Max Schrems v. Data Protection Commissioner (CJEU – “Safe Harbor”)
Summary
One of the most important international privacy cases in recent history arose from a complaint against Facebook brought to the Irish Data Protection Commissioner by an Austrian privacy advocate named Max Schrems. In the complaint, Mr. Schrems challenged the transfer of his data (and the data of EU citizens generally) to the United States by Facebook, which is incorporated in Ireland. The case (“Schrems I”) led the Court of Justice of the European Union on October 6, 2015, to invalidate the Safe Harbor arrangement, which governed data transfers between the EU and the US.
Top News
- Irish High Court Orders DPC to Move Forward in Facebook Investigation: The Irish High Court today issued an order in a follow-on case to Irish Data Protection Commissioner v. Facebook and Schrems (“Schrems II”) and, as a result, the investigation into Facebook’s U.S.-EU data transfers will move forward. The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013 alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government). The case has since been referred two separate times to the highest court in Europe (the CJEU), and has led to the invalidation of both the U.S.-EU Safe Harbor Agreement and the U.S.-EU Privacy Shield Agreement. The CJEU in the Schrems II decision last year remanded the case to the Irish DPC to determine whether Facebook violated the law and whether it was necessary to block Facebook’s U.S.-EU data transfers. The DPC later issued a Preliminary Draft Decision to Facebook and laid out procedures for the inquiry. Both Facebook and Schrems challenged the DPC procedures. The DPC agreed in a settlement with Schrems that it would complete the investigation into his original complaint. The Irish High Court today rejected Facebook’s challenge to the DPC inquiry, and both the Schrems complaint and this new DPC inquiry against Facebook will move forward. EPIC participated as an amicus curiae in Schrems II, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (May. 14, 2021)
- Facebook to be Ordered to Stop Sending EU Data to U.S.: The Irish Data Protection Commissioner has reportedly issued a preliminary order instructing Facebook to stop transferring the data of EU users to the United States. The order comes in the wake of a recent European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users’ personal data, illegally infringed EU residents’ data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (Sep. 10, 2020)
More top news
- Schrems Files 101 Complaints Targeting US-EU Data Transfers (Aug. 18, 2020)
None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now,” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users’ personal data, illegally infringed EU residents’ data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- Transatlantic Consumer Groups: No New Data Transfer Agreement Until Privacy Protections Improved (Jul. 28, 2020)
The Transatlantic Consumer Dialogue (TACD), a coalition of US and European consumer groups, urged EU Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross to stop negotiations for a new data transfer agreement following the invalidation of the EU-U.S. Privacy Shield. In Data Protection Commissioner v. Facebook & Max Schrems, the European Court of Justice (CJEU) found the Privacy Shield, which permitted companies to freely transfer users’ personal data, illegally infringed EU residents’ data protection and privacy rights. In its letter, TACD claims the CJEU’s decision is “crystal clear,” and that any future data transfer deal will not be valid until the U.S. enacts comprehensive federal privacy legislation. EPIC participated as an amicus curiae in the Schrems case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- BREAKING: Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws (Jul. 16, 2020)
Today the European Court of Justice issued a decision in Irish Data Protection Commissioner v. Facebook & Schrems, a case concerning transfers of personal data by Facebook between the EU and the United States. Specifically, the court considered the validity of transfers made from companies in the EU to companies in the U.S. pursuant to standard contracts or to the EU-U.S. Privacy Shield agreement, both of which had been authorized by the European Commission. But the court held that the Privacy Shield was invalid and that transfers could not be made under the contracts where personal data is not adequately protected. Because U.S. surveillance law authorizes the mass processing of personal data transferred from abroad, under Section 702 of FISA, it “cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter.” EPIC participated as an amicus curiae in the case and argued that U.S. surveillance law does not provide an equivalent level of protection because it does not provide adequate protections or remedies for non-U.S. persons abroad. EPIC was represented in this case by the Free Legal Advice Centres (FLAC) and by barristers Grainne Gilmore and Colm O’Dwyer, SC. [PRESS RELEASE]
- EU Legal Advisor Advances Privacy for National Security Matters (Jan. 16, 2020)
The EU Advocate General advised the European Court of Justice that “the means and methods of combating terrorism must be compatible with the requirements of the rule of law” in a case concerning the retention of personal data for law enforcement purposes. The AG recommended limiting retention of data to data that are essential for national security and limiting access to that data subject to prior review by courts. The opinion is not binding on the Court of Justice and the Court will issue a judgment at a later date. The AG cited EPIC’s expert submissions in “Schrems 2.0,” another case concerning Facebook’s transfer of personal data to the United States and the adequacy of U.S. privacy law.
- EU Advocate General Backs Data Transfers, Criticizes Privacy Shield (Dec. 19, 2019)
Today the EU Advocate General issued an advisory opinion in “Schrems 2.0,” a case about Facebook’s transfer of personal data to the United States. The Advocate General backed data transfers generally but sharply criticized the EU-US Privacy Shield agreement. The Advocate also said that data protection authorities must enforce privacy obligations. The Advocate General cited EPIC’s expert submissions in the case concerning the adequacy of US privacy law. The case follows the European Court’s landmark decision in Schrems v. DPC striking down the “Safe Harbor” arrangement. The European Court of Justice is expected to issue a binding opinion in the next few months. After the original Schrems opinion, EPIC testified in Congress. EPIC’s Marc Rotenberg urged Congress to “modernize” US privacy law and also establish an independent privacy agency.
- Max Schrems Files GDPR Complaints with French Data Protection Agency (Dec. 10, 2019)
European privacy advocacy group None of Your Business, led by Max Schrems, filed three complaints with the French Data Protection Authority (CNIL). The NOYB complaints charged that companies obtained “fake consent” for online tracking. Max and EPIC have challenged the use of “standard contractual clauses” in a case now before the European Court of Justice, known as “Schrems 2.0”. A preliminary decision in that case is expected on December 19. Schrems met with the Privacy Coalition last month in Washington, DC to discuss the GDPR and litigation strategies.
- FTC Announces Privacy Shield No Penalty Enforcement Action (Dec. 3, 2019)
The FTC entered into settlements with four companies that misrepresented their participation in the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. These frameworks permit the transfer of Europeans’ personal data to the U.S. with an assurance of privacy protection. The settlements require the companies to halt misrepresentations about compliance, but provide no remedy to those EU citizens whose personal data was collected. EPIC has repeatedly told Congress that the FTC lacks effective enforcement authority. In recent comments on the Privacy Shield, EPIC also noted the absence of a comprehensive U.S. federal privacy law and a data protection authority with the authority to enforce privacy rights. Under the Schrems decision, which provided the basis for the Privacy Shield, the Court of Justice explained that “everyone whose rights and freedoms are violated” has “the right to an effective remedy.”
- EPIC to Discuss US Surveillance before Top European Court (Jul. 8, 2019)
This week EPIC Senior Counsel Alan Butler will appear before the Court of Justice for the European Union in the case Data Protection Commissioner v. Facebook. The case, known as “Schrems 2.0,” follows the European Court’s landmark decision in Schrems v. DPC striking down the “Safe Harbor” arrangement and leading to the creation of the “Privacy Shield.” The current case considers whether the transfer of personal data to the U.S. using standard contract clauses violates the fundamental rights of Europeans. At issue is Section 702 of the FISA Amendments Act and Executive Order 12333. EPIC’s Butler will provide the Court with expert analysis on U.S. surveillance law. EPIC is a party to the case, along with Austrian privacy activist Max Schrems. EPIC also recently filed a brief with the European Court of Human Rights in Big Brother Watch v. UK, arguing that the Human Rights Court should review UK-U.S. intelligence transfers in assessing UK bulk surveillance. That case will be heard July 10th.
- EPIC Seeks Records from FTC Regarding Irish Audits of Facebook (May. 11, 2018)
EPIC has submitted a Freedom of Information Act request seeking records about the Irish Data Protection Commissioner’s inquiries regarding Facebook’s compliance with the FTC’s Consent Order. In 2011, the Austrian privacy group Europe-v-Facebook and other parties filed formal complaints to the Irish Data Protection Commissioner about third party access to Facebook user data. The Irish Data Protection Commissioner then initiated an audit of Facebook to assess its compliance with both Irish Data Protection Law and EU law. The 2011 Irish audit found that the safeguards for third party applications did not ensure security for user data. In a 2012 re-audit, the Irish Commissioner found a “satisfactory response” from Facebook regarding preventing third party applications. Following the 2012 re-audit, the FTC and the Data Protection Commissioner signed a Memorandum of Understanding to exchange information to enforce compliance with privacy laws in each respective country. Two years after the Data Protection Commissioner found a “satisfactory response” from Facebook regarding third party applications, a third party application harvested the data of over 87 million users and transferred the data to Cambridge Analytica.
- Facebook Denied Attempt to Delay Review of EU-US Personal Data Transfers (May. 3, 2018)
The Irish High Court has denied Facebook’s request to halt review of Data Protection Commissioner v. Facebook by Europe’s top court. The case, which was recently referred to the European Court of Justice, concerns whether Facebook’s transfers of personal data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the landmark 2015 decision that the US had insufficient privacy protections to allow transfer of Europeans’ personal data. Ruling against Facebook’s request to delay the case further pending appeal, the Irish court said EU data subjects could be harmed if the case were delayed, and that there were “considerable concerns” about Facebook’s conduct in the case. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law.
- European Court of Justice Receives Key Questions on Future of EU-US Personal Data Transfers (Apr. 12, 2018)
The Irish High Court has sent eleven questions to the European Court of Justice for review in Data Protection Commissioner v. Facebook. The case considers whether Facebook’s transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the 2015 landmark decision Schrems v. DPC, which found that the US had insufficient privacy law to protect the personal data of Europeans. The new case examines “standard contractual clauses” and whether the US provides sufficient remedies for privacy violations, whether future data transfers should be suspended, and whether the EU-US “Privacy Shield” matters. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law.
- European Court of Justice Grants Standing to Privacy Advocate But Bars Class Action under Austrian Law (Jan. 30, 2018)
The Court of Justice of the European Union, following an advisory opinion, has determined that Max Schrems’ class action in Austria cannot proceed against Facebook, but individual privacy claims can. The Court granted Schrems standing, recognizing that “the activities of publishing books, giving lectures, operating websites,” and similar activities do not entail the loss of “a user’s status as a ‘consumer.’” However, the Court found that “the consumer forum cannot be invoked” in “claims assigned by other consumers.” The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges that Facebook violated Europeans’ privacy rights, including for transferring data to the U.S. intelligence community. Max Schrems recently launched NOYB to pursue class actions under the General Data Protection Regulation. In 2013, Max Schrems received the EPIC International Champion of Freedom Award.
- Congress Renews Controversial Surveillance Measure, EU Impacted (Jan. 18, 2018)
In a decision that could jeopardize relations with Europe, Congress has renewed “Section 702” of the Foreign Intelligence Surveillance Act, which permits broad surveillance of individuals outside of the United States. The FISA Amendment Reauthorization Act also permits government surveillance of Americans and restarts the controversial “about” collection program. Congress rejected updates, including limits on data collection, that would preserve a privacy agreement between Europe and the United States. The European Court of Justice will also soon decide whether to allow data transfers from Ireland to the United States. EPIC served as the US NGO amicus curiae in that case.
- European Privacy Experts Call for New Review of EU-US Data Arrangement (Dec. 5, 2017)
The Article 29 Working Party, a group of European privacy experts, is calling for a reexamination of the Privacy Shield, a framework permitting the flow of European consumers’ personal data to the United States. In a new report, the Working Party said that “significant concerns” should be resolved by May 25, 2018 when the GDPR goes into force. If not “the members of WP29 will take appropriate action,” including litigation. The Working Party cited the US failure to appoint an Ombudsperson to review complaints, vacancies at the Privacy and Civil Liberties Oversight Board, and continued mass surveillance practices by U.S. intelligence agencies. The report follows an earlier review of the EU-US agreement which found “sufficient” protection of EU personal data to the United States. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice. In a related development, the Working Party also established a task force which will coordinate national investigations of the Uber data breach now underway in Europe.
- European Court Adviser Says Facebook Privacy Class Action Barred (Nov. 15, 2017)
The opinion of a key adviser to the European Court of Justice holds that a class action cannot proceed against Facebook, but would permit individual privacy claims to move forward. The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges Facebook violated Europeans’ privacy rights, including for transferring data to the U.S. intelligence community. The opinion from Advocate General Bobek said a “consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers,” citing the risk of consumers shopping for the most favorable forums. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also consider DPC v. Facebook, involving whether Facebook’s data transfers from Ireland to the U.S. violate European Fundamental Rights. In 2013, Max Schrems received the EPIC International Champion of Freedom Award.
- European Court Adviser Says Local Regulators Can Enforce Privacy Laws Against Facebook (Oct. 24, 2017)
The opinion of a key adviser to the European Court of Justice holds that local European data protection authorities can directly enforce privacy laws against Facebook. The case involves a German data protection authority’s order to deactivate a local Facebook fan page for illegally tracking users. The opinion from Advocate General Bot said regional data protection authorities can intervene to stop unlawful data practices. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also consider DPC v. Facebook, involving whether Facebook’s data transfers from Ireland to the U.S. violate European Fundamental Rights.
- EU Approves Data Transfer Arrangement, But Seeks Stronger U.S. Privacy Protections (Oct. 18, 2017)
Following the first annual review of the pact, the European Commission has approved the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers’ personal data to the United States. However, the Commission urged the U.S. to appoint a permanent Ombudsperson to review complaints, to restore the Privacy and Civil Liberties Oversight Board, and to pass the Obama-era Presidential Policy Directive-28 into law. In a recent letter to Congress, EPIC emphasized the need to update U.S. privacy laws. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice.
- EPIC Urges House to Strengthen US Privacy Laws for Cross Border Data Flows (Oct. 12, 2017)
EPIC sent a letter to a House committee on Digital Commerce and Consumer Protection for the hearing “21st Century Trade Barriers: Protectionist Cross Border Data Flow Policy’s Impact on U.S. Jobs.” EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.’s lax privacy laws. EPIC recommended Congress take four steps to update U.S. privacy law: (1) enact the Consumer Privacy Bill of Rights, (2) modernize the Privacy Act, (3) establish an independent data protection agency, and (4) ratify the International Privacy Convention. EPIC also noted that the Schrems II decision calls into question the viability of “Privacy Shield,” the current data transfer scheme between the US and EU.
- European Privacy Officials Push for Answers on Status of U.S. Privacy (Jun. 13, 2017)
The Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US Privacy Shield, a framework permitting the flow of European consumers’ personal data to the United States. In a letter to the Commission, the Working Party outlined its expectations for this summer’s annual review of the arrangement. The Group asked for “precise evidence” that bulk surveillance is “limited and proportionate.” The Article 29 also seeks information about vacancies in key privacy oversight positions, including the Privacy and Civil Liberties Oversight Board and the Privacy Shield Ombudsperson, and any legal protections for “automated decision making.” The European Parliament previously expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations urged the US and the EU to strengthen privacy protections following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in DPC v. Facebook, highlighting weaknesses in US privacy law.
- EPIC Urges Senate Committee To Reform Surveillance Law (Jun. 6, 2017)
In advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a Statement to the Senate Select Committee on Intelligence urging increased transparency and new public reporting of the Government’s surveillance activities. EPIC also highlighted several legal challenges to an NSA bulk surveillance program abroad. The bulk surveillance program for the communications of non-U.S. persons sunsets on December 31, 2017. EPIC testified before the House Judiciary Committee during the 2012 FISA reauthorization hearings, recommended improved public reporting, and warned pre-Snowden that the extent of mass surveillance was much greater than was known to the public.
- NGOs Continue Campaign Against Privacy Shield (Mar. 2, 2017)
In March 2016, EPIC and more than 20 civil society organizations urged European leaders to oppose adoption of the “Privacy Shield” for EU-US data flows. The NGOs wrote that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups urged the US to make changes in domestic laws and international commitments to permit transfers of personal data to the US. The ACLU and Human Rights Watch have now also sent a letter asking Europe to reexamine Privacy Shield. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler has made submissions in DPC v. Facebook highlighting weaknesses in US privacy law.
- EPIC Urges House Committee To Ensure Transparency, Public Reporting in Surveillance Law (Mar. 1, 2017)
In advance of a hearing on Section 702 of the Foreign Intelligence Surveillance Act, EPIC has sent a letter to the House Judiciary Committee urging increased transparency and new public reporting of the Government’s surveillance activities. EPIC also highlighted that Section 702 is the central focus of multiple current legal challenges to international data transfer agreements occurring abroad. Section 702, which authorizes the bulk surveillance on the communications of non-U.S. persons, sunsets on December 31, 2017. EPIC testified before the Committee during the 2012 FISA reauthorization hearings.
- EPIC in Court: Irish High Court Examines EU-US Data Transfers (Mar. 1, 2017)
Today EPIC made submissions before the Irish High Court in Data Protection Commissioner v. Facebook, concerning privacy protections for transAtlantic data transfers. EPIC explained that “U.S. privacy law is characterized by particularly narrow conceptions of privacy and personal data, which in turn limit the scope of relevant constitutional, statutory, and regulatory privacy protections.” EPIC also stated, “many of the privacy safeguards under U.S. law in fact operate to the exclusion of E.U. citizens” and that the “standing” doctrine is an overarching barrier to legal redress. EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all. [Press Release]
- European Privacy Officials Raise Concerns About US Immigration Executive Order (Feb. 22, 2017)
The Article 29 Working Party, an expert group of European privacy officials, has raised concerns over a provision in the immigration Executive Order that would limit Privacy Act protections. The Working Party is seeking assurance from the US that the change will not threaten the privacy rights of non-US citizens established in the “Privacy Shield” and the Umbrella Agreement. EPIC is currently participating in Data Protection Commissioner v. Facebook, a case following a landmark decision that found insufficient legal protections for the transfer of European consumer data to the US.
- Senators Call for Answers from Secretary Kelly on Privacy Act Exclusion (Feb. 9, 2017)
In a letter to DHS Secretary Kelly, Senator Markey (D-MA) and five other Senators pressed DHS about the impact of an Executive Order limiting federal Privacy Act protections. “These Privacy Act exclusions could have a devastating impact on immigrant communities and would be inconsistent with the commitments made when the government collected much of this information,” the Senators contended. The Senators also called on Secretary Kelly to explain the Order’s impact on international commitments that permit U.S. firms to obtain access to the data of European consumers. EPIC is participating in Data Protection Commissioner v. Facebook, a case which follows a landmark decision that found insufficient legal protections for the transfer of European consumer data to the United States.
- EPIC Participates in Irish Case on Future of EU-US Data Transfers (Feb. 6, 2017)
This week the case Data Protection Commissioner v. Facebook, concerning privacy protection for transAtlantic data transfers, begins in Ireland. The case follows a landmark decision which found insufficient legal protections for the transfer of European consumer data to the United States. Mr. Schrems, an Austrian privacy advocate, now challenges Facebook’s “standard contractual clauses” as failing to protect privacy. The Irish High Court designated EPIC as the US NGO amicus curiae in the case. EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all.
- US Designates Countries Covered Under the Judicial Redress Act (Jan. 23, 2017)
During the final week in office, the Obama Department of Justice released the list of European countries covered under the Judicial Redress Act. The Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU “Umbrella Agreement,” which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended substantial changes to the Judicial Redress Act, explaining in a letter to Congress that the bill still did not provide adequate protection to permit transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement.
- White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office (Jan. 19, 2017)
As one of the final acts of the outgoing President, the White House has released “Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation.” In 2008, President Obama announced “Change We Can Believe In” and said he would “strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy.” Beginning after his election, privacy groups across the country urged the President to strengthen privacy in America. In 2012, Obama proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the Freedom Act and Obama reformed intelligence practices, but the US failed to limit data collection outside the US. The “Privacy Shield,” a framework to gather data for commercial use without legal protections, was put in place even after NGOs urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of data breach, identity theft, and financial fraud in the United States skyrocketed, even as Americans called for stronger protections. The 2016 Presidential election was marked by data breaches, email disclosures and cyber attack. The U.S. is still one of the few democratic nations in the world without a data protection agency.
- New Study Shows Global Increase in Comprehensive Privacy Protections (Nov. 29, 2016)
An updated study by David Banisar of the human rights organization Article 19 finds that over 100 countries now have data protection laws. Another 40 countries are considering new laws, and most countries have established a data protection authority to enforce privacy protections. Two EPIC publications – The Privacy Law Sourcebook 2016 and Privacy and Human Rights: An International Survey of Privacy Laws and Developments – provide an overview of privacy frameworks around the world and track emerging privacy challenges. EPIC has urged the US Congress to establish a federal privacy agency and to enact comprehensive privacy legislation.
- Second Legal Challenge Launched Against “Privacy Shield” (Nov. 3, 2016)
La Quadrature du Net, a French privacy organization, has launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar challenge brought by the Irish group Digital Rights Ireland. “Privacy Shield” was the response of EU and US politicians after the European Court of Justice determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a comprehensive framework for data protection and said that Privacy Shield was not adequate. EPIC also testified before Congress on the need to update US privacy law. EPIC is currently participating as amicus curiae in a related case brought by privacy advocate Max Schrems.
- Privacy Advocates Challenge EU-US Data Transfer Agreement (Oct. 27, 2016)
An Irish privacy organization is challenging the EU-US framework for transferring personal data, the “Privacy Shield,” in the European high court. This challenge follows a decision last year invalidating the previous framework, “Safe Harbor.” In that case, the Court of Justice for the European Union concluded that personal data transferred to the United States lacks adequate legal protection. EPIC is participating as amicus curiae in a related case brought by privacy advocate Max Schrems. EPIC also recently submitted a brief to the European Court of Human Rights in a challenge to UK surveillance.
- Reuters: US Government Issued Secret Order to Yahoo to Scan All E-mails (Oct. 4, 2016)
Reuters reported today that Yahoo scanned the private email of Yahoo users pursuant to a secret directive issued by the FBI. The email scanning technique, based on a search for key terms, recalled a similar FBI program “Carnivore” that was found to capture far more information than authorized, according to documents obtained by EPIC under the Freedom of Information Act. The news report also renews concerns about the scope of US Internet surveillance. The European Court of Justice struck down an EU-US data transfer deal last year, following revelations that US Internet firms collaborated with the NSA to enable mass surveillance. A related case, Irish Data Protection Commissioner v. Facebook, is now pending. The Irish High Court has selected EPIC as “a friend of the court” to “counterbalance” the submission of the United States intelligence community.
- Irish Court Approves EPIC as Amicus in Schrems Case (Jul. 19, 2016)
The Irish High Court has accepted EPIC’s application to participate in a case about data protection rights and Facebook’s contractual clauses. The case follows Max Schrems’ complaint to the Irish Data Protection Commissioner after the European Court of Justice’s decision to strike down the Safe Harbor arrangement. EPIC will provide the Irish Court, and perhaps also the Court of Justice, expert opinion on U.S. surveillance law. EPIC recently joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a “friend of the court” in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.
- European Commission Signs Off on Flawed “Privacy Shield” (Jul. 12, 2016)
The European Commission has approved the “Privacy Shield” which will allow companies to transfer personal data of Europeans to the U.S. without legal protections. European data protection authorities, the European Data Protection Supervisor, and EU and US NGOs identified flaws with the non-binding framework. Citing a judgement of the European high court which struck down a similar framework, Max Schrems and Jan-Philipp Albrecht predicted that the “Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice.” EPIC and other consumer organizations urged the EU and US to strengthen safeguards for transborder data flows. According to the Federal Trade Commission, identity theft complaints in the US increased by 47% between 2014 and 2015.
- EPIC’s Rotenberg Outlines Need for International Privacy Framework (Jun. 17, 2016)
Speaking at the Council of Europe in Strasbourg, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention. Rotenberg said it was “unlikely that the Privacy Shield will survive another trip to Luxembourg.” The Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from European consumer groups, NGOs, privacy officials, and the EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts endorsed the Council of Europe Privacy Convention. In 2010, members of the EPIC Advisory Board urged then Secretary of State Hillary Clinton to seek US ratification of the Privacy Convention.
- Top European Privacy Official Rejects EU-US “Privacy Shield” (May. 31, 2016)
The European Data Protection Supervisor has determined that “Privacy Shield is not robust enough to withstand future legal scrutiny.” He called for changes in the draft arrangement to permit data transfers to the United States. “Significant improvements are needed,” said Giovanni Buttarelli. The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection.
- European Parliament Requires Changes to Privacy Shield (May. 26, 2016)
The European Parliament called for changes in the draft arrangement to permit data transfers to the United States. The Parliament said that officials must “fully implement” privacy recommendations and negotiate further changes to the “Privacy Shield.” The European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week. EPIC and other consumer and privacy organizations have said that the Privacy Shield fails to provide adequate safeguards for consumers.
- TACD Opposes “Privacy Shield,” Urges Rejection by EU (Apr. 7, 2016)
The Transatlantic Consumer Dialogue has urged the European Commission to reject the “Privacy Shield,” a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield “does not adequately protect consumers’ fundamental rights to privacy” and that it does not provide “effective and meaningful data protection.” European officials are carefully reviewing the proposal. EPIC and a coalition of NGOs have urged the US to adopt a robust data protection law and end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.
- EPIC’s Rotenberg Urges European Parliament to Condition “Privacy Shield” on End of 702 Surveillance (Mar. 17, 2016)
Speaking before the European Parliament on “Privacy Shield,” Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the “702 program,” which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision.
- NGOs – “Privacy Shield” is Failed Approach for EU-US Data Protection (Mar. 16, 2016)
More than twenty civil society groups have urged European leaders to oppose adoption of the “Privacy Shield” for EU-US data flows. The NGOs state that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups said the US must make changes in domestic laws and international commitments to comply with the decision and permit transfers of personal data. EPIC has launched “Data Protection 2016” to support stronger privacy safeguards in the US.
- “Privacy Shield” Released, New Questions Raised (Feb. 29, 2016)
The text of the “Privacy Shield” was released today by the European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the Schrems case. But the framework appears to provide less protection than the Safe Harbor arrangement it replaces. New exceptions take broad categories of personal data entirely outside the scope of the agreement. Max Schrems said “this is far from what the Court required and does not seem like a stable solution.” Privacy experts will now assess the text and determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have urged the US to update its privacy laws.
- European Commission Wrongly Denies EPIC’s Request For “Privacy Shield” (Feb. 26, 2016)
The European Commission has wrongly denied EPIC’s Freedom of Information request for the text of the “Privacy Shield.” The Commission said the adequacy decision about Safe Harbor is “in preparation” and “negotiations with the U.S. are still ongoing.” The Commission confused the text of the political agreement, known as “the Privacy Shield,” with a legal determination about whether the agreement meets EU data protection law. EPIC will pursue public release of the Privacy Shield, which was previously announced, and then the release of the adequacy determination when it is final. EU and US consumer and privacy organizations have opposed the agreement because it fails to provide adequate privacy protections.
- Department of Commerce: Privacy Shield “does not exist” (Feb. 10, 2016)
As a response to EPIC’s Freedom of Information request for the “Privacy Shield,” the Commerce Department responded that “the record you requested does not exist.” EU and US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577.
- EPIC Seeks Release of “Privacy Shield,” Secret Data Transfer Agreement (Feb. 4, 2016)
EPIC has filed emergency Freedom of Information requests with the US and the EU for release of a secret agreement for the transfer of personal data across the Atlantic. A new framework was required by a recent decision of the European Court of Justice. But European and American consumer organizations say the “Privacy Shield” does not provide adequate protection for the transfer of personal data. EPIC stated, “The public has a right to know whether this agreement provides adequate legal protection.” EPIC previously obtained the secret EU-US Umbrella Agreement in FOIA litigation.
- Privacy Commissioners to Review “Privacy Shield” (Feb. 3, 2016)
The Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the “Privacy Shield” proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a “necessary and proportionate” standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve “wider concerns raised by the Schrems judgement.”
- Anticipating Annulment, EU-US Negotiators Sign Off on “Privacy Shield” (Feb. 2, 2016)
Disregarding a decision of the European Court of Justice, negotiators for the US Commerce Dept., the FTC, and the European Commission have agreed to allow the continued transfer of consumer data without adequate legal protection. A virtually identical arrangement was recently struck down by the Court in the Schrems case as a violation of multiple rights of Europeans, including rights to privacy, data protection, and effective redress. Consumers in the US have also expressed concern about rising levels of data breach, identity theft, and financial fraud. EPIC and many EU and US consumer organizations urged negotiators to establish strong safeguards for the transfer of personal data.
- Schrems Responds to US Lobby Groups on Safe Harbor (Jan. 29, 2016)
In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that “attempts by lobby groups and the US government to ‘reinterpret’ or ‘overturn the clear judgement of the Union’s highest court are fundamentally flawed.” Schrems brought the successful case to the European Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide “protection against government surveillance and “essentially equivalent” protection against the commercial use of data by certified companies.” Max Schrems received the 2013 EPIC Champion of Freedom Award.
- “Clock is ticking” on Safe Harbor, says European Consumer Organization (Jan. 29, 2016)
BEUC, the consumer organization of the European Union, has urged European policy makers to accept a revised Safe Harbor arrangement only if it complies with the Schrems decision and “guarantees that EU citizens’ fundamental rights are upheld when their data is exported to the United States.” Last year, 40 consumer privacy organizations in Europe and the United States urged US Secretary Pritzker and EU Commissioner Jourova to take specific steps to close the widening EU-US data divide. Secretary Pritzker has been unwilling to meet with consumer organizations.
- EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement (Jan. 25, 2016)
After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC’s FOIA request for the secret agreement. Today’s release comes on the heels of EPIC’s opposition to the agency’s attempt to further delay the Agreement’s release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.
- EPIC Urges Senate to Postpone Action on Judicial Redress Act (Jan. 16, 2016)
Today EPIC urged the Senate Judiciary Committee to postpone action on the Judicial Redress Act until the Department of Justice releases a secret data transfer agreement on which the bill is based. The so-called Umbrella Agreement outlines data transfers between law enforcement agencies in Europe and the United States. EPIC has sued the DOJ for release of the document. EPIC also urged the Senate Committee to conduct a public hearing on Privacy Act modernization following the massive data breach at the Office of Personnel Management. EPIC previously wrote to the House Judiciary Committee to recommend updates to the Privacy Act.
- EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit (Jan. 6, 2016)
In its fight to obtain a copy of the EU-US Umbrella Agreement, EPIC asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC’s complaint, the court entered default against the agency. The Agreement is central to pending legislation, which the Senate Judiciary Committee is set to debate this month, yet the DOJ has not made the document available to the public or to Members of Congress.
- European Institutions Conclude Data Protection Reform (Dec. 15, 2015)
The EU Commission, Parliament and Council reached an agreement on a comprehensive new privacy law after four years of negotiation. The General Data Protection Regulation establishes common privacy rules across Europe and creates strong enforcement power. The law will be fully applicable in about two years. The new law is a “major step forward for consumer protection and competition,” said Jan Philipp Albrecht. Sophie in ’t Veld said, “The EU will now have the most extensive data protection laws in the world and will set global standards.” EPIC and many consumer privacy organizations have urged the US to modernize domestic privacy law. EPIC President Marc Rotenberg told USA Today, “The U.S. will need to update privacy laws to safeguard U.S. consumers and maintain trade relations with Europe.”
- Senate Postpones Action on Weak EU-US Privacy Measure (Dec. 12, 2015)
The Senate Judiciary Committee has “held over” the Judicial Redress Act, industry-sponsored legislation regarding the transfer of personal data on Europeans to the United States. European legal experts have stated that the measure does not provide meaningful protections for the data of Europeans. Forty NGOs have recommended substantial changes to privacy law in the US and the EU to make possible the continuation of transborder data flows. EPIC has also recommended specific changes to the Judicial Redress Act. European data protection agencies are expected to begin enforcement actions against US companies after January 30, 2016. According to Govtrack, the Judicial Redress Act has a “1% chance of being enacted.”
- Austrian Supreme Court to Consider Schrems’ Case against Facebook (Dec. 4, 2015)
The Austrian Supreme Court will decide if the Schrems case against Facebook can be brought as a class action. “The ‘class action’ is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook,” says Schrems. EPIC frequently works to protect the interests of Internet users facing common violations of privacy rights.
- Schrems Pursues Legal Actions to Block Data Transfers to the US (Dec. 2, 2015)
EU privacy advocate Max Schrems made new legal moves following the judgment of the European Court of Justice that struck down the Safe Harbor data transfer pact. He filed complaints with data protection officials in Ireland, Germany and Belgium to block Facebook data transfers to the United States. Schrems says he wants to “ensure that this very crucial judgment is also enforced in practice when it comes to the US companies that are involved in US mass surveillance.” NGOs in Europe and the United States have urged governments to update domestic privacy laws and strengthen international commitments to enable the continued transfer of data between the EU and the US.
- NGOs Reject “Safe Harbor 2.0,” Urge EU and US to Protect Fundamental Rights (Nov. 12, 2015)
Leading human rights and consumer organizations have issued a letter to urge the US and the EU to protect the fundamental right to privacy. After the Schrems decision the parties are now renegotiating the invalidated Safe Harbor arrangement. The groups warned that without significant changes to “domestic law” and “international commitments,” a Safe Harbor 2.0 will almost certainly fail. NGO leaders call for a comprehensive privacy framework in the US, commitment to strong encryption and ending mass surveillance on both sides of the Atlantic.
- European Commission Issues Guidance on Data Transfers Post-Schrems (Nov. 6, 2015)
The European Commission has published guidelines for EU-US data transfer after the invalidation of the Safe Harbor framework. The Commission explained that the Safe Harbor case “underlined the importance of fundamental right to data protection.” The Commission also emphasized the ongoing role of the independent data protection agencies and the Article 29 Working Party. Negotiators are attempting to create a revised arrangement. NGOs have said that fundamental rights must be protected in all data transfers. In testimony before Congress, EPIC recommended several updates to US privacy law. EPIC’s Marc Rotenberg said “these changes will benefit consumers and businesses on both sides of the Atlantic.”
- EPIC Sues for Release of Secret EU-US “Umbrella Agreement” (Nov. 4, 2015)
EPIC has sued the Department of Justice to obtain a secret agreement between the United States and the European Union concerning the transfer of personal information. US and EU officials finalized the so-called “Umbrella Agreement” in September, but had kept the final document secret even as Congress was voting on provisions to implement the text. “The DOJ has withheld from the public the text of an Agreement that is central to legislation currently pending before Congress and critical to a related negotiation between the United States and the European Union that implicates the fundamental rights of Americans and Europeans,” wrote EPIC in the FOIA lawsuit.
- EPIC to Call For Comprehensive Overhaul of U.S. Privacy Law (Nov. 2, 2015)
In testimony before the US Congress, EPIC’s Marc Rotenberg is expected to say that the recent decision of the European Court confirmed what everyone already knows: US privacy law is not adequate. “Our country suffers from an epidemic of data breaches and identity theft. And all the data indicates these problems are getting worse.” EPIC, consumer allies, and privacy experts are urging the Congress to enact the Consumer Privacy Bill of Rights, modernize the Privacy Act, create an independent privacy agency, and ratify the International Privacy Convention. “These changes will benefit consumers and businesses on both sides of the Atlantic.”
- Civil Society Leaders in Amsterdam Issue Declaration on Fundamental Rights (Oct. 28, 2015)
Leading digital rights and consumer privacy organizations meeting in Amsterdam have issued a declaration, “Fundamental Rights are Fundamental.” Calling attention to the recent success of Max Schrems and the failure of self-regulation, the organizations said the “Bridges” report is “remarkably out of touch with the current legal reality and what we need to do to address it.” The NGO leaders also criticized the organizers of the Amsterdam conference for “the failure to engage” many new challenges to data protection, including “Big Data” and drone surveillance. Privacy campaigner Simon Davies wrote, “There has never been a moment in history when the privacy regulator community needs to do more to restore trust and relevance. Instead, this week signals a new low in that trust.”
- After FOI Request, EPIC Obtains Secret “Umbrella Agreement” from the EU Commission (Oct. 23, 2015)
The EU Commission, in response to a freedom of information request, has released to EPIC the text of the EU-US data transfer agreement. US and EU officials finalized the so-called “Umbrella Agreement” in September, but had kept the final document secret. EPIC has filed multiple FOIA requests with US federal agencies and the European Commission to obtain public release of the document. The Agreement, alongside the Judicial Redress Act, is a key document in the aftermath of the European court decision striking down the Safe Harbor arrangement. Legal scholars who have reviewed the agreement have concluded it is deeply flawed. EPIC continues to pursue the public release of the Agreement from US federal agencies.
- House Passes Faux Privacy Bill (Oct. 21, 2015)
The House of Representatives has passed the Judicial Redress Act of 2015, which—contrary to its stated purpose—fails to extend Privacy Act protections to non-U.S. citizens. In a letter to Congress, EPIC explained that the bill does not provide adequate protection to permit transborder data flows and recommended changes to ensure protections for all personal information collected by U.S. federal agencies. Congress moved to advance the bill after announcement of the recently concluded but secret EU-US “Umbrella Agreement”. EPIC submitted a Freedom of Information request for the Umbrella agreement, and recently filed an administrative appeal challenging the agency’s denial of expedited processing.
- Case Against Facebook Moves Forward in Ireland (Oct. 20, 2015)
Following the ruling that invalidated the Safe Harbor arrangement, the Irish High Court has declared that the Irish Data Protection Commissioner is “obliged to investigate” Max Schrems’ complaint and must follow “fair procedures under Irish and EU law.” The Commissioner pledged a “quick and swift procedure.” Facebook’s last-minute motion to join the procedure was denied. “The Schrems case underscores the need for the U.S. to strengthen its right to privacy,” EPIC’s Marc Rotenberg told the Washington Post.
- European Data Protection Authorities Conclude Data Transfers under Safe Harbor Now Unlawful (Oct. 17, 2015)
Following the landmark ruling that invalidated the Safe Harbor data transfer arrangement, the Article 29 Working Party, composed of privacy officials across Europe, issued a preliminary statement. They called for solutions “enabling data transfers to the territory of the United States that respect fundamental rights.” They concluded that “transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.” Also, Standard Contractual Clauses and Binding Corporate Rules will not provide an adequate basis. EPIC, US and European consumer organizations have urged lawmakers in the United States to update US privacy law.
- European Court Strikes Down “Safe Harbor,” Focus Shifts to Adequacy of US Privacy Laws (Oct. 6, 2015)
In a stunning decision, the European Court of Justice today ruled that the transatlantic “Safe Harbor” data pact is invalid. Consumer organizations and civil liberties groups in Europe and the United States applauded the outcome. Safe Harbor had been widely criticized for failing to provide adequate data protection for users of Internet-based services. The European Parliament earlier recommended against renewal of Safe Harbor. Max Schrems, the Austrian law student who brought the case, praised the judgement and said the “solution will very likely require severe changes in US law” not “just an update to the current ‘safe harbor’ system.” @maxschrems @EUCourtPress
- EPIC Expresses Support for Advocate General Opinion in Schrems Case (Sep. 28, 2015)
In a statement issued today, EPIC supported a recent opinion of the Advocate General of the Court of Justice of the European Union which found that the Safe Harbor Arrangement was invalid. Safe Harbor has operated for several years as a substitute for the legal protections that would otherwise be required for the transfer of personal data across national borders. EPIC said that Safe Harbor has “given rise to significant concerns on both sides of the Atlantic about the adequacy of the privacy and security afforded personal information.” Earlier today the US Mission issued a statement calling into question the opinion of the Advocate General. The Mission stated that the PRISM program, operating in conjunction with Safe Harbor and involving the mass surveillance of EU citizens, is “duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations.”
- Decision by EU Legal Advisor Signals End of “Safe Harbor” (Sep. 23, 2015)
An opinion by the top advisor for the Court of Justice of the European Union indicates that the “Safe Harbor” arrangement, which permits the transfer of personal data to the US without legal protection, will come to an end. Under Safe Harbor, US companies self-certify compliance with EU data protection law. But the Advocate General has found the arrangement fails to protect privacy and should be declared invalid. Max Schrems, who initiated the case in Ireland, stated, “This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies.” The European Digital Rights Initiative also supported the decision. EPIC has recommended that the US update the Privacy Act to protect EU citizens and ratify the international convention for privacy protection.
Background
The Law of Data Transfers: the Data Protection Directive, Safe Harbor, and Privacy Shield
The Schrems cases address one of the core tensions between EU and US privacy law, and the international agreements and contracts that have been used to address the data protection gap. The key issue in both cases is whether US law ensures adequate protection for personal data, as required to permit international data transfers under EU law.
Unlike in the United States, the default rule in the European Union is that data transfers are prohibited; a transfer of personal data is permitted only if certain criteria are met. The European Data Protection Directive is the EU law embodying this norm. The Directive states that transfer of personal data to a third country may take place only if that country ensures an adequate level of data protection. The Directive also provides that the European Commission may find a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.
In July 2000, the European Commission adopted a decision declaring that the United States provides adequate safeguards for data protection. The decision of the Commission was based on the Safe Harbor framework. The Safe Harbor arrangement consisted of data protection principles to which American companies could subscribe voluntarily in order to engage in cross-border data transfers. Thus, the protections for user data relied on self-assessment and self-certification by private companies.
As is discussed in greater detail below, in October of 2015, the Court of Justice of the European Union ruled that the Safe Harbor framework was invalid.
Shortly thereafter, the EU and US began negotiating a replacement agreement: the EU-US Privacy Shield. The European Commission adopted Privacy Shield on July 12, 2016, and US companies have begun to self-certify and transfer data under the agreement. However, the Privacy Shield shares many of the same problems as the Safe Harbor framework, including the reliance on self-certification by US companies.
Max Schrems v. Irish Data Protection Commissioner (the “Safe Harbor” Decision):
This case arose from proceedings before the Irish Data Protection Commissioner (DPC) brought by Max Schrems, an Austrian PhD student and privacy activist.
The data that Mr. Schrems, a Facebook user, provided to Facebook was transferred from Facebook’s Irish subsidiary (Facebook Ireland) to Facebook’s servers located in the United States (Facebook, Inc.). Mr. Schrems lodged a complaint with the Irish data protection authority, taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the US ensures an adequate level of protection of the personal data transferred.
Mr. Schrems appealed the decision of the DPC before the Irish High Court. The Court decided to stay the proceedings and to refer the following question to the CJEU for preliminary ruling:
May and/or must the national data protection supervisory authority conduct his or her own investigation of the adequacy of data protection in a third country or the Commissioner is absolutely bound by the Commission’s decision?
On September 23, 2015, Advocate General Yves Bot issued his opinion on the case. The Advocate General’s opinion indicated that the Safe Harbor arrangement, which permitted the transfer of personal data from the EU to the US, must end because the arrangement failed to provide the requisite legal protection under EU law and thus “must be declared invalid.” The CJEU issued its ruling on October 6, 2015, agreeing with the Advocate General and invalidating Safe Harbor. The Court ruled that (1) national data protection authorities have the right to investigate the adequacy of data transfers under the EU-US Safe Harbor arrangement, or under any other arrangement concluded pursuant to an adequacy decision by the European Commission, and (2) the Safe Harbor arrangement should be invalid due to the lack of adequacy.
EPIC’s Interest
EPIC has long been involved in the policy debate over data transfers between the EU and the US, advocating for adequate safeguards for personal data regardless of where it resides. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement for its failure to comply with the terms set out by the CJEU in its Safe Harbor decision. Speaking before the European Parliament, Marc Rotenberg outlined several flaws in the agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In testimony before Congress, EPIC also criticized the prior Safe Harbor Arrangement for its lack of effective means of enforcement, redress, and accountability for privacy violations.
EPIC has participated as an amicus before international courts concerning the lack of safeguards for data transferred internationally. EPIC was chosen by the Irish High Court to make amicus submissions in the related case Data Protection Commissioner v. Facebook and Schrems, and also made amicus submissions in that case before the Court of Justice of the European Union. EPIC also previously joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has also appeared as a “friend of the court” in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.
Legal Documents
Irish Data Protection Commissioner
Irish High Court, No. 2013 765JR
CJEU, Case C‑362/14
Advocate General’s Opinion on Case C-362/14 Maximillian Schrems v Data Protection Commissioner (Sept 23, 2015)
Ruling on Safe Harbor (October 6, 2015)
- EPIC webpage, EU Data Protection Directive (2016)
- EPIC webpage, Privacy Shield EU-U.S. Data Transfer Arrangement (2016)
- EPIC webpage, Max Schrems v Irish Data Protection Commissioner (Safe Harbor), (2016)
- European Commission, Model Contracts for the transfer of personal data to third countries (2016)
- Courts Service Ireland, High Court (2016)
- Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield
- Annexes to the Commission Implementing Decision (July 12, 2016)
- EU-US Privacy Shield Framework Principles issued by the US Department of Commerce
- Europe v Facebook, US Government wants to intervene in European Facebook Case (June 13, 2016)
- Trans Atlantic Consumer Dialogue, Resolution on the EU-U.S. Privacy Shield Proposal (April 7, 2016)
- Commission Communication on the Transfer of Personal Data from the EU to the United States of America under Schrems (November 6, 2015)
- EPIC’s Testimony before Congress on Safe Harbor (November 3, 2015)
- Max Schrems, First Thoughts on Decision C-362/14, Europe v Facebook (October, 2015)
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
- Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
- Europe v Facebook website
- Safe Harbor Framework
NGO Statements
- Marc Rotenberg, Anna Fielder, Jeff Chester, Letters to the Editor of the New York Times on Digital Privacy, in the U.S. and Europe (October, 2015)
- Max Schrems, First Thoughts on Decision C-362/14, Europe v Facebook (October, 2015)
- EU and US organisations welcome the European Court of Justice Safe Harbor Ruling, TACD (October 15, 2015)
- EPIC, Decision by EU Legal Advisor Signals End of “Safe Harbor” (September 23, 2015)
- EPIC, EPIC Expresses Support for Advocate General Opinion in Schrems Case (September 28, 2015)
- EPIC, Advocate General Correctly Determines that Safe Harbor Fails to Protect Privacy and Does Not Establish Trust, Threatening Data Flows that Underpin Transatlantic Trade (September 28, 2015)
- Simon Davies, Five uncomfortable facts about the CJEU Safe Harbour decision, Privacy Surgeon (October, 2015)
- Dr Gus Hosein, There is no Safe Harbour from U.S. Authorities, Privacy International (October 6, 2015)
- Joe McNamee, Fifteen years late, Safe Harbor hits the rocks, European Digital Rights (October 6, 2015)
- BEUC, Historic victory for Europeans’ personal data rights, BEUC (October 6, 2015)
- TACD, TACD Statement in Response to European Court of Justice Safe Harbour Ruling, TACD (October 6, 2015)
- Estelle Masse, How safe is the “Safe Harbour”? A close look at the “Schrems” case on the eve of the ruling, Access (October 6, 2015)
News
- Joe Uchill, US to Join Irish Facebook Case, The Hill (July 19, 2016)
- RTE News, US govt can join legal action over data transfers – High Court (July 19, 2016)
- Glyn Moody, In “an unusual move,” US government asks to join key EU Facebook privacy case, Ars Technica (June 13, 2016)
- Cryptic Safe Harbor Pact ‘Privacy Shield’: Public, Possibly Soon, Forbes (February 6, 2016)
- EU-US Privacy Shield offers flimsy protection, InfoWorld (February 5, 2016)
- The new Safe Harbor agreement: Will it survive Europe’s paranoia?, American Enterprise Institute (February 5, 2016)
- U.S. and European Officials Fail to Reach Agreement for New Data Transfer Deal, JDSupra (February 4, 2016)
- U.S. and Europe in ‘Safe Harbor’ Data Deal, but Legal Fight May Await, New York Times (February 2, 2016)
- Negotiators miss deadline for transatlantic data agreement, The Hill (February 1, 2016)
- EU lawmakers skeptical new data deal will hold up in court, The Hill (February 1, 2016)
- EU-US Safe Harbor: Judicial Redress Act Vote Delayed, Forbes (January 21, 2016)
- EU regulators could freeze data transfers with US, The Hill (January 21, 2016)
- EU wants tougher privacy controls in new Safe Harbor, The Hill (January 19, 2016)
- Glyn Moody, Safe Harbor 2.0 framework begins to capsize as January deadline nears, Ars Technica (November 16, 2015)
- Jacob Fischler, Fortify New US-EU Data Transfer Pact, Privacy Groups Urge, Law360 (November 16, 2015)
- Natalia Drozdiak and Stephen Fidler, EU Justice Chief Vera Jourova Speaks on Negotiating New Safe Harbor Pact, The Wall Street Journal (November 12, 2015)
- NGOs Reject “Safe Harbor 2.0”, Urge EU and US to Protect Fundamental Rights (November 12, 2015)
- Brooke Gladstone, Safe Harbor No More, NPR OnTheMedia (October 16, 2015)
- Safe Harbour ruling: MEPs called for clarity and effective protection, European Parliament Justice and Home Affairs (October 15, 2015)
- Robert Levine, Behind the European Privacy Ruling That’s Confounding Silicon Valley, The New York Times (October 9, 2015)
- Julia Powles, Tech companies like Facebook not above the law, says Max Schrems, The Guardian (October, 2015)
- Amie Stepanovich, Opinion: With pervasive government surveillance, there are no safe harbors, The Christian Science Monitor (October 8, 2015)
- Elizabeth Weise, Europe’s top court rejects ‘Safe Harbor’ ruling, USA Today (October 6, 2015)
- Andrew Griffin, Jamie Merrill, European court rules ‘Safe Harbour’ treaty that saw Facebook hand over user data to US is invalid, after challenge by student, Independent (October 6, 2015)
- World Wide Web Foundation, Privacy before Profit: European Court of Justice Rules “Safe Harbor” is invalid (October 6, 2015)
- TV Interview with Max Schrems, ORF TVTECH (October 6, 2015)
- Leo Kelion, Facebook data transfers threatened by Safe Harbour ruling, BBC (October 6, 2015)
- European Digital Rights, Safe Harbor: European Court Advocate General says Agreement should be declared invalid (September 23, 2015)
- Mark Scott, European Court Adviser Calls Trans-Atlantic Data-Sharing Pact Insufficient, The New York Times (September 23, 2015)
- Owen Bowcott, Facebook case may force European firms to change data storage practices, The Guardian (September 23, 2015)
- Yves Eudes, Pourquoi l’accord Safe Harbor sur les données personnelles cristallise les tensions, Le Monde (September 25, 2015)
- Patrick Beuth, Facebook braucht einen Plan B, Die Zeit (September 23, 2015)