Schrems v. Data Protection Commissioner
Two of the most important international privacy cases in recent history arose from complaints against Facebook brought to the Irish Data Protection Commissioner by an Austrian privacy advocate named Max Schrems. In the complaints, Mr. Schrems challenged the transfer of his data (and the data of EU citizens’ generally) to the United States by Facebook, which is incorporated in Ireland. The first Schrems case (“Schrems I”) led the Court of Justice of the European Union on October 6, 2015, to invalidate the Safe Harbor arrangement, which governed data transfers between the EU and the US. After that case was remanded to the Irish data protection authority, the Commissioner filed a second suit (“Schrems II”) in the Irish High Court to determine whether the “standard contractual clauses” used by Facebook to authorize the transfer of personal data to the U.S. post-Safe Harbor provide adequate protection for E.U. citizens. EPIC has been selected by the Irish High Court to provide an amicus submission in Schrems II to “counterbalance” the submission of the U.S. Government.
- European Privacy Officials Push for Answers on Status of U.S. Privacy: The Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a letter to the Commission, the Working Party outlined its expectations for this summer's annual review of the arrangement. The Group asked for "precise evidence" that bulk surveillance is "limited and proportionate." The Article 29 also seeks information about vacancies in key privacy oversight positions, including the Privacy and Civil Liberties Oversight Board and the Privacy Shield Ombudsperson, and any legal protections for "automated decision making." The European Parliament previously expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations urged the US and the EU to strengthen privacy protections following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in DPC v. Facebook, highlighting weaknesses in US privacy law. (Jun. 13, 2017)
- EPIC Urges Senate Committee To Reform Surveillance Law: In advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a Statement to the Senate Select Committee on Intelligence urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted several legal challenges to an NSA bulk surveillance program abroad. The bulk surveillance program for the communications of non-U.S. persons, sunsets on December 31, 2017. EPIC testified before the House Judiciary Committee during the 2012 FISA reauthorization hearings, recommended improved public reporting, and warned pre-Snowden that the extent of mass surveillance was much greater than was known to the public. (Jun. 6, 2017)
- NGOs Continue Campaign Against Privacy Shield (Mar. 2, 2017) +
- EPIC Urges House Committee To Ensure Transparency, Public Reporting in Surveillance Law (Mar. 1, 2017) +
- EPIC in Court: Irish High Court Examines EU-US Data Transfers (Mar. 1, 2017) +
- European Privacy Officials Raise Concerns About US Immigration Executive Order (Feb. 22, 2017) +
- Senators Calls for Answers from Secretary Kelly on Privacy Act Exclusion (Feb. 9, 2017) +
- EPIC Participates in Irish Case on Future of EU-US Data Transfers (Feb. 6, 2017) +
- US Designates Countries Covered Under the Judicial Redress Act (Jan. 23, 2017) +
- White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office (Jan. 19, 2017) +
- New Study Shows Global Increase in Comprehensive Privacy Protections (Nov. 29, 2016) +
- Second Legal Challenge Launched Against "Privacy Shield" (Nov. 3, 2016) +
- Privacy Advocates Challenge EU-US Data Transfer Agreement (Oct. 27, 2016) +
- Reuters: US Government Issued Secret Order to Yahoo to Scan All E-mails (Oct. 4, 2016) +
- Irish Court Approves EPIC as Amicus in Schrems Case (Jul. 19, 2016) +
- European Commission Signs Off on Flawed "Privacy Shield" (Jul. 12, 2016) +
- EPIC's Rotenberg Outlines Need for International Privacy Framework (Jun. 17, 2016) +
- Top European Privacy Official Rejects EU-US "Privacy Shield" (May. 31, 2016) +
- European Parliament Requires Changes to Privacy Shield (May. 26, 2016) +
- TACD Opposes "Privacy Shield," Urges Rejection by EU (Apr. 7, 2016) +
- EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield' on End of 702 Surveillance (Mar. 17, 2016) +
- NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection (Mar. 16, 2016) +
- "Privacy Shield" Released, New Questions Raised (Feb. 29, 2016) +
- European Commission Wrongly Denies EPIC's Request For "Privacy Shield" (Feb. 26, 2016) +
- Department of Commerce: Privacy Shield "does not exist" (Feb. 10, 2016) +
- EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement (Feb. 4, 2016) +
- Privacy Commissioners to Review "Privacy Shield" (Feb. 3, 2016) +
- Anticipating Annulment, EU-US Negotiators Sign Off on "Privacy Shield" (Feb. 2, 2016) +
- Schrems Responds to US Lobby Groups on Safe Harbor (Jan. 29, 2016) +
- "Clock is ticking" on Safe Harbor, says European Consumer Organization (Jan. 29, 2016) +
- EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement (Jan. 25, 2016) +
- EPIC Urges Senate to Postpone Action on Judicial Redress Act (Jan. 16, 2016) +
- EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit (Jan. 6, 2016) +
- European Institutions Conclude Data Protection Reform (Dec. 15, 2015) +
- Senate Postpones Action on Weak EU-US Privacy Measure (Dec. 12, 2015) +
- Austrian Supreme Court to Consider Schrems' Case against Facebook (Dec. 4, 2015) +
- Schrems Pursues Legal actions to Block Data Transfers to the US (Dec. 2, 2015) +
- NGOs Reject "Safe Harbor 2.0," Urge EU and US to Protect Fundamental Rights (Nov. 12, 2015) +
- European Commission Issues Guidance on Data Transfers Post-Schrems (Nov. 6, 2015) +
- EPIC Sues for Release of Secret EU-US "Umbrella Agreement" (Nov. 4, 2015) +
- EPIC to Call For Comprehensive Overhaul of U.S. Privacy Law (Nov. 2, 2015) +
- Civil Society Leaders in Amsterdam Issue Declaration on Fundamental Rights (Oct. 28, 2015) +
- After FOI Request, EPIC Obtains Secret "Umbrella Agreement" from the EU Commission (Oct. 23, 2015) +
- House Passes Faux Privacy Bill (Oct. 21, 2015) +
- Case Against Facebook Moves Forward in Ireland (Oct. 20, 2015) +
- European Data Protection Authorities Conclude Data Transfers under Safe Harbor Now Unlawful (Oct. 17, 2015) +
- European Court Strikes Down "Safe Harbor," Focus Shifts to Adequacy of US Privacy Laws (Oct. 6, 2015) +
- EPIC Expresses Support for Advocate General Opinion in Schrems Case (Sep. 28, 2015) +
- Decision by EU Legal Advisor Signals End of "Safe Harbor" (Sep. 23, 2015) +
More top news
The Law of Data Transfers: the Data Protection Directive, Safe Harbor, and Privacy Shield
The Schrems cases address one of the core tensions between EU and US privacy law, and the international agreements and contracts that have been used to address the data protection gap. The key issue in both cases is whether US law ensures adequate protection for personal data, as required to permit international data transfers under EU law.
Unlike in the United States, the default rule in the European Union is that data transfers are prohibited; a transfer of personal data is permitted only if certain criteria are met. The European Data Protection Directive is the EU law embodying this norm. The Directive states that transfer of personal data to a third country may take place only if that country ensures an adequate level of data protection. The Directive also provides that the European Commission may find a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.
In July 2000, the European Commission adopted a decision declaring that the United States provides for adequate safeguards for data protection. The decision of the Commission was based on the Safe Harbor framework. The Safe Harbor arrangement consisted of data protection principles to which to which American companies could subscribe voluntarily in order to engage in cross-border data transfers. Thus, the protections for user data relied on the self-assessment and self-certification by private companies.
As is discussed in greater detail below, in October of 2015, the Court of Justice for the European Union ruled that the Safe Harbor framework was invalid.
Shortly thereafter, the EU and US began negotiating a replacement agreement: the EU-US Privacy Shield. The European Commission adopted Privacy Shield on July 12, 2016, and US companies have begun to self-certify and transfer data under the agreement. However, the Privacy Shield shares many of the same problems as the Safe Harbor framework, including the reliance on self-certification by US companies.
Schrems I (Safe Harbor): Max Schrems v. Irish Data Protection Commissioner
This case arose from proceedings before the Irish Data Protection Commissioner (DPC) brought by Max Schrems, an Austrian PhD student and privacy activist.
The data that Mr. Schrems, a Facebook user, provided to Facebook was transferred from Facebook’s Irish subsidiary (Facebook Ireland) to Facebook’s servers located in the United States (Facebook, Inc.). Mr. Schrems lodged a complaint with the Irish data protection authority, taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the US ensures an adequate level of protection of the personal data transferred.
Mr. Schrems appealed the decision of the DPC before the Irish High Court. The Court decided to stay the proceedings and to refer the following question to the CJEU for preliminary ruling:
May and/or must the national data protection supervisory authority conduct his or her own investigation of the adequacy of data protection in a third country or the Commissioner is absolutely bound by the Commission’s decision?
On September 23, 2015, Advocate General Yves Bot issued his opinion on the case. The Advocate General's opinion indicated that the Safe Harbor arrangement, which permitted the transfer of personal data from the EU to the US, must end because the arrangement failed to provide the requisite legal protection under EU law and thus "must be declared invalid." The CJEU issued its ruling on October 6, 2015, agreeing with the Advocate and invalidating Safe Harbor. The Court ruled that (1) national data protection authorities have the right to investigate the adequacy of data transfers under the EU-US Safe Harbor arrangement or any other arrangements concluded pursuant to an adequacy decision by the European Commission for that matter, and (2) the Safe Harbor arrangement should be invalid due to the lack of adequacy.
Schrems II (Standard Contractual Clauses): Irish Data Protection Commissioner v. Facebook and Max Schrems
Following the CJEU ruling, Mr. Schrems filed a renewed complaint with the Irish DPC based on Facebook’s use of “standard contractual clauses” to authorize EU-US data transfers, which provided the basis for a new case in the Irish High Court. Soon after the CJEU decision, the Irish High Court quashed the Irish DPC’s previous decision not to investigate Facebook Ireland regarding the allegations in Mr. Schrems’s first complaint. The Irish DPC then commenced an investigation. The Irish DPC considered two key issues: does the US provide adequate legal protection to EU users whose data is transferred, and, if not, could standard contractual clauses (SCCs) used by Facebook Ireland and Facebook, Inc. to regulate the transfer of that data raise the level of protection and still render transfer permissible? Simultaneously, Mr. Schrems updated his complaint with the DPC against Facebook, and he contended that U.S. surveillance law is not in line with the requirements laid down by EU law including the judgment of the CJEU in the Safe Harbor decision. The CJEU found that the US must make changes to its “domestic laws” and “international commitments” in order to provide essentially equivalent privacy and data protection to the European Union. Additionally, Mr. Schrems argued the SCCs fail to provide the adequate legal protection necessary to otherwise permit data transfers.
In May of 2016, the Irish DPC issued a Draft Decision announcing its preliminary position: that US law fails to adequately provide legal remedies to EU citizens and the SCCs could not address the deficiency in US law. As a result, the Irish DPC suggested the contractual clauses at issue were invalid under EU law. However, the Irish DPC found that, as a representative of one nation in the EU with limited authority, it did not have the ability to declare the clauses invalid under EU law; the Irish DPC argued that standard contractual clauses issued under the broader authority of the European Commission had been deemed by that Commission to authorize data transfers. The Irish DPC argued that, without a finding that the clauses are indeed invalid, they cannot complete its investigation into Facebook.
As a result, the Irish DPC brought the case back before the Irish High Court and is seeking a referral to the the CJEU on the question of whether the standard contractual clause decisions are valid under the Charter of Fundamental Rights. The High Court granted EPIC's application to intervene as an amicus curiae in the case, which opened in February 2017.
Day 1 (Feb. 7, 2017): The DPC v. Facebook and Schrems hearing commenced before the Irish Commercial Court in Dublin, Ireland, on the morning of Tuesday February 7th with the introduction of counsel and the beginning of Opening Statements and the introduction of evidence on behalf of the Data Protection Commissioner (DPC). The first day of the hearing ran for 4.5 hours and began with an outline of the DPC's case.
The DPC first noted her view that "she is obliged, as she sees it, under the decision in Schrems 1 as we call it to bring this matter before the court if, having received the complaint which she did receive from Mr. Schrems, she formed the view that Mr. Schrems' complaints or some of them were well founded. The DPC explained that she was requesting that the Irish Court refer the validity question to the European Court of Justice "because what the European court said is that the Commissioner has to bring the matter before the national court and if the national court shares her concerns as to the validity of the particular Commission decisions in question, which have to do with these contractual clauses that the data transfer is permitted under, if the court shares those concerns it is then a matter for the European court to decide the issue of the validity of these Commission decisions and this court then makes a reference from here to the European Court of Justice."
In particular, the DPC explained, "the ultimate decision, and the decision has to be taken by the Court of Justice, concerns the validity of the Commission decisions containing the standard contractual clauses or the SCCs as they are referred to." The DPC noted that a "great deal" of factual evidence concerning U.S. law has been submitted in the case in the form of expert testimony. In considering the validity of the SCCs, the DPC looked firstly at "the essential equivalence of the legal rules" between the EU and the U.S. Then "if that test is failed" the DPC found that she must look at whether "the SCCs are designed to remedy that and they are designed to bring about the situation where the recipients of the data in the United States who subscribe to these contractual clauses under the SCC decisions, does that regime of SCCs in a sense make up for the inadequacy of the legal protection and bring about the result in essence that there is an equivalent form of protection." The DPC took the position that "only the Court of Justice has the jurisdiction" to "declare a Commission decision to be invalid" and, therefore, that the Irish Court would "have to make a reference to the European court if you are satisfied, in the way it was put in the Schrems decision which we'll be coming to, that you share the doubts that the Commissioner has."
After the DPC outlined her opening argument, she began to open the relevant EU authorities to the court, including Articles 7, 8, 47, 52, and 53 of the Charter of Fundamental Rights. The DPC also opened portions of Article 16 of the Treaty on the Functioning of the European Union (TFEU) before moving on to the Directive 95/46/EC and, in particular, Articles 25 and 26 of the Directive. The DPC then referred to the EU Commission's Safe Harbour decision (No. 2000/520) and the history of the Schrems I case. The DPC then opened a report issued prior to Schrems I by an ad hoc working group of the EU and U.S., which was published on November 27th 2013 and addressed the issue of U.S. surveillance law in light of the Snowden revelations. This report was then considered by the Irish Court judge in the initial Schrems I decision, which the DPC opened to the court. The DPC then went on to open several data protection decisions by the Court of Justice, including Digital Rights -v- Communications Minister, Schrems v. Data Protection Commissioner, and Digital Rights Ireland. Finally, the DPC began to open the revised complaint filed by Mr. Schrems that gave rise to this case.
Day 2 (Feb. 8, 2017): The DPC v. Facebook and Schrems hearing continued on Wednesday February 8th. The DPC began by opening her Draft Decision to the court. Following introduction of the draft decision, the DPC began to open the U.S. legal authorities, including sections of the Foreign Intelligence Surveillance Act, 50 U.S.C. §§ 1801 et seq., and, in particular, the FISA Amendments Act of 2008, 50 U.S.C. § 1881a. The DPC continued to outline the relevant statutory provisions, including the administrative and judicial remedies available under FISA: 50 U.S.C. §§ 1806, 1809, 1810. The DPC also introduced a case relevant to these provisions, Al Haramain Islamic Foundation v. Obama, 705 F.3d 845 (9th Cir. 2012), in which the Ninth Circuit held that the United States cannot be held liable under FISA § 1810 because the provision does not include an explicit waiver of sovereign immunity.
The DPC then began to open the Electronic Communications Privacy Act (ECPA) to the court, including the Wiretap Act and Stored Communications Act sections. In order to explain the "willfulness" requirement in 18 U.S.C. § 2712, the DPC introduced a recent district court decision, Fikre v. FBI, 142 F. Supp. 3d 1152 (D. Ore. 2015), which held that both knowing and reckless violations of statutory provisions can constitute "willful" violations under § 2712. That section acts as a waiver of sovereign immunity where the government has willfully violated any provision in the Wiretap Act, the Stored Communications Act, or three enumerated FISA provisions: § 1806(a), § 1825(a), or § 1845(a).
After introducing the court to ECPA, the DPC moved on to open provisions of the Privacy Act and the Judicial Redress Act. The DPC outlined the structure of the Privacy Act and discussed the exceptions. In particular, the DPC drew the court's attention to the "routine use" exception, which the DPC's expert Professor Neil Richards explained was "a very broad exception that, in the minds of many distinguished scholarly and practical commentators on privacy law, has the potential to be the proverbial exception that swallows the rule." Then DPC then went on to outline the remedies available under the Privacy Act, and introduced two Supreme Court decisions limiting those remedies: FAA v. Cooper, 132 S. Ct. 1441 (2012), in which the court held that the statute did not waive sovereign immunity for suits against the Government to recover nonpecuinary damages, and Doe v. Chao, 540 U.S. 614 (2004), in which the court held that plaintiffs cannot recover the minimum statutory damages under the Privacy Act unless they can prove "actual damages." The DPC also introduced the judge to the administrative review provisions of the Administrative Procedure Act (APA), 5 U.S.C. §§ 702, 704, and 706.
After introducing relevant statutory provisions, the DPC went on to open to the court cases related to the Article III standing doctrine. The first case introduced was the Supreme Court's decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), in which the court held that groups and individuals who had reason to believe that their international communications would be subject to interception under Section 702 had not alleged a "certainly impending" injury as necessary to establish Article III standing to sue. The second standing case introduced was the Supreme Court's recent decision in Spokeo v. Robins, 136 S. Ct. 1540 (2016), in which the court held that Article III requires a court to establish that the plaintiff suffered a "concrete injury" even if they have alleged a violation of a federal privacy statute (such as the Fair Credit Reporting Act). The DPC also opened a Fourth Amendment case to the court: United States v. Verdugo-Urquidez, 494 U.S. 259 (1989), in which the court held that the Fourth Amendment does not apply to the search and seizure of property owned by a nonresident alien located in a foreign country.
Finally, the DPC moved on from the statutes and cases, and began to open for the judge Presidential Policy Directive 28 (PPD-28), an executive order adopted by President Obama in 2014 that outlined certain privacy protections that should be extended to non-U.S. persons in the signals intelligence context. In particular, PPD-28 outlined four general "principles" limiting signals intelligence collection.
Day 3 (Feb. 9, 2017):
Day 4 (Feb. 10, 2017):
Day 5 (Feb. 15, 2017):
The Irish High Court accepted EPIC's application to participate in Schrems II as the only NGO from the United States. EPIC will provide the Irish Court, and likely the CJEU, with a perspective on U.S. surveillance law to “counterbalance” the views offered by the U.S. Government. EPIC recently joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.
EPIC has provided expert opinion to decision makers during the negotiations about data transfers between the EU and the US. EPIC has urged both sides to respect the decision of the Court of Justice of the European Union in the Safe Harbor case and provide adequate protections for personal data in transatlantic transfers. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement.
Speaking before the European Parliament on "Privacy Shield," Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US.
In ACLU v Clapper EPIC petitioned the Supreme Court to halt the disclosure of the telephone records of millions of Americans, arguing that FISC did not have statutory authority to compel Verizon to turn over all domestic telephone metadata to the National Security Administration (NSA).
As a member of the Trans Atlantic Consumer Dialogue (TACD), EPIC has been advocating for adequate safeguards for transatlantic data transfers and the revision of the Safe Harbor arrangement. Since its formation in 1998, TACD has developed into a thriving network of over 75 leading organizations representing the consumer interest on both sides of the Atlantic. TACD previously criticized Safe Harbor for its lack of effective means of enforcement, redress, and accountability for privacy violations. The has called upon the US to develop legal means to safeguard the privacy of US consumers based on Fair Information Practices as articulated in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Most recently, the TACD counseled against the adoption of the Privacy Shield, urging the US to first put in place an enforceable, comprehensive legal framework supporting privacy.
- Irish Data Protection Commissioner
- Schrems Complaint to the DPC (June 25, 2013)
- High Court Reference to the CJEU for Preliminary Ruling (July 17, 2014)
- CJEU, Case C‑362/14
- Advocate General's Opinion on Case C-362/14 Maximillian Schrems v Data Protection Commissioner (Sept 23, 2015)
- Ruling on Safe Harbor (October 6, 2015)
- Irish Data Protection Commissioner
- Schrems Updated Complaint (Dec. 1, 2015)
- DPC Draft Decision (May 24, 2016)
- Irish High Court, No. 2016 4809P
- EPIC webpage, EU Data Protection Directive (2016)
- EPIC webpage, Privacy Shield EU-U.S. Data Transfer Arrangement (2016)
- EPIC webpage, Max Schrems v Irish Data Protection Commissioner (Safe Harbor), (2016)
- European Commission, Model Contracts for the transfer of personal data to third countries (2016)
- Courts Service Ireland, High Court (2016)
- Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield
- Annexes to the Commission Implementing Decision (July 12, 2016)
- EU-US Privacy Shield Framework Principles issued by the US Department of Commerce
- Europe v Facebook, US Government wants to intervene in European Facebook Case (June 13, 2016)
- TACD, TACD Resolution on the EU-U.S. Privacy Shield Proposal
- (April 7, 2016)
- Commission Communication on the Transfer of Personal Data from the EU to the United States of America under Schrems (November 6, 2015)
- EPIC's Testimony before Congress on Safe Harbor (November 3, 2015)
- Max Schrems, First Thoughts on Decision C-362/14, Europe v Facebook (October, 2015)
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
- Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
- Europe v Facebook website
- Safe Harbor Framework
- Marc Rotenberg, Anna Fielder, Jeff Chester, Letters to the Editor of the New York Times on Digital Privacy, in the U.S. and Europe (October, 2015)
- Max Schrems, First Thoughts on Decision C-362/14, Europe v Facebook (October, 2015)
- EU and US organisations welcome the European Court of Justice Safe Harbor Ruling, TACD (October 15, 2015)
- EPIC, Decision by EU Legal Advisor Signals End of "Safe Harbor" (September 23, 2015)
- EPIC, EPIC Expresses Support for Advocate General Opinion in Schrems Case (September 28, 2015)
- EPIC, Advocate General Correctly Determines that Safe Harbor Fails to Protects Privacy and Does Not Establish Trust, Threatening Data Flows that Underpin Transatlantic Trade (September 28, 2015)
- Simon Davies, Five uncomfortable facts about the CJEU Safe Harbour decision, Privacy Surgeon (October, 2015)
- Dr Gus Hosein, There is no Safe Harbour from U.S. Authorities, Privacy International (October 6, 2015)
- Joe McNamee, Fifteen years late, Safe Harbor hits the rocks, European Digital Rights (October 6, 2015)
- BEUC, Historic victory for Europeans’ personal data rights, BEUC (October 6, 2015)
- TACD, TACD Statement in Response to European Court of Justice Safe Harbour Ruling, TACD (October 6, 2015)
- Estelle Masse, How safe is the “Safe Harbour”? A close look at the “Schrems” case on the eve of the ruling, access (October 6, 2015)
- Joe Uchill, US to Join Irish Facebook Case, The Hill (July 19, 2016)
- RTE News, US govt can join legal action over data transfers - High Court (July 19, 2016)
- Glyn Moody, In “an unusual move,” US government asks to join key EU Facebook privacy case, Ars Technica (June 13, 2016)
- Cryptic Safe Harbor Pact 'Privacy Shield': Public, Possibly Soon, Forbes, February 6, 2016
- EU-US Privacy Shield offers flimsy protection, InfoWorld, February 5, 2016
- The new Safe Harbor agreement: Will it survive Europe’s paranoia?, American Enterprise Institute, February 5, 2016
- U.S. and European Officials Fail to Reach Agreement for New Data Transfer Deal, JDSupra, February 4, 2016
- U.S. and Europe in ‘Safe Harbor’ Data Deal, but Legal Fight May Await, New York Times, February 2, 2016
- Negotiators miss deadline for transatlantic data agreement, The Hill, February 1, 2016
- EU lawmakers skeptical new data deal will hold up in court, The Hill, February 1, 2016
- EU-US Safe Harbor: Judicial Redress Act Vote Delayed, Forbes, January 21, 2016
- EU regulators could freeze data transfers with US, The Hill, January 21, 2016
- EU wants tougher privacy controls in new Safe Harbor, The Hill, January 19, 2016
- Glyn Moody, Safe Harbor 2.0 framework begins to capsize as January deadline nears, ars technica (November 16, 2015)
- Jacob Fischler, Fortify New US-EU Data Transfer Pact, Privacy Groups Urge, Law360 (November 16, 2015)
- Natalia Drozdiak and Stephen Fidler, EU Justice Chief Vera Jourova Speaks on Negotiating New Safe Harbor Pact, The wall Street Journal (November 12, 2015)
- NGOs Reject "Safe Harbor 2.0", Urge EU and US to Protect Fundamental Rights (November 12, 2015)
- Brooke Gladstone, Safe Harbor No More, NPR OnTheMedia (October 16, 2015)
- Safe Harbour ruling: MEPs called for clarity and effective protection, European Parliament Justice and Home Affairs (October 15, 2015)
- Robert Levine, Behind the European Privacy Ruling That’s Confounding Silicon Valley, The New York Times (October 9, 2015)
- Julia Powles, Tech companies like Facebook not above the law, says Max Schrems, The Guardian (October, 2015)
- Amie Stepanovich, Opinion: With pervasive government surveillance, there are no safe harbors, The Christian Science Monitor (October 8, 2015)
- Elizabeth Weise, Europe's top court rejects 'Safe Harbor' ruling, USA Today (October 6, 2015)
- Andrew Griffin, Jamie Merrill, European court rules 'Safe Harbour' treaty that saw Facebook hand over user data to US is invalid, after challenge by student, Independent (October 6, 2015)
- World Wide Web Foundation, Privacy before Profit: European Court of Justice Rules “Safe Harbor” is invalid (October 6, 2015)
- TV Interview with Max Schrems, ORF TVTECH (October 6, 2015)
- Leo Kelion, Facebook data transfers threatened by Safe Harbour ruling , BBC (October 6, 2015)
- European Digital Rights, Safe Harbor: European Court Advocate General says Agreement should be declared invalid (September 23, 2015)
- Mark Scott, European Court Adviser Calls Trans-Atlantic Data-Sharing Pact Insufficient, The New York Times (September 23, 2015)
- Owen Bowcott, Facebook case may force European firms to change data storage practices, The Guardian (September 23, 2015)
- Yves Eudes, Pourquoi l’accord Safe Harbor sur les données personnelles cristallise les tensions, Le Monde (September 25, 2015)
- Patrick Beuth, Facebook braucht eninen Plan B, Die Zeit (September 23, 2015)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,