Model Complaint Form to the US Office of the Director of National Intelligence's Civil Liberties Protection Officer (ODNI CLPO)
Redress procedures for individuals from Switzerland in connection withalleged violations of US law concerning data collected by the US authorities responsible for national security
15 September 2024
Preliminary remarks
Individuals in Switzerland may use this form to submit complaints about alleged unlawful access to and use by US intelligence services of their personal data transferred from Switzerland to companies in the USA. This redress mechanism applies to all personal data transferred from Switzerland to the USA2 and not only to transfers based on the Swiss-US Data Privacy Framework ("DPF")3. However, it only applies to data transferred after 15 September 20244.
This form only applies to complaints relating to intelligence activities in the field of national security. It cannot be used to file a complaint about access to data by US authorities for purposes other than national security. For complaints relating to the commercial aspects of the DPF, please use the appropriate form.
Please note that once you have submitted your complaint to the Federal Data Protection and Information Commissioner (FDPIC), the FDPIC will review it for completeness, i.e., whether your complaint meets the conditions set out in Section 4(k)(i)-(iv) of Executive Order 140865. Once the FDPIC confirms that your complaint is complete, it will provide a translation of your request into English if and to the extent necessary6. The FDPIC will forward your complaint to the US Civil Liberties Protection Officer of the US Office of the Director of National Intelligence ("CLPO"). The CLPO is a form of data protection officer working under the Director of National Intelligence. Your complaint will be transmitted by the FDPIC to the CLPO in encrypted form. Once the CLPO has verified that the complaint fulfils the required criteria, the CLPO will consider whether an appropriate remedy (i.e. legal measures to fully remedy an identified breach in relation to a specific complainant and complaint) is necessary and, if so, order the remedy7. As soon as the CLPO has considered the complaint, they will send their response in encrypted form to the FDPIC, which will inform you of the result. The standardized response will contain a statement that either no violations were found during the review or that a decision was issued that provides for appropriate remedial measures8. The message reads as follows: “The review either did not identify any covered violations or the Civil Liberties Protection Officer of the Office of the Director of National Intelligence issued a determination requiring appropriate remediation.” This response will therefore neither confirm nor deny whether your data were the target of surveillance measures, nor will it specify any actual remedial measures. Together with this notification, the CLPO will also inform you of the option of applying to the Data Protection Review Court (DPRC) for a review of the CLPO's decisions.
You have 60 days from receipt of the CLPO notice to request a review9. You may resubmit this review to the FDPIC, which, in a procedure comparable to the processing of your original complaint, will transmit this request (including a translation into English, if and to the extent necessary) in encrypted form to the US Department of Justice, Office of Privacy and Civil Liberties (OPCL), which provides organizational support to the DPRC10. After the DPRC has completed its review of your complaint, you will be notified via the FDPIC (including a translation from English, if and to the extent necessary) of the conclusion of the DPRC's review. The notification sent by the DPRC again contains a standardized response stating that either no violations were found during the review or a decision was issued that provides for appropriate remedial measures. The standardized response states: “The review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropri-ate remediation.” 11 Once again, this response will neither confirm nor deny whether your data were the target of surveillance measures, nor will it specify any specific remedial measures.
The FDPIC verifies your identity12. Proof of identity is provided by presenting a valid identity document, e.g. your identity card or passport. Accordingly, we ask you to attach a copy of a valid identity document to your complaint to the FDPIC.
Where to send this form:
You can submit this form either electronically or by post to the following address:
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Feldeggweg 1
CH-3003 Bern
- Where reference is made in this document to the CLPO, this refers to the Civil Liberties Protection Officer of the Office of the Director of National Intelligence.
- What is meant are the principles for cross-border disclosure of data in terms of Art. 16 paras 2 and 3 FADP, in particular standard data protection clauses and binding corporate rules on data protection.
- See Annex 1 of the Ordinance on Data Protection (Data Protection Ordinance, DPO) of 31 August 2022, SR 235.11.
- Further details of this complaints procedure are set out in Executive Order 14086 ("E.O.14086"), which is available at Federal Register : Enhancing Safeguards for United States Signals Intelligence Activities, supplemented by the US regulation on the Data Protection Review Court, available at https://www.justice.gov/d9/pages/attachments/2022/10/07/dprc_final_rule_signed.pdf and by the enforcement procedure implemented in Intelligence Directive 26, available at: https://www.dni.gov/files/documents/ICD/ICD_126-Im¬plementation-Procedures-for-SIGINT-Redress-Mechanism.pdf.
- E.O. 14086 Section 4(k)(v) provides as follows: “‘Qualifying complaint’ means a complaint, submitted in writing, that is transmitted by the appropriate public authority in a qualifying state, after it has verified the identity of the complainant and that the complaint satisfies the conditions of section 5(k)(i)-(iv) of this or-der.” In addition, Intelligence Community Directive 126 sets out the following in Section E(1)(c)(8): “Spe-cifically, for a transmitted complaint to be a ‘qualifying complaint’ consistent with Executive Order 14086's definition, the complaint must contain a verification by the appropriate public authority in a qualifying state: (a) of the identity of the complainant, and (b) that the complaint satisfies the conditions of Section E.1.c.(1) - (7) of this Directive,” and in Section E(1)(e): “The transmission of the complaint from an appropriate public authority in a qualifying state must also contain a description of the manner in which the authority verified the identity of the complainant. The CLPO shall rely on the verification of the identity of the complainant by the appropriate public authority in a qualifying state, but should either the information provided by the appropriate public authority in a qualifying state or subsequent investigation of the complaint call into question the identity of the complainant, the CLPO may request additional information from the public authority in a qualifying state in a manner that does not reveal intelligence sources or methods or otherwise indicate whether an individual has, in fact, been the subject of signals intelligence activities.”
- Section E(1)(f) of the Intelligence Community Directive 126 states: “If the CLPO determines that the complaint is not a qualifying complaint because it does not meet the conditions of Section E.1.c., or does not meet the conditions of Section E.1.d., of this Directive, the CLPO will provide written notification via encrypted electronic communication and in the English language to the appropriate public authority in a quali-fying state of the deficiencies in the complaint.”
- This may include, for example, the following: Measures to remedy procedural or technical violations in connection with otherwise lawful access; termination of the collection of data if the collection is not lawful; deletion of data that have been collected unlawfully; deletion of the results of inappropriate queries on lawfully collected data; restriction of access to data.
- E.O. 14086, Section 3(c)(E)(1).
- §201(6)(a) Attorney General Regulation – 28 CFR Part 201 – Data Protection Review Court.
- When calculating whether the complaint was filed within 60 days, the date of notification of the CLPO's decision to the complainant by the data protection authority and the date on which the complainant submits their complaint to the data protection authority are taken into account.
- E.O. 14086, Section 3(d)(i)(H).
- E.O. 14086, Section 4(k)(v) and Section E(1)(c)(8) of Intelligence Community Directive 126.
Last modification 29.10.2024