Under Secretary of State for Economic Growth, Energy, and the Environment, Keith Krach, serves as the Privacy Shield Ombudsperson, a position dedicated to facilitating the processing of requests from EU and Swiss individuals relating to national security access to data transmitted from the European Union or Switzerland to the United States. Applicable data transfers include those conducted pursuant to the EU-U.S. Privacy Shield Framework, U.S.-Swiss Privacy Shield Framework, standard contractual clauses (SCCs), binding corporate rules (BCRs), and “Derogations” or “Possible Future Derogations.” This role builds on the Under Secretary’s position under Presidential Policy Directive 28 as the Senior Coordinator for International Information Technology Diplomacy, which includes serving as a point of contact for foreign governments to raise concerns regarding signals intelligence activities conducted by the United States.
The Under Secretary reports directly to the Secretary of State and is independent from the Intelligence Community. To carry out the Ombudsperson duties, the Under Secretary works closely with other United States Government officials, including independent oversight bodies such as inspectors general, as appropriate, to ensure that completed requests are processed and resolved in accordance with applicable laws and policies, including the Ombudsperson Mechanism Implementation Procedures.
Request Submission Process:
STEP 1: Individual Submits a Request
- EU individuals submit a request via the EU designated individual complaint handling body through their local Data Protection Authority (DPA).
- Swiss individuals submit a request via the Federal Data Protection and Information Commissioner (FDPIC)
STEP 2: Review by Relevant Authority
The EU or Swiss authority confirms the identity of the requestor and verifies that the request fulfills the following criteria established in the Ombudsperson Mechanism:
- the request is complete (see “Information to Include” section below);
- the requestor is acting on his/her own behalf, and not as a representative of a governmental or intergovernmental organization;
- the request pertains to data reasonably believed to have been transferred under the Privacy Shield; and
- the request is not frivolous, vexatious, or made in bad faith.
STEP 3: Transfer to Ombudsperson
If the EU or Swiss authority determines that the request meets the criteria, it then transmits the request to the Ombudsperson.
STEP 4: Response
The Ombudsperson will transmit the review findings through the EU individual complaint handling body or the FDPIC.
Information to Include:
Section 3.b of the Ombudsperson Mechanism specifies that requests must be made in writing and contain:
- any information that forms the basis for the request;
- a description of the nature of information or relief sought;
- a list of United States Government entities believed to be involved (if any); and
- any information about other measures pursued to obtain the information or relief requested and the response received through those other measures.
Information that forms the basis of the request should include unique identifiers associated with the types of communications an individual believes may have been accessed. For example, for concerns about email communications, a person will need to provide the relevant email addresses. Likewise, relevant telephone numbers must be provided if a person is concerned about telephone communications. Individuals can also include other information about the concerns that precipitated the request. Such information is requested in order to facilitate a precise and accurate review, and in general, more detailed requests may correspondingly enable a more detailed review.
A request does not need to demonstrate that the requester’s data has been accessed by the United States Government through signal intelligence activities.
Information submitted to the Ombudsperson as part of a request for review will not be used or retained for other purposes unless necessary to comply with applicable law. The EU and Swiss complaint handling bodies do not need to forward information provided for verifying the identity of the requestor or an individual’s contact information.