Council of Europe Privacy Convention
Top News
- European Commission Proposes Risk-Based AI Regulation, Banning ‘Unacceptable’ Uses: The European Commission released a long-awaited proposal for how to regulate AI throughout the European Union. The proposed regulation includes a ban on “unacceptable” uses of AI such as general social scoring and “real time remote biometric identification” for law enforcement. The proposal also imposes testing and transparency obligations for “high-risk” uses of AI, including a publicly accessible EU database on stand-alone “high-risk” systems. The proposal requires notice to individuals when they interact with certain types of AI and “conformity” assessments for “high-risk” systems. The prohibitions on unacceptable AI are very limited and many of the strongest provisions are subject to vast exceptions. However, a penalty of up to 4% of annual revenue on companies that violate the regulation is included. EPIC has called for prohibitions on secret scoring, mass surveillance, and facial recognition. EPIC urges legislators to implement the OECD Principles on AI and adopt the Universal Guidelines of AI. (Apr. 22, 2021)
- Mauritius Ratifies Convention 108+, 36 Countries Back Privacy Convention: This week, Mauritius signed and ratified the Modernized International Privacy Convention. Mauritius became the sixth state to officially ratify the modernized Convention 108, and the 36th country to become a signatory. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data, algorithmic transparency, enhanced oversight. Non-members of the Council of Europe are able to sign the Convention, and EPIC and consumer groups have long urged the United States to ratify the international Privacy Convention. (Sep. 15, 2020)
More top news
- Facebook to be Ordered to Stop Sending EU Data to U.S. + (Sep. 10, 2020)
The
Irish Data Protection Commissioner has
reportedly issued a preliminary order instructing Facebook to stop transferring the data of EU users to the United States. The order comes in the wake of a recent the
European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users’ personal data, illegally infringed EU residents’ data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- Schrems Files 101 Complaints Targeting US-EU Data Transfers + (Aug. 18, 2020)
None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed
complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent the
European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users’ personal data, illegally infringed EU residents’ data protection and privacy rights. EPIC participated as an amicus curiae in the case,
arguing that
U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- BREAKING: Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws + (Jul. 16, 2020)
Today the European Court of Justice issued a
decision in
Irish Data Protection Commissioner v. Facebook & Schrems, a case concerning transfers of personal data by Facebook between the EU and the United States. Specifically, the court considered the validity of transfers made from companies in the EU to companies in the U.S. pursuant to standard contracts or to the EU-U.S. Privacy Shield agreement, both of which had been authorized by the European Commission. But the court held that the Privacy Shield was invalid and that transfers could not be made under the contracts where personal data is not adequately protected. Because U.S. surveillance law authorizes the mass processing of personal data transferred from abroad, under Section 702 of
FISA, it “cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter.” EPIC
participated as an amicus curiae in the case and argued that U.S. surveillance law does not provide an equivalent level of protection because it does not provide adequate protections or remedies for non-U.S. persons abroad. EPIC was represented in this case by the Free Legal Advice Centres (FLAC) and by barristers Grainne Gilmore and Colm O’Dwyer, SC. [
PRESS RELEASE]
- Germany’s Highest Court Rules Facebook Illegally Combines Users’ Data, Abusing Its Market Dominance + (Jun. 24, 2020)
In an
important decision for data privacy, Germany’s Federal Court of Justice sided with antitrust regulators in a case challenging Facebook’s practice of combining user data across different sources, including WhatsApp and Instagram. The Court held that Facebook’s terms of use were abusive because they did not allow users to use the platform without also consenting to Facebook’s collection of their data from other sites. The decision emphasized Facebook’s dominant market position in Germany and recognized that Facebook thus had a special responsibility towards maintaining market competition. EPIC has
repeatedly urged U.S. antitrust agencies to more aggressively regulate Facebook and other platforms, whose large mergers compromise user privacy and consolidate market power in a handful of companies. EPIC recently objected to the FTC’s
settlement with Facebook. EPIC continues to work with
international stakeholders to ensure user privacy.
- Global Privacy Assembly Surveys Policies on Coronavirus + (Apr. 3, 2020)
The
Global Privacy Assembly, the international network of data protection officials, has published
Data protection and Coronavirus (COVID-19) resources. The GPA stated that it “recognises the unprecedented challenges being faced to address the spread of Coronavirus (COVID-19). Data protection authorities across the world stand ready to help facilitate swift and safe data sharing to fight COVID-19, while still providing the protections the public expects.” EPIC is also tracking privacy statements from
UN Human Rights experts, the
Council of Europe, German data protection experts, NGOs, the
European Data Protection Board, and the
World Health Organization.
- Council of Europe Issues Statement on COVID-19 and Data Protection + (Mar. 30, 2020)
Today the Council of Europe published a
Joint Statement on The Right to Data Protection in the Context of the COVID-19 Pandemic. The statement was published by Alessandra Pierucci, Chair of the Committee of Convention 108 and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe. The COE Statement advises that “States have to address the threat resulting from the COVID-19 pandemic in respect of democracy, rule of law and human rights, including the rights to privacy and data protection.” The Council further states that even during a public health crisis, “human rights(such as the International Covenant on Civil and Political Rights and the European Convention on Human Rights) cannot be suspended but only derogated or restricted by law, to the extent strictly required by the exigencies of the situation, while respecting the essence of the fundamental rights and freedoms.” The COE notes that “anonymised data is not covered by data protection requirements. The use of aggregate location information . . . would thus not be prevented by data protection requirements.” EPIC has worked closely with the Council of Europe on updates to the
Council of Europe Privacy Convention, recommended US
ratification of the Convention, and recently advised the COE on AI policy. The text of the COE Privacy Convention is contained in the
EPIC Policy Law Sourcebook.
- On International Privacy Day, EPIC Urges Congress to Act on Privacy + (Jan. 28, 2020)
On January 28, EPIC celebrates International Privacy Day, which commemorates
Council of Europe Convention 108, the first international privacy convention. Today EPIC
urged Congress to take three steps to safeguard the personal data of Americans: (1) enact
comprehensive baseline legislation, (2) establish a
data protection agency, and (3) ratify the
International Privacy Convention.
EPIC and
consumer organizations have long urged the United States to endorse the Privacy Convention, which establishes a global framework for the free flow of personal data. The complete text of the Privacy Convention is in the EPIC
Privacy Law Sourcebook, available at the
EPIC Bookstore. Follow #DataProtectionDay.
- EU Legal Advisor Advances Privacy for National Security Matters + (Jan. 16, 2020)
The EU Advocate General
advised the European Court of Justice that “the means and methods of combating terrorism must be compatible with the requirements of the rule of law” in a case concerning the retention of personal data for law enforcement purposes. The AG recommended limiting retention of data to data that are essential for national security and limiting access to that data subject to prior review by courts. The opinion is not binding on the Court of Justice and the Court will issue a judgment at a later date. The AG
cited EPIC’s expert submissions in
“Schrems 2.0,” another case concerning Facebook’s transfer of personal data to the United States and the adequacy of U.S. privacy law.
- Swiss Sign Convention 108+, 35 Countries Back Privacy Convention + (Nov. 21, 2019)
This week, Switzerland
signed the
Modernized International Privacy Convention. With the Swiss signature thirty-five countries now back Convention 108+. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data,
algorithmic transparency, enhanced oversight. Non-members of the Council of Europe are able to sign the Convention, and EPIC and consumer groups
have long
urged the United States to ratify the international Privacy Convention.
- UK Releases US-UK CLOUD Act Agreement + (Oct. 7, 2019)
The UK has released the text of the US-UK CLOUD Act Agreement. The agreement permits cross-border access to personal data without judicial approval, allows for law enforcement investigations under lower standards than in the U.S., and lacks notice to data subjects who are subject to surveillance. In testimony before the European Parliament, EPIC International Counsel Eleni Kyriakides argued that cross-border access to personal data should ensure robust human rights protections, such as notice, judicial authorization, and transparency.
- EPIC, Coalition Call for NGO Role in Privacy Convention Oversight + (Sep. 13, 2019)
EPIC, the Australian Privacy Foundation, and Privacy International submitted
comments calling for a greater NGO role in oversight of the
International Privacy Convention. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new articles on biometric data and algorithmic transparency, and enhanced compliance with convention terms. The coalition comments urge the Council of Europe to include NGOs in compliance review groups, increase transparency of the review process, and to evaluate national privacy remedies and derogations from the Convention. EPIC and consumer groups
have also long
urged the United States to ratify the international Privacy Convention.
- U.S. Releases Annual Human Rights Report + (Mar. 14, 2019)
The U.S. Department of State has
released the annual report on human rights practices across the globe. The State Dept. report
reviews adherence to “internationally recognized individual, civil, political, and worker rights, as set forth in the Universal Declaration of Human Rights and other international agreements,” including the arbitrary or unlawful
interference with privacy. The 2018 report highlights China’s social credit system which “quantifies a person’s loyalty to the government by monitoring citizens’ online activity and relationships.” The report also cites the Indian Supreme Court
ruling that privacy is a fundamental right and Turkish authorities’ investigation of more than 45,000 social media accounts between 2016 and April 2018. Two EPIC publications –
The Privacy Law Sourcebook 2018 and
Privacy and Human Rights: An International Survey of Privacy Laws and Developments – provide a comprehensive overview of privacy frameworks around the world and track emerging privacy challenges.
- EPIC Files Brief on Government Hacking With Court of Human Rights + (Feb. 28, 2019)
EPIC has filed
a brief with the European Court of Human Rights detailing the public safety and privacy risks of government hacking.
Privacy International v. United Kingdom asks whether remote hacking by UK intelligence services violates the European Charter of Fundamental Rights. The Court recently
granted EPIC’s request
to intervene in the case. “Hacking tools stockpiled by governments could be used by criminals to mount cyberattacks,” EPIC’s brief states. EPIC also explained that “Government hacking weakens security safeguards.” EPIC has long advocated for strong cybersecurity policies.
- European Data Supervisor Releases Annual Report, Warns US on Bulk Collection + (Feb. 26, 2019)
European Data Protection Supervisor Giovanni Buttarelli released the
2018 EDPS annual report. Among recent accomplishments are the
2018 Conference on Digital Ethics, adoption of an EU-Japanese data transfer deal, and implementation of the
GDPR. At a press conference for the report’s release, Buttarelli also recommended that the United States enact a federal privacy law, ratify the Council of Europe Privacy, Convention, and resolve long-standing concerns about mass surveillance. “In my opinion, bulk collection as such is not fully compatible with our system,” Buttarelli
said. EPIC has long
recommended that the United States ratify the
International Privacy Convention. EPIC has also proposed
changes to Section 702 of the Patriot Act, which permits the bulk collection of the personal data of Europeans.
- Grand Chamber of Human Rights Court to Review UK Surveillance + (Feb. 5, 2019)
The European Court of Human Rights Grand Chamber has agreed to review
Big Brother Watch v. UK, a case concerning UK surveillance power revealed by Edward Snowden. Last year the Court
ruled that the communications surveillance regime narrowly violated human rights, and stopped short of ruling that bulk surveillance violated fundamental rights. The Grand Chamber, a larger panel of judges, has now agreed to hear the case again. The Chamber
only agrees to review cases raising important human rights issues. The groups that brought the case requested referral and urged the Court
to rule mass surveillance incompatible with human rights. EPIC
filed a brief in the original case explaining that the US, which transfers intelligence data to the UK, has “technological capacities” enabling “wide scale surveillance” and that US law do not restrict surveillance of non-U.S. persons abroad. In an article, EPIC
called the initial ruling against UK surveillance “narrow” but “important.”
- EU Receives 95,000 Privacy Complaints, Still No News from US FTC on Facebook Case + (Jan. 28, 2019)
According to the European Commission, recent figures from the European Data Protection Board reveal that EU Data Protection Authorities have received more than 95,000 complaints from citizens across the continent. In a joint statement on
International Privacy Day, the Commissioners said “Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work.” The
European Data Protection Board also reported that the majority of the complaints were related to activities such as telemarketing, promotional e-mails, and video surveillance. In the United States, the Federal Trade Commission
announced in March 2018 that it was reopening the Facebook investigation, following news that Cambridge Analytica improperly harvested the personal data of 87 millions users. Still no word from the FTC on how that one case is proceeding.
- EPIC Asks UN to Question US About Privacy Violations by Private Firms + (Jan. 10, 2019)
As part of a routine review, EPIC
asked the United Nations Human Rights Committee to question the US about the failure to protect individuals against privacy violations by private industry. This year the Committee will
review US compliance with human rights obligations under the
International Covenant on Civil and Political Rights. EPIC explained that countries “have a duty to protect individuals against human rights violations by non-state actors,” and pointed to Article 17 in the international agreement. “Despite record-breaking data breaches, identity theft, and extensive corporate surveillance, the U.S still lacks both comprehensive privacy legislation and a data protection authority,” EPIC concluded. The
EPIC 2018 Privacy Law Sourcebook provides a comprehensive overview of privacy laws in the US and around the world.
- International Privacy Convention Open for Signature + (Oct. 11, 2018)
The Council of Europe has
opened for signature updates to
Convention 108, the international Privacy Convention. Among other changes, the modernized Convention requires prompt data breach notification, establishes national supervisory authorities to ensure compliance, permits transfers abroad only when personal data is sufficiently protected, and provides new user rights, including
algorithmic transparency.
Twenty-one nations have signed the treaty. Many more are expected to sign.
EPIC and
consumer coalitions have
urged the United States to ratify the international Privacy Convention. The complete text of the modernized Convention will be available in the 2018 edition of the Privacy Law Sourcebook, available at the
EPIC Bookstore.
- International Privacy Experts Adopt Recommendations for Cross-Border Law Enforcement Requests for Data + (Aug. 14, 2018)
The
International Working Group on Data Protection in Telecommunications has adopted
new recommendations to protect individual rights during criminal cross-border law enforcement. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The Working Group on Data Protection calls on governments and international organisations to ensure law enforcement requests accord with international human rights norms. The Working Group recommends specific safeguards for data protection and privacy, including accountability, procedural fairness, notice and an opportunity to challenge. EPIC addressed similar issues in an
amicus brief for the US Supreme Court in the
Microsoft case. EPIC and a coalition of civil society organizations recently
urged the Council of Europe to protect human rights in the proposed
revision to the
Convention on Cybercrime. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany’s cultural institute.
- EPIC Advises NTIA on International Internet Policy + (Aug. 1, 2018)
EPIC submitted
comments in response to the the National Telecommunications and Information Administration’s
request for recommendations on its international internet policy priorities. NTIA is the Executive Branch agency that is principally responsible by law for advising the President on telecommunications and information policy issues. EPIC recommended that the administration (1) enact comprehensive privacy law, based on the
OECD Privacy Guidelines); (2) encourage US firms to comply with
GDPR; and (3) ratify the
Council of Europe Privacy Convention. EPIC has
urged Congress to update U.S. privacy laws and recently wrote in the
Financial Times that “Instead of criticizing the EU effort, the Commerce Department should help develop a comprehensive strategy to update US data protection laws.” EPIC comments to the NTIA also addressed Algorithmic Transparency, security standards for the Internet of Things, and data minimization.
- Council of Europe Modernizes International Privacy Convention + (May. 18, 2018)
The Council of Europe has
updated Convention 108, the first international treaty for privacy and data protection. Among other changes, the
amending protocol requires prompt data breach notification, establishes national supervisory authorities to ensure compliance, permits transfers abroad only when personal data is sufficiently protected, and provides new user rights including
algorithmic transparency.
EPIC and
consumer coalitions have
urged the United States to ratify the International Privacy Convention. The complete text of the Privacy Convention is contained in the
Privacy Law Sourcebook, available at the
EPIC Bookstore.
- Transatlantic Consumer Dialogue Publishes “10 Things to Know About the GDPR” + (May. 8, 2018)
The Transatlantic Consumer Dialogue, a coalition of more than 70 consumer organizations in Europe and North America, has made available
“10 Things to Know About the GDPR.” The analysis details key elements of the new
European privacy law. TACD wrote, “People’s data should be treated with the highest privacy protections no matter where they are based. Privacy is a fundamental human right and data protection is intrinsically linked to it.” Last month, TACD sent a
letter to Mark Zuckerberg urging Facebook to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD will host a press conference on GDPR with EPIC in Washington DC on May 16. EPIC makes available the complete text of the GDPR and related materials in the
Privacy Law Sourcebook.
- Facebook Denied Attempt to Delay Review of EU-US Personal Data Transfers + (May. 3, 2018)
The Irish High Court has
denied Facebook’s request to halt review of
Data Protection Commissioner v. Facebookby Europe’s top court. The case, which was recently
referred to the
European Court of Justice, concerns whether Facebook’s transfers of personal data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the
landmark 2015 decision that the US had insufficient privacy protections to allow transfer of Europeans’ personal data. Ruling against Facebook’s request to delay the case further pending appeal, the Irish court said EU data subjects could be harmed if the case were delayed, and that there were “considerable concerns” about Facebook’s conduct in the case. EPIC was
designated the US NGO amicus curiae in this case, and provided a detailed
assessment of US privacy law.
- EPIC Urges Secretary of State to Support International Privacy Convention + (Apr. 16, 2018)
EPIC submitted a
statement following the Senate
nomination hearing on Mike Pompeo for Secretary of State. EPIC said that the US Secretary of State should uphold privacy as a fundamental human right around the world. The United States Department of State publishes an
annual human rights report that covers “internationally recognized individual, civil, political, and worker rights, as set forth in the
Universal Declaration of Human Rights and other international agreements.” EPIC also said that “international agreements provide the best opportunity to establish data protection standards” and urged the Secretary of State to ratify the
International Privacy Convention. Privacy experts and advocates have also called for adoption of the
Madrid Privacy Declaration, a comprehensive framework for data protection.
- European Court of Justice Receives Key Questions on Future of EU-US Personal Data Transfers + (Apr. 12, 2018)
The Irish High Court has sent
eleven questions to the
European Court of Justice for review in
Data Protection Commissioner v. Facebook. The case considers whether Facebook’s transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the 2015 landmark decision
Schrems v. DPC, which found that the US had insufficient privacy law to protect the personal data of Europeans. The new case examines “standard contractual clauses” and whether the US provides sufficient remedies for privacy violations, whether future data transfers should be suspended, and whether the EU-US
“Privacy Shield” matters. EPIC was
designated the US NGO amicus curiae in this case, and provided a
detailed assessment of US privacy law.
- Zuckerberg Confirms Global Compliance with GDPR + (Apr. 11, 2018)
In response to a series of questions from
Rep. Gene Green, (D-TX), Facebook CEO Mark Zuckerberg
confirmed that Facebook will comply with the new European Union privacy law –
“the GDPR” – in all jurisdictions. Earlier this week, the Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organization in North America and Europe, sent a
letter to Mr. Zuckerberg urging him to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD wrote, “The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and democratic process.”
- EPIC Provides U.S. Report for Privacy Experts Meeting + (Apr. 9, 2018)
EPIC has provided a comprehensive
report explaining the latest developments in U.S. privacy law and policy for the 63rd meeting of the
International Working Group on Data Protection. The Working Group includes
Data Protection Authorities and experts from around the world who work together to address emerging privacy challenges. The EPIC 2018 report details the
CLOUD Act, the FTC’s failure to enforce its
legal judgment against Facebook, the ongoing investigation of the
Russian interference in the 2016 election, federal nominees to the FTC and PCLOB, recent legislative
proposals on Artificial Intelligence, and more. The
64th meeting of the IWG will take place in Queenstown, New Zealand on November 29-30. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany’s cultural institute.
- EPIC to UNESCO: Algorithmic Transparency is an Internet Universality Indicator + (Mar. 16, 2018)
EPIC has provided comments to UNESCO on a proposed framework for
Internet Universality Indicators. The UNESCO
framework emphasizes Rights, Openness, Accessibility, and Multistakeholder participation. UNESCO
said that the framework will help guide protections for fundamental rights. EPIC also proposed
“Algorithmic Transparency” as a key indicator of Internet Universality. EPIC highlighted the risk of secret profiling, content filtering, the skewing of search results, and adverse decisionmaking, based on opaque algorithms. EPIC has worked closely with UNESCO for
over 20 years on Internet policy issues. At UNESCO headquarters in 2015, EPIC said that algorithmic transparency should be a
fundamental human right.
- International Privacy Experts Adopt Privacy Recommendations for Web Registration + (Mar. 9, 2018)
The
International Working Group on Data Protection has
adopted new recommendations to enhance the privacy of website registration data. The Berlin-based Working Group includes
Data Protection Authorities and experts who assess emerging privacy challenges. The “
Working Paper on Privacy and Data Protection Issues with Regard to Registrant data and the WHOIS Directory” highlights privacy risks of the current registration system. When registering a new website with ICANN, the personal data of website owners is published in a widely accessible database. The Working Group recommends limitations on disclosure consistent with the purpose of registration – to provide limited contact information to resolve technical concerns. Registration data is also subject to the
GDPR. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany’s cultural institute.
- EPIC Amicus: Supreme Court Divided Over Microsoft Stored Communications Case + (Feb. 28, 2018)
This week, the Supreme Court heard arguments in
United States v. Microsoft Corps., a case concerning law enforcement access to personal data stored in Ireland. The Court appeared divided during the argument, but both Justice Ginsburg and Justice Alito appeared to agree that Congress and not the Court was better positioned to find a solution. In an
amicus brief, EPIC urged the Supreme Court to respect
international privacy standards. EPIC wrote, the “Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms.” EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that “a ruling for the government would also invite other countries to disregard sovereign authority.” EPIC has long supported
international standards for privacy protection, and EPIC has urged U.S. ratification of the
Council of Europe Privacy Convention. EPIC routinely participates as
amicus curiae in privacy cases before the Supreme Court, most recently in
Carpenter v. United States (privacy of cellphone data),
Byrd v. United States (searches of rental cars), and
Dahda v. United States (wiretapping).
- EPIC Supports Data Protection Legislation for India + (Jan. 31, 2018)
In response to a
white paper on data protection from the Indian government, EPIC provided
detailed comments, backing comprehensive legislation. The white paper analyzes data protection laws from around the world, comparing the approaches of different countries. The Indian government proposes a data protection framework based on seven principles: (1) technology agnosticism, (2) holistic application, (3) informed consent, (4) data minimization, (5) controller accountability, (6) structured enforcement, and (7) deterrent penalties. In
comments on the proposal, EPIC backed India’s efforts to adopt data protection legislation, and recommended also a private right of action and breach notification. Last year, the Supreme Court of India
ruled that privacy is a fundamental right. EPIC’s report
Privacy and Human Rights provides an overview of privacy frameworks around the world.
- Congress Renews Controversial Surveillance Measure, EU Impacted + (Jan. 18, 2018)
In a decision that could jeopardize relations with Europe, Congress has
renewed “Section 702” of the
Foreign Intelligence Surveillance Act, which permits broad surveillance of individuals outside of the United States. The
FISA Amendment Reauthorization Act also permits government
surveillance of Americans and restarts the controversial
“about” collection program. Congress rejected
updates, including limits on data collection, that would preserve a
privacy agreement between Europe and the United States. The European Court of Justice will also soon
decide whether to allow data transfers from Ireland to the United States. EPIC
served as the US NGO amicus curiae in that case.
- In Supreme Court Brief, EPIC Backs International Privacy Standards + (Jan. 18, 2018)
EPIC has filed an
amicus brief in
United States v. Microsoft, a case before the US Supreme Court concerning law enforcement access to personal data stored in Ireland. EPIC urged the Supreme Court to respect
international privacy standards and not to extend U.S. domestic law to foreign jurisdictions. EPIC wrote, the “Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms.” EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC has long supported
international standards for privacy protection, and EPIC has
urged U.S. ratification of the
Council of Europe Privacy Convention. EPIC routinely participates as
amicus curiae in privacy cases before the Supreme Court, most recently in
Carpenter v. United States (privacy of cellphone data),
Byrd v. United States (searches of rental cars), and
Dahda v. United States (wiretapping).
- European Court Holds Camera Surveillance of University Lecture Halls Violates Privacy + (Nov. 29, 2017)
In the case of
Antović and Mirković v. Montenegro, the European Court of Human Rights held that camera surveillance in lecture halls at the University of Montenegro’s School of Mathematics violated
Article 8 of the European Convention on Human Rights (the right to respect one’s “private and family life”). The decision follows
earlier cases of the Court which recognize privacy rights in the workplace. Some U.S. law schools have
deemed all classrooms and meetings rooms as “recordable spaces” and state that voluntary participation therefore constitutes a waiver of legal claims. EPIC has protected the human right to privacy through
third-party intervention in the European Court of Human Rights as well as documented the
spread of CCTV surveillance technology across American cities.
EPIC’s Privacy Law Sourcebook provides background on US and international privacy law. The
Privacy Law and Society website provides more information about international privacy law.
- EPIC Provides U.S. Report for Privacy Experts Meeting + (Nov. 27, 2017)
EPIC has provided a comprehensive
report explaining the latest developments in U.S. privacy law and policy to the
International Working Group on Data Protection in Telecommunications. The Berlin-based Working Group includes
Data Protection Authorities and experts, from around the world, who work together to address emerging privacy challenges. The EPIC report details legislative proposals to address privacy and security risks of
automated vehicles, pending Supreme Court case concerning cell phone location tracking
Carpenter v. United States, U.S. investigation of the
Russian interference in the 2016 election, the
Equifax data breach, and more. The 62nd meeting to the IWG will take place in Paris, France on November 27-28. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany’s cultural institute.
- European Court Adviser Says Facebook Privacy Class Action Barred + (Nov. 15, 2017)
The
opinion of a key adviser to the
European Court of Justice holds that a class action cannot proceed against Facebook, but would permit individual privacy claims to move forward. The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member
Max Schrems alleges Facebook violated Europeans’ privacy rights, including for transferring data to the U.S. intelligence community. The opinion from Advocate General Bobek said a “consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers,” citing the risk of consumers shopping for the most favorable forums. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also
consider DPC v. Facebook, involving whether Facebook’s data transfers from Ireland to the U.S. violate European Fundamental Rights. In 2013, Max Schrems
received the EPIC International Champion of Freedom Award.
- European Court Adviser Says Local Regulators Can Enforce Privacy Laws Against Facebook + (Oct. 24, 2017)
The
opinion of a key adviser to the
European Court of Justice holds that local European data protection authorities can directly enforce privacy laws against Facebook. The case involves a German data protection authority’s order to deactivate a local Facebook fan page for illegally tracking users. The opinion from Advocate General Bot said regional data protection authorities can intervene to stop unlawful data practices. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also
consider DPC v. Facebook, involving whether Facebook’s data transfers from Ireland to the U.S. violate European Fundamental Rights.
- EU Approves Data Transfer Arrangement, But Seeks Stronger U.S. Privacy Protections + (Oct. 18, 2017)
Following the first annual review of the pact, the European Commission has
approved the EU-U.S.
Privacy Shield, a framework permitting the flow of European consumers’ personal data to the United States. However, the Commission
urged the U.S. to appoint a permanent
Ombudsperson to review complaints, to restore the
Privacy and Civil Liberties Oversight Board, and to pass the Obama-era
Presidential Policy Directive-28 into law. In a recent letter to
Congress, EPIC emphasized the need to update U.S. privacy laws. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in
DPC v. Facebook, a case now before the European Court of Justice.
- EPIC Urges House to Strengthen US Privacy Laws for Cross Border Data Flows + (Oct. 12, 2017)
EPIC sent a
letter to a House committee on Digital Commerce and Consumer Protection for the
hearing “21st Century Trade Barriers: Protectionist Cross Border Data Flow Policy’s Impact on U.S. Jobs.” EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.’s lax privacy laws. EPIC recommended Congress take four steps to update U.S. privacy law: (1) enact the Consumer Privacy Bill of Rights, (2) modernize the Privacy Act, (3) establish an independent data protection agency, and (4) ratify the International Privacy Convention. EPIC also noted that the
Schrems II decision calls into question the viability of
“Privacy Shield,” the current data transfer scheme between the US and EU.
- NGOs to Meet with Privacy Commissioners at Public Voice Event in Hong Kong + (Sep. 19, 2017)
The Public Voice will host an
event with NGOs and Privacy Commissioners at the
39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. “Emerging Privacy Issues: A Dialogue Between NGOs & DPAs” will address emerging privacy issues, including
biometric identification,
Algorithmic transparency, border surveillance, the India privacy decision, and implementation of the
GDPR. Speakers include Chairman Isabelle Falque-Pterrotin of the CNIL and
Article 29 Working Party, Commissioner John Edwards of New Zealand, and Director Eduardo Bertoni of Argentina. Also participating will be representatives of
Access Now, EPIC,
GP Digital,
Privacy International, and the
World Privacy Forum. The
Public Voice, established in 1996, facilitates public participation in decisions concerning the future of the Internet.
- EPIC, Global Coalition Recommend Human Rights Protections for Cybercrime Proposal + (Sep. 18, 2017)
EPIC joined European Digital Rights (EDRI) and a coalition of organizations to
advise the Council of Europe about protecting human rights during trans-national criminal investigations. The “Global Civil Submission” states that a proposed
update to the
Convention on Cybercrime should include compliance with human rights principles and data protection standards for transnational data transfers. Several years ago, EPIC
opposed the U.S. ratification of the
Convention on Cybercrime, citing its sweeping expansion of law enforcement authority. However, EPIC and the U.S. Privacy Coalition have long campaigned for the United States ratification
“Convention 108,” the International Privacy Convention.
- Call For Papers – CPDP 2018 “The Internet of Bodies” + (Sep. 7, 2017)
Computers, Privacy, and Data Protection, the leading international conference devoted to privacy and data protection, has opened a
call for papers ahead of the 2018 conference. The conference theme is “The Internet of Bodies” and will be held on 24-26 January 2018 in Brussels. The CPDP2018 call for papers is addressed to all researchers who wish to present papers at this year’s conference. Papers will be reviewed by the CPDP
Scientific Committee. EPIC is one of the founders of CPDP and an annual sponsor of
the event. The
EPIC International Champion of Freedom Award will be presented at CPDP.
- International Privacy Experts Adopt Statements on E-Learning, Intelligence Gathering + (Aug. 14, 2017)
The
International Working Group on Data Protection in Telecommunications has adopted new recommendations to improve privacy and security standards for
e-learning platforms and
government intelligence gathering. The Berlin-based Working Group includes
Data Protection Authorities and experts who work together to address emerging privacy challenges. The Working Paper on “E-Learning Platforms” highlights privacy risks including excessive collection of students’ personal data. “Towards International Principles or Instruments to Govern Intelligence Gathering” recmmendsthat DPAs participate in developing an international instrument governing intelligence activities and recommends authorities promote principles concerning “Legitimacy,” “Rule of Law,” and “Oversight.” In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany’s cultural institute.
- UK Government Releases Statement of Intent Describing New Data Protection Bill + (Aug. 10, 2017)
The UK has released a
statement of intent describing a forthcoming bill that would make major revisions to the the country’s data protection law. The new rules would follow the EU’s General Data Protection Regulation by strengthening rules for obtaining consent, making it easier for consumers to withdraw consent, and improving consumers’ ability to access, move, and remove data about themselves. The bill would also expand the definition of “personal data” to include DNA and IP addresses and would make it a crime to re-identify individuals from anonymized data. EPIC
supported the GDPR and the
right to be forgotten, has
explained that IP addresses are personal data, and has warned of the risks of improperly
“de-identified” data. EPIC recently filed a
complaint asking the FTC to investigate Google’s use of a proprietary, secret algorithm Google claims can “de-identify” consumers while tracking their purchases.
- European Court Halts Retention, Bulk Transfer of Passenger Data + (Jul. 26, 2017)
The top EU Court has
struck down an EU-Canada agreement on the processing of
airline passenger records. The Passenger Name Record agreement mandated data retention and permitted the bulk transfer of personal data provided by passengers booking a flight. The Court of Justice of the EU explained “the PNR agreement may not be concluded in its current form because several of its provisions are incompatible with the fundamental rights recognised by the EU.” The data can reveal “a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health.” The European Digital Rights Initiative
praised the outcome. The EU and US have a
similar agreement that permits retention of personal data for
15 years. EPIC has
criticized overbroad passenger data transfers, and
argued the EU-US agreement violates the EU data protection directive.
- European Privacy Officials Push for Answers on Status of U.S. Privacy + (Jun. 13, 2017)
The
Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US
Privacy Shield, a framework permitting the flow of European consumers’ personal data to the United States. In a
letter to the Commission, the Working Party outlined its expectations for this summer’s annual review of the arrangement. The Group asked for “precise evidence” that bulk surveillance is “limited and proportionate.” The Article 29 also seeks information about vacancies in key privacy oversight positions, including the
Privacy and Civil Liberties Oversight Board and the
Privacy Shield Ombudsperson, and any legal protections for “automated decision making.” The European Parliament previously
expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations
urged the US and the EU to strengthen privacy protections following a landmark
decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in
DPC v. Facebook, highlighting weaknesses in US privacy law.
- European Data Protection Supervisor Backs “E-Privacy” Directive Updates + (May. 1, 2017)
European Data Protection Supervisor
Giovanni Buttarelli, one of Europe’s top privacy officials, published an
opinion backing a key update to EU privacy law. The updated
e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The EDPS
welcomed the “ambitious attempt to provide for the comprehensive protection of electronic communications.” However, the EDPS opinion also emphasized the need to strengthen privacy protections, raising concern about the proposal’s complexity and failure to cover data processing beyond communications services providers. The EDPS’s statement follows a supportive
opinion from the Article 29 Working Party, an expert group of European privacy officials. EPIC recently hosted Mr. Buttarelli in Washington, DC to speak before the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy issues between civil society organizations and policy leaders.
- EPIC Hosts International Meeting of Data Protection Experts + (Apr. 25, 2017)
This week EPIC hosted the 61st meeting of the
International Working Group on Data Protection in Telecommunications in Washington, D.C. Twice a year, the Berlin-based Working Group convenes data protection authorities and privacy experts from around the world to develop
recommendations on emerging privacy challenges. The IWG recently issued recommendations on topics including
Biometrics in Online Authentication,
Location Tracking, and
Intelligent Video Analytics. The IWG meeting was held at the
Goethe-Institut, Germany’s cultural institute. Through June 2016 the Institut is presenting the
“Plurality of Privacy Project,” a transatlantic theater project focused on the value of privacy. EPIC previously hosted a meeting of the IWG in Washington, DC in the spring of 2004.
- EPIC, Privacy Coalition Meet with EU Data Protection Supervisor + (Apr. 21, 2017)
European Data Protection Supervisor
Giovanni Buttarelli spoke today to the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy between civil society organizations and policy leaders. Mr. Buttarelli addressed relations between the European Union and the United States, and discussed encryption policy, the
E-Privacy Regulation, the
Privacy Shield, the
U.S. Privacy Act as it applies to foreigners among many other topics. Recent speakers at the Privacy Coalition have included FTC Chair Maureen Ohlhausen and FCC Senior Counsel Nick Degani.
- Government Argues for PRISM Reauthorization in New Report + (Apr. 20, 2017)
The Office of the Director of National Intelligence has released a
report on the controversial Section 702 “PRISM” program, which is set to expire on December 31, 2017. The report argues for renewal, but significant questions remain about the PRISM program. Despite repeated
requests from Congress, the ODNI has refused to reveal the number of U.S. persons who are swept up in PRISM surveillance every year. EPIC sent a
letter to the House Judiciary Committee urging public reporting of the Government’s surveillance activities. EPIC also warned that the Section 702
legal controversy could block international data transfers.
- European Privacy Officials Back “E-Privacy” Directive Updates + (Apr. 12, 2017)
The Article 29 Working Party, an expert group of European privacy officials, has issued an
opinion supporting a key
proposal to modernize EU privacy law for electronic communications. The updated
e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Working Party welcomed the harmonization of privacy standards across the European Union, but cautioned that the Privacy Directive must offer protections at least as strong as the recently adopted
General Data Protection Regulation.
EPIC had urged the US Federal Communication Commission to adopt a similar, comprehensive approach to communications privacy. A narrow FCC rule covering only ISPs was recently rescinded by Congress, folding under attacks that it unreasonably singled out a sector of the communications industry.
- EPIC Celebrates International Privacy Day + (Jan. 28, 2017)
On January 28, EPIC celebrates
International Privacy Day, which commemorates
Convention 108, the first international treaty for privacy and data protection.
EPIC and
consumer organizations have
urged the United States to ratify the International Privacy Convention.
NGOs and Privacy experts have also expressed support for the
Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions. The complete text of the Privacy Convention is contained in the
Privacy Law Sourcebook, available at the
EPIC Bookstore.
- US Designates Countries Covered Under the Judicial Redress Act + (Jan. 23, 2017)
During the final week in office, the Obama Department of Justice released the
list of European countries covered under the Judicial Redress Act. The
Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU
“Umbrella Agreement,” which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the
Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended
substantial changes to the Judicial Redress Act, explaining in a
letter to Congress that the bill still did not provide adequate protection to permit
transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement.
- EPIC Urges Senate Committee to Ensure UN Ambassador Supports International Privacy Convention + (Jan. 18, 2017)
EPIC has sent a
statement to the Senate Foreign Relations Committee urging that the next UN Ambassador to advocate for human rights, particularly the right to privacy and the right to freedom of expression as set out in the Universal Declaration of Human Rights. EPIC also wrote that the UN Ambassador should support US ratification of the
Council of Europe Privacy Convention, which is critical to the continued flow of personal data around the world.
EPIC and
consumer organizations have called on the United States to ratify the Privacy Convention. Next week, many countries around the world will recognize January 28,
International Privacy Day, which celebrates the International Privacy Convention.
- EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy Shield + (Jan. 18, 2017)
EPIC has sent a
letter to the Senate Commerce Committee outlining the key privacy issues that the next Secretary of Commerce should address. The Committee convened this week to
consider the nomination of Wilbur Ross for Commerce Secretary. EPIC stated that privacy protection may be on “the most important issue that the Secretary of Commerce will confront over the next several years.” EPIC urged the Committee to ensure the nominee “make clear his commitment to a comprehensive approach to data protection, based in law.” EPIC warned about the
inadequacy of the
Privacy Shield, a non-legal framework that permits the flow of European consumers’ personal data to the United States, outside of European privacy law.
- European Communications Privacy Law Strengthens Rights for Internet Users + (Dec. 14, 2016)
A
draft of the update to the European
“e-Privacy Directive” provides important new safeguards for users of Internet-based services. The new regulation will apply to all online communications services, including email, instant messaging, and social media. The updated privacy law will limit tracking and profiling of Internet users. The report notes that lax rules for companies such as Facebook and Skype, “create a void of protection of confidentiality for the users of these services.” The US FCC recently
adopted modest
privacy rules that apply only to broadband services offered by telecom companies, despite EPIC’s
repeated advice to the FCC to
address “the full range of communications privacy issues facing US consumers.” The EU Commission’s update of the e-Privacy Directive follows the recently adopted
General Data Protection Regulation. The Commission’s formal proposal is
expected in January of 2017
- Second Legal Challenge Launched Against “Privacy Shield” + (Nov. 3, 2016)
La Quadrature du Net, a French privacy organization, has
launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar
challenge brought by the Irish group Digital Rights Ireland. “Privacy Shield” was the response of EU and US politicians after the European Court of Justice
determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a
comprehensive framework for data protection and
said that Privacy Shield was not adequate. EPIC also
testified before Congress on the need to update US privacy law. EPIC is currently participating as
amicus curiae in related case brought by privacy advocate Max Schrems.
- Germany Prohibits WhatsApp Data Transfer to Facebook + (Sep. 27, 2016)
Germany’s privacy regulator has
ordered Facebook to immediately stop collecting and storing user data from
WhatsApp, and to delete all WhatsApp user data that has already been transferred. In a statement, German officials said that WhatsApp’s
new data transfer policy constitutes “an infringement of national data protection law.” EU Competition Commissioner Margrethe Vestager has also opened an i
nvestigation into WhatsApp’s privacy changes, which contradict
previous commitments to users and regulators. EPIC filed a
complaint with the FTC over the policy change, and more than a dozen consumer groups have
backed these efforts. The FTC
responded it would “carefully review” EPIC’s complaint. The FTC has previously
stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises.”
- EPIC Republishes “Privacy and Human Rights,” Most Comprehensive Survey of Privacy Law and Practices Ever + (Sep. 12, 2016)
EPIC has published the first digital edition of
Privacy and Human Rights: An International Survey of Privacy Laws and Developments. The report by EPIC and
Privacy International provides an overview of key privacy topics in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Topics include biometric identification, Internet advertising, and location privacy. Over 1,100 pages, almost 6,000 footnotes, and more than 300 contributors. Now available
online.
- European Data Protection Supervisor Calls for Stronger Protections for Electronic Communications + (Jul. 27, 2016)
The top European data protection official, the European Data Protection Supervisor, has
called for strong privacy protections in the
“ePrivacy Directive”, an updated framework to safeguard personal information. “The scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of network or service used.” The Data Protection Supervisor also
said the legislation should “allow users to use end-to- end encryption without back doors”.
NGOs and
data protection officials have also called for the reform of the European legislation after the adoption of the
General Data Protection Regulation. EPIC has
urged the FCC to establish a comprehensive framework for communications privacy, noting the work now underway in Europe to update privacy laws.
- Irish Court Approves EPIC as Amicus in Schrems Case + (Jul. 19, 2016)
The Irish High Court has
accepted EPIC’s application to participate in a case about data protection rights and
Facebook’s contractual clauses. The case follows Max Schrems’
complaint to the Irish Data Protection Commissioner after the
European Court of Justice’s decision to strike down the
Safe Harbor arrangement. EPIC will provide the Irish Court, and perhaps also the Court of Justice, expert opinion on U.S. surveillance law. EPIC recently joined a
case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a “friend of the court” in
almost 100 cases in the United States concerning emerging privacy and civil liberties issues.
- US Government Loses on Overseas Data Searches + (Jul. 14, 2016)
A federal appeals court has
ruled that the U.S. government cannot seize user data in foreign data centers under the Stored Communications Act. The decision reverses a lower court opinion that would have required Microsoft to hand over the contents of an email account stored in Ireland. The appeals court concluded that the purpose of the Act was to protect “users’ privacy interests in stored communications” not the creation of law enforcement powers that could reach overseas. The decision will likely bolster efforts to keep data in jurisdictions with stronger privacy safeguards. EPIC has recommended US ratification of the International Privacy Convention to preserve trans border data flows.
- European Commission Signs Off on Flawed “Privacy Shield” + (Jul. 12, 2016)
The
European Commission has approved the
“Privacy Shield” which will allow companies to
transfer personal data of Europeans to the U.S. without legal protections.
European data protection authorities, the
European Data Protection Supervisor, and
EU and US NGOs identified
flaws with the non-binding framework. Citing a judgement of the European high court which struck down a similar framework,
Max Schrems and Jan-Philipp Albrecht predicted that the “Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice.”
EPIC and other
consumer organizations urged the EU and US to strengthen safeguards for transborder data flows. According to the Federal Trade Commission, identity theft complaints in the US
increased by 47% between 2014 and 2015.
- EPIC’s Rotenberg Outlines Need for International Privacy Framework + (Jun. 17, 2016)
Speaking at the
Council of Europe in Strasbourg, EPIC President Marc Rotenberg
outlined the need for the US to ratify the
International Privacy Convention. Rotenberg said it was “unlikely that the Privacy Shield will survive another trip to Luxembourg.” The
Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from
European consumer groups, NGOs,
privacy officials, and the
EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts
endorsed the Council of Europe Privacy Convention. In 2010 members of the
EPIC Advisory Board urged then Secretary of State Hilary Clinton to seek US ratification of the Privacy Convention.
- Top European Privacy Official Rejects EU-US “Privacy Shield” + (May. 31, 2016)
The European Data Protection Supervisor has determined that “Privacy Shield is not robust enough to withstand future legal scrutiny.” He
called for changes in the
draft arrangement to permit data transfers to the United States. “Significant improvements are needed,”
said Giovanni Buttarelli. The
Article 29 Working Party, the
European Parliament, and a
coalition of EU and U.S.
consumer organizations have also
opposed the data transfer proposal. Citing rampant
data breaches in the United States, NGOs have urged
strong safeguards for
privacy and data protection.
- European Parliament Requires Changes to Privacy Shield + (May. 26, 2016)
The European Parliament
called for changes in the
draft arrangement to permit data transfers to the United States. The Parliament said that officials must “fully implement”
privacy recommendations and negotiate further
changes to the “Privacy Shield.” The
European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week.
EPIC and other
consumer and
privacy organizations have said that the Privacy Shield
fails to provide adequate safeguards for consumers.
- European Parliament Adopts Comprehensive Data Protection Regulation + (Apr. 14, 2016)
The European Parliament
finalized a historic
reform of
EU data protection legislation, which will have legal force in July 2018. “The new General Data Protection Regulation will enable people to regain control of their personal data in the digital age,”
said Parliament Member Jan Philipp Albrecht. The rules include data breach notification, coordinated enforcement, enhanced penalties, strengthened consent, and new measures to promote privacy innovation. EPIC and EU and US consumer groups have
supported the European law, stating that it provides “important new protections for the privacy and security of consumers.”
- TACD Opposes “Privacy Shield,” Urges Rejection by EU + (Apr. 7, 2016)
The
Transatlantic Consumer Dialogue has
urged the European Commission to reject the
“Privacy Shield,” a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield “does not adequately protect consumers’ fundamental rights to privacy” and that it does not provide “effective and meaningful data protection.” European officials are carefully reviewing the proposal. EPIC and a
coalition of NGOs have urged the US to adopt a
robust data protection law and
end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.
- EPIC’s Rotenberg Urges European Parliament to Condition “Privacy Shield’ on End of 702 Surveillance + (Mar. 17, 2016)
Speaking before the European Parliament on
“Privacy Shield,” Marc Rotenberg outlined several flaws in the
proposed EU-US data transfer agreement, including a weak privacy framework,
lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the
“702 program,” which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has
urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect
changes in US law as required by the
Schrems decision.
- “Privacy Shield” Released, New Questions Raised + (Feb. 29, 2016)
The text of the
“Privacy Shield” was released today by European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the
Schrems case. But the
framework appears to provide less protection than the
Safe Harbor arrangement it replaces. New exceptions
take broad categories of personal data entirely outside the scope of the agreement. Max Schrems
said “this is far from what the Court required and does not seem like a stable solution.” Privacy experts will now assess the text and
determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have
urged the US to update its privacy laws.
- “Judicial Redress Act” Provides Little Redress + (Feb. 12, 2016)
The
Judicial Redress Act of 2015,
enacted by Congress and now on to the President for signature, fails to extend Privacy Act protections to non-U.S. citizens. EPIC previously
recommended changes to
protect transborder data flows. The bill,
as adopted, coerces European countries to transfer data to the US, even
without adequate protection, or be denied legal rights. Congress adopted the narrow amendment to the Privacy Act without any changes to benefit U.S. citizens even after a
data breach compromised 21.5 records maintained by the Office of Personnel Management. EPIC
explained that the OPM breach
made clear the
need for updates to the federal privacy law.
- Department of Commerce: Privacy Shield “does not exist” + (Feb. 10, 2016)
As a
response to EPIC’s Freedom of Information
request for the
“Privacy Shield,” the Commerce Department responded that “the record you requested does not exist.”
EU and
US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577.
- Hackers Breach US Government Database, No Recourse for Non-Americans + (Feb. 9, 2016)
Less than a week after the European and US governments struck a deal for a framework to permit transborder data flows of personal data, hackers
breached sensitive personal data at the US Department of Homeland Security. The DHS stores vast amounts of personal information on non-US persons, including detailed travel information. Under
current law, non-US persons have
no legal rights when federal agencies fail to safeguard their personal data. EPIC is
seeking release of the so-called “Privacy Shield” and has launched a
new campaign to promote Data Protection in the United States.
- EPIC Seeks Release of “Privacy Shield,” Secret Data Transfer Agreement + (Feb. 4, 2016)
EPIC has filed emergency Freedom of Information requests with the
US and the
EU for release of a secret agreement for the transfer of personal data across the Atlantic. A new framework was required by a
recent decision of the European Court of Justice. But
European and American
consumer organizations say the “Privacy Shield” does not provide
adequate protection for the transfer of personal data. EPIC stated, “The public has a right to know whether this agreement provides adequate legal protection.” EPIC previously
obtained the secret
EU-US Umbrella Agreement in
FOIA litigation.
- Privacy Commissioners to Review “Privacy Shield” + (Feb. 3, 2016)
The
Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the
“Privacy Shield” proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a “necessary and proportionate” standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve “wider concerns raised by the
Schrems judgement.”
- Anticipating Annulment, EU-US Negotiators Sign Off on “Privacy Shield” + (Feb. 2, 2016)
Disregarding a decision of the European Court of Justice, negotiators for the US Commerce Dept., the FTC, and the European Commission have
agreed to allow the continued transfer of consumer data without adequate legal protection. A
virtually identical arrangement was recently struck down by the Court in the
Schrems case as a violation of multiple rights of Europeans, including rights to privacy, data protection, and effective redress. Consumers in the US have also expressed concern about rising levels of data breach, identity theft, and financial fraud. EPIC and many EU and US consumer organizations
urged negotiators to establish strong safeguards for the transfer of personal data.
- Schrems Responds to US Lobby Groups on Safe Harbor + (Jan. 29, 2016)
In a brief but clearly argued
letter to
European data protection authorities, Max Schrems writes that “attempts by lobby groups and the US government to ‘reinterpret’ or ‘overturn the clear judgement of the Union’s highest court are fundamentally flawed.” Schrems brought the
successful case to the
European Court of Justice that struck down the
Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide “protection against government surveillance and “essentially equivalent” protection against the commercial use of data by certified companies.” Max Schrems received the
2013 EPIC Champion of Freedom Award.
- “Clock is ticking” on Safe Harbor, says European Consumer Organization + (Jan. 29, 2016)
BEUC, the consumer organization of the European Union, has
urged European policy makers to accept a revised Safe Harbor arrangement only if it complies with the
Schrems decision and “guarantees that EU citizens’ fundamental rights are upheld when their data is exported to the United States.” Last year, 40 consumer privacy organizations in Europe and the United States
urged US Secretary Pritzker and EU Commissioner Jourova to take specific steps to close the widening EU-US data divide. Secretary Pritzker has been unwilling to meet with consumer organizations.
- EPIC Celebrates International Privacy Day + (Jan. 28, 2016)
EPIC celebrates January 28,
International Privacy Day, which commemorates the signing of
Convention 108, on January 28, 1981. The Privacy Convention was the first binding international treaty for privacy and data protection.
EPIC and
consumer organizations have called on the United States to ratify Convention 108.
NGOs and Privacy experts have also expressed support for the
Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions.
- U.S. Law Firm Argues U.S. Privacy Law “Essentially Equivalent” + (Jan. 27, 2016)
A
recent report from a U.S. law firm concludes that the United States offers essentially equivalent privacy protection to Europe. The report also finds that “This body of laws ensures that government access to data for law-enforcement and intelligence purposes is limited to what is necessary and proportionate.” Of course, all travel records of Europeans are
routinely transferred to the U.S. Department of Homeland Security without any legal protection. Under Section 702 of the Patriot Act, the US government
routinely obtains vast amounts of personal data on non-US persons, including communications logs and website activity.
Executive Order 12333 provides even broader surveillance authorities.
- EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement + (Jan. 25, 2016)
After months of
delay, the Department of Justice has finally released to EPIC the full text of the
EU-US Umbrella Agreement. EPIC
sued the DOJ last year after the agency failed to act on EPIC’s FOIA request for the secret agreement. Today’s release comes on the heels of EPIC’s
opposition to the agency’s
attempt to further delay the Agreement’s release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act
currently before Congress. EPIC has
criticized the legislation, and recently
urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.
- EPIC Seeks to Intervene in Privacy Case Before European Court of Human Rights + (Jan. 22, 2016)
EPIC has
asked the
European Court of Human Rights for permission to submit an
amicus brief in a case concerning mass surveillance.
Ten international human rights NGOs brought the
case to challenge UK surveillance laws and practices. The
case concerns Tempora,
PRISM, and Upstream programs, and the
interception of communications by UK intelligence services and the
National Security Agency. EPIC proposes to assist the Court in understanding U.S.
surveillance law, and to provide relevant information EPIC has
obtained through freedom of information litigation. EPIC routinely files
amicus briefs in cases concerning emerging privacy and civil liberties issues.
- EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit + (Jan. 6, 2016)
In its
fight to obtain a copy of the
EU-US Umbrella Agreement, EPIC
asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC
sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC’s complaint, the court entered
default against the agency. The Agreement is central to pending
legislation, which the Senate Judiciary Committee is
set to debate this month yet the DOJ has not made the document available to the public or to Members of Congress.
- EPIC Celebrates Human Rights Day + (Dec. 10, 2015)
On December 10, EPIC celebrates international
Human Rights Day. On December 10, 1948, the
United Nations adopted the
Universal Declaration of Human Rights. The Declaration sets out
civil, political,
cultural, economic, and social rights. EPIC pursues the
global recognition of privacy, a fundamental right set out in
Article 12 of the Universal Declaration. Follow @EPICPrivacy on Twitter! #HumanRightsDay
- Decision by EU Legal Advisor Signals End of “Safe Harbor” + (Sep. 23, 2015)
An
opinion by the top advisor for Court of Justice of the European Union
indicates that the “Safe Harbor” arrangement, which permits the transfer of personal data to the US without legal protection, will come to an end. Under
Safe Harbor, US companies self-certify compliance with EU data protection law. But the Advocate General has found the arrangement fails to protect privacy and should be declared invalid.
Max Schrems, who
initiated the case in Ireland, stated “This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies.” The European Digital Rights Initiative also
supported the decision. EPIC has
recommended that the US update the Privacy Act to protect EU citizens and
ratify the
international convention for privacy protection.
- EU Officials: Court Ruling on “Right to be Forgotten” Applies Worldwide + (Dec. 1, 2014)
Privacy regulators in the European Union have issued
guidelines calling for the recent “Right to be Forgotten” ruling to apply worldwide. In May, the European Union Court of Justice
ruled that a European Union citizen can ask search engines to remove links in search results based on the citizen’s name. However, Google chose to remove the links for only certain domains, leaving the private information subject to the ruling accessible to most users. The new report makes clear that the ruling should apply across all search engine services. The EU officials explain, “limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling.” For more information, see
Fact Sheet on the Right to Be Forgotten,
EPIC: Right to Be Forgotten,
EPIC: International Privacy Law,
EPIC: Expungement.
- European Privacy Groups Boycott Google Roadshow + (Nov. 5, 2014)
Leading European privacy organizations have turned down invitations from Google to participate in a
series of events organized by the Internet giant, designed to raise questions about a
decision of the European Court of Justice regarding the right to privacy. The European Consumer Organization (BEUC), the European Digital Rights Initiative (EDRi), and Privacy International are among several of the groups that are not participating in the Google meetings. EU policymakers have also
challenged the company for attacking a judicial decision of the high court of the European Union, describing the tour as a “publicity stunt.” For more information, see
Fact Sheet on the Right to Be Forgotten,
EPIC: Right to Be Forgotten,
EPIC: International Privacy Law,
EPIC: Expungement, and
Rotenberg, “EU Court Strikes Blow for Privacy” (USA Today).
- Privacy Panel Backs PRISM Program + (Jul. 3, 2014)
In a
surprising report, the
US Privacy and Civil Liberties Oversight Board has endorsed the US government’s routine collection of the Internet activities of non-US persons, broadly referred to as the “PRISM Program.” The NSA obtains this information from Internet companies located in the United States. The Board cited the value of the program and compliance with the law, but said little about the impact on non-US persons. EPIC opposed a similar program concerning the collection of domestic telephone records in a
petition to the US Supreme Court last year. EPIC has also said that the collection of communications by the US should be subject to international privacy law, such as the International Covenant on Civil and Political Rights. It is anticipated that foreign countries will continue to transfer cloud-based services away from US firms because of the lax privacy safeguards in the United States. For more information, see
EPIC: In re EPIC and
EPIC: International Privacy Standards.
- “I will reform our surveillance programs,” President Obama Tells Nation + (Jan. 29, 2014)
Stating that “America must move off a permanent war footing,” President Obama
announced (video) at the State of the Union that “working with this Congress, I will reform our surveillance programs.” (50:30) The President
continued, (text) “because the vital work of intelligence community depends on public confidence, here and abroad, that the privacy of ordinary people is not being violated.” Citing the need to close the prison in Guantanamo, the President also said “we counter terrorism not just through intelligence and military action but by remaining true to our constitutional ideals and setting an example for the rest of the world.” EPIC and other consumer privacy organizations have urged the President to move forward the
Consumer Privacy Bill of Rights and to support the
International Privacy Convention.
- EPIC Gives 2014 International Award to European Parliament Member Jan Albrecht + (Jan. 27, 2014)
EPIC has given the 2014 International Champion of Freedom Award to
European Parliament Member Jan Philipp Albrecht for “modernizing and defending the law of data protection.” As a rapporteur for the
Committee on Civl Liberties, Justice and Home Affairs, Albrecht has led the effort in the European Parliament to update European privacy law. He is also an outspoken defender of privacy rights and has promoted the
investigation of the NSA program of mass surveillance. Albrecht
received the award from EPIC at the annual
Computers, Privacy, and Data Protection conference in Brussels. Previous award recipients include privacy activist Max Schrems, Canadian Privacy Commissioner Jennifer Stoddart, European Parliamentarian Sophie In’t Veld, Australian Jurist Michael Kirby, and Constitutional Law Scholar Stefano Rodotà. The award is given by EPIC annually in recognition of January 28,
International Privacy Day.
- OECD Releases Updated Privacy Guidelines + (Sep. 15, 2013)
The Organization for Economic Cooperation and Development has released the
2013 revisions to its privacy guidelines. The revisions build from the
original guidelines, developed in 1980, and retain the core set of Fair Information Practices while updating the framework to address new challenges, such as national implementation and cross-border enforcement. The OECD explains that the revisions aim to “focus on the practical implementation of privacy protection” and to “address the global dimension of privacy through improved interoperability.” EPIC Executive Director Marc Rotenberg, a member of the expert review group, has
said that “the OECD Privacy Guidelines are the most influential international framework for privacy ever established.” For more information, see
EPIC: International Privacy Standards.
- EPIC Supports International Principles for Privacy Protection + (Jul. 31, 2013)
EPIC has joined with leading human rights organizations and privacy experts in support of the
“International Principles on the Application of Human Rights to Communications Surveillance.” The Principles were adopted in response to growing concern about the surveillance of Internet communications by governments and private companies. Among the key principles in the framework document are Necessity, Adequacy, Proportionality, Competent Judicial Authority, Due Process, User Notification, Transparency, Public Oversight, and Safeguards Against Illegitimate Access.
- US Pushes Forward Flawed International Privacy Framework + (Jul. 30, 2012)
The United States is
the lone signatory for the Asia-Pacific Economic Cooperation’s Cross Border Privacy Rules. The APEC Cross Border Privacy Rules set out a self-regulatory framework for the transfer of personal data across national borders.
APEC is an inter-governmental organization with 21 member economies that promotes business and trade in the Asia-Pacific region. APEC established a
Privacy Framework in 2004 that is generally considered among the weakest privacy frameworks in the world. In 2006, EPIC and a coalition of consumer groups submitted
comments to the Department of Commerce detailing the shortcomings of the APEC framework and recommending stronger safeguards for consumers. For more information, see
EPIC: International Privacy Standards and
EPIC: APEC Privacy Framework.
- EPIC Expresses Support for International Privacy Convention + (Jan. 27, 2012)
Speaking this week at the
Computers, Privacy and Data Protection conference, EPIC President Marc Rotenberg expressed support for the
Council of Europe Privacy Convention. Two years ago, twenty-nine members of the of the EPIC Advisory Board, experts in privacy law and technology, sent a
letter to US Secretary of State Hillary Clinton to urge that the United States begin the process of ratification of the Council of Europe Convention on Privacy. They wrote, “privacy is a fundamental human right. In the 21st century, it may become one of the most critical human rights of all.” Speaking in Brussels, Mr. Rotenberg reiterated EPIC’s support for the Convention and also called attention to recent changes that modernize and update the international privacy framework.
- Senator Leahy Expresses Support for International Privacy Day + (Jan. 24, 2012)
Senator Patrick Leahy, theChairman of the Senate Judiciary Committee, offered a
statement commemorating Data Privacy Day, which takes place on January 28. Senator Leahy urged the Congress to adopt comprehensive data privacy legislation to “better protect Americans’ sensitive personal data and reduce the risk of data security breaches.” He also recommended changes to the Electronic Privacy Communications Act to “reflect the realities of our time” and to “keep us safe from cyber threats.” EPIC will be participating in the annual
Computers, Privacy, and Data Protection conference, taking place this week in Brussels. EPIC will also be announcing the recipients of the 2012 International Champion of Freedom Award and the 2012 US Privacy Champion Award. Join
International Privacy Day on Facebook.
Background
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), drawn up within the Council of Europe by a committee of governmental experts under the authority of the European Committee on Legal Co-operation (CDCJ), was opened for signature by the Member States of the Council of Europe on 28 January 1981 in Strasbourg. The Convention is the first and only binding international legal instrument protecting data privacy. COE 108 is open to any country, including countries which are not Members of the Council of Europe.
In 2018, the Convention was updated to address emerging privacy challenges posed by new information and communication technologies, and to strengthening enforcement of the Convention. The update is known as the Modernized Convention 108, or Convention 108+.
Convention 108 (1981)
The object of the Convention is to strengthen data protection – the legal protection of individuals with regard to automatic processing of personal information. The 1981 Convention reflected the need for new legal rules in the face of increasing reliance on digital data due to higher storage capacity, lower costs of processing, and the skyrocketing growth in data transactions. Many national legal systems lacked comprehensive data protection general rules on the collection, storage, and use of personal information. Therefore, Council of Europe sought greater unity in the protection of “the individual against abuses which may accompany the collection and processing of personal data” and to manage the “transfrontier flow of personal data.”
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature in Strasbourg, France on January 28, 1981. Since 2006, 28 January has been celebrated annually around the world as Privacy Day. The COE 108 has been signed and ratified by all 47 members of the Council of Europe, and ratified by seven non COE countries.
As the explanatory memorandum states, the convention has three parts (1) substantive law provisions in the form of basic principles; (2) special rules on transborder data flows; (3) mechanisms for mutual assistance and consultation between the Parties.
The Convention requires requires parties to pass into domestic law the data protection principles sed out in the Convention. These include:
Data quality. Data must be: obtained and processed fairly and lawfully, stored for specific legitimate purposes and not used for incompatible purposes, be adequate relevant and not excessive in relation to purpose, accurate and up to date, preserved in identifiable form for no longer than required.
Ban on processing of special categories of data on a person’s race, politics, health, religion, sexual life, criminal record, in the absence of proper legal safeguards.
Data security.
Individual rights to access, correction, and erasure if rights are violated.
The Convention also encourages the free flow of data, preventing parties from requiring special authorization to other parties except for narrow circumstances. Finally, the Convention sets up a system of cooperation in implementing the system, and establishes a Consultative Committee to oversee and implement the convention.
Convention 108+ (2018)
A lengthy review process beginning in 2013 resulted in a 2018 amending protocol . This protocol the Modernized Privacy Convention or Convention 108+. The aim of the modernization was both to address privacy challenges from new technologies and to strengthen enforcement.
Among other changes, the modernized Convention:
Requires prompt data breach notification.
Establishes national supervisory authorities to ensure compliance
Permits transfers to non-party states only when personal data is sufficiently protected
Provides new user rights around automated-decisionmaking, including algorithmic transparency.
Requires proportionality and data minimization.
The revisions were opened for signature on October 11, 2018. Thus far, twenty-six COE member and one non-member states have signed on to the amending protocol.
EPIC’s Work
EPIC has long campaigned for the United States to ratify the International Privacy Convention.
In 2009, the U.S. Privacy Coalition including EPIC launched the campaign to urge the US Government to support the Council of Europe Privacy Convention and proposed a resolution for the U.S. Senate. The resolution reads:
Expressing a need for the accession to the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data
Whereas privacy is a fundamental right, valued by all Americans;
Whereas the increase of automatic processing and sharing of data continuously intensifies the need for more effective implementation and execution of legal instruments;
Whereas data security breaches along with cases of identity theft continue to pose a substantial risk to American consumers and businesses;
Whereas the continued transfer of personal data across national borders raises increasing concerns about the adequacy of privacy protection:
Whereas the current sectoral approach of legislation in the United States is insufficient for appropriate privacy and data protection;
Whereas the domain of privacy and data protection is international and requires an overarching framework in order to acknowledge and protect the fundamental rights of citizens;
Whereas the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data is the most fundamental international instrument in the field: Now, therefore, be it
Resolved, That the Senate-
(1) requests accession to the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data
Signed,
……………..
In 2010, twenty-nine members of the EPIC Advisory Board wrote to Secretary of State Hillary Rodham Clinton to urge that the United States begin the process of ratification of Council of Europe Convention 108. In 2011, EPIC President Marc Rotenberg addressed the European Parliament and European Commission at a high level meeting to call for U.S. ratification, and the Trans Atlantic Consumer Dialogue, a coalition of consumer groups, called for ratification to bridge the gap in EU-U.S. privacy protection.
The complete text of the modernized Convention will be available in the 2018 edition of the Privacy Law Sourcebook, available at the EPIC Bookstore.
Resources
- Coalition Letter to Council of Europe (July 4, 2018)
- Letter from EPIC to Senate Judiciary Committee (March 26, 2019)
- Comments of EPIC to NTIA (July 31, 2018)
- Letter from EPIC to House Commerce Committee (October 11, 2017)
- Remarks of EPIC President Marc Rotenberg “Accession to Convention 108: Benefits and Commitments” (June 17, 2016)
- Testimony of EPIC President Marc Rotenberg before the House Commerce Committee (November 3, 2015)
- Letter from EPIC, et. al, to President Obama (January 22, 2014)
- TACD, Consumer Privacy Rights (May 2012)
- EPIC’s Rotenberg Repeats Call for US to Ratify International Privacy Convention, J.D. Supra (January 31, 2011)
- Letter from members of the EPIC Advisory Board to Secretary Clinton (Jan. 28, 2010)
- Privacy Coalition Resolution (2009)
Primary Documents