Executive Order (EO) 14086 establishes an innovative two-tier redress mechanism for individuals with “qualifying complaints” about U.S. signals intelligence activities. One aspect of this mechanism has generated controversy: notification.
EO 14086 requires that notification be provided “without confirming or denying that the complainant was subject to United States signals intelligence activities” (section 3(c)(i)(E)). In addition, the EO provides that the notification will state: “the review either did not identify any covered violations or the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence (ODNI) issued a determination requiring appropriate remediation.” (I served for 14 years as the CLPO for the ODNI; I share what I learned about the national security legal framework in Protecting Privacy and Promoting Transparency in a Time of Change: My Perspective after 14 Years as Civil Liberties Protection Officer.)
On February 14, the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs (the LIBE Committee) published a draft resolution urging the EC not to adopt the draft adequacy decision. In its draft resolution, the LIBE Committee “points out that the redress process provided by the EO is based on secrecy and does not set up an obligation to notify the complainant that their personal data has been processed, thereby undermining their right to access or rectify their data” (para. 5).
In “Without Confirming or Denying”: Opaque Notification and National Security Redress, we examine this issue in depth. The paper finds that this kind of opacity is consistent with legal norms in both the United States and Europe for national security redress mechanisms. In the U.S., this is known as a “Glomar response” and has been accepted as legally valid by U.S. courts “if the fact of the existence or nonexistence of agency records [is itself classified]” (Wolf v. C.I.A., 473 F.3d 370, 374 (D.C. Cir. 2007)). In the European Union, the European Data Protection Board’s European Essential Guarantees for Surveillance Measures points out that “notification of persons whose data has been collected or analysed must occur only to the extent that and as soon as the notification no longer jeopardizes the tasks for which those authorities are responsible” (para. 44).
Notification nonetheless plays an important role in the new redress mechanism. When a complaint is submitted, the new EO requires the CLPO to conduct an in-depth investigation that dives into classified information (EO 14086 section 3(e)). The CLPO’s notification signals the end of its phase in the process and triggers the complainant’s right to request a review by the Data Protection Review Court (DPRC) (section 3(c)(i)(E)). The DPRC in turn appoints a Special Advocate and conducts its own examination of the CLPO’s investigation, taking into account submissions from the complainant as well as the Special Advocate (28 C.F.R. Part 201). Once it reaches its final, binding decision (which can include mandatory remediation), the DPRC issues a notification that states “[t]he review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation” (section 201.9). This notification is “final agency action”—a legal term of art under U.S. law that could trigger judicial review in U.S. federal district court, as the Privacy Across Borders team discussed in detail in Judicial Review of the Determinations of the New Data Protection Review Court Under the Administrative Procedure Act.
The fact that the record pertaining to a complaint is classified when prepared is not the end of the story. EO 14086 expressly contemplates that the record may be declassified, and if so, directs that the complainant be so notified (section 3(d)(v)). As we explained in Redress: What is the problem?, once notified of surveillance an individual can establish “standing” and bring a case in federal district court.
How might such information be declassified? In the U.S., classification is governed by Executive Order 13526, Classified National Security Information. The Order provides that “in no case shall information be classified, continue to be maintained as classified, or fail to be declassified in order to” “conceal violations of law, inefficiency, or administrative error” (section 1.7). The Order makes clear that “[n]o information may remain classified indefinitely” (section 1.5(d)) and specifies that “[i]nformation shall be declassified as soon as it no longer meets the standards for classification under this order” (section 3.1).
The paper discusses formal declassification avenues in detail. First, even if information continues to meet classification standards, the appropriate authority may choose to declassify information in the public interest (section 3.1(d)). The DNI has used this authority to declassify certain documents now posted on IC on the Record. Second, EO 13526 provides that persons can seek information and documents from federal agencies through a “mandatory declassification review” (MDR) request and directs agencies conducting a mandatory review to “declassify information that no longer meets the standards for classification under this order” (section 3.5(c)). Requestors who are not satisfied with an agency declassification determination may appeal it to the Interagency Security Classification Appeals Panel (ISCAP) (section 3.5(f), section 5.3). Open government advocates have praised this panel for being willing to overturn agency decisions. According to one noted advocate, this panel’s record for overturning agency classification decisions is a “phenomenal record [that] deserves more consideration than it has received to date” (pp. 525-526). Although the MDR avenue is limited to U.S. persons, U.S. entities such as the CLPO, the DPRC, the Special Advocate, or the Secretary of Commerce could seek the declassification of these records. Note that declassification does not necessarily equate with public release; once declassified, the release of the records to the complainant could occur without broader publication.
In addition, EO 13526 provides for internal challenges to classification decisions. It specifies that “[a]uthorized holders of information who, in good faith, believe that its classification status is improper are encouraged and expected to challenge the classification status of the information,” with the ability to appeal to the ISCAP (section 1.8). Given that both the CLPO and the DPRC are “authorized holders of information,” they are well-positioned to challenge classification decisions that they believe to be improper.
The paper outlines additional transparency avenues, such as the CLPO’s existing legal obligation to prepare a public semiannual report relating to its investigation of complaints and the Privacy and Civil Liberties Oversight Board’s annual report on the redress mechanism (EO 14086 section 3(e)).
In short, under existing law, notification can occur once doing so “no longer jeopardizes the tasks for which those authorities are responsible.” The standard for notification under U.S. law is therefore effectively the same as that under EU law.