[Federal Register Volume 87, Number 198 (Friday, October 14, 2022)]
[Presidential Documents]
[Pages 62283-62297]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-22531]
�
�
� Presidential Documents
�
�
��Federal Register / Vol. 87, No. 198 / Friday, October 14, 2022 /
Presidential Documents��
�___________________________________________________________________
�Title 3--
�The President
[[Page 62283]]
Executive Order 14086 of October 7, 2022
Enhancing Safeguards for United States Signals
Intelligence Activities
By the authority vested in me as President by the
Constitution and the laws of the United States of
America, it is hereby ordered as follows:
Section 1. Purpose. The United States collects signals
intelligence so that its national security
decisionmakers have access to the timely, accurate, and
insightful information necessary to advance the
national security interests of the United States and to
protect its citizens and the citizens of its allies and
partners from harm. Signals intelligence capabilities
are a major reason we have been able to adapt to a
dynamic and challenging security environment, and the
United States must preserve and continue to develop
robust and technologically advanced signals
intelligence capabilities to protect our security and
that of our allies and partners. At the same time, the
United States recognizes that signals intelligence
activities must take into account that all persons
should be treated with dignity and respect, regardless
of their nationality or wherever they might reside, and
that all persons have legitimate privacy interests in
the handling of their personal information. Therefore,
this order establishes safeguards for such signals
intelligence activities.
Sec. 2. Signals Intelligence Activities.
(a) Principles. Signals intelligence activities
shall be authorized and conducted consistent with the
following principles:
(i) Signals intelligence activities shall be authorized by statute or by
Executive Order, proclamation, or other Presidential directive and
undertaken in accordance with the Constitution and with applicable statutes
and Executive Orders, proclamations, and other Presidential directives.
(ii) Signals intelligence activities shall be subject to appropriate
safeguards, which shall ensure that privacy and civil liberties are
integral considerations in the planning and implementation of such
activities so that:
(A) signals intelligence activities shall be conducted only following a
determination, based on a reasonable assessment of all relevant factors,
that the activities are necessary to advance a validated intelligence
priority, although signals intelligence does not have to be the sole means
available or used for advancing aspects of the validated intelligence
priority; and
(B) signals intelligence activities shall be conducted only to the extent
and in a manner that is proportionate to the validated intelligence
priority for which they have been authorized, with the aim of achieving a
proper balance between the importance of the validated intelligence
priority being advanced and the impact on the privacy and civil liberties
of all persons, regardless of their nationality or wherever they might
reside.
(iii) Signals intelligence activities shall be subjected to rigorous
oversight in order to ensure that they comport with the principles
identified above.
(b) Objectives. Signals intelligence collection
activities shall be conducted in pursuit of legitimate
objectives.
(i) Legitimate objectives.
(A) Signals intelligence collection activities shall be conducted only in
pursuit of one or more of the following objectives:
[[Page 62284]]
(1) understanding or assessing the capabilities, intentions, or activities
of a foreign government, a foreign military, a faction of a foreign nation,
a foreign-based political organization, or an entity acting on behalf of or
controlled by any such foreign government, military, faction, or political
organization, in order to protect the national security of the United
States and of its allies and partners;
(2) understanding or assessing the capabilities, intentions, or activities
of foreign organizations, including international terrorist organizations,
that pose a current or potential threat to the national security of the
United States or of its allies or partners;
(3) understanding or assessing transnational threats that impact global
security, including climate and other ecological change, public health
risks, humanitarian threats, political instability, and geographic rivalry;
(4) protecting against foreign military capabilities and activities;
(5) protecting against terrorism, the taking of hostages, and the holding
of individuals captive (including the identification, location, and rescue
of hostages and captives) conducted by or on behalf of a foreign
government, foreign organization, or foreign person;
(6) protecting against espionage, sabotage, assassination, or other
intelligence activities conducted by, on behalf of, or with the assistance
of a foreign government, foreign organization, or foreign person;
(7) protecting against threats from the development, possession, or
proliferation of weapons of mass destruction or related technologies and
threats conducted by, on behalf of, or with the assistance of a foreign
government, foreign organization, or foreign person;
(8) protecting against cybersecurity threats created or exploited by, or
malicious cyber activities conducted by or on behalf of, a foreign
government, foreign organization, or foreign person;
(9) protecting against threats to the personnel of the United States or of
its allies or partners;
(10) protecting against transnational criminal threats, including illicit
finance and sanctions evasion related to one or more of the other
objectives identified in subsection (b)(i) of this section;
(11) protecting the integrity of elections and political processes,
government property, and United States infrastructure (both physical and
electronic) from activities conducted by, on behalf of, or with the
assistance of a foreign government, foreign organization, or foreign
person; and
(12) advancing collection or operational capabilities or activities in
order to further a legitimate objective identified in subsection (b)(i) of
this section.
(B) The President may authorize updates to the list of objectives in
light of new national security imperatives, such as new or heightened
threats to the national security of the United States, for which the
President determines that signals intelligence collection activities may be
used. The Director of National Intelligence (Director) shall publicly
release any updates to the list of objectives authorized by the President,
unless the President determines that doing so would pose a risk to the
national security of the United States.
(ii) Prohibited objectives.
(A) Signals intelligence collection activities shall not be conducted for
the purpose of:
(1) suppressing or burdening criticism, dissent, or the free expression of
ideas or political opinions by individuals or the press;
(2) suppressing or restricting legitimate privacy interests;
(3) suppressing or restricting a right to legal counsel; or
(4) disadvantaging persons based on their ethnicity, race, gender, gender
identity, sexual orientation, or religion.
(B) It is not a legitimate objective to collect foreign private
commercial information or trade secrets to afford a competitive advantage
to United States companies and United States business sectors commercially.
The
[[Page 62285]]
collection of such information is authorized only to protect the national
security of the United States or of its allies or partners.
(iii) Validation of signals intelligence collection priorities.
(A) Under section 102A of the National Security Act of 1947, as amended
(50 U.S.C. 3024), the Director must establish priorities for the
Intelligence Community to ensure the timely and effective collection of
national intelligence, including national intelligence collected through
signals intelligence. The Director does this through the National
Intelligence Priorities Framework (NIPF), which the Director maintains and
presents to the President, through the Assistant to the President for
National Security Affairs, on a regular basis. In order to ensure that
signals intelligence collection activities are undertaken to advance
legitimate objectives, before presenting the NIPF or any successor
framework that identifies intelligence priorities to the President, the
Director shall obtain from the Civil Liberties Protection Officer of the
Office of the Director of National Intelligence (CLPO) an assessment as to
whether, with regard to anticipated signals intelligence collection
activities, each of the intelligence priorities identified in the NIPF or
successor framework:
(1) advances one or more of the legitimate objectives set forth in
subsection (b)(i) of this section;
(2) neither was designed nor is anticipated to result in signals
intelligence collection in contravention of the prohibited objectives set
forth in subsection (b)(ii) of this section; and
(3) was established after appropriate consideration for the privacy and
civil liberties of all persons, regardless of their nationality or wherever
they might reside.
(B) If the Director disagrees with any aspect of the CLPO's assessment
with respect to any of the intelligence priorities identified in the NIPF
or successor framework, the Director shall include the CLPO's assessment
and the Director's views when presenting the NIPF to the President.
(c) Privacy and civil liberties safeguards. The
following safeguards shall fulfill the principles
contained in subsections (a)(ii) and (a)(iii) of this
section.
(i) Collection of signals intelligence.
(A) The United States shall conduct signals intelligence collection
activities only following a determination that a specific signals
intelligence collection activity, based on a reasonable assessment of all
relevant factors, is necessary to advance a validated intelligence
priority, although signals intelligence does not have to be the sole means
available or used for advancing aspects of the validated intelligence
priority; it could be used, for example, to ensure alternative pathways for
validation or for maintaining reliable access to the same information. In
determining whether to collect signals intelligence consistent with this
principle, the United States--through an element of the Intelligence
Community or through an interagency committee consisting in whole or in
part of the heads of elements of the Intelligence Community, the heads of
departments containing such elements, or their designees--shall consider
the availability, feasibility, and appropriateness of other less intrusive
sources and methods for collecting the information necessary to advance a
validated intelligence priority, including from diplomatic and public
sources, and shall prioritize such available, feasible, and appropriate
alternatives to signals intelligence.
(B) Signals intelligence collection activities shall be as tailored as
feasible to advance a validated intelligence priority and, taking due
account of relevant factors, not disproportionately impact privacy and
civil liberties. Such factors may include, depending on the circumstances,
the nature of the pursued objective; the feasible steps taken to limit the
scope of the collection to the authorized purpose; the intrusiveness of the
collection activity, including its duration; the probable contribution of
the collection to the objective pursued; the reasonably foreseeable
consequences to individuals, including unintended third parties; the nature
and sensitivity
[[Page 62286]]
of the data to be collected; and the safeguards afforded to the information
collected.
(C) For purposes of subsection (c)(i) of this section, the scope of a
specific signals intelligence collection activity may include, for example,
a specific line of effort or target, as appropriate.
(ii) Bulk collection of signals intelligence.
(A) Targeted collection shall be prioritized. The bulk collection of
signals intelligence shall be authorized only based on a determination--by
an element of the Intelligence Community or through an interagency
committee consisting in whole or in part of the heads of elements of the
Intelligence Community, the heads of departments containing such elements,
or their designees--that the information necessary to advance a validated
intelligence priority cannot reasonably be obtained by targeted collection.
When it is determined to be necessary to engage in bulk collection in order
to advance a validated intelligence priority, the element of the
Intelligence Community shall apply reasonable methods and technical
measures in order to limit the data collected to only what is necessary to
advance a validated intelligence priority, while minimizing the collection
of non-pertinent information.
(B) Each element of the Intelligence Community that collects signals
intelligence through bulk collection shall use such information only in
pursuit of one or more of the following objectives:
(1) protecting against terrorism, the taking of hostages, and the holding
of individuals captive (including the identification, location, and rescue
of hostages and captives) conducted by or on behalf of a foreign
government, foreign organization, or foreign person;
(2) protecting against espionage, sabotage, assassination, or other
intelligence activities conducted by, on behalf of, or with the assistance
of a foreign government, foreign organization, or foreign person;
(3) protecting against threats from the development, possession, or
proliferation of weapons of mass destruction or related technologies and
threats conducted by, on behalf of, or with the assistance of a foreign
government, foreign organization, or foreign person;
(4) protecting against cybersecurity threats created or exploited by, or
malicious cyber activities conducted by or on behalf of, a foreign
government, foreign organization, or foreign person;
(5) protecting against threats to the personnel of the United States or of
its allies or partners; and
(6) protecting against transnational criminal threats, including illicit
finance and sanctions evasion related to one or more of the other
objectives identified in subsection (c)(ii) of this section.
(C) The President may authorize updates to the list of objectives in
light of new national security imperatives, such as new or heightened
threats to the national security of the United States, for which the
President determines that bulk collection may be used. The Director shall
publicly release any updates to the list of objectives authorized by the
President, unless the President determines that doing so would pose a risk
to the national security of the United States.
(D) In order to minimize any impact on privacy and civil liberties, a
targeted signals intelligence collection activity that temporarily uses
data acquired without discriminants (for example, without specific
identifiers or selection terms) shall be subject to the safeguards
described in this subsection, unless such data is:
(1) used only to support the initial technical phase of the targeted
signals intelligence collection activity;
(2) retained for only the short period of time required to complete this
phase; and
(3) thereafter deleted.
(iii) Handling of personal information collected through signals
intelligence.
[[Page 62287]]
(A) Minimization. Each element of the Intelligence Community that handles
personal information collected through signals intelligence shall establish
and apply policies and procedures designed to minimize the dissemination
and retention of personal information collected through signals
intelligence.
(1) Dissemination. Each element of the Intelligence Community that handles
personal information collected through signals intelligence:
(a) shall disseminate non-United States persons'
personal information collected through signals
intelligence only if it involves one or more of the
comparable types of information that section 2.3 of
Executive Order 12333 of December 4, 1981 (United
States Intelligence Activities), as amended, states
may be disseminated in the case of information
concerning United States persons;
(b) shall not disseminate personal information
collected through signals intelligence solely
because of a person's nationality or country of
residence;
(c) shall disseminate within the United States
Government personal information collected through
signals intelligence only if an authorized and
appropriately trained individual has a reasonable
belief that the personal information will be
appropriately protected and that the recipient has
a need to know the information;
(d) shall take due account of the purpose of the
dissemination, the nature and extent of the
personal information being disseminated, and the
potential for harmful impact on the person or
persons concerned before disseminating personal
information collected through signals intelligence
to recipients outside the United States Government,
including to a foreign government or international
organization; and
(e) shall not disseminate personal information
collected through signals intelligence for the
purpose of circumventing the provisions of this
order.
(2) Retention. Each element of the Intelligence Community that handles
personal information collected through signals intelligence:
(a) shall retain non-United States persons'
personal information collected through signals
intelligence only if the retention of comparable
information concerning United States persons would
be permitted under applicable law and shall subject
such information to the same retention periods that
would apply to comparable information concerning
United States persons;
(b) shall subject non-United States persons'
personal information collected through signals
intelligence for which no final retention
determination has been made to the same temporary
retention periods that would apply to comparable
information concerning United States persons; and
(c) shall delete non-United States persons'
personal information collected through signals
intelligence that may no longer be retained in the
same manner that comparable information concerning
United States persons would be deleted.
(B) Data security and access. Each element of the Intelligence Community
that handles personal information collected through signals intelligence:
(1) shall process and store personal information collected through signals
intelligence under conditions that provide appropriate protection and
prevent access by unauthorized persons, consistent with the applicable
safeguards for sensitive information contained in relevant Executive
Orders, proclamations, other Presidential directives, Intelligence
Community directives, and associated policies;
(2) shall limit access to such personal information to authorized personnel
who have a need to know the information to perform their mission and have
received appropriate training on the requirements of applicable United
States law, as described in policies and procedures issued under subsection
(c)(iv) of this section; and
[[Page 62288]]
(3) shall ensure that personal information collected through signals
intelligence for which no final retention determination has been made is
accessed only in order to make or support such a determination or to
conduct authorized administrative, testing, development, security, or
oversight functions.
(C) Data quality. Each element of the Intelligence Community that handles
personal information collected through signals intelligence shall include
such personal information in intelligence products only as consistent with
applicable Intelligence Community standards for accuracy and objectivity,
with a focus on applying standards relating to the quality and reliability
of the information, consideration of alternative sources of information and
interpretations of data, and objectivity in performing analysis.
(D) Queries of bulk collection. Each element of the Intelligence
Community that conducts queries of unminimized signals intelligence
obtained by bulk collection shall do so consistent with the permissible
uses of signals intelligence obtained by bulk collection identified in
subsection (c)(ii)(B) of this section and according to policies and
procedures issued under subsection (c)(iv) of this section, which shall
appropriately take into account the impact on the privacy and civil
liberties of all persons, regardless of their nationality or wherever they
might reside.
(E) Documentation. In order to facilitate the oversight processes set
forth in subsection (d) of this section and the redress mechanism set forth
in section 3 of this order, each element of the Intelligence Community that
engages in signals intelligence collection activities shall maintain
documentation to the extent reasonable in light of the nature and type of
collection at issue and the context in which it is collected. The content
of any such documentation may vary based on the circumstances but shall, to
the extent reasonable, provide the factual basis pursuant to which the
element of the Intelligence Community, based on a reasonable assessment of
all relevant factors, assesses that the signals intelligence collection
activity is necessary to advance a validated intelligence priority.
(iv) Update and publication of policies and procedures. The head of each
element of the Intelligence Community:
(A) shall continue to use the policies and procedures issued pursuant to
Presidential Policy Directive 28 of January 17, 2014 (Signals Intelligence
Activities) (PPD-28), until they are updated pursuant to subsection
(c)(iv)(B) of this section;
(B) shall, within 1 year of the date of this order, in consultation with
the Attorney General, the CLPO, and the Privacy and Civil Liberties
Oversight Board (PCLOB), update those policies and procedures as necessary
to implement the privacy and civil liberties safeguards in this order; and
(C) shall, within 1 year of the date of this order, release these
policies and procedures publicly to the maximum extent possible, consistent
with the protection of intelligence sources and methods, in order to
enhance the public's understanding of, and to promote public trust in, the
safeguards pursuant to which the United States conducts signals
intelligence activities.
(v) Review by the PCLOB.
(A) Nature of review. Consistent with applicable law, the PCLOB is
encouraged to conduct a review of the updated policies and procedures
described in subsection (c)(iv)(B) of this section once they have been
issued to ensure that they are consistent with the enhanced safeguards
contained in this order.
(B) Consideration of review. Within 180 days of completion of any review
by the PCLOB described in subsection (c)(v)(A) of this section, the head of
each element of the Intelligence Community shall carefully consider and
shall implement or otherwise address all recommendations contained in such
review, consistent with applicable law.
[[Page 62289]]
(d) Subjecting signals intelligence activities to
rigorous oversight. The actions directed in this
subsection are designed to build on the oversight
mechanisms that elements of the Intelligence Community
already have in place, in order to further ensure that
signals intelligence activities are subjected to
rigorous oversight.
(i) Legal, oversight, and compliance officials. Each element of the
Intelligence Community that collects signals intelligence:
(A) shall have in place senior-level legal, oversight, and compliance
officials who conduct periodic oversight of signals intelligence
activities, including an Inspector General, a Privacy and Civil Liberties
Officer, and an officer or officers in a designated compliance role with
the authority to conduct oversight of and ensure compliance with applicable
United States law;
(B) shall provide such legal, oversight, and compliance officials access
to all information pertinent to carrying out their oversight
responsibilities under this subsection, consistent with the protection of
intelligence sources or methods, including their oversight responsibilities
to ensure that any appropriate actions are taken to remediate an incident
of non-compliance with applicable United States law; and
(C) shall not take any actions designed to impede or improperly influence
such legal, oversight, and compliance officials in carrying out their
oversight responsibilities under this subsection.
(ii) Training. Each element of the Intelligence Community shall maintain
appropriate training requirements to ensure that all employees with access
to signals intelligence know and understand the requirements of this order
and the policies and procedures for reporting and remediating incidents of
non-compliance with applicable United States law.
(iii) Significant incidents of non-compliance.
(A) Each element of the Intelligence Community shall ensure that, if a
legal, oversight, or compliance official, as described in subsection (d)(i)
of this section, or any other employee, identifies a significant incident
of non-compliance with applicable United States law, the incident is
reported promptly to the head of the element of the Intelligence Community,
the head of the executive department or agency (agency) containing the
element of the Intelligence Community (to the extent relevant), and the
Director.
(B) Upon receipt of such report, the head of the element of the
Intelligence Community, the head of the agency containing the element of
the Intelligence Community (to the extent relevant), and the Director shall
ensure that any necessary actions are taken to remediate and prevent the
recurrence of the significant incident of non-compliance.
(e) Savings clause. Provided the signals
intelligence collection is conducted consistent with
and in the manner prescribed by this section of this
order, this order does not limit any signals
intelligence collection technique authorized under the
National Security Act of 1947, as amended (50 U.S.C.
3001 et seq.), the Foreign Intelligence Surveillance
Act of 1978, as amended (50 U.S.C. 1801 et seq.)
(FISA), Executive Order 12333, or other applicable law
or Presidential directive.
Sec. 3. Signals Intelligence Redress Mechanism.
(a) Purpose. This section establishes a redress
mechanism to review qualifying complaints transmitted
by the appropriate public authority in a qualifying
state concerning United States signals intelligence
activities for any covered violation of United States
law and, if necessary, appropriate remediation.
(b) Process for submission of qualifying
complaints. Within 60 days of the date of this order,
the Director, in consultation with the Attorney General
and the heads of elements of the Intelligence Community
that collect or
[[Page 62290]]
handle personal information collected through signals
intelligence, shall establish a process for the
submission of qualifying complaints transmitted by the
appropriate public authority in a qualifying state.
(c) Initial investigation of qualifying complaints
by the CLPO.
(i) Establishment. The Director, in consultation with the Attorney General,
shall establish a process that authorizes the CLPO to investigate, review,
and, as necessary, order appropriate remediation for qualifying complaints.
This process shall govern how the CLPO will review qualifying complaints in
a manner that protects classified or otherwise privileged or protected
information and shall ensure, at a minimum, that for each qualifying
complaint the CLPO shall:
(A) review information necessary to investigate the qualifying complaint;
(B) exercise its statutory and delegated authority to determine whether
there was a covered violation by:
(i) taking into account both relevant national security interests and
applicable privacy protections;
(ii) giving appropriate deference to any relevant determinations made by
national security officials; and
(iii) applying the law impartially;
(C) determine the appropriate remediation for any covered violation;
(D) provide a classified report on information indicating a violation of
any authority subject to the oversight of the Foreign Intelligence
Surveillance Court (FISC) to the Assistant Attorney General for National
Security, who shall report violations to the FISC in accordance with its
rules of procedure;
(E) after the review is completed, inform the complainant, through the
appropriate public authority in a qualifying state and without confirming
or denying that the complainant was subject to United States signals
intelligence activities, that:
(1) ``the review either did not identify any covered violations or the
Civil Liberties Protection Officer of the Office of the Director of
National Intelligence issued a determination requiring appropriate
remediation'';
(2) the complainant or an element of the Intelligence Community may, as
prescribed in the regulations issued by the Attorney General pursuant to
section 3(d)(i) of this order, apply for review of the CLPO's
determinations by the Data Protection Review Court described in subsection
(d) of this section; and
(3) if either the complainant or an element of the Intelligence Community
applies for review by the Data Protection Review Court, a special advocate
will be selected by the Data Protection Review Court to advocate regarding
the complainant's interest in the matter;
(F) maintain appropriate documentation of its review of the qualifying
complaint and produce a classified decision explaining the basis for its
factual findings, determination with respect to whether a covered violation
occurred, and determination of the appropriate remediation in the event
there was such a violation, consistent with its statutory and delegated
authority;
(G) prepare a classified ex parte record of review, which shall consist
of the appropriate documentation of its review of the qualifying complaint
and the classified decision described in subsection (c)(i)(F) of this
section; and
(H) provide any necessary support to the Data Protection Review Court.
(ii) Binding effect. Each element of the Intelligence Community, and each
agency containing an element of the Intelligence Community, shall comply
with any determination by the CLPO to undertake appropriate remediation
[[Page 62291]]
pursuant to subsection (c)(i)(C) of this section, subject to any contrary
determination by the Data Protection Review Court.
(iii) Assistance. Each element of the Intelligence Community shall provide
the CLPO with access to information necessary to conduct the reviews
described in subsection (c)(i) of this section, consistent with the
protection of intelligence sources and methods, and shall not take any
actions designed to impede or improperly influence the CLPO's reviews.
Privacy and civil liberties officials within elements of the Intelligence
Community shall also support the CLPO as it performs the reviews described
in subsection (c)(i) of this section.
(iv) Independence. The Director shall not interfere with a review by the
CLPO of a qualifying complaint under subsection (c)(i) of this section; nor
shall the Director remove the CLPO for any actions taken pursuant to this
order, except for instances of misconduct, malfeasance, breach of security,
neglect of duty, or incapacity.
(d) Data Protection Review Court.
(i) Establishment. The Attorney General is authorized to and shall
establish a process to review determinations made by the CLPO under
subsection (c)(i) of this section. In exercising that authority, the
Attorney General shall, within 60 days of the date of this order,
promulgate regulations establishing a Data Protection Review Court to
exercise the Attorney General's authority to review such determinations.
These regulations shall, at a minimum, provide that:
(A) The Attorney General, in consultation with the Secretary of Commerce,
the Director, and the PCLOB, shall appoint individuals to serve as judges
on the Data Protection Review Court, who shall be legal practitioners with
appropriate experience in the fields of data privacy and national security
law, giving weight to individuals with prior judicial experience, and who
shall not be, at the time of their initial appointment, employees of the
United States Government. During their term of appointment on the Data
Protection Review Court, such judges shall not have any official duties or
employment within the United States Government other than their official
duties and employment as judges on the Data Protection Review Court.
(B) Upon receipt of an application for review filed by the complainant or
an element of the Intelligence Community of a determination made by the
CLPO under subsection (c) of this section, a three-judge panel of the Data
Protection Review Court shall be convened to review the application.
Service on the Data Protection Review Court panel shall require that the
judge hold the requisite security clearances to access classified national
security information.
(C) Upon being convened, the Data Protection Review Court panel shall
select a special advocate through procedures prescribed in the Attorney
General's regulations. The special advocate shall assist the panel in its
consideration of the application for review, including by advocating
regarding the complainant's interest in the matter and ensuring that the
Data Protection Review Court panel is well informed of the issues and the
law with respect to the matter. Service as a special advocate shall require
that the special advocate hold the requisite security clearances to access
classified national security information and to adhere to restrictions
prescribed in the Attorney General's regulations on communications with the
complainant to ensure the protection of classified or otherwise privileged
or protected information.
(D) The Data Protection Review Court panel shall impartially review the
determinations made by the CLPO with respect to whether a covered violation
occurred and the appropriate remediation in the event there was such a
violation. The review shall be based at a minimum on the classified ex
parte record of review described in subsection (c)(i)(F) of this section
and information or submissions provided by the complainant,
[[Page 62292]]
the special advocate, or an element of the Intelligence Community. In
reviewing determinations made by the CLPO, the Data Protection Review Court
panel shall be guided by relevant decisions of the United States Supreme
Court in the same way as are courts established under Article III of the
United States Constitution, including those decisions regarding appropriate
deference to relevant determinations of national security officials.
(E) In the event that the Data Protection Review Court panel disagrees
with any of the CLPO's determinations with respect to whether a covered
violation occurred or the appropriate remediation in the event there was
such a violation, the panel shall issue its own determinations.
(F) The Data Protection Review Court panel shall provide a classified
report on information indicating a violation of any authority subject to
the oversight of the FISC to the Assistant Attorney General for National
Security, who shall report violations to the FISC in accordance with its
rules of procedure.
(G) After the review is completed, the CLPO shall be informed of the Data
Protection Review Court panel's determinations through procedures
prescribed by the Attorney General's regulations.
(H) After a review is completed in response to a complainant's
application for review, the Data Protection Review Court, through
procedures prescribed by the Attorney General's regulations, shall inform
the complainant, through the appropriate public authority in a qualifying
state and without confirming or denying that the complainant was subject to
United States signals intelligence activities, that ``the review either did
not identify any covered violations or the Data Protection Review Court
issued a determination requiring appropriate remediation.''
(ii) Binding effect. Each element of the Intelligence Community, and each
agency containing an element of the Intelligence Community, shall comply
with any determination by a Data Protection Review Court panel to undertake
appropriate remediation.
(iii) Assistance. Each element of the Intelligence Community shall provide
the CLPO with access to information necessary to conduct the review
described in subsection (d)(i) of this section, consistent with the
protection of intelligence sources and methods, that a Data Protection
Review Court panel requests from the CLPO and shall not take any actions
for the purpose of impeding or improperly influencing a panel's review.
(iv) Independence. The Attorney General shall not interfere with a review
by a Data Protection Review Court panel of a determination the CLPO made
regarding a qualifying complaint under subsection (c)(i) of this section;
nor shall the Attorney General remove any judges appointed as provided in
subsection (d)(i)(A) of this section, or remove any judge from service on a
Data Protection Review Court panel, except for instances of misconduct,
malfeasance, breach of security, neglect of duty, or incapacity, after
taking due account of the standards in the Rules for Judicial-Conduct and
Judicial-Disability Proceedings promulgated by the Judicial Conference of
the United States pursuant to the Judicial Conduct and Disability Act (28
U.S.C. 351 et seq.).
(v) Record of determinations. For each qualifying complaint transmitted by
the appropriate public authority in a qualifying state, the Secretary of
Commerce shall:
(A) maintain a record of the complainant who submitted such complaint;
(B) not later than 5 years after the date of this order and no less than
every 5 years thereafter, contact the relevant element or elements of the
Intelligence Community regarding whether information pertaining to the
review of such complaint by the CLPO has been declassified and whether
information pertaining to the review of any application for review
submitted to the Data Protection Review Court has been declassified,
[[Page 62293]]
including whether an element of the Intelligence Community filed an
application for review with the Data Protection Review Court; and
(C) if informed that such information has been declassified, notify the
complainant, through the appropriate public authority in a qualifying
state, that information pertaining to the review of their complaint by the
CLPO or to the review of any application for review submitted to the Data
Protection Review Court may be available under applicable law.
(e) Annual review by PCLOB of redress process.
(i) Nature of review. Consistent with applicable law, the PCLOB is
encouraged to conduct an annual review of the processing of qualifying
complaints by the redress mechanism established by section 3 of this order,
including whether the CLPO and the Data Protection Review Court processed
qualifying complaints in a timely manner; whether the CLPO and the Data
Protection Review Court are obtaining full access to necessary information;
whether the CLPO and the Data Protection Review Court are operating
consistent with this order; whether the safeguards established by section 2
of this order are properly considered in the processes of the CLPO and the
Data Protection Review Court; and whether the elements of the Intelligence
Community have fully complied with determinations made by the CLPO and the
Data Protection Review Court.
(ii) Assistance. The Attorney General, the CLPO, and the elements of the
Intelligence Community shall provide the PCLOB with access to information
necessary to conduct the review described in subsection (e)(i) of this
section, consistent with the protection of intelligence sources and
methods.
(iii) Report and certification. Within 30 days of completing any review
described in subsection (e)(i) of this section, the PCLOB is encouraged to:
(A) provide the President, the Attorney General, the Director, the heads
of elements of the Intelligence Community, the CLPO, and the congressional
intelligence committees with a classified report detailing the results of
its review;
(B) release to the public an unclassified version of the report; and
(C) make an annual public certification as to whether the redress
mechanism established pursuant to section 3 of this order is processing
complaints consistent with this order.
(iv) Consideration of review. Within 180 days of receipt of any report by
the PCLOB described in subsection (e)(iii)(A) of this section, the Attorney
General, the Director, the heads of elements of the Intelligence Community,
and the CLPO shall carefully consider and shall implement or otherwise
address all recommendations contained in such report, consistent with
applicable law.
(f) Designation of qualifying state.
(i) To implement the redress mechanism established by section 3 of this
order, the Attorney General is authorized to designate a country or
regional economic integration organization as a qualifying state for
purposes of the redress mechanism established pursuant to section 3 of this
order, effective immediately or on a date specified by the Attorney
General, if the Attorney General determines, in consultation with the
Secretary of State, the Secretary of Commerce, and the Director, that:
(A) the laws of the country, the regional economic integration
organization, or the regional economic integration organization's member
countries require appropriate safeguards in the conduct of signals
intelligence activities for United States persons' personal information
that is transferred from the United States to the territory of the country
or a member country of the regional economic integration organization;
[[Page 62294]]
(B) the country, the regional economic integration organization, or the
regional economic integration organization's member countries of the
regional economic integration organization permit, or are anticipated to
permit, the transfer of personal information for commercial purposes
between the territory of that country or those member countries and the
territory of the United States; and
(C) such designation would advance the national interests of the United
States.
(ii) The Attorney General may revoke or amend such a designation, effective
immediately or on a date specified by the Attorney General, if the Attorney
General determines, in consultation with the Secretary of State, the
Secretary of Commerce, and the Director, that:
(A) the country, the regional economic integration organization, or the
regional economic integration organization's member countries do not
provide appropriate safeguards in the conduct of signals intelligence
activities for United States persons' personal information that is
transferred from the United States to the territory of the country or to a
member country of the regional economic integration organization;
(B) the country, the regional economic integration organization, or the
regional economic integration organization's member countries do not permit
the transfer of personal information for commercial purposes between the
territory of that country or those member countries and the territory of
the United States; or
(C) such designation is not in the national interests of the United
States.
Sec. 4. Definitions. For purposes of this order:
(a) ``Appropriate remediation'' means lawful measures
designed to fully redress an identified covered
violation regarding a specific complainant and limited
to measures designed to address that specific
complainant's complaint, taking into account the ways
that a violation of the kind identified have
customarily been addressed. Such measures may include,
depending on the specific covered violation at issue,
curing through administrative measures violations found
to have been procedural or technical errors relating to
otherwise lawful access to or handling of data,
terminating acquisition of data where collection is not
lawfully authorized, deleting data that had been
acquired without lawful authorization, deleting the
results of inappropriately conducted queries of
otherwise lawfully collected data, restricting access
to lawfully collected data to those appropriately
trained, or recalling intelligence reports containing
data acquired without lawful authorization or that were
otherwise disseminated in a manner inconsistent with
United States law. Appropriate remediation shall be
narrowly tailored to redress the covered violation and
to minimize adverse impacts on the operations of the
Intelligence Community and the national security of the
United States.
(b) ``Bulk collection'' means the authorized
collection of large quantities of signals intelligence
data that, due to technical or operational
considerations, is acquired without the use of
discriminants (for example, without the use of specific
identifiers or selection terms).
(c) ``Counterintelligence'' shall have the same
meaning as it has in Executive Order 12333.
(d) ``Covered violation'' means a violation that:
(i) arises from signals intelligence activities conducted after the date of
this order regarding data transferred to the United States from a
qualifying state after the effective date of the Attorney General's
designation for such state, as provided in section 3(f)(i) of this order;
(ii) adversely affects the complainant's individual privacy and civil
liberties interests; and
(iii) violates one or more of the following:
(A) the United States Constitution;
[[Page 62295]]
(B) the applicable sections of FISA or any applicable FISC-approved
procedures;
(C) Executive Order 12333 or any applicable agency procedures pursuant to
Executive Order 12333;
(D) this order or any applicable agency policies and procedures issued or
updated pursuant to this order (or the policies and procedures identified
in section 2(c)(iv)(A) of this order before they are updated pursuant to
section 2(c)(iv)(B) of this order);
(E) any successor statute, order, policies, or procedures to those
identified in section 4(d)(iii)(B)-(D) of this order; or
(F) any other statute, order, policies, or procedures adopted after the
date of this order that provides privacy and civil liberties safeguards
with respect to United States signals intelligence activities within the
scope of this order, as identified in a list published and updated by the
Attorney General, in consultation with the Director of National
Intelligence.
(e) ``Foreign intelligence'' shall have the same
meaning as it has in Executive Order 12333.
(f) ``Intelligence'' shall have the same meaning as
it has in Executive Order 12333.
(g) ``Intelligence Community'' and ``elements of
the Intelligence Community'' shall have the same
meaning as they have in Executive Order 12333.
(h) ``National security'' shall have the same
meaning as it has in Executive Order 13526 of December
29, 2009 (Classified National Security Information).
(i) ``Non-United States person'' means a person who
is not a United States person.
(j) ``Personnel of the United States or of its
allies or partners'' means any current or former member
of the Armed Forces of the United States, any current
or former official of the United States Government, and
any other person currently or formerly employed by or
working on behalf of the United States Government, as
well as any current or former member of the military,
current or former official, or other person currently
or formerly employed by or working on behalf of an ally
or partner.
(k) ``Qualifying complaint'' means a complaint,
submitted in writing, that:
(i) alleges a covered violation has occurred that pertains to personal
information of or about the complainant, a natural person, reasonably
believed to have been transferred to the United States from a qualifying
state after the effective date of the Attorney General's designation for
such state, as provided in section 3(f)(i) of this order;
(ii) includes the following basic information to enable a review:
information that forms the basis for alleging that a covered violation has
occurred, which need not demonstrate that the complainant's data has in
fact been subject to United States signals intelligence activities; the
nature of the relief sought; the specific means by which personal
information of or about the complainant was believed to have been
transmitted to the United States; the identities of the United States
Government entities believed to be involved in the alleged violation (if
known); and any other measures the complainant pursued to obtain the relief
requested and the response received through those other measures;
(iii) is not frivolous, vexatious, or made in bad faith;
(iv) is brought on behalf of the complainant, acting on that person's own
behalf, and not as a representative of a governmental, nongovernmental, or
intergovernmental organization; and
(v) is transmitted by the appropriate public authority in a qualifying
state, after it has verified the identity of the complainant and that the
complaint satisfies the conditions of section 5(k)(i)-(iv) of this order.
[[Page 62296]]
(l) ``Significant incident of non-compliance''
shall mean a systemic or intentional failure to comply
with a principle, policy, or procedure of applicable
United States law that could impugn the reputation or
integrity of an element of the Intelligence Community
or otherwise call into question the propriety of an
Intelligence Community activity, including in light of
any significant impact on the privacy and civil
liberties interests of the person or persons concerned.
(m) ``United States person'' shall have the same
meaning as it has in Executive Order 12333.
(n) ``Validated intelligence priority'' shall mean,
for most United States signals intelligence collection
activities, a priority validated under the process
described in section 2(b)(iii) of this order; or, in
narrow circumstances (for example, when such process
cannot be carried out because of a need to address a
new or evolving intelligence requirement), shall mean a
priority set by the President or the head of an element
of the Intelligence Community in accordance with the
criteria described in section 2(b)(iii)(A)(1)-(3) of
this order to the extent feasible.
(o) ``Weapons of mass destruction'' shall have the
same meaning as it has in Executive Order 13526.
Sec. 5. General Provisions. (a) Nothing in this order
shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department, agency, or the
head thereof; or
(ii) the functions of the Director of the Office of Management and Budget
relating to budgetary, administrative, or legislative proposals.
(b) This order shall be implemented consistent with
applicable law, including orders of and procedures
approved by the FISC, and subject to the availability
of appropriations.
(c) Nothing in this order precludes the application
of more privacy-protective safeguards for United States
signals intelligence activities that would apply in the
absence of this order. In the case of any conflict
between this order and other applicable law, the more
privacy-protective safeguards shall govern the conduct
of signals intelligence activities, to the maximum
extent allowed by law.
(d) Nothing in this order prohibits elements of the
Intelligence Community from disseminating information
relating to a crime for law enforcement purposes;
disseminating warnings of threats of killing, serious
bodily injury, or kidnapping; disseminating cyber
threat, incident, or intrusion response information;
notifying victims or warning potential victims of
crime; or complying with dissemination obligations
required by statute, treaty, or court order, including
orders of and procedures approved by the FISC or other
court orders.
(e) The collection, retention, and dissemination of
information concerning United States persons is
governed by multiple legal and policy requirements,
such as those required by FISA and Executive Order
12333. This order is not intended to alter the rules
applicable to United States persons adopted pursuant to
FISA, Executive Order 12333, or other applicable law.
(f) This order shall apply to signals intelligence
activities consistent with the scope of PPD-28's
application to such activities prior to PPD-28's
partial revocation by the national security memorandum
issued concurrently with this order. To implement this
subsection, the head of each agency containing an
element of the Intelligence Community, in consultation
with the Attorney General and the Director, is hereby
delegated the authority to issue guidance, which may be
classified, as appropriate, as to the scope of
application of this order with respect to the element
or elements of the Intelligence Community within their
agency. The CLPO and the Data Protection Review Court,
in carrying out the functions assigned to it under this
order, shall treat such guidance as authoritative and
binding.
[[Page 62297]]
(g) Nothing in this order confers authority to
declassify or disclose classified national security
information except as authorized pursuant to Executive
Order 13526 or any successor order. Consistent with the
requirements of Executive Order 13526, the CLPO, the
Data Protection Review Court, and the special advocates
shall not have authority to declassify classified
national security information, nor shall they disclose
any classified or otherwise privileged or protected
information except to authorized and appropriately
cleared individuals who have a need to know the
information.
(h) This order creates an entitlement to submit
qualifying complaints to the CLPO and to obtain review
of the CLPO's decisions by the Data Protection Review
Court in accordance with the redress mechanism
established in section 3 of this order. This order is
not intended to, and does not, create any other
entitlement, right, or benefit, substantive or
procedural, enforceable at law or in equity by any
party against the United States, its departments,
agencies, or entities, its officers, employees, or
agents, or any other person. This order is not intended
to, and does not, modify the availability or scope of
any judicial review of the decisions rendered through
the redress mechanism, which is governed by existing
law.
(Presidential Sig.)
THE WHITE HOUSE,
October 7, 2022.
[FR Doc. 2022-22531
Filed 10-13-22; 8:45 am]
Billing code 3395-F3-P