Data Protection

International Privacy

Background

From new privacy regulations to international enforcement cooperation to data sharing agreements, information is no longer limited by geographic boundaries. Personal data must be protected globally.

The recent ease in international information flows and global impact of major privacy violations require a coordinated global response. In the wake of international data breaches, tracking technology that crosses borders, and continuously-developing international law on privacy, tracking international privacy gains new import. While international privacy encompasses a range of topic areas and technologies (including artificial intelligence and international surveillance), international data transfer, technological updates, and privacy work conducted by international bodies currently predominate international privacy discussion and developments.

EPIC’s international work promotes privacy, data protection, and open government laws and policies globally. EPIC pursues international privacy and freedom of information cases and submits amicus briefs before the European Court of Human Rights and other international institutions. EPIC also facilitates civil society participation in the OECD’S work, submits review and comment on proposed regulations and frameworks, and works with international and regional privacy advocacy groups to track global privacy trends and promote international privacy rights.

Privacy Shield Replacement – EU-U.S. Data Transfer ArrangementS

The area of international data transfer is constantly in transition within international law. Security requirements, adequacy findings, and formal arrangements frequently come into play and may vary by regulation or from country to country. In addition, new regulations, policies, and transitions between coalition statuses put agreements and frameworks in constant motion. The EU-U.S. data transfer arrangements, formerly addressed first by Safe Harbor and then by its replacement, Privacy Shield, have been closely scrutinized and in a constant state of flux. Safe Harbor established data flows between the U.S. and the European Union (EU) based on an adequacy decision – essentially, a determination that U.S. practices were “adequate” to protect the privacy rights of EU residents whose data was transferred to the U.S. 

Safe Harbor was struck down in 2015 after a Court of Justice of the European Union (CJEU) ruling (known as the Schrems I case) declaring that personal data were insufficiently protected under the framework. The European Commission and U.S. authorities drafted the Privacy Shield framework in 2016 to replace Safe Harbor and act as a data transfer mechanism between the EU and the U.S. However, the CJEU ruled in July 2020 (in a decision known as Schrems II) that the Privacy Shield framework was also inadequate to protect individual privacy and personal data, particularly in light of U.S. data surveillance actions pursued in the name of national security. 

This ruling aligned with the arguments contained in EPIC’s submitted amicus curiae brief on the case. The ruling specifically tied to personal data protections contained in the General Data Protection Regulation (GDPR), which mandates there be appropriate protections in place for personal data transferred to any country outside of the EU. Without the United States making significant changes to address privacy and data security concerns, the stability of any replacement framework remains uncertain.

International Privacy Frameworks

Several international bodies address privacy issues through guidelines, agreements, and frameworks. EPIC actively follows and consults with these bodies regarding development of these documents. EPIC lobbied for the creation of the Civil Society Information Society Advisory Committee (CSISAC), the body representing civil society at the Organisation for Economic Co-operation and Development (OECD), and remains an active participant and supporter of CSISAC, submitting commentary on documents proposed by the OECD and speaking at OECD meetings. The OECD is an international forum, including more than 30 countries and representatives from additional stakeholders (civil society, business and industry, trade unions, and technical advisors) that frequently engages with questions of privacy and international data flow.

The Council of Europe includes 47 member states and established the first binding international legal instrument protecting data privacy – the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). Convention 108 was updated in 2018 to address emerging privacy challenges posed by new information and communication technologies and to strengthen enforcement of the Convention. EPIC has repeatedly called for the United States to ratify the updated Convention and continues to do so.

The Asia Pacific Economic Cooperation (APEC) is a 21 member body that puts forth non-binding commitments, including the APEC Privacy Framework of 2004. The Global Privacy Assembly (formerly the International Conference of Data Protection and Privacy Commissioners) brings together international authorities and institutions active in privacy work and enforcement, as well as global experts in privacy.

t

Recent Documents on International Privacy

Support Our Work

EPIC's work is funded by the support of individuals like you, who help us to continue to protect privacy, open government, and democratic values in the information age.

Donate