and tools to filter collection in order to focus the 
collection on material that will be responsive to policy-makers' 
articulated foreign intelligence requirements while minimizing the 
collection of non-pertinent information, and provides strict rules 
to protect the non-pertinent information that may be acquired. The 
policies and procedures described in this letter apply to all bulk 
signals intelligence collection, including any bulk collection of 
communications to and from Europe, without confirming or denying 
whether any such collection occurs.
    You have also asked for more information about the Privacy and 
Civil Liberties Oversight Board (PCLOB) and Inspectors General, and 
their authorities. The PCLOB is an independent agency in the 
Executive Branch. Members of the bipartisan, five-member Board are 
appointed by the President and confirmed by the Senate.\1\ Each 
Member of the Board serves a six-year term. Members of the Board and 
staff are provided appropriate security clearances in order for them 
to fully execute their statutory duties and responsibilities.\2\
---------------------------------------------------------------------------

    \1\ 42 U.S.C. 2000ee(a), (h).
    \2\ 42 U.S.C. 2000ee(k).
---------------------------------------------------------------------------

    The PCLOB's mission is to ensure that the federal government's 
efforts to prevent terrorism are balanced with the need to protect 
privacy and civil liberties. The Board has two fundamental 
responsibilities--oversight and advice. The PCLOB sets its own 
agenda and determines what oversight or advice activities it wishes 
to undertake.
    In its oversight role, the PCLOB reviews and analyzes actions 
the Executive Branch takes to protect the nation from terrorism, 
ensuring that the need for such actions is balanced with the need to 
protect privacy and civil liberties.\3\ The PCLOB's most recent

[[Page 51072]]

completed oversight review focused on surveillance programs operated 
under Section 702 of FISA.\4\ It is currently conducting a review of 
intelligence activities operated under Executive Order 12333.\5\
---------------------------------------------------------------------------

    \3\ 42 U.S.C. 2000ee(d)(2).
    \4\ See generally https://www.pclob.gov/library.html#oversightreports.
    \5\ See generally https://www.pclob.gov/events/2015/may13.html.
---------------------------------------------------------------------------

    In its advisory role, the PCLOB ensures that liberty concerns 
are appropriately considered in the development and implementation 
of laws, regulations, and policies related to efforts to protect the 
nation from terrorism.\6\
---------------------------------------------------------------------------

    \6\ 42 U.S.C. 2000ee(d)(1); see also PCLOB Advisory Function 
Policy and Procedure, Policy 2015-004, available at https://www.pclob.gov/library/Policy-Advisory_Function_Policy_Procedure.pdf.
---------------------------------------------------------------------------

    In order to carry out its mission, the Board is authorized by 
statute to have access to all relevant agency records, reports, 
audits, reviews, documents, papers, recommendations, and any other 
relevant materials, including classified information consistent with 
law.\7\ In addition, the Board may interview, take statements from, 
or take public testimony from any executive branch officer or 
employee.\8\ Additionally, the Board may request in writing that the 
Attorney General, on the Board's behalf, issues subpoenas compelling 
parties outside the Executive Branch to provide relevant 
information.\9\
---------------------------------------------------------------------------

    \7\ 42 U.S.C. 2000ee(g)(1)(A).
    \8\ 42 U.S.C. 2000ee(g)(1)(B).
    \9\ 42 U.S.C. 2000ee(g)(1)(D).
---------------------------------------------------------------------------

    Finally, the PCLOB has statutory public transparency 
requirements. This includes keeping the public informed of its 
activities by holding public hearings and making its reports 
publicly available, to the greatest extent possible consistent with 
the protection of classified information.\10\ In addition, the PCLOB 
is required to report when an Executive Branch agency declines to 
follow its advice.
---------------------------------------------------------------------------

    \10\ 42 U.S.C. 2000eee(f).
---------------------------------------------------------------------------

    Inspectors General (IGs) in the Intelligence Community (IC) 
conduct audits, inspections, and reviews of the programs and 
activities in the IC to identify and address systemic risks, 
vulnerabilities, and deficiencies. In addition, IGs investigate 
complaints or information of allegations of violations of law, 
rules, or regulations, or mismanagement; gross waste of funds; abuse 
of authority, or a substantial and specific danger to the public 
health and safety in IC programs and activities. IG independence is 
a critical component to the objectivity and integrity of every 
report, finding, and recommendation an IG issues. Some of the most 
critical components to maintaining IG independence include the IG 
appointment and removal process; separate operational, budget, and 
personnel authorities; and dual reporting requirements to Executive 
Branch agency heads and Congress.
    Congress established an independent IG office in each Executive 
Branch agency, including every IC element.\11\ With the passage of 
the Intelligence Authorization Act for Fiscal Year 2015, almost all 
IGs with oversight of an IC element are appointed by the President 
and confirmed by the Senate, including the Department of Justice, 
Central Intelligence Agency, National Security Agency, and the 
Intelligence Community.\12\ Further, these IGs are permanent, 
nonpartisan, officials who can only be removed by the President. 
While the U.S. Constitution requires that the President have IG 
removal authority, it has rarely been exercised and requires that 
the President provide Congress with a written justification 30 days 
before removing an IG.\13\ This IG appointment process ensures that 
there is no undue influence by Executive Branch officials in the 
selection, appointment, or removal of an IG.
---------------------------------------------------------------------------

    \11\ Sections 2 and 4 of the Inspector General Act of 1978, as 
amended (hereinafter ``IG Act''); Section 103H(b) and (e) of the 
National Security Act of 1947, as amended (hereinafter ``Nat'l Sec. 
Act''); Section 17(a) of the Central Intelligence Act (hereinafter 
``CIA Act'').
    \12\ See Public Law 113-293, 128 Stat. 3990, (Dec. 19, 2014). 
Only the IGs for the Defense Intelligence Agency and the National 
Geospatial-Intelligence Agency are not appointed by the President; 
however the DOD IG and the IC IG have concurrent jurisdiction over 
these agencies.
    \13\ Section 3 of the IG Act of 1978, as amended; Section 
103H(c) of the Nat'l Sec. Act; and Section 17(b) of the CIA Act.
---------------------------------------------------------------------------

    Second, IGs have significant statutory authorities to conduct 
audits, investigations, and reviews of Executive Branch programs and 
operations. In addition to oversight investigations and reviews 
required by law, IGs have broad discretion to exercise oversight 
authority to review programs and activities of their choosing.\14\ 
In exercising this authority, the law ensures that IGs have the 
independent resources to execute their responsibilities, including 
the authority to hire their own staff and separately document their 
budget requests to Congress.\15\ The law ensures that IGs have 
access to the information needed to execute their responsibilities. 
This includes the authority to have direct access to all agency 
records and information detailing the programs and operations of the 
agency regardless of classification; the authority to subpoena 
information and documents; and the authority to administer 
oaths.\16\ In limited cases, the head of an Executive Branch agency 
may prohibit an IG's activity if, for example, an IG audit or 
investigation would significantly impair the national security 
interests of the United States. Again, the exercise of this 
authority is extremely unusual and requires the head of the agency 
to notify Congress within 30 days of the reasons for exercising 
it.\17\ Indeed, the Director of National Intelligence has never 
exercised this limitation authority over any IG activities.
---------------------------------------------------------------------------

    \14\ See Sections 4(a) and 6(a)(2) of the IG Act of 1947; 
Section 103H(e) and (g)(2)(A) of the Nat'l Sec. Act; Section 17(a) 
and (c) of the CIA Act.
    \15\ Sections 3(d), 6(a)(7) and 6(f) of the IG Act; Sections 
103H(d), (i), (j) and (m) of the Nat'l Sec. Act; Sections 17(e)(7) 
and (f) of the CIA Act.
    \16\ Section 6(a)(1), (3), (4), (5), and (6) of the IG Act; 
Sections 103H(g)(2) of the Nat'l Sec. Act; Section 17(e)(1), (2), 
(4), and (5) of CIA Act.
    \17\ See, e.g., Sections 8(b) and 8E(a) of the IG Act; Section 
103H(f) of the Nat'l Sec. Act; Section 17(b) of the CIA Act.
---------------------------------------------------------------------------

    Third, IGs have responsibilities to keep both heads of Executive 
Branch agencies and Congress fully and currently informed through 
reports of fraud and other serious problems, abuses, and 
deficiencies relating to Executive Branch programs and 
activities.\18\ Dual reporting bolsters IG independence by providing 
transparency into the IG oversight process and allowing agency heads 
an opportunity to implement IG recommendations before Congress can 
take legislative action. For example, IGs are required by law to 
complete semi-annual reports that describe such problems as well as 
corrective actions taken to date.\19\ Executive Branch agencies take 
IG findings and recommendations seriously and IGs are often able to 
include the agencies' acceptance and implementation of IG 
recommendations in these and other reports provided to Congress, and 
in some cases the public.\20\ In addition to this IG dual-report 
structure, IGs are also responsible for shepherding Executive Branch 
whistleblowers to the appropriate congressional oversight committees 
to make disclosures of alleged fraud, waste, or abuse in Executive 
Branch programs and activities. The identities of those who come 
forward are protected from disclosure to the Executive Branch, which 
shields the whistleblowers from potential prohibited personnel 
actions or security clearance actions taken in reprisal for 
reporting to the IG.\21\ As whistleblowers are often the sources for 
IG investigations, the ability to report their concerns to the 
Congress without Executive Branch influences increases the 
effectiveness of IG oversight. Because of this independence, IGs can 
promote economy, efficiency, and accountability in Executive Branch 
agencies with objectivity and integrity.
---------------------------------------------------------------------------

    \18\ Section 4(a)(5) of the IG Act; Section 103H(a)(b)(3) and 
(4) of the Nat'l Sec. Act; Section 17(a)(2) and (4) of the CIA Act.
    \19\ Section 2(3), 4(a), and 5 of the IG Act; Section 103H(k) of 
the Nat'l Sec. Act; Section 17(d) of the CIA Act. The Inspector 
General of the Department of Justice makes its publicly released 
reports available on the Internet at https://oig.justice.gov/reports/all.htm. Similarly, the Inspector General for the Intelligence 
Community makes it semi-annual reports publicly available at https://www.dni.gov/index.php/intelligence-community/ic-policies-reports/records-requested-under-foia#icig.
    \20\ Section 2(3), 4(a), and 5 of the IG Act; Section 103H(k) of 
the Nat'l Sec. Act; Section 17(d) of the CIA Act. The Inspector 
General of the Department of Justice makes its publicly released 
reports available on the Internet at https://oig.justice.gov/reports/all.htm. Similarly, the Inspector General for the Intelligence 
Community makes it semi-annual reports publicly available at https://www.dni.gov/index.php/intelligence-community/ic-policies-reports/records-requested-under-foia#icig.
    \21\ Section 7 of the IG Act; Section 103H(g)(3) of the Nat'l 
Sec. Act; Section 17(e)(3) of the CIA Act.
---------------------------------------------------------------------------

    Finally, Congress has established the Council of Inspectors 
General on Integrity and Efficiency. This Council, among other 
things, develops IG standards for audits, investigations and 
reviews; promotes training; and has the authority to conduct reviews 
of allegations of IG misconduct, which serves as a critical eye on 
IGs, who are entrusted to watch all others.\22\
---------------------------------------------------------------------------

    \22\ Section 11 of the IG Act.
---------------------------------------------------------------------------

    I hope that this information is helpful to you.


[[Page 51073]]


Regards,

Robert S. Litt
General Counsel

Letter From Deputy Assistant Attorney General and Counselor for 
International Affairs Bruce Swartz, U.S. Department of Justice

February 19, 2016
Mr. Justin S. Antonipillai

Counselor
U.S. Department of Commerce
1401 Constitution Ave. NW.
Washington, DC 20230

Mr. Ted Dean

Deputy Assistant Secretary
International Trade Administration
1401 Constitution Ave. NW.
Washington, DC 20230

Dear Mr. Antonipillai and Mr. Dean:

    This letter provides a brief overview of the primary 
investigative tools used to obtain commercial data and other record 
information from corporations in the United States for criminal law 
enforcement or public interest (civil and regulatory) purposes, 
including the access limitations set forth in those authorities.\1\ 
These legal processes are nondiscriminatory in that they are used to 
obtain information from corporations in the United States, including 
from companies that will self-certify through the US/EU Privacy 
Shield framework, without regard to the nationality of the data 
subject. Further, corporations that receive legal process in the 
United States may challenge it in court as discussed below.\2\
---------------------------------------------------------------------------

    \1\ This overview does not describe the national security 
investigative tools used by law enforcement in terrorism and other 
national security investigations, including National Security 
Letters (NSLs) for certain record information in credit reports, 
financial records, and electronic subscriber and transaction 
records, see 12 U.S.C. 3414; 15 U.S.C. 1681u; 15 U.S.C. 1681v; 18 
U.S.C. 2709, and for electronic surveillance, search warrants, 
business records, and other collection of communications pursuant to 
the Foreign Intelligence Surveillance Act, see 50 U.S.C. 1801 et 
seq.
    \2\ This paper discusses federal law enforcement and regulatory 
authorities; violations of state law are investigated by states and 
are tried in state courts. State law enforcement authorities use 
warrants and subpoenas issued under state law in essentially the 
same manner as described herein, but with the possibility that state 
legal process may be subject to protections provided by State 
constitutions that exceed those of the U.S. Constitution. State law 
protections must be at least equal to those of the U.S. 
Constitution, including but not limited to the Fourth Amendment.
---------------------------------------------------------------------------

    Of particular note with respect to the seizure of data by public 
authorities is the Fourth Amendment to the United States 
Constitution, which provides that ``[t]he right of the people to be 
secure in their persons, houses, papers, and effects, against 
unreasonable searches and seizures, shall not be violated, and no 
Warrants shall issue, but upon probable cause, supported by Oath or 
affirmation, and particularly describing the place to be searched, 
and the persons or things to be seized.'' U.S. Const. amend. IV. As 
the United States Supreme Court stated in Berger v. State of New 
York, ``[t]he basic purpose of this Amendment, as recognized in 
countless decisions of this Court, is to safeguard the privacy and 
security of individuals against arbitrary invasions by government 
officials.'' 388 U.S. 41, 53 (1967) (citing Camara v. Mun. Court of 
San Francisco, 387 U.S. 523, 528 (1967)). In domestic criminal 
investigations, the Fourth Amendment generally requires law 
enforcement officers to obtain a court-issued warrant before 
conducting a search. See Katz v. United States, 389 U.S. 347, 357 
(1967). When the warrant requirement does not apply, government 
activity is subject to a ``reasonableness'' test under the Fourth 
Amendment. The Constitution itself, therefore, ensures that the U.S. 
government does not have limitless, or arbitrary, power to seize 
private information.

Criminal Law Enforcement Authorities:

    Federal prosecutors, who are officials of the Department of 
Justice (DOJ), and federal investigative agents including agents of 
the Federal Bureau of Investigation (FBI), a law enforcement agency 
within DOJ, are able to compel production of documents and other 
record information from corporations in the United States for 
criminal investigative purposes through several types of compulsory 
legal processes, including grand jury subpoenas, administrative 
subpoenas and search warrants, and may acquire other communications 
pursuant to federal criminal wiretap and pen register authorities.
    Grand Jury or Trial Subpoenas: Criminal subpoenas are used to 
support targeted law enforcement investigations. A grand jury 
subpoena is an official request issued from a grand jury (usually at 
the request of a federal prosecutor) to support a grand jury 
investigation into a particular suspected violation of criminal law. 
Grand juries are an investigative arm of the court and are impaneled 
by a judge or magistrate. A subpoena may require someone to testify 
at a proceeding, or to produce or make available business records, 
electronically stored information, or other tangible items. The 
information must be relevant to the investigation and the subpoena 
cannot be unreasonable because it is overbroad, or because it is 
oppressive or burdensome. A recipient can file a motion to challenge 
a subpoena based on those grounds. See Fed. R. Crim. P. 17. In 
limited circumstances, trial subpoenas for documents may be used 
after the case has been indicted by the grand jury.
    Administrative Subpoena Authority: Administrative subpoena 
authorities may be exercised in criminal or civil investigations. In 
the criminal law enforcement context, several federal statutes 
authorize the use of administrative subpoenas to produce or make 
available business records, electronically stored information, or 
other tangible items in investigations involving health care fraud, 
child abuse, Secret Service protection, controlled substance cases, 
and Inspector General investigations implicating government 
agencies. If the government seeks to enforce an administrative 
subpoena in court, the recipient of the administrative subpoena, 
like the recipient of a grand jury subpoena, can argue that the 
subpoena is unreasonable because it is overbroad, or because it is 
oppressive or burdensome.
    Court Orders For Pen Register and Trap and Traces: Under 
criminal pen register and trap and trace provisions, law enforcement 
may obtain a court order to acquire real-time, non-content dialing, 
routing, addressing and signaling information about a phone number 
or email upon certification that the information provided is 
relevant to a pending criminal investigation. See 18 U.S.C. 3121-
3127. The use or installation of such a device outside the law is a 
federal crime.
    Electronic Communications Privacy Act (ECPA): Additional rules 
govern the government's access to subscriber information, traffic 
data and stored content of communications held by ISPs telephone 
companies, and other third party service providers, pursuant to 
Title II of ECPA, also called the Stored Communications Act (SCA), 
18 U.S.C. 2701-2712. The SCA sets forth a system of statutory 
privacy rights that limit law enforcement access to data beyond what 
is required under constitutional law from customers and subscribers 
of Internet service providers. The SCA provides for increasing 
levels of privacy protections depending on the intrusiveness of the 
collection. For subscriber registration information, IP addresses 
and associated time stamps, and billing information, criminal law 
enforcement authorities must obtain a subpoena. For most other 
stored, non-content information, such as email headers without the 
subject line, law enforcement must present specific facts to a judge 
demonstrating that the requested information is relevant and 
material to an ongoing criminal investigation. To obtain the stored 
content of electronic communications, generally, criminal law 
enforcement authorities obtain a warrant from a judge based on 
probable cause to believe the account in question contains evidence 
of a crime. The SCA also provides for civil liability and criminal 
penalties.
    Court Orders for Surveillance Pursuant to Federal Wiretap Law: 
Additionally, law enforcement may intercept in real time wire, oral 
or electronic communications for criminal investigative purposes 
pursuant to the federal wiretap law. See 18 U.S.C. 2510-2522. This 
authority is available only pursuant to a court order in which a 
judge finds, inter alia, that there is probable cause to believe 
that the wiretap or electronic interception will produce evidence of 
a federal crime, or the whereabouts of a fugitive fleeing from 
prosecution. The statute provides for civil liability and criminal 
penalties for violations of the wiretapping provisions.
    Search Warrant--Rule 41: Law enforcement can physically search 
premises in the United States when authorized to do so by a judge. 
Law enforcement must demonstrate to the judge based on a showing of 
``probable cause'' that a crime was committed or is about to be 
committed and that items connected to the crime are likely to be 
found in the place specified by the warrant. This authority is often 
used when a physical search by police of a premise is needed due to 
the danger that evidence may be destroyed if a subpoena or other 
production order is served on the corporation. See U.S. Const. 
amend. IV

[[Page 51074]]

(discussed in further detail above), Fed. R. Crim. P. 41. The 
subject of a search warrant may move to quash the warrant as 
overbroad, vexatious or otherwise improperly obtained and aggrieved 
parties with standing may move to suppress any evidence obtained in 
an unlawful search. See Mapp v. Ohio, 367 U.S. 643 (1961).
    DOJ Guidelines and Policies: In addition to these 
Constitutional, statutory and rule-based limitations on government 
access to data, the Attorney General has issued guidelines that 
place further limits on law enforcement access to data, and that 
also contain privacy and civil liberty protections. For instance, 
the Attorney General's Guidelines for Domestic Federal Bureau of 
Investigation (FBI) Operations (September 2008) (hereinafter AG FBI 
Guidelines), available at https://www.justice.gov/archive/opa/docs/guidelines.pdf, set limits on use of investigative means to seek 
information related to investigations that involve federal crimes. 
These guidelines require that the FBI use the least intrusive 
investigative methods feasible, taking into account the effect on 
privacy and civil liberties and the potential damage to reputation. 
Further, they note that ``it is axiomatic that the FBI must conduct 
its investigations and other activities in a lawful and reasonable 
manner that respects liberty and privacy and avoids unnecessary 
intrusions into the lives of law-abiding people.'' See AG FBI 
Guidelines at 5. The FBI has implemented these guidelines through 
the FBI Domestic Investigations and Operations Guide (DIOG), 
available at https://vault.fbi.gov/FBI%20Domestic%20Investigations 
%20and%20Operations%20Guide%20(DIOG), a comprehensive manual that 
includes detailed limits on use of investigative tools and guidance 
to assure that civil liberties and privacy are protected in every 
investigation. Additional rules and policies that prescribe 
limitations on the investigative activities of federal prosecutors 
are set out in the United States Attorneys' Manual (USAM), also 
available online at https://www.justice.gov/usam/united-states-attorneys-manual.

Civil and Regulatory Authorities (Public Interest):

    There are also significant limits on civil or regulatory (i.e., 
``public interest'') access to data held by corporations in the 
United States. Agencies with civil and regulatory responsibilities 
may issue subpoenas to corporations for business records, 
electronically stored information, or other tangible items. These 
agencies are limited in their exercise of administrative or civil 
subpoena authority not only by their organic statutes, but also by 
independent judicial review of subpoenas prior to potential judicial 
enforcement. See, e.g., Fed. R. Civ. P. 45. Agencies may seek access 
only to data that is relevant to matters within their scope of 
authority to regulate. Further, a recipient of an administrative 
subpoena may challenge the enforcement of that subpoena in court by 
presenting evidence that the agency has not acted in accordance with 
basic standards of reasonableness, as discussed earlier.
    There are other legal bases for companies to challenge data 
requests from administrative agencies based on their specific 
industries and the types of data they possess. For example, 
financial institutions can challenge administrative subpoenas 
seeking certain types of information as violations of the Bank 
Secrecy Act and its implementing regulations. See 31 U.S.C. 5318, 31 
CFR chapter X. Other businesses can rely on the Fair Credit 
Reporting Act, see 15 U.S.C. 1681b, or a host of other sector 
specific laws. Misuse of an agency's subpoena authority can result 
in agency liability, or personal liability for agency officers. See, 
e.g., Right to Financial Privacy Act, 12 U.S.C. 3401-3422. Courts in 
the United States thus stand as the guardians against improper 
regulatory requests and provide independent oversight of federal 
agency actions.
    Finally, any statutory power that administrative authorities 
have to physically seize records from a company in the United States 
pursuant to an administrative search must meet the requirements of 
the Fourth Amendment. See See v. City of Seattle, 387 U.S. 541 
(1967).

Conclusion

    All law enforcement and regulatory activities in the United 
States must conform to applicable law, including the U.S. 
Constitution, statutes, rules, and regulations. Such activities must 
also comply with applicable policies, including any Attorney General 
Guidelines governing federal law enforcement activities. The legal 
framework described above limits the ability of U.S. law enforcement 
and regulatory agencies to acquire information from corporations in 
the United States--whether the information concerns U.S. persons or 
citizens of foreign countries--and in addition permits judicial 
review of any government requests for data pursuant to these 
authorities.

Sincerely,
Bruce C. Swartz
Deputy Assistant Attorney General and Counselor for International 
Affairs

    Dated: July 25, 2016.
Edward M Dean,
Deputy Assistant Secretary for Services, International Trade 
Administration, U.S. Department of Commerce.
[FR Doc. 2016-17961 Filed 8-1-16; 8:45 am]
 BILLING CODE 3510-DR-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.