EU-US Privacy Shield – Form For Submission of Requests to the U.S. Ombudsperson
The Privacy Shield Ombudsperson is a mechanism set up under the Privacy Shield to facilitate the processing of and response to requests relating to the possible access for national security purposes by US intelligence authorities to personal data transmitted from the EU to the US. The Ombudsperson will deal with requests relating to data transferred not just pursuant to the Privacy Shield, but also on the basis of other frameworks such as the Standard contractual clauses (SCCs), binding corporate rules (BCRs) or derogations. In any event, you do not need to evidence that your data have in fact been accessed by the United States intelligence services.
Please note that only the requests relating to national security access by US intelligence agencies will be considered by the Ombudsperson. The EU supervisory authorities have provided further information about other aspects of the Privacy Shield and how to complain related to those aspects.
Please be aware that the response provided by the Ombudsperson will neither confirm nor deny whether you have been the target of surveillance nor will it confirm the specific remedy that was applied.
As stated in the Privacy Shield Annex III, the Privacy Shield Ombudsperson is a senior official within the U.S. Department of State who is independent from U.S. intelligence agencies. Assisted by a number of staff, the Ombudsperson is obliged to ensure that requests are properly investigated and addressed in a timely manner, and that you receive confirmation that the relevant U.S. laws have been complied with or, if the laws have been violated, the situation has been remedied.
In carrying out its duties, and investigating the requests received, the Ombudsperson has to work closely with and obtain all the information from other independent oversight and investigatory bodies necessary for its response when it concerns the compatibility of surveillance with U.S. law. These bodies are responsible for overseeing the various U.S. intelligence agencies.
Before being submitted to the Ombudsperson, your request will be checked by an EU supervisory authority to verify your identity, that you are acting only for yourself, that your request contains all the relevant information, that it relates to personal data transferred to the U.S., and that your request is not frivolous, vexatious or made in bad faith, i.e. reflects a genuine concern. Please note that your request will be verified by the supervisory authority to which you submitted it and, where found justified, transmitted to the EU Centralised Body, in charge of channelling your complaint to the Ombudsperson
You will also be requested to provide information about any online account or data transfer you believe may have been accessed; this could be your email address, user names on accounts such as Twitter, SnapChat or WhatsApp or flight, hotel or contract information. Your request should include the company you provided your data to.
Since the EU supervisory authorities are required under the Ombudsperson mechanism to verify the information provided in the request, including the email address and user names, your request can only be further processed if you can show that the details provided are actually yours. This can be done in a number of ways. You could provide confirmation from the provider of the service you are using, or a screenshot which clearly shows that you are the one using the account. This information will not be transmitted to the U.S. Ombudsperson.
The Privacy Shield does not include rules on how the personal data provided to the Ombudsperson and the additional U.S. agencies should be processed. The U.S. Department of State has confirmed on its website that “information submitted to the Ombudsperson as part of a request for review will not be used or retained for other purposes unless necessary to comply with applicable law”. The EU data protection authorities have sought further information and assurances from the U.S. government regarding the processing of any of your information that is provided under the Ombudsperson mechanism.
- European Commission, Guide to the EU-U.S Privacy Shield (available at http://ec.europa.eu/justice/data-protection/files/eu-us_privacy_shield_guide_en.pdf?wb48617274=20B3E23E)
The Privacy Shield Ombudsperson will provide a response to the submitting EU Centralised Body within in a timely manner
This response will confirm:
- That your complaint has been properly investigated and,
- That the U.S. law, statutes, executive orders, presidential directives, and agency policies, providing the limitations and safeguards have been complied with, or, in the event of non-compliance, such non-compliance has been remedied.
Once the response has been communicated to the EU Centralised Body, it will be transmitted to the national supervisory authority you originally contacted. This authority will, in turn, be responsible for communicating with you.
The following information is sought for the verification of the request by the EU supervisory authorities and for the further handling of the request by the Privacy Shield Ombudsperson.