Privacy Act of 1974; Implementation

Issuing agencies

Abstract

The Office of Privacy and Civil Liberties (OPCL), a component within the United States Department of Justice (DOJ or Department), is finalizing without changes its Privacy Act exemption regulations for the system of records titled, Data Protection Review Court Records System, JUSTICE/OPCL-001, which were published as a notice of proposed rulemaking (NPRM) on May 23, 2023. The notice for this new system of records, Data Protection Review Court Records System, JUSTICE/OPCL-001, was also published in the Federal Register on May 23, 2023. Specifically, the Department's regulations will exempt this system of records from certain provisions of the Privacy Act to protect national security and law enforcement sensitive information, preserve judicial independence, and ensure the integrity of adjudicatory records in cases before the Data Protection Review Court (DPRC). The Department received no comments on the NPRM.

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 170 (Tuesday, September 5, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 170 (Tuesday, September 5, 2023)]
[Rules and Regulations]
[Pages 60583-60586]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-19093]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

28 CFR Part 16

[CPCLO Order No. 004-2023]


Privacy Act of 1974; Implementation

AGENCY: Office of Privacy and Civil Liberties, United States Department 
of Justice.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Office of Privacy and Civil Liberties (OPCL), a component 
within the United States Department of Justice (DOJ or Department), is 
finalizing without changes its Privacy Act exemption regulations for 
the system of records titled, Data Protection Review Court Records 
System, JUSTICE/OPCL-001, which were published as a notice of proposed 
rulemaking (NPRM) on May 23, 2023. The notice for this new system of 
records, Data Protection Review Court Records System, JUSTICE/OPCL-001, 
was also published in the Federal Register on May 23, 2023. 
Specifically, the Department's regulations will exempt this system of 
records from certain provisions of the Privacy Act to protect national 
security and law enforcement sensitive information, preserve judicial 
independence, and ensure the integrity of adjudicatory records in cases 
before the Data Protection Review Court (DPRC). The Department received 
no comments on the NPRM.

DATES: This final rule is effective October 5, 2023.

FOR FURTHER INFORMATION CONTACT: Katherine Harman-Stokes, Director 
(Acting), Office of Privacy and Civil Liberties, U.S. Department of 
Justice, Two Constitution Square, 145 N St. NE, Suite 8W-300, 
Washington, DC 20530; email: <a href="/cdn-cgi/l/email-protection#d3a3a1baa5b2b0aafdb0bcbea3bfbab2bdb0b693a6a0b7bcb9fdb4bca5"><span class="__cf_email__" data-cfemail="d9a9abb0afb8baa0f7bab6b4a9b5b0b8b7babc99acaabdb6b3f7beb6af">[email&#160;protected]</span></a>; telephone: 
(202) 514-0208; facsimile: (202) 307-0693.

SUPPLEMENTARY INFORMATION: 

I. Background

    In accordance with the Privacy Act of 1974, OPCL is establishing a 
new system of records, Data Protection Review Court Records System, 
JUSTICE/OPCL-001, to maintain an accurate record of the DPRC review of 
determinations made by the Civil Liberties Protection Officer of the 
Office of the Director of National Intelligence (ODNI CLPO) in response 
to complaints alleging violations of United States law in the conduct 
of United States signals intelligence activities, under the EU-U.S. 
Data Protection Framework established on October 7, 2022, pursuant to 
Executive Order (E.O.) 14086, Enhancing Safeguards for United States 
Signals Intelligence Activities, 87 FR 62283 (Oct. 14, 2022).
    E.O. 14086 directed the Attorney General to issue a regulation 
establishing the DPRC as the second level of a two-level redress 
mechanism for alleged violations of law regarding signals intelligence 
activities. The Attorney General issued the regulation on October 7, 
2022, ``Data Protection Review Court.'' 87 FR 628303 (Oct. 14, 2022) 
(codified at 28 CFR part 201).
    The first level of the new redress mechanism established by E.O. 
14086 is the investigation, review, and determination by the ODNI CLPO 
of whether a covered violation occurred and, where necessary, the 
appropriate remediation in response to a complaint. The complainant or 
an element of the Intelligence Community may seek review by the DPRC of 
the ODNI CLPO's determination.
    Exercising the Attorney General's authority under 28 U.S.C. 511 and 
512 to provide his advice and opinion on questions of law and the 
authority delegated to the Attorney General under E.O. 14086, the DPRC 
will review whether the ODNI CLPO's determination regarding the 
occurrence of a covered violation was legally correct and supported by 
substantial evidence and whether, in the event of a covered violation, 
the ODNI CLPO's determination as to the appropriate remediation was 
consistent with E.O. 14086.
    The regulations require the DPRC, and OPCL in support of the DPRC, 
to maintain all records relating to the DPRC's review. For each 
application for review, OPCL shall maintain records of the information 
reviewed or created by the DPRC and the decision of the DPRC panel, 
which records shall be made available for consideration as non-binding 
precedent to future DPRC panels considering applications for review. 28 
CFR 201.9(j), see also 28 CFR 201.5 through 201.15. Records of the 
DPRC's review will include material created by the complainant, the 
public authority of a designated state, ODNI CLPO, elements of the 
Intelligence Community, DPRC Judges and Special Advocates, and 
Department of Justice personnel. Most of the information in this system 
consists of records that are classified, including the record of review 
received from the ODNI CLPO.
    Pursuant to 28 CFR 201.9(i), information in the system indicating a 
violation of any authority subject to the oversight of the Foreign 
Intelligence Surveillance Court (FISC) will be shared with the 
Assistant Attorney General for National Security, who shall report 
violations to the FISC as required by law and in accordance with its 
rules of procedure. Similarly, information in the system will be 
provided to the Privacy and Civil Liberties Oversight Board (PCLOB) as 
necessary for the PCLOB to conduct the annual review of the redress 
process described in section 3(e) of E.O. 14086, consistent with the 
protection of intelligence sources and methods.

II. Privacy Act Exemption

    The Privacy Act allows Federal agencies to exempt eligible records 
in a system of records from certain provisions of the Act, including 
those that provide individuals with a right to request access to and 
amendment of records about the individual. If an agency intends to 
exempt a particular system of records, it must first issue a rulemaking 
pursuant to 5 U.S.C. 553(b)(1)-(3), (c), and (e).
    The Department modifies 28 CFR part 16 to add a new Privacy Act 
exemption for the new system of records, Data Protection Review Court 
Records System, JUSTICE/OPCL-001. The Department adds this exemption 
because most of the records in this system will contain classified 
national security information. As such, notice, access, amendment, and 
disclosure (to include accounting for those records) to an individual, 
as well as certain record-keeping requirements, may cause damage to 
national security. The Privacy Act, pursuant to 5 U.S.C.

[[Page 60584]]

552a(k)(1), authorizes agencies to claim an exemption for systems of 
records that contain information properly classified pursuant to 
applicable law. Pursuant to 5 U.S.C. 552a(k)(1), the Department has 
claimed an exemption from several provisions of the Privacy Act, 
including provisions for individual access, amendment, disclosure of 
accounting, as well as certain provisions for record-keeping and 
notice, to prevent disclosure of any information properly classified 
pursuant to applicable law.
    The Department has also claimed an exemption for this system of 
records from the above references provision of the Privacy Act because 
the records in this system relate to criminal law enforcement 
activities, and certain requirements of the Privacy Act may interfere 
with the effective execution of these law enforcement activities. The 
Privacy Act, pursuant to 5 U.S.C. 552a(j)(2), authorizes agencies with 
a principal law enforcement function pertaining to the enforcement of 
criminal laws (including activities of prosecutors, courts, etc.) to 
claim an exemption for systems of records that contain information 
identifying criminal offenders and alleged offenders, information 
compiled for the purpose of criminal investigation, or reports compiled 
for the purpose of criminal law enforcement proceedings. Additionally, 
pursuant to 5 U.S.C. 552a(k)(2), agencies may exempt a system of 
records from certain provisions of the Privacy Act if it contains 
investigatory material compiled for law enforcement purposes, other 
than materials within the scope of 5 U.S.C. 552a(j)(2). The Department 
has claimed exemptions from several provisions of the Privacy Act, 
pursuant to 5 U.S.C. 552a(j)(2) and 552a(k)(2), to prevent the harms 
articulated in this rule from occurring. Records in this system of 
records are only exempt from the Privacy Act to the extent the purposes 
underlying the exemption pertain to the record.

Executive Orders 12866, 13563, and 14094--Regulatory Review

    In accordance with 5 U.S.C. 552a(j) and 552a(k), this regulation 
was subject to formal rulemaking procedures by giving interested 
persons an opportunity to participate in the rulemaking process 
``through submission of written data, views, or arguments,'' pursuant 
to 5 U.S.C. 553. This regulation exempts this system of records from 
certain provisions of the Privacy Act to protect national security and 
law enforcement sensitive information, preserve judicial independence 
and to ensure the integrity of adjudicatory records in cases before 
DPRC.
    The Department has determined that this rule is not a 
``significant'' regulatory action under section 3(f) of E.O. 12866. 
Accordingly, the rule has not been reviewed by the Office of Management 
and Budget (OMB) under E.O. 12866.
    This rule has been drafted and reviewed in accordance with 
Executive Order 12866, ``Regulatory Planning and Review,'' section 
1(b), Principles of Regulation; Executive Order 13563, ``Improving 
Regulation and Regulatory Review,'' section 1(b), General Principles of 
Regulation; and Executive Order 14094, ``Modernizing Regulatory 
Review''. OPCL anticipates no costs or benefits accruing from this 
rule.

Regulatory Flexibility Act

    This regulation will impact records related to or reviewed in 
handling complaints in accordance with E.O. 14086 and DOJ regulation, 
28 CFR part 201, which are personal and generally do not apply to an 
individual's entrepreneurial capacity, subject to limited exceptions. 
Even though this system will contain records that are not covered by 
the Privacy Act, the Chief Privacy and Civil Liberties Officer has 
nevertheless reviewed this regulation in accordance with the Regulatory 
Flexibility Act (5 U.S.C. 605(b)), and by approving it certifies that 
this regulation will not have a significant economic impact on a 
substantial number of small entities.

Small Business Regulatory Enforcement Fairness Act of 1996 (Subtitle 
E--Congressional Review Act)

    The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 
1996, 5 U.S.C. 801 et seq., requires the Department to comply with 
small entity requests for information and advice about compliance with 
statutes and regulations within the Department's jurisdiction. Any 
small entity that has a question regarding this document may contact 
the person listed in FOR FURTHER INFORMATION CONTACT. Persons can 
obtain further information regarding SBREFA on the Small Business 
Administration's web page at <a href="https://www.sba.gov/advocacy">https://www.sba.gov/advocacy</a>. This 
regulation is not a major rule as defined by 5 U.S.C. 804 of the 
Congressional Review Act.

Executive Order 13132--Federalism

    This regulation will not have substantial direct effects on the 
States, on the relationship between the National Government and the 
States, or on distribution of power and responsibilities among the 
various levels of government. Therefore, in accordance with E.O. 13132, 
it is determined that this regulation does not have sufficient 
federalism implications to warrant the preparation of a Federalism 
Assessment.

Executive Order 12988--Civil Justice Reform (Plain Language)

    This regulation meets the applicable standards set forth in 
sections 3(a) and 3(b)(2) of E.O. 12988 to eliminate drafting errors 
and ambiguity, minimize litigation, provide a clear legal standard for 
affected conduct, and promote simplification and burden reduction.

Executive Order 13175--Consultation and Coordination With Indian Tribal 
Governments

    This regulation will have no implications for Indian Tribal 
governments. More specifically, it does not have substantial direct 
effects on one or more Indian tribes, on the relationship between the 
Federal Government and Indian tribes, or on the distribution of power 
and responsibilities between the Federal Government and Indian tribes. 
Therefore, the consultation requirements of E.O. 13175 do not apply.

Unfunded Mandates Reform Act of 1995

    This regulation will not result in the expenditure by State, local, 
and Tribal governments, in the aggregate, or by the private sector, of 
$100,000,000, as adjusted for inflation, or more in any one year, and 
it will not significantly or uniquely affect small governments. 
Therefore, no actions were deemed necessary under the provisions of the 
Unfunded Mandates Reform Act of 1995.

Paperwork Reduction Act

    The Paperwork Reduction Act of 1995, 44 U.S.C. 3507(d), requires 
the Department to consider the impact of paperwork and other 
information collection burdens imposed on the public. There are no 
current or new information collection requirements associated with this 
regulation.

List of Subjects in 28 CFR Part 16

    Administrative practices and procedures, Courts, Freedom of 
information, Privacy.

    Pursuant to the authority vested in the Attorney General by 5 
U.S.C. 552a and delegated to me by Attorney General Order 2940-2008, 
the Department of Justice amends 28 CFR part 16 as follows:

[[Page 60585]]

PART 16--PRODUCTION OR DISCLOSURE OF MATERIAL OR INFORMATION

0
1. The authority citation for part 16 continues to read as follows:

    Authority:  5 U.S.C. 301, 552, 552a, 553; 28 U.S.C. 509, 510, 
534; 31 U.S.C. 3717.

Subpart E--Exemption of Records Systems Under the Privacy Act

0
2. Add Sec.  16.139 to read as follows:


Sec.  16.139  Exemption of the Department of Justice Data Protection 
Review Court Records System, JUSTICE/OPCL-001.

    (a) The Department of Justice Data Protection Review Court system 
of records JUSTICE/OPCL-001 is exempted from subsections 5 U.S.C. 
552a(c)(3) and (4); (d)(1), (2), (3) and (4); (e)(1), (2) and (3); 
(e)(4)(G), (H) and (I); (e)(5) and (8); (f) and (g) of the Privacy Act. 
These exemptions apply only to the extent that information in this 
system is subject to exemption pursuant to 5 U.S.C. 552a(j) or (k). 
Where DOJ determines that compliance would not appear to interfere with 
or adversely affect the purpose of this system to address certain 
violations of United States law in the conduct of United States signals 
intelligence activities, and not interfere with national security or 
law enforcement operations, the applicable exemption may be waived by 
the DOJ in its sole discretion.
    (b) Exemptions from these particular subsections are justified for 
the following reasons:
    (1) From the subsection (c)(3) (accounting of disclosures) 
requirement that an accounting be made available to the named subject 
of a record, because this system is exempt from the access provisions 
of subsection (d). Where the individual is the subject of intelligence 
activities, to provide that individual with the disclosure accounting 
records would hinder authorized United States intelligence activities 
by informing that individual of the existence, nature, or scope of 
information that is properly classified pursuant to Executive Order 
12958, as amended, and thereby cause damage to the national security. 
Revealing this information would also be contrary to Executive Order 
14086 and could compromise ongoing, authorized law enforcement and 
intelligence efforts, particularly efforts to identify and/or mitigate 
national security threats.
    (2) From subsection (c)(4) (notice of amendment to record 
recipients) notification requirements because this system is exempt 
from the access and amendment provisions of subsection (d) as well as 
the provision for making the accounting of disclosures available to an 
individual in subsection (c)(3). The DOJ takes seriously its obligation 
to maintain accurate records despite its assertion of this exemption, 
and to the extent it, in its sole discretion, agrees to permit 
amendment or correction of DOJ records, it will share that information 
in appropriate cases.
    (3) From subsection (d)(1), (2), (3) and (4) (record subject's 
right to access and amend records), (e)(4)(G) and (H) (publication of 
procedures for notifying subjects of the existence of records about 
them and how they may access records and contest contents), (e)(8) 
(notice of compelled disclosures), (f) (agency rules for notifying 
subjects to the existence of records about them, for accessing and 
amending records, and for assessing fees) and (g) (civil remedies) 
because these provisions concern individual access to and amendment of 
records containing national security, law enforcement, intelligence, 
counterintelligence and counterterrorism sensitive information that 
could alert the subject of an authorized law enforcement or 
intelligence activity about that particular activity and the interest 
of the DOJ and/or other law enforcement or intelligence agencies in the 
subject. Providing access could compromise information classified to 
protect national security; disclose information that would constitute 
an unwarranted invasion of another's personal privacy; reveal a 
sensitive investigative or intelligence technique; provide information 
that would allow a subject to avoid detection or apprehension; or 
constitute a potential danger to the health or safety of law 
enforcement personnel, confidential sources, witnesses, or other 
individuals. Nevertheless, DOJ has published notice concerning 
notification, access, and contest procedures because it may in certain 
circumstances determine it appropriate to provide subjects access to 
all or a portion of the records about them in a system of records, 
particularly if information pertaining to the individual has been 
declassified.
    (4) From subsection (e)(1) (maintain only relevant and necessary 
records) because the Data Protection Review Court (DPRC), in the course 
of receiving information pursuant to an application for review, 
including the Office of the Director of National Intelligence (ODNI) 
Civil Liberties Protection Officer's (CLPO) record of review, may 
receive records that are ultimately deemed irrelevant or unnecessary 
for the adjudication of the matter. Relevance and necessity are 
questions of judgment and timing; what appears relevant and necessary 
when collected ultimately may be deemed unnecessary. It is only after 
the information is assessed that its relevancy and necessity can be 
established. Even if the records received are ultimately determined to 
be irrelevant or unnecessary to the adjudication of an application for 
review, the Office of Privacy and Civil Liberties (OPCL) generally must 
nevertheless retain such records to maintain an accurate and complete 
record of the information reviewed by the DPRC.
    (5) From subsection (e)(2) (collection directly from the 
individual) and (3) (provide Privacy Act Statement to subjects 
furnishing information). The DPRC will rely on records received from 
the ODNI CLPO, including records that the ODNI CLPO received from other 
elements of the Intelligence Community. The collection efforts of 
agencies that supply information ultimately received by the DPRC would 
be thwarted if the agencies were required to collect information with 
the subject's knowledge. Application of these provisions would put the 
subject of United States signals intelligence activities on notice of 
the signals intelligence activities and allow the subject an 
opportunity to engage in conduct intended to impede the investigative 
activity or avoid apprehension.
    (6) From subsection (e)(4)(I) (identifying sources of records in 
the system of records), to the extent that this subsection is 
interpreted to require more detail regarding the record sources in this 
system than has been published in the Federal Register. Should the 
subsection be so interpreted, exemption from this provision is 
necessary to protect disclosure of properly classified national 
security and law enforcement sensitive information. Further, greater 
specificity of sources of properly classified records could compromise 
national security.
    (7) From subsection (e)(5) (maintain timely, accurate, complete and 
up-to-date records) because many of the records in the system were 
derived from other domestic and foreign agency record systems over 
which DOJ exercises no control. It is often impossible to determine in 
advance if intelligence records contained in this system are accurate, 
relevant, timely and complete, but in the interest of maintaining a 
complete record of the information reviewed by the DPRC in each case, 
it is necessary to retain this information. The restrictions imposed by 
subsection (e)(5) would impede development of the record for review

[[Page 60586]]

and limit the DPRC's ability to exercise independent judgment in the 
adjudication of applications for review.
    (8) Continue in effect and assert all exemptions claimed under 5 
U.S.C. 552a(j) or (k) by an originating agency from which DOJ obtains 
records where the purposes underlying the original exemption remain 
valid and necessary to protect the contents of the record.

    Dated: August 23, 2023.
Peter Winn,
Chief Privacy and Civil Liberties Officer (Acting), United States 
Department of Justice.
[FR Doc. 2023-19093 Filed 9-1-23; 8:45 am]
BILLING CODE 4410-PJ-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>