Submitting and Investigating Complaints under Executive Order 14086
As we laid out in What’s Next for the New Executive Order and the DPRC?, Executive Order 14086 assigns various tasks that must be completed within specified deadlines. One of those is for the Office of the Director of National Intelligence (ODNI) to establish the process of submission of qualifying complaints by the appropriate public authority in a qualifying state within 60 days from the date of the order, or by December 6th, 2022. That task was completed on time, and the result published as Intelligence Community Directive 126, Implementation Procedures for the Signal Intelligence Redress Mechanism Under Executive Order 14056. (To learn more about how the ODNI establishes policies and standards for the Intelligence Community, see Intelligence Community Directive 101, Intelligence Community Policy System).
This blog post will walk through how the EU-US Data Privacy Framework’s complaint process will work under Intelligence Community Directive (ICD) 126.
Submission of Qualifying Complaint
After the Attorney General determines a qualifying state, there are several conditions a complainant must meet for the ODNI’s Civil Liberties Protection Officer (CLPO) to investigate a qualifying complaint. First, a complainant must submit a complaint in writing to the “appropriate public authority in a qualifying state” (“public authority”). The ICD defines this “as an entity that has been officially selected by the qualifying state to facilitate the consideration of qualifying complaints made with respect to data transfers from the qualifying state to the United States” (recall that a “regional economic integration organization” could also be a qualifying state).
Upon receiving the complaint, the public authority must verify the identity of the complainant, and provide the CLPO with a description of how they did so. In addition, the public authority must verify that the complaint satisfies the criteria for qualifying complaints under the Executive Order, as set forth in Section E.1.c.(1)-(7) of the ICD. In addition, the public authority must ensure that the complaint is transmitted to the CLPO in the English language.
These provisions highlight the role that qualifying states must play in the process. At the outset, they must identify the entity within their government that will receive, provide initial review, and transmit qualifying complaints. They must then establish verification processes and ensure the complaint is translated as necessary.
Once the CLPO has received the complaint, it must carry out its own determination, based on the information transmitted by the public authority, that the complaint meets all of the necessary requirements within 15 business days. If the CLPO decides that the complaint does not meet all of the requirements under Section E.1.c. or E.1.d., the CLPO will “provide written notification . . . to the public authority in a qualifying state of the deficiencies in the complaint.”
Parenthetically, it is worth pausing here to ask whether a negative determination at this stage might be considered “final agency action” that is subject to judicial review under the Administrative Procedures Act. The PAB team examined this issue in Can a Federal District Court Review the Decisions of the New Data Protection Review Court? Note that the complainant might well be able to show actual injury–and therefore establish standing–based on being denied the benefit of the redress mechanism.
If the complaint meets all of the requirements, the CLPO will provide written notification via encrypted electronic communication stating the “qualifying complaint has been submitted and that an investigation will commence.” Following notification of the complaint’s status to the public authority, the CLPO will provide an unclassified record of the complaint that provides only the identity of the complaint to the Department of Commerce and Data Protection Review Court within 10 business days. All submitted complaints will be stored in a “secure and classified electronic repository.
Investigation and Review of Qualifying Complaint
The CLPO will investigate the qualifying complaint by “gathering information necessary to complete the review, to include, where appropriate, a description of the search parameters used to identify such information and written confirmation when no such information is identified.” Additional investigative measures are outlined in Section E.2.a.2. and Section E.2.a.3. Further, the CLPO will “request the Privacy and Civil Liberties Officers of the relevant IC elements” to provide information that will support the CLPO’s investigation of the qualifying complaint.
If the CLPO finds a covered violation occurred, it will “determine the appropriate remediation” and each IC element and agency containing an element of the IC will comply with the CLPO’s remediation. The CLPO “shall produce a classified written decision explaining the basis for the CLPO’s factual findings, determination with respect to whether a covered violation occurred, and determination of the appropriate remediation in the event of a covered violation.” The classified written decision, records obtained during the course of investigation, and other relevant information will “constitute a classified ex parte record of review.”
Transmittal of Review of Qualifying Complaint
Once the CLPO completes its review of the qualifying complaint, it will inform the complainant through the public authority that: “The review either did not identify any covered violations or the Civil Liberties Protection Officer of the Office of the Director of National Intelligence issued a determination requiring appropriate remediation.” The CLPO will not confirm whether the complainant was subject to United States signals intelligence activities.
It is helpful to note here the role this notification plays in the redress mechanism. It communicates to the complainant, the public authority, and the agencies involved that the CLPO has completed the investigative steps outlined in the ICD and that remedial measures, as appropriate, have been carried out. These steps include not only the investigation of the complaint and the execution of remediation measures, but also the compilation of the formal investigative record. It is this record that will then be subject to review by the Data Protection Review Court. It is also helpful to recall that under the Executive Order, the entire redress process, including the CLPO’s execution of its duties under the ICD, are subject to independent oversight by the Privacy and Civil Liberties Oversight Board.
Data Protection Review Court
If the complainant or IC element appeals the CLPO’s decision, the CLPO will submit the classified ex parte record of review and other “necessary support” to the Data Protection Review Court (“DPRC”). If the DPRC finds a decision contrary to the CLPO’s determination, the CLPO will support the DPRC and “shall consult with relevant IC elements and provide views to the Data Protection Review Court regarding the alternative appropriate remediation, to include an assessment of the impacts of such alternative appropriate remediation on the operations of the IC and the national security of the United States.”
ICD 126 sets forth detailed implementation procedures that clearly lay out the CLPO’s important new role in investigating and remediating complaints.