By the authority vested in me as President under the Constitution and laws of the United States, it is hereby ordered as follows:
Section 1. Purpose. The United States collects signals intelligence so that its national security decision makers have access to the timely, accurate, and insightful information necessary to advance the national security interests of the United States and to protect its citizens and the citizens of its allies and partners from harm. Signals intelligence capabilities are a major reason we have been able to adapt to a dynamic and challenging security environment, and the United States must maintain and continue to develop robust and technologically advanced signals intelligence capabilities to protect our security and that of our allies and partners. At the same time, the United States recognizes that signals intelligence activities must take into account that all persons must be treated with dignity and respect, regardless of their nationality or wherever they may reside, and that all persons have legitimate privacy interests in the handling of their personal information. Accordingly, this executive order establishes safeguards for such signals intelligence activities.
Sec. 2. Signal intelligence activities.
(a) Principles. Signals intelligence activities must be approved and conducted in accordance with the following principles:
(i) Signal’s intelligence activities shall be authorized by law or by executive order, proclamation, or other presidential directive and shall be conducted in accordance with the Constitution and with applicable statutes and executive orders, proclamations, and other presidential directives.
(ii) Signals intelligence activities shall be subject to appropriate safeguards which shall ensure that privacy and civil liberties are integral considerations in the planning and implementation of such activities so that:
a) to advance aspects of the validated intelligence priority; and
(B) signals intelligence activities may be conducted only to the extent and in a manner proportionate to the validated intelligence priority for which they are authorized, with the purpose of striking an appropriate balance between the importance of furthering the validated intelligence priority and the impact on the privacy of peace and civil liberties for all persons, regardless of their nationality or wherever they may reside.
(iii) Signals intelligence activities must be subject to strict oversight to ensure compliance with the principles set forth above.
(b) Measure. Signals intelligence collection activities must be conducted in pursuit of legitimate objectives.
(A) The collection of signals intelligence activities may be conducted only to pursue one or more of the following objectives:
(1) understand or assess the capabilities, intentions, or activities of a foreign government, a foreign military, a faction of a foreign nation, a foreign-based political organization, or an entity acting on behalf of or controlled by such foreign government; military, faction, or political organization, to protect the national security of the United States and its allies and partners;
(2) understand or assess the capabilities, intentions, or activities of foreign organizations, including international terrorist organizations, that pose a current or potential threat to the national security of the United States or its allies or partners;
(3) understand or assess transnational threats affecting global security, including climate change and other ecological changes, public health risks, humanitarian threats, political instability, and geographic rivalry;
(4) protection against foreign military capabilities and activities;
(5) protection against terrorism, hostage-taking, and detention of individuals (including the identification, location, and rescue of hostages and prisoners) conducted by or on behalf of a foreign government, foreign organization, or foreign person;
(6) protection against espionage, sabotage, assassination, or other intelligence activities conducted by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person;
(7) protection against threats posed by the development, possession, or proliferation of weapons of mass destruction or related technologies and threats made by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person;
(8) protection against cyber security threats created or exploited by or malicious cyber activities conducted by or on behalf of a foreign government, foreign organization or foreign person;
(9) protection against threats against personnel of the United States or its allies or partners;
(10) protection against transnational criminal threats, including illicit financing and evasion of sanctions related to one or more of the other objectives identified in subsection (b)(i) of this section;
(11) protecting the integrity of elections and political processes, government property, and United States infrastructure (both physical and electronic) from activities conducted by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person; and
(12) promote collection or operational capabilities or activities to further a legitimate objective identified in subsection (b)(i) of this section.
(B) The President may authorize updates to the list of targets in light of new national security requirements, such as new or increased threats to the national security of the United States, where the President determines that signals intelligence gathering activities may be used. The Director of National Intelligence (the Director) must publicly release any update to the list of targets approved by the President, unless the President determines that doing so would pose a risk to the national security of the United States.
(ii) Prohibited Targets.
(A) Signals intelligence collection activities may not be conducted for the purpose of:
(1) suppress or burden criticism, dissent, or the free expression of ideas or political opinions by individuals or the press;
(2) suppress or limit legitimate privacy interests;
(3) suppress or limit a right to legal counsel; or
(4) disparage individuals because of their ethnicity, race, gender, gender identity, sexual orientation, or religion.
(B) It is not a legitimate goal to collect foreign private commercial information or trade secrets in order to give American companies and American business sectors a competitive advantage commercially. The collection of such information is permitted only to protect the national security of the United States or its allies or partners.
(iii) Validation of signals intelligence collection priorities.
(A) Pursuant to section 102A of the National Security Act of 1947, as amended (50 U.S.C. 3024), the Director shall establish priorities for the intelligence community to ensure the timely and effective collection of national intelligence, including national intelligence gathered through signals intelligence. The Director does this through the National Intelligence Priorities Framework (NIPF), which the Director maintains and presents to the President, through the Assistant to the President for National Security Affairs, on a regular basis. To ensure that signals intelligence gathering activities are conducted in furtherance of legitimate objectives, before the NIPF or a successor framework identifying intelligence priorities is presented to the President, the Director shall obtain from the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) an assessment of whether, with respect to expected signals intelligence gathering activities, each of the intelligence priorities identified in the NIPF or its successor:
(1) furthers one or more of the legitimate goals set forth in subsection (b)(i) of this section;
(2) is neither designed nor expected to result in the collection of signals intelligence contrary to the prohibited purposes set forth in subsection (b)(ii) of this section; and
(3) was established with due regard to the privacy and civil liberties of all persons, regardless of their nationality or where they may reside.
(B) If the Director disagrees with any aspect of the CLPO’s assessment with respect to any of the intelligence priorities identified in the NIPF or successor framework, the Director shall include the CLPO’s assessment and the Director’s views when presenting the NIPF to the President.
(c) protection of privacy and civil liberties. The following safeguards shall meet the principles of subsections (a)(ii) and (a)(iii) of this section.
(i) Gathering of Signals Intelligence.
(A) The United States shall conduct signals intelligence collection activities only upon a determination that a specific signals intelligence collection activity, based on a reasonable assessment of all relevant factors, is necessary to further a validated intelligence priority, although signals intelligence need not be the only available; or means used to advance aspects of the validated intelligence priority; it could e.g. used to ensure alternative paths for validation or to maintain reliable access to the same information. In determining whether to collect signals intelligence in accordance with this principle, the United States will — through an element of the intelligence community or through an interagency committee composed in whole or in part of the heads of elements of the intelligence community, the heads of departments containing such elements, or their designees — shall consider the availability, feasibility, and appropriateness of other less intrusive sources and methods of gathering the information necessary to advance a validated intelligence priority, including from diplomatic and government sources, and shall prioritize such available, feasible, and appropriate alternatives for signal intelligence.
(B) Signals intelligence collection activities must be tailored as much as possible to furthering a validated intelligence priority and, with due consideration of relevant factors, not disproportionately affect privacy and civil liberties. Such factors may, depending on the circumstances, include the nature of the objective pursued; the possible steps taken to limit the scope of the collection to the authorized purpose; the intrusive nature of the collection activity, including its duration; the likely contribution of the collection to the objective pursued; the reasonably foreseeable consequences to individuals, including unintended third parties; the nature and sensitivity of the data to be collected; and the safeguards provided to the information collected.
(C) For purposes of subsection (c)(i) of this section, the scope of a specific signals intelligence gathering activity may include, for example; a specific effort or goal, as appropriate.
(ii) Bulk collection of signal information.
(A) Targeted collection shall be prioritized. Bulk collection of signals intelligence is authorized only based on a determination—by an element of the intelligence community or through an interagency committee composed in whole or in part of the heads of elements of the intelligence community and the department heads containing such elements, or their designees—that the information necessary to further a validated intelligence priority, cannot reasonably be achieved by targeted collection. When it is determined that it is necessary to engage in bulk collection in furtherance of a validated intelligence priority, the intelligence community element shall use reasonable methods and technical measures to limit the data collected to only that necessary to further a validated intelligence priority, while with the collection of non-relevant information being minimized.
(B) Each element of the intelligence community that collects signals intelligence through bulk collection may use such information only to pursue one or more of the following objectives:
(1) protection against terrorism, hostage-taking, and detention of individuals (including the identification, location, and rescue of hostages and prisoners) conducted by or on behalf of a foreign government, foreign organization, or foreign person;
(2) protection against espionage, sabotage, assassination, or other intelligence activities conducted by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person;
(3) protection against threats posed by the development, possession, or proliferation of weapons of mass destruction or related technologies and threats made by, on behalf of, or with the assistance of a foreign government, foreign organization, or foreign person;
(4) protection against cyber security threats created or exploited by or malicious cyber activities conducted by or on behalf of a foreign government, foreign organization or foreign person;
(5) protection against threats against the personnel of the United States or its allies or partners; and
(6) protection against transnational criminal threats, including illicit financing and evasion of sanctions related to one or more of the other objectives identified in subsection (c)(ii) of this section.
(C) The President may authorize updates to the list of targets in light of new national security requirements, such as new or increased threats to the national security of the United States for which the President determines that bulk collection may be used. The Director must publicly release all updates to the list of targets approved by the President, unless the President determines that doing so would pose a risk to the national security of the United States.
(D) To minimize any impact on privacy and civil liberties, a targeted signals intelligence gathering activity that temporarily uses data acquired without discrimination (eg, without specific identifiers or selection criteria) must be subject to the safeguards described in this subsection unless such data is:
(1) used only to support the initial technical phase of the targeted signals intelligence gathering activity;
(2) stored only for the short period required to complete this phase; and
(iii) Handling of personal information collected through signals intelligence.
(A) Minimization. Each element of the intelligence community that handles personal information collected through signals intelligence shall establish and apply policies and procedures designed to minimize the dissemination and retention of personal information collected through signals intelligence.
(1) Dissemination. Each element of the intelligence community that handles personal information collected through signals intelligence:
(a) shall disclose personal information of non-United States persons collected through signals intelligence only if it involves one or more of the comparable types of information that section 2.3 of Executive Order 12333 of December 4, 1981 (United States Intelligence Activities), as amended, may States are disclosed in the case of information about US persons;
(b) may not disclose personal information collected through signals intelligence solely because of an individual’s nationality or country of residence;
(c) shall disclose personal information collected through signals intelligence within the United States Government only if an authorized and appropriately trained person has a reasonable belief that the personal information will be adequately protected and that the recipient has a need to know the information;
(d) must give due consideration to the purpose of the disclosure, the nature and extent of the personal information being disclosed, and the potential for adverse impact on the affected individual(s) before disclosing personal information collected through signals intelligence to recipients outside the United States Government; including to a foreign government or international organization; and
(e) must not disclose personal information collected through signals intelligence for the purpose of circumventing the provisions of this Order.
(2) Storage. Each element of the intelligence community that handles personal information collected through signals intelligence:
(a) shall retain personal information of non-U.S. persons collected through signals intelligence only if retention of comparable information about U.S. persons would be permitted under applicable law and shall subject such information to the same retention periods as would apply to comparable information regarding U.S. persons; persons;
(b) shall subject non-US persons’ personal information collected through signals intelligence for which a final retention determination has not been made to the same temporary retention periods that would apply to comparable information about US persons; and
(c) must delete non-U.S. persons’ personal information collected through signals intelligence that may no longer be retained in the same manner that comparable information about U.S. persons would be deleted.
(B) Data Security and Access. Each element of the intelligence community that handles personal information collected through signals intelligence:
(1) must process and store personal information collected through signals intelligence under conditions that provide adequate protection and prevent access by unauthorized persons, in accordance with the applicable safeguards for sensitive information contained in relevant executive orders, proclamations, other presidential directives, intelligence community directives, and related policies;
(2) must restrict access to such personal information to authorized personnel who have a need to know the information to perform their mission and have received appropriate training in the requirements of applicable United States law, as described in policies and procedures issued under subsection (c ) )(iv) in this section; and
(3) must ensure that personal information collected through signals intelligence for which a final retention determination has not been made is accessed only to make or support such a determination or to perform authorized administrative, testing, development, security- or supervisory functions.
(C) Data Quality. Each element of the intelligence community that handles personal information collected through signals intelligence shall include only such personal information in intelligence products that conform to applicable intelligence community standards for accuracy and objectivity, focusing on applying standards regarding the quality and reliability of the information. , consideration of alternative sources of information and interpretations of data, and objectivity in conducting analyses.
(D) Bulk Collection Requests. Each element of the intelligence community that conducts requests for non-minimized signals intelligence obtained through mass collection shall do so in accordance with the permitted use of signals intelligence obtained through mass collection identified in subsection (c)(ii)(B) of this section and in accordance with in accordance with policies and procedures issued pursuant to subsection (c)(iv) of this section, which shall take appropriate account of the impact on the privacy and civil liberties of all persons, regardless of their nationality or wherever they may reside.
(E) Documentation. To facilitate the oversight processes set forth in subsection (d) of this section and the grievance mechanism set forth in section 3 of this executive order, each element of the intelligence community participating in signals intelligence gathering activities shall maintain documentation in the to the extent reasonable in light of the nature and type of the collection in question and the context in which it is collected. The content of such documentation may vary based on the circumstances, but shall, to the extent reasonable, provide the factual basis, whereupon the element of the intelligence community, based on a reasonable assessment of all relevant factors, determines that the collection of signals intelligence activity is necessary to advance a validated intelligence priority.
(iv) Updating and Publishing Policies and Procedures. The head of each element of the intelligence community:
(A) shall continue to use the policies and procedures issued pursuant to Presidential Policy Directive 28 of January 17, 2014 (Signals Intelligence Activities) (PPD-28) until they are updated pursuant to subsection (c)( (iv)(B) of this section;
(B) shall, within 1 year after the date of this order, in consultation with the Attorney General, CLPO, and the Privacy and Civil Liberties Oversight Board (PCLOB), update these policies and procedures as necessary to implement privacy and civil law. freedom guarantees in this order; and
(C) shall, within 1 year after the date of this order, publish these policies and procedures publicly to the fullest extent possible, consistent with the protection of intelligence sources and methods, to increase public understanding of and promote public confidence in the security measures in under which the United States conducts signals intelligence activities.
(A) Nature of Review. Consistent with applicable law, the PCLOB is encouraged to conduct a review of the updated policies and procedures described in subsection (c)(iv)(B) of this section once they have been issued to ensure that they are consistent with the extended security measures that are included. in this order.
(B) Consideration of Review. Within 180 days after the completion of any review by the PCLOB described in subsection (c)(v)(A) of this section, the head of each element of the intelligence community shall carefully consider and implement or otherwise address all recommendations contained in such review, in accordance with applicable law.
(d) Subject signals intelligence activities to strict oversight. The actions directed in this subsection are designed to build on the oversight mechanisms already in place by elements of the intelligence community to further ensure that signals intelligence activities are subject to rigorous oversight.
(i) Legal, Regulatory and Compliance Officials. Each element of the intelligence community that collects signals intelligence:
(A) shall have in place high-level legal, oversight, and compliance officials who conduct periodic oversight of signals intelligence activities, including an inspector general, a privacy and civil liberties, and an officer or officials in a designated compliance role with authority to to monitor and ensure compliance with applicable US law;
(B) shall provide such legal, oversight, and compliance officials with access to all information relevant to carrying out their oversight responsibilities under this subsection, consistent with the protection of intelligence sources or methods, including their oversight responsibilities to ensure , that appropriate measures are taken to remedy an incident of non-compliance with applicable US law; and
(C) shall not take any action designed to obstruct or improperly influence such legal, supervisory, and compliance officials in carrying out their supervisory responsibilities under this subsection.
(ii) Training. Each element of the intelligence community must maintain appropriate training requirements to ensure that all personnel with access to signals intelligence know and understand the requirements of this order and the policies and procedures for reporting and remediating incidents of noncompliance with applicable U.S. law.
(iii) Material Instances of Non-Compliance.
(A) Each element of the intelligence community shall ensure that if a legal, oversight, or compliance officer, as described in subsection (d)(i) of this section, or any other officer, identifies a material incident of noncompliance with applicable United States law the incident is reported immediately to the head of the element of the intelligence community, the head of the executive department or agency (agency) containing the element of the intelligence community (to the extent applicable), and the director.
(B) Upon receipt of such report, the head of the intelligence community element, the head of the agency containing the intelligence community element (to the extent applicable), and the director shall ensure that all necessary steps are taken to remedy and prevent recurrence of the material event of non-compliance.
(e) Savings Clause. Provided that the collection of signals intelligence is carried out in accordance with and in the manner prescribed in this section of this executive order, this executive order does not limit any technique for the collection of signals intelligence authorized under the National Security Act of 1947, as amended (50 U.S.C. 3001 et seq.) , the Foreign Intelligence Surveillance Act of 1978, as amended (50 U.S.C. 1801 et seq.) (FISA), Executive Order 12333, or other applicable law or presidential directive.
Sec. 3. Signals intelligence mechanism.
(a) Purpose. This section establishes a grievance mechanism for the review of qualifying complaints submitted by the appropriate government agency of a qualifying State regarding United States signals intelligence activities for any covered violation of United States law and, if necessary, appropriate remediation.
(b) Process for Filing Qualifying Complaints. Within 60 days of the date of this order, the Director, in consultation with the Attorney General and the heads of elements of the intelligence community that collect or handle personal data collected through signals intelligence, shall establish a process for submitting qualified complaints transmitted by the appropriate public authority in a qualified state.
(c) Initial investigation of qualifying complaints by CLPO.
(i) Establishment. The Director, in consultation with the Attorney General, shall establish a process that authorizes the CLPO to investigate, review, and, if necessary, order appropriate remediation of qualifying complaints. This process shall govern how the CLPO will review qualifying complaints in a manner that protects classified or otherwise privileged or protected information and shall, at a minimum, ensure that for each qualifying complaint the CLPO shall:
(A) review the information necessary to investigate the qualifying complaint;
(B) exercise its statutory and delegated authority to determine whether there was a covered violation of:
(i) taking into account both relevant national security interests and applicable privacy protections;
(ii) to give appropriate deference to any relevant determinations made by national security officials; and
(iii) to apply the law impartially;
(C) determine the appropriate remedy for any Covered Violation;
(D) provide a classified report of information indicating a violation by any agency subject to supervision by the Foreign Intelligence Surveillance Court (FISC) to the Assistant Attorney General for National Security, who shall report violations to the FISC in accordance with its rules of procedure;
(E) after the review is completed, inform the complainant through the appropriate government agency of a Qualified State, and without confirming or denying that the complainant was the subject of U.S. signals intelligence activities, that:
(1) “the review either did not identify any covered violations or the Civil Rights Protection Officer of the Office of the Director of National Intelligence issued a determination requiring appropriate remediation”;
(2) The complainant or part of the intelligence community may, as provided in regulations issued by the Attorney General pursuant to section 3(d)(i) of this Order, request review of the CLPO’s decisions by the Data Protection Review Tribunal described in subsection (d ) in this episode; and
(3) if either the complainant or part of the intelligence community applies for review by the Data Protection Review Court, special counsel will be selected by the Data Protection Review Court to defend the complainant’s interest in the case;
(F) maintain appropriate documentation of its review of the qualified complaint and provide a classified decision explaining the basis for its factual findings, determination as to whether a covered violation occurred, and determination of appropriate relief in the event of such violation; , in accordance with its statutory and delegated powers;
(G) prepare a classified ex parte record of review, which shall consist of the relevant documentation for its review of the qualifying complaint and the classified determination described in subsection (c)(i)(F) of this section; and
(H) provide any necessary support to the Data Protection Review Court.
(ii) Binding effect. Each element of the Intelligence Community and each agency containing an element of the Intelligence Community shall comply with any decision by the CLPO to take appropriate remedial action pursuant to subsection (c)(i)(C) of this section, subject to a contrary determination by the Data Protection Review Court.
(iii) Assistance. Each element of the intelligence community must provide the CLPO with access to the information necessary to conduct the investigations described in subsection (c)(i) of this section, consistent with the protection of intelligence sources and methods, and must not take any action designed to obstruct or improperly influence CLPO’s reviews. Privacy and civil liberties officials within parts of the intelligence community shall also support the CLPO in conducting the reviews described in subsection (c)(i) of this section.
(iv) Independence. The Director may not interfere with a review by the CLPO of a qualifying complaint under subsection (c)(i) of this section; Nor shall the Director remove the CLPO for any actions taken pursuant to this Order, except in cases of misconduct, abuse, breach of security, dereliction of duty or incapacity.
(d) Data Protection Tribunal.
(i) Establishment. The Attorney General is authorized and must establish a process to review decisions made by the CLPO pursuant to subsection (c)(i) of this section. In exercising this power, the Attorney General shall, within 60 days of the date of this order, promulgate regulations establishing a data protection tribunal to exercise the power of the Attorney General to review such decisions. At a minimum, these rules must contain provisions on:
(A) The Attorney General, in consultation with the Secretary of Commerce, the Director, and the PCLOB, shall appoint individuals to serve as judges of the Data Protection Review Court, who shall be attorneys with appropriate data protection experience. and national security legislation that gives weight to individuals with prior legal experience who, at the time of their initial appointment, must not be employees of the United States government. During the term of their appointment to the Data Protection Review Court, such Judges shall not hold any official duties or employment with the United States Government other than their official duties and employment as Judges of the Data Protection Review Court.
(B) Upon receipt of an application for review made by the complainant or part of the intelligence community of a decision made by the CLPO under subsection (c) of this section, a three-judge panel of the Data Protection Review Court shall be convened to review the application. Service on the Data Protection Review Court panel shall require the judge to have the necessary security clearances to access classified national security information.
(C) Upon convening, the data protection review court panel shall select a special counsel through procedures prescribed in the Attorney General’s rules. The special counsel must assist the panel in its consideration of the review request, including by pleading the complainant’s interest in the case and ensuring that the DPA panel is well informed about the issues and the law in relation to the case. Service as a special counsel requires that the special counsel possess the necessary security clearances to access classified national security information and to comply with restrictions prescribed in the Attorney General’s Regulations on communications with the complainant to ensure the protection of classified or otherwise privileged or protected information.
(D) The Data Protection Review Tribunal panel shall impartially review the determinations made by the CLPO regarding whether a covered violation occurred and the appropriate remedy in the event of such violation. The review shall be based, at a minimum, on the classified ex-parte review record described in subsection (c)(i)(F) of this section and information or submissions provided by the complainant, the special counsel, or an element of the Intelligence Community . In reviewing decisions made by the CLPO, the Privacy Court Panel shall be guided by relevant decisions of the United States Supreme Court in the same manner as courts established under Article III of the United States Constitution, including decisions regarding appropriate deference to relevant decisions of national security officials.
(E) In the event that the Data Protection Review Tribunal panel disagrees with any of the CLPO’s determinations as to whether a covered breach occurred or the appropriate remedy in the event that there was such a breach, the panel shall issue its own decisions.
(F) The Data Protection Review Court panel shall provide a classified report of information indicating a violation by any authority subject to the oversight of the FISC to the Assistant Attorney General for National Security, who shall report violations to the FISC in accordance with its rules of the procedure.
(G) After the review is completed, the CLPO must be informed of the Data Protection Review Court panel’s decisions through procedures prescribed by the Attorney General’s rules.
(H) After a review is completed in response to a complainant’s request for review, the Data Protection Review Court shall, through procedures prescribed in the Attorney General’s rules, inform the complainant through the appropriate public authority of a qualified state and without confirming or denying that the complainant was subject to US intelligence that “the review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation.”
(ii) Binding effect. Each element of the intelligence community and each agency that contains an element of the intelligence community must comply with any decision by a data protection law panel to take appropriate relief.
(iii) Assistance. Each element of the intelligence community shall provide the CLPO with access to information necessary to conduct the review described in subsection (d)(i) of this section, consistent with the protection of intelligence sources and methods, as a panel of the data protection supervisory authority requests. from the CLPO and must not take any action intended to obstruct or improperly influence a panel’s review.
(iv) Independence. The Attorney General may not interfere with a review by a data protection law panel of a decision made by the CLPO regarding a qualifying complaint under subsection (c)(i) of this section; Nor may the Attorney General remove any judge appointed as provided in subsection (d)(i)(A) of this section, or remove any judge from service on a Data Protection Review Court panel, except in cases of misconduct, misconduct , breach of security, dereliction of duty, or incapacity after due consideration of the standards of the Rules of Judicial Conduct and Judicial Disability Proceedings promulgated by the United States Judicial Conference pursuant to the Judicial Conduct and Disability Act (28 U.S.C. 351 et. seq.) .
(v) Registration of decisions. For each qualifying complaint submitted by the appropriate public authority in a qualifying state, the Secretary of Commerce shall:
(A) maintain a record of the complainant who submitted such complaint;
(B) not later than 5 years after the date of this order and not less than every 5 years thereafter, contact the appropriate element(s) of the intelligence community regarding whether information relating to the CLPO’s review of such complaint has been declassified and information relating to the review of any application for review made to the Data Protection Review Court has been declassified, including whether any part of the intelligence community has made an application for review to the Data Protection Review Court; and
(C) if you are informed that such information has been declassified, you must, through the appropriate public authority in a Qualified State, notify the complainant of the information relating to the review of their complaint by the CLPO or to the review of any application for review submitted to the Data Protection Review Court may be available under applicable law.
(e) Annual review by PCLOB of grievance process.
(i) Nature of review. In accordance with applicable law, the PCLOB is encouraged to conduct an annual review of the processing of qualifying complaints using the complaint mechanism established in section 3 of this order, including whether the CLPO and the Data Protection Review Court processed qualifying complaints in a timely manner; whether the CLPO and the Data Protection Review Court obtain full access to necessary information; whether the CLPO and the Data Protection Review Court operate in accordance with this order; whether the safeguards set out in section 2 of this order are properly taken into account in the processes of the CLPO and the Data Protection Review Court; and whether elements of the intelligence community have fully complied with decisions made by the CLPO and the Data Protection Review Court.
(ii) Assistance. The Attorney General, the CLPO, and the elements of the intelligence community shall provide the PCLOB with access to information necessary to conduct the review described in subsection (e)(i) of this section, consistent with the protection of intelligence sources and methods.
(iii) Report and Certification. Within 30 days of completing a review described in subsection (e)(i) of this section, the PCLOB is directed to:
(A) provide the President, the Attorney General, the Director, the heads of the elements of the intelligence community, the CLPO, and the Congressional Intelligence Committee a classified report detailing the results of its review;
(B) release an unclassified version of the report to the public; and
(C) conduct an annual public certification of whether the grievance mechanism established pursuant to section 3 of this order is processing complaints in accordance with this order.
(iv) Consideration of review. Within 180 days of receipt of any report from the PCLOB described in subsection (e)(iii)(A) of this section, the Attorney General, the Director, the heads of the elements of the Intelligence Community, and the CLPO shall carefully consider and shall implement or on otherwise process any recommendations contained in such report in accordance with applicable law.
(f) Designation of qualifying state.
(i) To implement the grievance mechanism established by section 3 of this order, the Attorney General is authorized to designate a country or regional economic integration organization as a qualifying state for purposes of the grievance mechanism established by section 3 of this order, with effect immediately or on a date specified by the Attorney General, if the Attorney General, in consultation with the Secretary of State, the Secretary of Commerce and the Director, determines that:
(A) the laws of the country, the regional economic integration organization, or the regional economic integration organization member states require appropriate safeguards in the conduct of signals intelligence activities for the personal information of United States persons transferred from the United States to the territory of the country or a member country of the regional organization for economic integration;
(B) the country, the regional economic integration organization or the regional economic integration organization member countries of the regional economic integration organization permits or is expected to permit the transfer of personal information for commercial purposes between the territory of such country or those member countries and the territory of the United States; and
(C) such designation would advance the national interests of the United States.
(ii) The Attorney General may revoke or vary such designation with immediate effect or on a date specified by the Attorney General if the Attorney General, in consultation with the Secretary of State, the Secretary of Commerce and the Director, determines that :
(A) the country, the regional economic integration organization, or the regional economic integration organization member countries do not provide adequate safeguards in the conduct of signals intelligence activities for the personal information of US persons transferred from the United States to the territory of the country or a member country of the regional organization for economic integration;
(B) the country, the regional economic integration organization or the regional economic integration organization member countries do not permit the transfer of personal information for commercial purposes between the territory of such country or those member countries and the territory of the United States; or
(C) such designation is not in the national interest of the United States.
Sec. 4. Definitions. For the purpose of this order:
(a) “Relevant remedy” means lawful measures designed to fully remedy an identified covered violation relating to a specific complainant and limited to measures designed to address that specific complainant’s complaint, taking into account the ways in which a violation of the identified type has usually been dealt with. Such measures may include, depending on the specific covered violation in question, remediation through administrative measures of violations that are found to have been procedural or technical errors in connection with otherwise lawful access to or handling of data, suspension of acquisition of data where collection is not lawfully authorized, deletion of data that was acquired without lawful authorization, deletion of the results of inappropriately executed queries on otherwise lawfully collected data, restriction of access to lawfully collected data to those who are properly trained, or recall of intelligence reports that contain data obtained without lawful authorization or that were otherwise disseminated in a manner inconsistent with US law. Appropriate remediation must be narrowly tailored to remedy the covered violation and to minimize adverse effects on the operations of the Intelligence Community and the national security of the United States.
(b) “Bulk collection” means the authorized collection of large quantities of signals intelligence data acquired for technical or operational reasons without the use of discriminants (eg, without the use of specific identifiers or selection terms).
(c) “Counterintelligence” shall have the same meaning as in Executive Order 12333.
(d) “Covered Violation” means a violation that:
(i) arises from signals intelligence activities conducted after the date of this order relating to data transferred to the United States from a qualified state after the effective date of the Attorney General’s designation for such state, as set forth in section 3(f)(i) of this order;
(ii) adversely affects the individual privacy and civil liberties of the complainant; and
(iii) violates one or more of the following:
(A) the United States Constitution;
(B) the relevant sections of FISA or any applicable FISC-authorized procedures;
(C) Executive Order 12333 or any applicable regulatory proceeding pursuant to Executive Order 12333;
(D) this order or any applicable agency policies and procedures issued or updated pursuant to this order (or the policies and procedures identified in section 2(c)(iv)(A) of this order) before they are updated in accordance with section 2( c)(iv)(B) of this order);
(E) any successor statute, order, policies, or procedures to those identified in Section 4(d)(iii)(B)-(D) of this Order; or
(F) any other statute, order, policies, or procedures adopted after the date of this executive order that provide protections for privacy and civil liberties with respect to intelligence activities of the United States within the scope of this executive order, as identified in a list published and updated by the Attorney General in consultation with the Director of National Intelligence.
(e) “Foreign Intelligence Service” shall have the same meaning as in Executive Order 12333.
(f) “Intelligence” shall have the same meaning as in Executive Order 12333.
(g) “Intelligence Community” and “elements of the intelligence community” shall have the same meanings as provided in Executive Order 12333.
(h) “National security” shall have the same meaning as in Executive Order 13526 of December 29, 2009 (Classified National Security Information).
(i) “Non-U.S. Person” means a person who is not a U.S. Person.
(j) “Personnel of the United States or its allies or partners” means any current or former member of the Armed Forces of the United States, any current or former official of the United States Government, and any other person currently or formerly employed by or working for on behalf of the United States Government, as well as any current or former member of the military, current or former government official, or other person currently or previously employed by or working on behalf of an ally or partner.
(k) “Qualifying Complaint” means a written complaint that:
(i) alleges that a Covered Violation has been found that relates to personal information about or about the Complainant, an individual who is reasonably believed to have been transferred to the United States from a Qualifying State after the effective date of the Attorney General’s designation to such State, as set forth in Section 3(f)(i) of this Order;
(ii) includes the following basic information to enable a review: information that forms the basis of an allegation that a covered violation has occurred, which need not demonstrate that the complainant’s data has actually been the subject of US intelligence activities; the nature of the relief sought; the specific means by which personal information about or about the complainant is believed to have been transferred to the United States; the identity of the US government entities believed to be involved in the alleged infringement (if known); and any other measures taken by the complainant to obtain the relief sought and the response received through those other measures;
(iii) is not frivolous, annoying or made in bad faith;
(iv) comes on behalf of the complainant acting on that person’s own behalf and not as a representative of a governmental, non-governmental or intergovernmental organization; and
(v) is sent by the appropriate public authority of a Qualified State after it has verified the identity of the complainant and that the complaint meets the conditions of Sections 5(k)(i)-(iv) of this Order.
(l) “Material Incident of Noncompliance” shall mean a systemic or willful failure to comply with a principle, policy, or procedure of applicable United States law that may impugn the reputation or integrity of a portion of the Intelligence Community or otherwise call questions the appropriateness of an intelligence community activity, including in light of any significant impact on the privacy and civil liberties of the person(s) concerned.
(m) “United States person” shall have the same meaning as provided in Executive Order 12333.
(n) “Validated intelligence priority” means, for most United States signals intelligence collection activities, a priority validated pursuant to the process described in section 2(b)(iii) of this order; or in narrow circumstances (eg, when such a process cannot be carried out because of a need to meet a new or evolving intelligence requirement), shall mean a priority established by the President or the head of a part of the Intelligence Community in accordance with with the criteria described in section 2(b)(iii)(A)(1)-(3) of this order to the extent possible.
(o) “weapon of mass destruction” shall have the same meaning as in Executive Order 13526.
Sec. 5. General provisions. (a) Nothing in this order shall be construed to impair or otherwise affect:
(i) the authority granted by law to an executive department, agency, or the head thereof; or
(ii) the functions of the Director of the Office of Management and Budget in relation to budgetary, administrative or legislative proposals.
(b) This order shall be implemented in accordance with applicable law, including orders and procedures approved by the FISC, and subject to the availability of funds.
(c) Nothing in this order precludes the application of more privacy-protective safeguards to U.S. signals intelligence activities that would apply without this order. In the event of any conflict between this Executive Order and other applicable law, the more privacy-protective safeguards shall govern the conduct of signals intelligence activities to the maximum extent permitted by law.
(d) Nothing in this Order prohibits elements of the intelligence community from disseminating information relating to a crime for law enforcement purposes; dissemination of warnings of threats of death, serious bodily harm or kidnapping; dissemination of information about cyber threats, incidents or intrusions; notify victims or warn potential victims of crime; or to comply with disclosure obligations required by statute, treaty or court order, including orders and procedures approved by the FISC or other court orders.
(e) The collection, retention, and dissemination of information about U.S. persons is subject to several legal and policy requirements, such as those required by FISA and Executive Order 12333. This order is not intended to change the rules applicable to U.S. persons enacted pursuant to FISA, Executive Order 12333, or other applicable law.
(f) This order shall apply to signals intelligence activities consistent with the scope of PPD-28’s application to such activities prior to PPD-28’s partial revocation of the national security memorandum issued concurrently with this order. To implement this subsection, the head of each agency containing an element of the intelligence community, in consultation with the attorney general and the director, is hereby delegated the authority to issue guidance, which may be classified as appropriate with respect to the scope of application of this order with regard to the element or elements of the intelligence community within their agency. The CLPO and the Data Protection Review Court shall, in carrying out the functions assigned to it under this Order, treat such guidance as authoritative and binding.
(g) Nothing in this executive order confers authority to declassify or disclose classified national security information, except as authorized under Executive Order 13526 or a successor order. Consistent with the requirements of Executive Order 13526, the CLPO, the Data Protection Review Court, and the Special Counsel shall not have the authority to declassify classified national security information, nor shall they disclose any classified or otherwise privileged or protected information except to authorized and appropriately cleared persons who need to know the information.
(h) This Order provides the right to make qualifying complaints to the CLPO and to have the CLPO’s decisions reviewed by the Data Protection Review Court in accordance with the appeals mechanism set out in section 3 of this Order. This order is not intended to, and does not create, any other right, title, or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person. This order is not intended to, and does not alter, the availability or scope of any judicial review of decisions made through the appeals mechanism governed by existing law.
JOSEPH R. BIDEN JR.
