EU - U.S. Privacy Shield Ombudsperson

Date: 11/17/2016 Description: Privacy Shield Framework logo - State Dept Image

The Under Secretary of State for Economic Growth, Energy, and the Environment serves as the Privacy Shield Ombudsperson, a position dedicated to facilitating the processing of requests from EU individuals relating to national security access to data transmitted from the European Union to the United States. Applicable data transfers include those conducted pursuant to the EU-U.S. Privacy Shield Framework, standard contractual clauses (SCCs), binding corporate rules (BCRs), and “Derogations” or “Possible Future Derogations.” This role builds on the Under Secretary’s position under Presidential Policy Directive 28 as the Senior Coordinator for International Information Technology Diplomacy, which includes serving as a point of contact for foreign governments to raise concerns regarding signals intelligence activities conducted by the United States.

The Under Secretary reports directly to the Secretary of State and is independent from the Intelligence Community. To carry out the Ombudsperson duties, the Under Secretary works closely with other United States Government officials, including independent oversight bodies such as inspectors general and the Privacy and Civil Liberties Oversight Board, as appropriate, to ensure that completed requests are processed and resolved in accordance with applicable laws and policies.

Request Submission Process:

EU individuals submit a request via the EU designated individual complaint handling body. The EU authority confirms the identity of the requestor and verifies that the request fulfills the following criteria established in the Ombudsperson Mechanism:

  • the request is complete (see "Information to Include" section below);
  • the requestor is acting on his/her own behalf, and not as a representative of a governmental or intergovernmental organization;
  • the request pertains to data reasonably believed to have been transferred under the Privacy Shield; and
  • the request is not frivolous, vexatious, or made in bad faith.

If the EU determines that the request meets the criteria, the EU then transmits the request to the Ombudsperson. The Ombudsperson will transmit the review findings through the EU individual complaint handling body.

Information to Include:

Section 3.b of the Ombudsperson Mechanism specifies that requests must be made in writing and contain:

  • any information that forms the basis for the request;
  • a description of the nature of information or relief sought;
  • a list of United States Government entities believed to be involved (if any); and
  • any information about other measures pursued to obtain the information or relief requested and the response received through those other measures.

Information that forms the basis of the request should include unique identifiers associated with the types of communications an individual believes may have been accessed. For example, for concerns about email communications, a person will need to provide the relevant email addresses. Likewise, relevant telephone numbers must be provided if a person is concerned about telephone communications. Individuals can also include other information about the concerns that precipitated the request‎. Such information is requested in order to facilitate a precise and accurate review, and in general, more detailed requests may correspondingly enable a more detailed review.

A request does not need to demonstrate that the requester’s data has been accessed by the United States Government through signal intelligence activities.

Information submitted to the Ombudsperson as part of a request for review will not be used or retained for other purposes unless necessary to comply with applicable law. The EU does not need to forward information provided for verifying the identity of the requestor or an individual’s contact information.

Additional Resources:

Privacy Shield Website

Privacy Shield Framework Text

Ombudsperson Mechanism

Presidential Policy Directive 28

ODNI Office of Civil Liberties, Privacy, and Transparency

Privacy and Civil Liberties Oversight Board

Freedom of Information Act (FOIA)

Privacy Act

European Commission Privacy Shield website