DPRC Resources

a. The Data Protection Review Court (DPRC) is part of a new two-level process that will provide independent and impartial review of certain complaints submitted by individuals in, for example, European Union countries who claim their personal data was the subject of U.S. signals intelligence collection in violation of applicable U.S. law.  The Court was established by regulations issued by the Attorney General, pursuant to Executive Order 14086, “Enhancing Safeguards in United States Signals Intelligence Activities” (Oct. 7, 2022).

b. The regulations established the DPRC to review decisions of the Office of the Director of National Intelligence Civil Liberties Protection Officer (CLPO) with respect to qualifying complaints submitted by individuals in countries or regional economic integration organizations that the U.S. Attorney General has designated as “qualifying states” under Executive Order 14086.

c. To use the DPRC redress process, individuals must go through the first level of the redress mechanism, the CLPO redress mechanism.

d. Individuals may submit complaints with the appropriate public authority in a “qualifying state” (see Question 10) alleging that the United States violated applicable U.S. law in collecting or handling their data through signals intelligence activities.  After the appropriate public authority verifies the identity of the complainant and that the complaint satisfies the criteria for a qualifying complaint, that authority forwards the complaint to the CLPO for review.  After verifying the complaint is qualifying, the CLPO then investigates and determines whether a “covered violation” (see Question 5) occurred, and if so, what the appropriate remediation should be.  After the CLPO informs the individual, through the public authority, that its review is complete, the individual may then request that the DPRC review the CLPO’s determination.  For additional information about the first level of the redress process, please refer to the CLPO’s website, which includes Frequently Asked Questions (FAQs) on the CLPO’s redress mechanism and a “postcard” showing the criteria for complaints to be qualifying complaints.

e. If the individual requests review by the DPRC, a panel of three DPRC judges is appointed.  The panel then appoints a Special Advocate to assist the panel in its consideration of the application for review.  The panel reviews the CLPO’s determination and may request additional or clarifying information about the case.  The panel then makes an independent determination about whether a violation occurred, and if so, what the appropriate remediation should be.  The DPRC determination is final and binding with respect to the application for review before it.

In section 3(d) of Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities” (Oct. 7, 2022), the President directed the Attorney General to establish the DPRC.  Exercising his statutory authority, including under 28 U.S.C. §§ 509, 510–512 as well as the authority granted him by the President in the Executive Order, the Attorney General issued regulations published at 28 CFR Part 201, establishing the DPRC as an independent court within the Department of Justice.  87 Fed. Reg. 62304 (Oct. 7, 2022).

a. An individual (“complainant”) may submit a complaint alleging that the United States violated laws covered by Executive Order 14086 (“covered violation”) in the conduct of signals intelligence activities with respect to personal data pertaining to that individual transferred from a qualifying state to the United States. As noted above, the complainant must submit such complaint to the appropriate public authority in the qualifying state, which then reviews the complaint and, if it meets the requirements stated in Executive Order 14086, transmits it to the CLPO. If the CLPO confirms that the complaint is qualified, it investigates the allegations to determine whether a covered violation has occurred, and if so, determines the appropriate remediation.

b. The CLPO then informs the complainant, through the appropriate public authority that the CLPO’s “review either did not identify any covered violations or the [CLPO] issued a determination requiring appropriate remediation.” Complainants also are informed that they may apply to the DPRC for a review of the CLPO’s determination.

c. For additional information about the first level of the redress process and how to submit a qualifying complaint through the appropriate public authority of a qualifying state, please refer to the CLPO’s website, its Frequently Asked Questions (FAQs) on the CLPO’s redress mechanism and a “postcard” showing the criteria for complaints to be qualifying complaints.

a. Within sixty (60) days of the complainant’s being informed that the CLPO has completed its review of the complaint and that the complainant may apply to the DPRC for review of the CLPO’s decision, the complainant may apply to the DPRC for review of the CLPO’s determination.  The complainant may submit, with their application for review, any information, including argument on questions of law or the application of law to the facts, and may be represented by counsel in submitting this information.  A complainant must submit a request for DPRC review to the same public authority in the qualifying state that originally received the complaint.  The public authority will transmit the request for review to the DPRC. The DPRC will then independently review the CLPO’s determination and make its own decision on whether the CLPO’s determination was correct.  The DPRC appoints a Special Advocate to assist in each review by representing the complainant’s interests, ensuring that the DPRC panel selected to consider an application for review is well informed of the issues and the law with respect to the matter. If the DPRC’s decision differs from the CLPO’s determination, the DPRC may order different remediation.

b. Elements of the Intelligence Community also may request DPRC review of the CLPO’s decision.  An element of the Intelligence Community must seek such review within sixty (60) days of receiving notice that the ODNI CLPO has completed its review of a complaint.  If an Intelligence Community element requests a review of the CLPO’s decision and the complainant does not, a Special Advocate will still be appointed so the complainant’s interests are presented to the Court.

c. For each application for review, a separate panel of DPRC judges is selected to review the CLPO determination.  Once convened, the CLPO provides the DPRC panel with a copy of the information it reviewed and its determinations -- its record of review -- of the underlying complaint and provides any requested support to the DPRC, for example, by supplementing the record with explanatory or clarifying information and making additional factual findings.

d. If the DPRC panel disagrees with the CLPO’s decision and considers issuing a decision for alternative remediation, the panel will inform the CLPO.  The CLPO will then consult with the relevant intelligence agency or agencies and may provide views to the DPRC regarding the proposed alternative remediation, including an assessment of its potential impact on the operations of the Intelligence Community and the national security of the United States.  This does not prevent the DPRC from issuing the alternative remediation.

e. After the DPRC completes its review, the Office of Privacy and Civil Liberties of the U.S. Department of Justice (OPCL), which has been directed by the Attorney General to provide administrative support to the DPRC, informs the complainant through the appropriate public authority, and without confirming or denying that the complainant was subject to United States signals intelligence activities, that the DPRC has completed its review.  In all cases, the complainant is informed that “the review either did not identify any covered violations or the [DPRC] issued a determination requiring appropriate remediation,” and that this constitutes the final agency action in the matter.

Section 4(d) of Executive Order 14086 defines “covered violation” as a violation that:

(i) arises from signals intelligence activities conducted after October 7, 2022 (the date of Executive Order 14086) regarding data transferred to the United States from a qualifying state after the effective date of the Attorney General’s designation for such state, as provided in section 3(f)(i) of Executive Order 14086;

(ii) adversely affects the complainant’s individual privacy and civil liberties interests; and

(iii) violates one or more of the following:

(A) the United States Constitution;

(B) the applicable sections of the Foreign Intelligence Surveillance Act (FISA) or any applicable Foreign Intelligence Surveillance Court-approved procedures;

(C) Executive Order 12333 or any applicable agency procedures pursuant to Executive Order 12333;

(D) Executive Order 14086 or any applicable agency policies and procedures issued or updated pursuant to Executive Order 14086, or the policies and procedures identified in section 2(c)(iv)(A) of Executive Order 14086 before they are updated pursuant to section 2(c)(iv)(B) of Executive Order 14086);

(E) any successor statute, order, policies, or procedures to those identified in section 4(d)(iii)(B)-(D) of Executive Order 14086; or

(F) any other statute, order, policies, or procedures adopted after the date of Executive Order 14086 that provides privacy and civil liberties safeguards with respect to United States signals intelligence activities within the scope of Executive Order 14086, as identified in a list published and updated by the Attorney General, in consultation with the Director of National Intelligence.

a. DPRC judges are attorneys experienced in data privacy and national security law appointed by the Attorney General to independently and impartially adjudicate applications for review of the ODNI CLPO’s determinations of qualifying complaints.  Consistent with the requirements of Executive Order 14086, many have prior judicial experience.  As a group, their backgrounds are broad and diverse, with experience also in the executive and legislative branches at the federal level, in the private practice of law, in academia, and in the non-profit sector.

b. DPRC judges are appointed by the Attorney General for four-year renewable terms.  See 28 CFR § 201.3(a).  Judges are required to be active members in good standing of the bar of a State, Commonwealth, Territory, or Possession of the United States, or of the District of Columbia and be licensed to practice law.

c. Judges of the DPRC are independent.  They are not subject to the supervision of the Attorney General and cannot be removed from the DPRC or subject to any other adverse action arising from their service on the DPRC, except for instances of misconduct, malfeasance, breach of security, neglect of duty, or incapacity, after taking due account of the standards in the Rules for Judicial Conduct and Judicial Disability Proceedings promulgated by the Judicial Conference of the United States pursuant to the Judicial Conduct and Disability Act (28 U.S.C. § 351 et seq.).

As provided in Executive Order 14086 and the Attorney General regulation, the DPRC consists of no fewer than six (6) judges.  DPRC judges are appointed by the Attorney General, after consultation with the Secretary of Commerce, the Director of National Intelligence, and the Privacy and Civil Liberties Oversight Board (PCLOB).  Appointments to the DPRC are informed by the criteria used by the Executive Branch in assessing candidates for the Federal judiciary, with weight given to any prior judicial experience.  Judges on the DPRC must be individuals with appropriate experience in the fields of data privacy and national security law.  DPRC judges maintain security clearances to access classified national security information.  The Attorney General shall endeavor to ensure that at least half of the judges at any given time have prior judicial experience.  At the time of their initial appointment, DPRC judges cannot have been employees of the United States Government in the previous two years.

Judges of the DPRC are independent from the supervision of the Attorney General and the President.  They cannot be removed from the DPRC or subject to any other adverse action arising from their service on the DPRC, except for instances of misconduct, malfeasance, breach of security, neglect of duty, or incapacity, after taking due account of the standards in the Rules for Judicial-Conduct and Judicial-Disability Proceedings promulgated by the Judicial Conference of the United States pursuant to the Judicial Conduct and Disability Act (28 U.S.C. § 351 et seq.).

a. Special Advocates are attorneys experienced in data privacy and national security law who advocate regarding the complainant’s interest in the matter, ensuring that the DPRC panel selected to consider an application for review is well informed of the issues and the law with respect to the matter.  Special Advocates have access to the information reviewed by the ODNI CLPO and its determinations (the record of review), and any information provided by the complainant as a part of an application for review by the DPRC, so that they can effectively advocate regarding the complainant’s interests.

b. Special Advocates are appointed by the Attorney General, after consultation with the Secretary of Commerce, the Director of National Intelligence, and the PCLOB, for two-year renewable terms.

c. At the time of their initial appointment, Special Advocates cannot have been employees of the executive branch in the previous two years.  All persons appointed as Special Advocates must be experienced attorneys licensed to practice law and active members in good standing of the bar of a State, Commonwealth, Territory, or Possession of the United States, or of the District of Columbia.

d. Special Advocates hold security clearances to access classified national security information.

e. The presiding DPRC judge on a panel considering an application for review will select a Special Advocate.  Neither the Attorney General, the CLPO, nor any element of the Intelligence Community is involved in the selection of the Special Advocate for any application for review.  As discussed below, DOJ’s OPCL provides administrative support to the DPRC, which includes all required support to a Special Advocate selected by a DPRC panel.

f. The Special Advocate is not the agent of the complainant, consistent with the rules of professional responsibility, and has no attorney-client relationship with the complainant.

g. To prevent the disclosure of classified or otherwise privileged or protected information, the Special Advocate will have no communications with the complainant if the complainant did not file an application for review (that is, if the application for review was filed by an element of the Intelligence Community).  If the complainant applied for review, the Special Advocate may submit to OPCL written questions for the complainant or the complainant’s counsel.  OPCL, in consultation with relevant elements of the Intelligence Community, will review the questions to ensure they do not disclose any classified or otherwise privileged or protected information and, subject to that limitation, shall forward the questions through the appropriate public authority to the complainant or the complainant’s counsel.  The complainant or the complainant’s counsel will be invited to provide written responses to the questions.

a. A country or regional economic integration organization must be designated by the Attorney General as a qualifying state for individuals in that jurisdiction to use the redress mechanism established by Executive Order 14086.

b. To be designated by the Attorney General, the Attorney General must determine, in consultation with the Secretary of State, the Secretary of Commerce, and the Director of the Office of National Intelligence, that:

(A) the laws of the country, the regional economic integration organization or its member states require appropriate safeguards in their signals intelligence activities for U.S. persons related to transfers of their personal information;

(B) the country, the regional economic integration organization, or its member states permit, or are anticipated to permit, the transfer of personal information for commercial purposes between that jurisdiction and the United States; and

(C) such designation would advance the national interests of the United States.

c. On June 30, 2023, the Attorney General designated the European Union and the three additional countries making up the European Economic Area (EEA) as “qualifying states” for purposes of implementing the redress mechanism established in Executive Order 14086.  That determination was effective on July 10, 2023, when the European Commission adopted its adequacy decision for the United States.  As a result of the designation and the adoption of the adequacy decision, EU/EEA individuals may now submit complaints to obtain redress for alleged violations of law in connection with U.S. signals intelligence activities affecting their personal data transferred to the United States.   The EU member states are listed here. The three additional countries making up the EEA are listed here.

d. On September 18, 2023, the Attorney General designated the United Kingdom as a “qualifying state” for purposes of implementing the redress mechanism established in Executive Order 14086.  That determination was effective on October 12, 2023, when the UK regulations implementing the data bridge for the UK Extension to the EU-U.S. Data Privacy Framework entered into force.

a. The Attorney General directed OPCL to provide administrative support to the DPRC.  This includes supporting the Attorney General with consultations regarding DPRC judges and Special Advocates, and on-boarding those DPRC judges and Special Advocates selected by the Attorney General.  It also includes requisitioning equipment and classified facilities for the DPRC’s use and providing recordkeeping and public communications support.  The Attorney General regulations establishing the DPRC provide additional examples of the administrative support that OPCL will provide to the Court.

b. In addition to its work to provide administrative support to the DPRC, OPCL supports the duties of the Department’s Chief Privacy and Civil Liberties Officer (CPCLO).  The CPCLO’s has duties and responsibilities are mandated by the Privacy Act of 1974, the Implementing Recommendations of the 9/11 Commission Act of 2007 and other additional applicable laws, regulations, and policies issued pursuant to other statutes (such as the Cybersecurity Information Sharing Act of 2015).  The CPCLO is responsible for ensuring that privacy and civil liberties are appropriately protected and that safeguards are implemented to mitigate risks.  The CPCLO is responsible for ensuring that appropriate redress mechanisms are provided to individuals, regardless of citizenship, when their rights to privacy or civil liberties are infringed. and OPCL is responsible for ensuring the Department’s compliance with privacy and civil liberties-related laws and policies, such as the Privacy Act of 1974, as well as administration policy directives.  See, e.g., 42 U.S.C. § 2000ee-1.  OPCL advises Department leadership and components concerning international data protection and privacy laws and policies.

In addition to establishing the redress mechanism, Executive Order 14086 enhanced safeguards for United States Signals Intelligence (SIGINT) collection. For example:

• Under Executive Order 14086, U.S. SIGINT collection must take under consideration the privacy and civil liberties of all persons, regardless of nationality or residence.
• U.S. SIGINT collection must be conducted only when necessary to advance a validated intelligence priority and only to the extent and manner proportionate to that priority.
• Executive Order 14086 directs that SIGINT collection shall only be conducted in pursuit of one or more of the legitimate objectives as set forth in the Order.
• The order further directs that SIGINT collection shall not be conducted for the purpose of prohibited objectives as set forth in the Order (such as burdening criticism, dissent, or free expression),  
• The order directs that, before the Director of National of Intelligence (DNI) presents intelligence objectives to the President of the United States, the DNI shall obtain the CLPO’s assessments as to whether each of the identified intelligence priorities (1) advances one or more of the legitimate objectives set forth in the order, (2) is neither designed nor anticipated to result in SIGINT collection in contravention of the prohibited objectives prohibited set forth in the order (such as burdening criticism, dissent, or free expression), and (3) was established after appropriate consideration for the privacy and civil liberties of all persons, regardless of their nationality or wherever they might reside.
• Targeted collection shall be prioritized, and bulk collection shall be authorized only after a determination that the information necessary to advance a validated intelligence priority cannot reasonably be obtained by targeted collection.
• U.S. Intelligence Community elements were required to update their procedures to reflect these new safeguards.  On July 3, 2023, ODNI confirmed that the procedures had been finalized.
• The PCLOB is an independent Executive Branch agency charged with ensuring that the federal government’s efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties.  The Order encourages the PCLOB to conduct (1) a review of the IC’s procedures implementing the Order, (2) a review of the Attorney General regulations, and (3) an annual review of the redress mechanism, including whether the Intelligence Community fully complied with the determinations of the CLPO and the DPRC.  The PCLOB agreed to conduct these reviews.
• Executive Order 14086 also directed, that for each qualifying complaint transmitted by the appropriate public authority in a qualifying state, the Secretary of Commerce: (1) maintain a record of each complainant, (2) not later than five years after the date of the order and no less than every five years thereafter, contact relevant elements of the Intelligence Community regarding whether information pertaining to a review of a complaint (either by the CLPO or the DPRC) has been declassified, and (3) if such information has been declassified, notify the complainant through the appropriate public authority, that information relating to their complaint may be available under applicable law.