EPIC - EPIC International Program

EPIC International Program

Important Documents |
Resources |
Media Coverage

EPIC's international work promotes privacy and open government laws and policies globally with a focus on EU-US relations. EPIC pursues international privacy and freedom of information cases and submits amicus briefs before the European Court of Human Rights and other European institutions. EPIC facilitates civil society participation in OECD's work.

Top News

European Commission Proposes Risk-Based AI Regulation, Banning 'Unacceptable' Uses: The European Commission released a long-awaited proposal for how to regulate AI throughout the European Union. The proposed regulation includes a ban on “unacceptable” uses of AI such as general social scoring and “real time remote biometric identification” for law enforcement. The proposal also imposes testing and transparency obligations for "high-risk" uses of AI, including a publicly accessible EU database on stand-alone “high-risk” systems. The proposal requires notice to individuals when they interact with certain types of AI and “conformity” assessments for "high-risk" systems. The prohibitions on unacceptable AI are very limited and many of the strongest provisions are subject to vast exceptions. However, a penalty of up to 4% of annual revenue on companies that violate the regulation is included. EPIC has called for prohibitions on secret scoring, mass surveillance, and facial recognition. EPIC urges legislators to implement the OECD Principles on AI and adopt the Universal Guidelines of AI. (Apr. 22, 2021)
Schrems Files 101 Complaints Targeting US-EU Data Transfers : None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent the European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (Aug. 18, 2020)

More top news

On International Privacy Day, EPIC Urges Congress to Act on Privacy (Jan. 28, 2020) +

On January 28, EPIC celebrates International Privacy Day, which commemorates Council of Europe Convention 108, the first international privacy convention. Today EPIC urged Congress to take three steps to safeguard the personal data of Americans: (1) enact comprehensive baseline legislation, (2) establish a data protection agency, and (3) ratify the International Privacy Convention. EPIC and consumer organizations have long urged the United States to endorse the Privacy Convention, which establishes a global framework for the free flow of personal data. The complete text of the Privacy Convention is in the EPIC Privacy Law Sourcebook, available at the EPIC Bookstore. Follow #DataProtectionDay.

Top European Court to Review National Data Retention Laws (Sep. 9, 2019) +

Today, the Court of Justice for the European Union will hear challenges to the data retention laws of the UK, Belgium, and France. The Court previously invalidated European and national data retention laws that required companies to retain communications data for law enforcement purposes. The Court said the laws were a "particularly serious" interference with the right to privacy. The new challenges, brought by civil society organizations, contend that European national laws fail to comply with the earlier rulings. EPIC recently urged the FCC to repeal a similar regulation that requires the retention of US telephone records, following an earlier petition to the agency. When the FCC docketed the EPIC petition for public comment, every comment received supported an end to the data retention regulation.

EPIC to Discuss US Surveillance before Top European Court (Jul. 8, 2019) +

This week EPIC Senior Counsel Alan Butler will appear before the Court of Justice for the European Union in the case Data Protection Commissioner v. Facebook. The case, known as "Schrems 2.0." follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement and leading to the creation of the "Privacy Shield." The current case considers whether the transfer of personal data to the U.S. using standard contract clauses violates the fundamental rights of Europeans. At issue is Section 702 of the FISA Amendments Act and Executive Order 12333. EPIC's Butler will provide the Court with expert analysis on U.S. surveillance law. EPIC is a party to the case, along with Austrian privacy activist Max Schrems. EPIC also recently filed a brief with the European Court of Human Rights in Big Brother Watch v. UK, arguing that the Human Rights Court should review UK-U.S. intelligence transfers in assessing UK bulk surveillance. That case will be heard July 10th.

EU Receives 95,000 Privacy Complaints, Still No News from US FTC on Facebook Case (Jan. 28, 2019) +

According to the European Commission, recent figures from the European Data Protection Board reveal that EU Data Protection Authorities have received more than 95,000 complaints from citizens across the continent. In a joint statement on International Privacy Day, the Commissioners said "Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work." The European Data Protection Board also reported that the majority of the complaints were related to activities such as telemarketing, promotional e-mails, and video surveillance. In the United States, the Federal Trade Commission announced in March 2018 that it was reopening the Facebook investigation, following news that Cambridge Analytica improperly harvested the personal data of 87 millions users. Still no word from the FTC on how that one case is proceeding.

EPIC Urges Secretary of State to Support International Privacy Convention (Apr. 16, 2018) +

EPIC submitted a statement following the Senate nomination hearing on Mike Pompeo for Secretary of State. EPIC said that the US Secretary of State should uphold privacy as a fundamental human right around the world. The United States Department of State publishes an annual human rights report that covers "internationally recognized individual, civil, political, and worker rights, as set forth in the Universal Declaration of Human Rights and other international agreements." EPIC also said that "international agreements provide the best opportunity to establish data protection standards" and urged the Secretary of State to ratify the International Privacy Convention. Privacy experts and advocates have also called for adoption of the Madrid Privacy Declaration, a comprehensive framework for data protection.

EPIC Amicus: Supreme Court Divided Over Microsoft Stored Communications Case (Feb. 28, 2018) +

This week, the Supreme Court heard arguments in United States v. Microsoft Corps., a case concerning law enforcement access to personal data stored in Ireland. The Court appeared divided during the argument, but both Justice Ginsburg and Justice Alito appeared to agree that Congress and not the Court was better positioned to find a solution. In an amicus brief, EPIC urged the Supreme Court to respect international privacy standards. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority." EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping).

In Supreme Court Brief, EPIC Backs International Privacy Standards (Jan. 18, 2018) +

EPIC has filed an amicus brief in United States v. Microsoft, a case before the US Supreme Court concerning law enforcement access to personal data stored in Ireland. EPIC urged the Supreme Court to respect international privacy standards and not to extend U.S. domestic law to foreign jurisdictions. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC has long supported international standards for privacy protection, and EPIC has urged U.S. ratification of the Council of Europe Privacy Convention. EPIC routinely participates as amicus curiae in privacy cases before the Supreme Court, most recently in Carpenter v. United States (privacy of cellphone data), Byrd v. United States (searches of rental cars), and Dahda v. United States (wiretapping).

European Privacy Experts Call for New Review of EU-US Data Arrangement (Dec. 5, 2017) +

The Article 29 Working Party, a group of European privacy experts, is calling for a reexamination of the Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a new report, the Working Party said that "significant concerns" should be resolved by May 25, 2018 when the GDPR goes into force. If not "the members of WP29 will take appropriate action," including litigation. The Working Party cited the US failure to appoint an Ombudsperson to review complaints, vacancies at the Privacy and Civil Liberties Oversight Board, and continued mass surveillance practices by U.S. intelligence agencies. The report follows an earlier review of the EU-US agreement which found "sufficient" protection of EU personal data to the United States. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice. In a related development, the Working Party also established a task force which will coordinate national investigations of the Uber data breach now underway in Europe.

European Court Holds Camera Surveillance of University Lecture Halls Violates Privacy (Nov. 29, 2017) +

In the case of Antović and Mirković v. Montenegro, the European Court of Human Rights held that camera surveillance in lecture halls at the University of Montenegro's School of Mathematics violated Article 8 of the European Convention on Human Rights (the right to respect one's "private and family life"). The decision follows earlier cases of the Court which recognize privacy rights in the workplace. Some U.S. law schools have deemed all classrooms and meetings rooms as "recordable spaces" and state that voluntary participation therefore constitutes a waiver of legal claims. EPIC has protected the human right to privacy through third-party intervention in the European Court of Human Rights as well as documented the spread of CCTV surveillance technology across American cities. EPIC's Privacy Law Sourcebook provides background on US and international privacy law. The Privacy Law and Society website provides more information about international privacy law.

European Privacy Officials Push for Answers on Status of U.S. Privacy (Jun. 13, 2017) +

The Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a letter to the Commission, the Working Party outlined its expectations for this summer's annual review of the arrangement. The Group asked for "precise evidence" that bulk surveillance is "limited and proportionate." The Article 29 also seeks information about vacancies in key privacy oversight positions, including the Privacy and Civil Liberties Oversight Board and the Privacy Shield Ombudsperson, and any legal protections for "automated decision making." The European Parliament previously expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations urged the US and the EU to strengthen privacy protections following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in DPC v. Facebook, highlighting weaknesses in US privacy law.

European Privacy Officials Back "E-Privacy" Directive Updates (Apr. 12, 2017) +

The Article 29 Working Party, an expert group of European privacy officials, has issued an opinion supporting a key proposal to modernize EU privacy law for electronic communications. The updated e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Working Party welcomed the harmonization of privacy standards across the European Union, but cautioned that the Privacy Directive must offer protections at least as strong as the recently adopted General Data Protection Regulation. EPIC had urged the US Federal Communication Commission to adopt a similar, comprehensive approach to communications privacy. A narrow FCC rule covering only ISPs was recently rescinded by Congress, folding under attacks that it unreasonably singled out a sector of the communications industry.

EPIC in Court: Irish High Court Examines EU-US Data Transfers (Mar. 1, 2017) +

Today EPIC made submissions before the Irish High Court in Data Protection Commissioner v. Facebook, concerning privacy protections for transAtlantic data transfers. EPIC explained that "U.S. privacy law is characterized by particularly narrow conceptions of privacy and personal data, which in turn limit the scope of relevant constitutional, statutory, and regulatory privacy protections." EPIC also stated, "many of the privacy safeguards under U.S. law in fact operate to the exclusion of E.U. citizens" and that the "standing" doctrine is an overarching barrier to legal redress. EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all. [Press Release]

US Designates Countries Covered Under the Judicial Redress Act (Jan. 23, 2017) +

During the final week in office, the Obama Department of Justice released the list of European countries covered under the Judicial Redress Act. The Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU "Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended substantial changes to the Judicial Redress Act, explaining in a letter to Congress that the bill still did not provide adequate protection to permit transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement.

Europe to Update Consumer Privacy Rules (Jan. 10, 2017) +

The European Commission has released its proposal to update EU law on privacy and security safeguards for electronic communications. The revamped e-Privacy Regulation would extend important new safeguards to users of all online communications services, including email, instant messaging, and social media. The proposal would also protect both communications content and metadata, and would limit tracking of internet users. In the US, the FCC recently adopted modest privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's repeated advice to the FCC to address "the full range of communications privacy issues facing US consumers." The Commission's update of the e-Privacy Directive follows the recently adopted General Data Protection Regulation, and must next be adopted by the European Parliament and European Council.

Rep. Sensenbrenner Warns Trump on EU-US Data Flows (Dec. 21, 2016) +

Congressman James Sensenbrenner has sent a letter to President-elect Donald Trump urging him to retain Presidential Policy Directive 28, which governs domestic and foreign signals intelligence activity. The Directive requires the intelligence community to safeguard the personal information of all individuals regardless of nationality. Sensenbrenner noted that PPD 28 also serves as a foundation for the “Privacy Shield,” a framework for commercial data flows between Europe and the United States. EPIC has urged the EU and US to strengthen safeguards for transborder data flows and is currently participating as amicus curiae in a legal challenge to Privacy Shield brought by privacy advocate Max Schrems.

European Court of Justice Holds that Data Retention Laws Violate EU Law (Dec. 21, 2016) +

In a major privacy decision, the Court of Justice of the European Union has ruled that data retention schemes enacted by member states violate EU law. The case involved challenges to data retention laws in Sweden and Britain. The Court of Justice found that subscriber data, which "contain information on the private life of natural persons," "may only be stored to the extent that is necessary for the provision of the service for the purpose of billing and for interconnection payments, and for a limited time." The court further explained that fighting terrorism or crime is not, by itself, justification for indiscriminate, blanket data retention. In 2014, the Court struck down the EU Data Retention Directive, which had required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. EPIC has advocated against mandatory data retention and currently has a petition pending before the FCC to overturn the regulation requiring the retention of phone records of US telephone customers.

European Parliament Explores Algorithmic Transparency (Nov. 7, 2016) +

A hearing today in the European Parliament brought together technologists, ethicists, and policymakers to examine "Algorithmic Accountability and Transparency in the Digital Economy." Recently German Chancellor Angela Merkel spoke against secret algorithms, warning that that there must be more transparency and accountability. EPIC has promoted Algorithmic Transparency for many years and is currently litigating several cases on the front lines of AI, including EPIC v. FAA (drones), Cahen v. Toyota (autonomous vehicles), and algorithms in criminal justice. EPIC has also proposed two amendments to Asimov's Rules of Robotics, requiring autonomous devices to reveal the basis of their decisions and to reveal their actual identity.

Second Legal Challenge Launched Against "Privacy Shield" (Nov. 3, 2016) +

La Quadrature du Net, a French privacy organization, has launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar challenge brought by the Irish group Digital Rights Ireland. "Privacy Shield" was the response of EU and US politicians after the European Court of Justice determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a comprehensive framework for data protection and said that Privacy Shield was not adequate. EPIC also testified before Congress on the need to update US privacy law. EPIC is currently participating as amicus curiae in related case brought by privacy advocate Max Schrems.

Privacy Advocates Challenge EU-US Data Transfer Agreement (Oct. 27, 2016) +

An Irish privacy organization is challenging the EU-US framework for transferring personal data, the "Privacy Shield," in the European high court. This challenge follows a decision last year invalidating the previous framework, "Safe Harbor." In that case, the Court of Justice for the European Union concluded Personal data transferred to the United States lacks adequate legal protection. EPIC is participating as amicus curiae in a related case brought by privacy advocate Max Schrems. EPIC also recently submitted a brief to the European Court of Human Rights in a challenge to UK surveillance.

European Data Protection Supervisor Calls for Stronger Protections for Electronic Communications (Jul. 27, 2016) +

The top European data protection official, the European Data Protection Supervisor, has called for strong privacy protections in the "ePrivacy Directive", an updated framework to safeguard personal information. "The scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of network or service used." The Data Protection Supervisor also said the legislation should "allow users to use end-to- end encryption without back doors". NGOs and data protection officials have also called for the reform of the European legislation after the adoption of the General Data Protection Regulation. EPIC has urged the FCC to establish a comprehensive framework for communications privacy, noting the work now underway in Europe to update privacy laws.

Irish Court Approves EPIC as Amicus in Schrems Case (Jul. 19, 2016) +

The Irish High Court has accepted EPIC's application to participate in a case about data protection rights and Facebook's contractual clauses. The case follows Max Schrems' complaint to the Irish Data Protection Commissioner after the European Court of Justice's decision to strike down the Safe Harbor arrangement. EPIC will provide the Irish Court, and perhaps also the Court of Justice, expert opinion on U.S. surveillance law. EPIC recently joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.

EPIC's Rotenberg Outlines Need for International Privacy Framework (Jun. 17, 2016) +

Speaking at the Council of Europe in Strasbourg, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention. Rotenberg said it was "unlikely that the Privacy Shield will survive another trip to Luxembourg." The Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from European consumer groups, NGOs, privacy officials, and the EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts endorsed the Council of Europe Privacy Convention. In 2010 members of the EPIC Advisory Board urged then Secretary of State Hilary Clinton to seek US ratification of the Privacy Convention.

Top European Privacy Official Rejects EU-US "Privacy Shield" (May. 31, 2016) +

The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He called for changes in the draft arrangement to permit data transfers to the United States. "Significant improvements are needed," said Giovanni Buttarelli. The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection.

European Parliament Requires Changes to Privacy Shield (May. 26, 2016) +

The European Parliament called for changes in the draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement" privacy recommendations and negotiate further changes to the "Privacy Shield." The European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week. EPIC and other consumer and privacy organizations have said that the Privacy Shield fails to provide adequate safeguards for consumers.

Top EU Legal Advisor Says IP Addresses are PII (May. 12, 2016) +

The Advocate General, top advisor to the European Court of Justice, has issued an opinion today about Internet anonymity. He found that dynamic IP addresses are personal data subject to data protection law. The opinion concerns the case of German pirate party politician and privacy activist Patrick Breyer who is suing the German government over logging visits to government websites. "Generation Internet has a right to access information on-line just as unmonitored and without inhibition as our parents read the paper," says Breyer. The opinion is not legally binding but "is usually a good indication of how the court will eventually rule". EPIC has supported Internet anonymity since the 1990s and brought a similar challenge to the US government tracking of users of government website.

European Parliament Adopts Comprehensive Data Protection Regulation (Apr. 14, 2016) +

The European Parliament finalized a historic reform of EU data protection legislation, which will have legal force in July 2018. "The new General Data Protection Regulation will enable people to regain control of their personal data in the digital age," said Parliament Member Jan Philipp Albrecht. The rules include data breach notification, coordinated enforcement, enhanced penalties, strengthened consent, and new measures to promote privacy innovation. EPIC and EU and US consumer groups have supported the European law, stating that it provides "important new protections for the privacy and security of consumers."

EU Officials Call for Changes in Privacy Agreement (Apr. 13, 2016) +

European privacy officials announced today that there must be changes in the draft proposal for EU-US data transfers. The Article 29 Working Party has "strong concerns" that the current text fails to provide adequate protection against commercial misuse and bulk surveillance. The Working Party cited the complexity of the redress mechanism, the lack of independence of the ombudsman, as well as the broad uses of personal data that would be permitted under the agreement. Privacy and consumer organizations have urged the EU to oppose the Privacy Shield proposal.

TACD Opposes "Privacy Shield," Urges Rejection by EU (Apr. 7, 2016) +

The Transatlantic Consumer Dialogue has urged the European Commission to reject the "Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a coalition of NGOs have urged the US to adopt a robust data protection law and end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.

EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield' on End of 702 Surveillance (Mar. 17, 2016) +

Speaking before the European Parliament on "Privacy Shield," Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision.

NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection (Mar. 16, 2016) +

More than twenty civil society groups has urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs state that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups said the US must make changes in domestic laws and international commitments to comply with the decision and permit transfers of personal data. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US.

"Privacy Shield" Released, New Questions Raised (Feb. 29, 2016) +

The text of the "Privacy Shield" was released today by European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the Schrems case. But the framework appears to provide less protection than the Safe Harbor arrangement it replaces. New exceptions take broad categories of personal data entirely outside the scope of the agreement. Max Schrems said "this is far from what the Court required and does not seem like a stable solution." Privacy experts will now assess the text and determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have urged the US to update its privacy laws.

European Commission Wrongly Denies EPIC's Request For "Privacy Shield" (Feb. 26, 2016) +

The European Commission has wrongly denied EPIC's Freedom of Information request for the text of the "Privacy Shield." The Commission said the adequacy decision about Safe Harbor is "in preparation" and "negotiations with the U.S. are still ongoing." The Commission confused the text of the political agreement, known as "the Privacy Shield," with a legal determination about whether the agreement meets EU data protection law. EPIC will pursue public release of the Privacy Shield, which was previously announced, and then the release of the adequacy determination when it is final. EU and US Consumer and privacy organizations have opposed the agreement because it fails to provide adequate privacy protections.

"Judicial Redress Act" Provides Little Redress (Feb. 12, 2016) +

The Judicial Redress Act of 2015, enacted by Congress and now on to the President for signature, fails to extend Privacy Act protections to non-U.S. citizens. EPIC previously recommended changes to protect transborder data flows. The bill, as adopted, coerces European countries to transfer data to the US, even without adequate protection, or be denied legal rights. Congress adopted the narrow amendment to the Privacy Act without any changes to benefit U.S. citizens even after a data breach compromised 21.5 records maintained by the Office of Personnel Management. EPIC explained that the OPM breach made clear the need for updates to the federal privacy law.

Department of Commerce: Privacy Shield "does not exist" (Feb. 10, 2016) +

As a response to EPIC's Freedom of Information request for the "Privacy Shield," the Commerce Department responded that "the record you requested does not exist." EU and US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577.

Hackers Breach US Government Database, No Recourse for Non-Americans (Feb. 9, 2016) +

Less than a week after the European and US governments struck a deal for a framework to permit transborder data flows of personal data, hackers breached sensitive personal data at the US Department of Homeland Security. The DHS stores vast amounts of personal information on non-US persons, including detailed travel information. Under current law, non-US persons have no legal rights when federal agencies fail to safeguard their personal data. EPIC is seeking release of the so-called "Privacy Shield" and has launched a new campaign to promote Data Protection in the United States.

EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement (Feb. 4, 2016) +

EPIC has filed emergency Freedom of Information requests with the US and the EU for release of a secret agreement for the transfer of personal data across the Atlantic. A new framework was required by a recent decision of the European Court of Justice. But European and American consumer organizations say the "Privacy Shield" does not provide adequate protection for the transfer of personal data. EPIC stated, “The public has a right to know whether this agreement provides adequate legal protection.” EPIC previously obtained the secret EU-US Umbrella Agreement in FOIA litigation.

Privacy Commissioners to Review "Privacy Shield" (Feb. 3, 2016) +

The Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the "Privacy Shield" proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a "necessary and proportionate" standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve "wider concerns raised by the Schrems judgement."

Anticipating Annulment, EU-US Negotiators Sign Off on "Privacy Shield" (Feb. 2, 2016) +

Disregarding a decision of the European Court of Justice, negotiators for the US Commerce Dept., the FTC, and the European Commission have agreed to allow the continued transfer of consumer data without adequate legal protection. A virtually identical arrangement was recently struck down by the Court in the Schrems case as a violation of multiple rights of Europeans, including rights to privacy, data protection, and effective redress. Consumers in the US have also expressed concern about rising levels of data breach, identity theft, and financial fraud. EPIC and many EU and US consumer organizations urged negotiators to establish strong safeguards for the transfer of personal data.

Schrems Responds to US Lobby Groups on Safe Harbor (Jan. 29, 2016) +

In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that "attempts by lobby groups and the US government to 'reinterpret' or 'overturn the clear judgement of the Union's highest court are fundamentally flawed." Schrems brought the successful case to the European Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide "protection against government surveillance and "essentially equivalent" protection against the commercial use of data by certified companies." Max Schrems received the 2013 EPIC Champion of Freedom Award.

"Clock is ticking" on Safe Harbor, says European Consumer Organization (Jan. 29, 2016) +

BEUC, the consumer organization of the European Union, has urged European policy makers to accept a revised Safe Harbor arrangement only if it complies with the Schrems decision and "guarantees that EU citizens' fundamental rights are upheld when their data is exported to the United States." Last year, 40 consumer privacy organizations in Europe and the United States urged US Secretary Pritzker and EU Commissioner Jourova to take specific steps to close the widening EU-US data divide. Secretary Pritzker has been unwilling to meet with consumer organizations.

EPIC Celebrates International Privacy Day (Jan. 28, 2016) +

EPIC celebrates January 28, International Privacy Day, which commemorates the signing of Convention 108, on January 28, 1981. The Privacy Convention was the first binding international treaty for privacy and data protection. EPIC and consumer organizations have called on the United States to ratify Convention 108. NGOs and Privacy experts have also expressed support for the Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions.

U.S. Law Firm Argues U.S. Privacy Law "Essentially Equivalent" (Jan. 27, 2016) +

A recent report from a U.S. law firm concludes that the United States offers essentially equivalent privacy protection to Europe. The report also finds that "This body of laws ensures that government access to data for law-enforcement and intelligence purposes is limited to what is necessary and proportionate." Of course, all travel records of Europeans are routinely transferred to the U.S. Department of Homeland Security without any legal protection. Under Section 702 of the Patriot Act, the US government routinely obtains vast amounts of personal data on non-US persons, including communications logs and website activity. Executive Order 12333 provides even broader surveillance authorities.

EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement (Jan. 25, 2016) +

After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's opposition to the agency's attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.

EPIC Seeks to Intervene in Privacy Case Before European Court of Human Rights (Jan. 22, 2016) +

EPIC has asked the European Court of Human Rights for permission to submit an amicus brief in a case concerning mass surveillance. Ten international human rights NGOs brought the case to challenge UK surveillance laws and practices. The case concerns Tempora, PRISM, and Upstream programs, and the interception of communications by UK intelligence services and the National Security Agency. EPIC proposes to assist the Court in understanding U.S. surveillance law, and to provide relevant information EPIC has obtained through freedom of information litigation. EPIC routinely files amicus briefs in cases concerning emerging privacy and civil liberties issues.

EPIC Urges Senate to Postpone Action on Judicial Redress Act (Jan. 16, 2016) +

Today EPIC urged the Senate Judiciary Committee to postpone action on the Judicial Redress Act until the Department of Justice releases a secret data transfer agreement on which the bill is based. The so-called Umbrella Agreement outlines data transfers between law enforcement agencies in Europe and the United States. EPIC has sued the DOJ for release of the document. EPIC also urged the Senate Committee to conduct a public hearing on Privacy Act modernization following the massive data breach at the office of Personnel and Management.EPIC previously wrote to the House Judiciary Committee to recommend updates to the Privacy Act.

EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit (Jan. 6, 2016) +

In its fight to obtain a copy of the EU-US Umbrella Agreement, EPIC asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC's complaint, the court entered default against the agency. The Agreement is central to pending legislation, which the Senate Judiciary Committee is set to debate this month yet the DOJ has not made the document available to the public or to Members of Congress.

European Institutions Conclude Data Protection Reform (Dec. 15, 2015) +

The EU Commission, Parliament and Council reached an agreement on a comprehensive new privacy law after four years of negotiation. The General Data Protection Regulation establishes common privacy rules across Europe and creates strong enforcement power. The law will be fully applicable in about two years. The new law is a "major step forward for consumer protection and competition," said Jan Philip Albrecht. Sophie In’t Veld said, "The EU will now have the most extensive data protection laws in the world and will set global standards." EPIC, and many consumer privacy organization have urged the US to modernize domestic privacy law. EPIC President Marc Rotenberg told USA Today, "The U.S. will need to update privacy laws to safeguard U.S. consumers and maintain trade relations with Europe."

Senate Postpones Action on Weak EU-US Privacy Measure (Dec. 12, 2015) +

The Senate Judiciary Committee has "held over" the Judicial Redress Act, industry-sponsored legislation regarding the transfer of personal data on Europeans to the United States. European legal experts have stated that the measure does not provide meaningful protections for the data of Europeans. Forty NGOS have recommended substantial changes to privacy law in the US and the EU to make possible the continuation of transborder data flows. EPIC has also recommended specific changes to the Judicial Redress Act. European data protection agencies are expected to begin enforcement actions against US companies after January 30, 2016. According to Govtrack, the Judicial Redress Act has a "1% chance of being enacted."

EPIC Celebrates Human Rights Day (Dec. 10, 2015) +

On December 10, EPIC celebrates international Human Rights Day. On December 10, 1948, the United Nations adopted the Universal Declaration of Human Rights. The Declaration sets out civil, political, cultural, economic, and social rights. EPIC pursues the global recognition of privacy, a fundamental right set out in Article 12 of the Universal Declaration. Follow @EPICPrivacy on Twitter! #HumanRightsDay

Austrian Supreme Court to Consider Schrems' Case against Facebook (Dec. 4, 2015) +

The Austrian Supreme Court will decide if the Schrems case against Facebook can be brought as a class action. "The 'class action' is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook," says Schrems. EPIC frequently works to protect the interests of Internet users in facing common violations of privacy rights.

Schrems Pursues Legal actions to Block Data Transfers to the US (Dec. 2, 2015) +

EU Privacy Advocate Max Schrems made new legal moves following the judgment of the European Court of Justice that struck down the Safe Harbor data transfer pact. He filed complaints with data protection officials in Ireland, Germany and Belgium to to block Facebook data transfers to the United States. Schrems says he wants to "ensure that this very crucial judgment is also enforced in practice when it comes to the US companies that are involved in US mass surveillance." NGOs in the Europe and the United Stated have urged governments to update domestic privacy laws and strengthen international commitments to enable the continued transfer of data between the EU and the US.

NGOs Reject "Safe Harbor 2.0," Urge EU and US to Protect Fundamental Rights (Nov. 12, 2015) +

Leading human rights and consumer organizations have issued a letter to urge the US and the EU to protect the fundamental right to privacy. After the Schrems decision the parties are now renegotiating the invalidated Safe Harbor arrangement. The groups warned that without significant changes to "domestic law" and "international commitments," a Safe Harbor 2.0 will almost certainly fail. NGO leaders call for a comprehensive privacy framework in the US, commitment to strong encryption and ending mass surveillance on both sides of the Atlantic.

European Commission Issues Guidance on Data Transfers Post-Schrems (Nov. 6, 2015) +

The European Commission has published guidelines for EU-US data transfer after the invalidation of the Safe Harbor framework. The Commission explained that the Safe Harbor case "underlined the importance of fundamental right to data protection." The Commission also emphasized the ongoing role of the independent data protection agencies and the Article 29 Working Party. Negotiators are attempting to create a revised arrangement. NGOs have said that fundamental rights must be protected in all data transfers. In testimony before Congress, EPIC recommended several updates to US privacy law. EPIC's Marc Rotenberg said "these changes will benefit consumers and businesses on both sides of the Atlantic."

EPIC Sues for Release of Secret EU-US "Umbrella Agreement" (Nov. 4, 2015) +

EPIC has sued the Department of Justice to obtain a secret agreement between the United States and the European Union concerning the transfer of personal information. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret even as Congress was voting on provisions to implement the text. "The DOJ has withheld from the public the text of an Agreement that is central to legislation currently pending before Congress and critical to a related negotiation between the United States and the European Union that implicates the fundamental rights of Americans and Europeans" wrote EPIC in the FOIA lawsuit.

EPIC to Call For Comprehensive Overhaul of U.S. Privacy Law (Nov. 2, 2015) +

In testimony before the US Congress, EPIC's Marc Rotenberg is expected to say that the recent decision of the European Court confirmed what everyone already knows, US privacy law is not adequate. "Our country suffers from an epidemic of data breaches and identity theft. And all the data indicates these problems are getting worse." EPIC, consumer allies, and privacy experts are urging the Congress to enact the Consumer Privacy Bill of Rights, modernize the Privacy Act, create an independent privacy agency, and ratify the International Privacy Convention. "These changes will benefit consumers and businesses on both sides of the Atlantic."

Civil Society Leaders in Amsterdam Issue Declaration on Fundamental Rights (Oct. 28, 2015) +

Leading digital rights and consumer privacy organizations meeting in Amsterdam have issued a declaration "Fundamental Rights are Fundamental." Calling attention to the recent success of Max Schrems and the failure of self-regulation, the organizations said the "Bridges" report is "remarkably out of touch with the current legal reality and what we need to do to address it." The NGO leaders also criticized the organizers of the Amsterdam conference for "the failure to engage" many new challenges to data protection, including "Big Data" and drone surveillance. Privacy campaigner Simon Davies wrote, "There has never been a moment in history when the privacy regulator community needs to do more to restore trust and relevance. Instead, this week signals a new low in that trust."

After FOI Request, EPIC Obtains Secret "Umbrella Agreement" from the EU Commission (Oct. 23, 2015) +

The EU Commission, in response to a freedom of information request, has released to EPIC the text of the EU-US data transfer agreement. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret. EPIC has filed multiple FOIA requests with US federal agencies and the European Commission to obtain public release of the document. The Agreement, alongside the Judicial Redress Act, is a key document in the aftermath of the European court decision striking down the Safe Harbor arrangement. Legal scholars who have reviewed the agreement have concluded it is deeply flawed. EPIC continues to pursue the public release of the Agreement from US federal agencies.

House Passes Faux Privacy Bill (Oct. 21, 2015) +

The House of Representatives has passed the Judicial Redress Act of 2015, which—contrary to its stated purpose—fails to extend Privacy Act protections to non-U.S. citizens. In a letter to Congress, EPIC explained that the bill does not provide adequate protection to permit transborder data flows and recommended changes to ensure protections for all personal information collected by U.S. federal agencies. Congress moved to advance the bill after announcement of the recently concluded but secret EU-US "Umbrella Agreement". EPIC submitted a Freedom of Information request for the Umbrella agreement, and recently filed an administrative appeal challenging the agency's denial of expedited processing.

Case Against Facebook Moves Forward in Ireland (Oct. 20, 2015) +

Following the ruling that invalidated the Safe Harbor arrangement, the Irish High Court has declared that the Irish Data Protection Commissioner is "obliged to investigate" Max Schrems' complaint and must follow "fair procedures under Irish and EU law." The Commissioner pledged a "quick and swift procedure." Facebook's last minute motion to join the procedure was denied. "The Schrems case underscores the need for the U.S. to strengthen its right to privacy," EPIC's Marc Rotenberg told the Washington Post.

European Data Protection Authorities Conclude Data Transfers under Safe Harbor Now Unlawful (Oct. 17, 2015) +

Following the landmark ruling that invalidated the Safe Harbor data transfer arrangement, the Article 29 Working Party, composed of privacy officials across Europe, issued a preliminary statement. They called for solutions "enabling data transfers to the territory of the United States that respect fundamental rights." They concluded that "transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful." Also, Standard Contractual Clauses and Binding Corporate Rules will not provide an adequate basis. EPIC, US and European consumer organizations have urged lawmakers in the United States to update US privacy law.

European Court Strikes Down "Safe Harbor," Focus Shifts to Adequacy of US Privacy Laws (Oct. 6, 2015) +

In a stunning decision, the European Court of Justice today ruled that the transatlantic "Safe Harbor" data pact is invalid. Consumer organizations and civil liberties groups in Europe and the United States applauded the outcome. Safe Harbor had been widely criticized for failing to provide adequate data protection for users of Internet-based services. The European Parliament earlier recommended against renewal of Safe Harbor. Max Schrems, the Austrian law student who brought the case, praised the judgement and said the "solution will very likely require severe changes in US law" not "just an update to the current 'safe harbor' system." @maxschrems @EUCourtPress

EPIC Expresses Support for Advocate General Opinion in Schrems Case (Sep. 28, 2015) +

In a statement issued today, EPIC supported a recent opinion of the Advocate General of the Court of Justice of the European Union which found that the Safe Harbor Arrangement was invalid. Safe Harbor has operated for several years as a substitute for the legal protections that would otherwise be required for the transfer of personal data across national borders. EPIC said that Safe Harbor has "given rise to significant concerns on both sides of the Atlantic about the adequacy of the privacy and security afforded personal information." Earlier today the US Mission issued a statement calling into question the opinion of the Advocate General. The Mission stated that the PRISM program, operating in conjunction with Safe Harbor and involving the mass surveillance of EU citizens, is "duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations."

Decision by EU Legal Advisor Signals End of "Safe Harbor" (Sep. 23, 2015) +

An opinion by the top advisor for Court of Justice of the European Union indicates that the "Safe Harbor" arrangement, which permits the transfer of personal data to the US without legal protection, will come to an end. Under Safe Harbor, US companies self-certify compliance with EU data protection law. But the Advocate General has found the arrangement fails to protect privacy and should be declared invalid. Max Schrems, who initiated the case in Ireland, stated "This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies." The European Digital Rights Initiative also supported the decision. EPIC has recommended that the US update the Privacy Act to protect EU citizens and ratify the international convention for privacy protection.

Google Ordered to Comply with Ruling of European High Court (Sep. 21, 2015) +

The French Data Protection Authority, the "CNIL," has ordered Google to comply with the judgement of the Court of Justice of the European Union concerning the "Right to be Forgotten." The CNIL rejected Google's proposal to remove only a few links to the personal information it publicized widely around the world. The President of the CNIL said the decision "simply requests full observance of European legislation by non European players offering their services in Europe." EPIC has previously explained that the right to privacy is global and that the position of Google, as an operator of search engines around the world, does not make sense.

New Report Highlights Consumer Goals for EU Privacy Law (Sep. 17, 2015) +

BEUC, The European Consumer Organization, has published "My Personal Data", outlining key requirements for negotiations in Europe on the General Data Protection Regulations. BEUC underscored "the urgent need to put consumers back in control over the way their personal data is processed online." The BEUC report emphasized strong data protection principles, enhanced rights for individuals, and a comprehensive enforcement scheme. EU negotiations involve a "trilogue" of the European Parliament, the Council, and the Commission, with the EU Data Supervisor also playing an active role. In the U.S., EPIC supports the Consumer Privacy Bill of Rights and organized a coalition of consumer privacy groups to urge President Obama to enact the privacy framework into law.

European Privacy Supervisor Proposes Ethics Board (Sep. 12, 2015) +

The European Data Protection Supervisor will establish a new Ethics Board and has urged exploration of the "ethical dimension in future technologies to retain the value of human dignity and prevent individuals being reduced to mere data subjects." The recommendation follows the EDPS 2015-2019 Action Plan, announced earlier this year. EPIC has previously noted that computer scientists were among the first to establish ethical obligations for the development and use of new information technologies.

EU and US Reach Agreement on Data Protection for Investigations (Sep. 9, 2015) +

US officials have concluded an agreement with their European counterparts on data protection for transatlantic criminal investigations. The EU Justice Commissioner stated "Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic." The US Congress must next pass the Judicial Redress Act for the "Umbrella Agreement" to take effect. EPIC has previously urged US ratification of Council of Europe Convention 108, "the most widely known international framework for privacy protection."

Top EU Officials Calls Privacy Reform "Europe's Big Opportunity" (Jul. 27, 2015) +

Giovanni Buttarelli, the European Data Protection Supervisor, has announced "Recommendations on the EU's Options for Data Protection Reform." The Opinion sets out an assessment and recommendation for the new European Union privacy law. EU and US NGOs, including EPIC, have urged the adoption of strong safeguards. In response, the President of the European Commission stated recently that "proposed data protection rules will not drop below the level" of current law.

France Tells Google Apply Right to Be Forgotten Worldwide or Face Fines (Jun. 12, 2015) +

French authorities have threatened Google with fines if it fails to apply Europe's right to be forgotten ruling to the search engine's global domains, including Google.com. Google has been reluctant to apply the landmark decision broadly, even after officials across Europe made clear that Google is violating the court judgement if it routinely discloses sensitive personal information to Internet users worldwide. EPIC explained in US News & World Report and USA Today that Google's position is illogical and inconsistent. According to a recent survey, nine out of ten voters in the United States want the right to delete links to personal information.

EU NGOs Push for Strong Data Protection Legislation (Jun. 9, 2015) +

Following a meeting with EU NGOs, the European Data Protection Supervisor expressed support for a high level of data protection in the General Data Protection Regulation, In April, EPIC and a coalition of over sixty NGOs from around the world urged European Commissioner President Juncker to uphold robust data protection standards as the European Union considers the new Regulation. The European Commission previously promised that the Data Protection Regulation would be at least as strong as the 1995 Data Directive it replaces.

European Court of Justice Hears Case Challenging "Safe Harbor" Agreement and NSA Spying (Mar. 24, 2015) +

The Court of Justice for the European Union heard arguments this week in Maximilian Schrems v. Data Protection Commissioner, a case filed in Ireland following the revelations of the NSA PRISM program. At issue is whether the disclosure of EU citizens' data by Facebook and other Internet companies to the NSA violates the EU Charter of Fundamental Rights, and whether the EU-US "Safe Harbor" agreement provides "adequate" data protection. A decision is likely later this year. Schrems is the recipient of the 2013 EPIC International Privacy Champion Award.

EU Officials: Court Ruling on "Right to be Forgotten" Applies Worldwide (Dec. 1, 2014) +

Privacy regulators in the European Union have issued guidelines calling for the recent "Right to be Forgotten" ruling to apply worldwide. In May, the European Union Court of Justice ruled that a European Union citizen can ask search engines to remove links in search results based on the citizen's name. However, Google chose to remove the links for only certain domains, leaving the private information subject to the ruling accessible to most users. The new report makes clear that the ruling should apply across all search engine services. The EU officials explain, "limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling." For more information, see Fact Sheet on the Right to Be Forgotten, EPIC: Right to Be Forgotten, EPIC: International Privacy Law, EPIC: Expungement.

European Privacy Groups Boycott Google Roadshow (Nov. 5, 2014) +

Leading European privacy organizations have turned down invitations from Google to participate in a series of events organized by the Internet giant, designed to raise questions about a decision of the European Court of Justice regarding the right to privacy. The European Consumer Organization (BEUC), the European Digital Rights Initiative (EDRi), and Privacy International are among several of the groups that are not participating in the Google meetings. EU policymakers have also challenged the company for attacking a judicial decision of the high court of the European Union, describing the tour as a "publicity stunt." For more information, see Fact Sheet on the Right to Be Forgotten, EPIC: Right to Be Forgotten, EPIC: International Privacy Law, EPIC: Expungement, and Rotenberg, "EU Court Strikes Blow for Privacy" (USA Today).

Japan Adopts "Right to Be Forgotten" (Oct. 14, 2014) +

A Japanese court has ordered Google to delete about half of the search result for a man linked to a crime he didn't commit. Judge Nobuyuki Seki of the Tokyo District Court said that the search results "infringe personal rights," and had harmed the plaintiff. A recent poll also found that 61 percent of Americans favor the EU Court of Justice decision regarding the right to be forgotten. And Canada is now debating the establishment of a similar legal right. For more information, see EPIC: Right to Be Forgotten, EPIC: Public Opinions and Privacy, and EPIC: Expungement.

Privacy Panel Backs PRISM Program (Jul. 3, 2014) +

In a surprising report, the US Privacy and Civil Liberties Oversight Board has endorsed the US government's routine collection of the Internet activities of non-US persons, broadly referred to as the "PRISM Program." The NSA obtains this information from Internet companies located in the United States. The Board cited the value of the program and compliance with the law, but said little about the impact on non-US persons. EPIC opposed a similar program concerning the collection of domestic telephone records in a petition to the US Supreme Court last year. EPIC has also said that the collection of communications by the US should be subject to international privacy law, such as the International Covenant on Civil and Political Rights. It is anticipated that foreign countries will continue to transfer cloud-based services away from US firms because of the lax privacy safeguards in the United States. For more information, see EPIC: In re EPIC and EPIC: International Privacy Standards.

EU Progress on Data Protection (Jun. 9, 2014) +

Speaking in Luxembourg this week, EU Commissioner Viviane Reding said that the EU Council moved forward two key data protection goals in 2014. First, there is "agreement on the rules that govern data transfers to third countries." Second, "Ministers agreed on the territorial scope of the data protection regulation. In simple words: EU data protection law will apply to non-European companies if they do business on our territory." Ms. Reding said the EU is on track to ensure "the completion of the Digital Single Market by 2015. For more information, see EPIC - EU Data Protection Directive, EPIC - Council of Europe Privacy Convention and EPIC - "23 US NGOs Support EU Data Protection Regulation."

European High Court Strikes Down Data Retention Law (Apr. 8, 2014) +

In a far-reaching and dramatic opinion, the European Court of Justice has ruled that the mass storage of telecommunications data violates the fundamental right to privacy and is illegal. The Data Retention Directive required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. According to the Court, the Directive imposed "a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary." The Court found that the collection of metadata constitutes the processing of personal data and must therefore comply with Article 8 of the Charter of Rights. The Court also said to find a privacy violation, "it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. For more information, see EPIC - Data Retention, In re EPIC.

"I will reform our surveillance programs," President Obama Tells Nation (Jan. 29, 2014) +

Stating that "America must move off a permanent war footing," President Obama announced (video) at the State of the Union that "working with this Congress, I will reform our surveillance programs." (50:30) The President continued, (text) "because the vital work of intelligence community depends on public confidence, here and abroad, that the privacy of ordinary people is not being violated." Citing the need to close the prison in Guantanamo, the President also said "we counter terrorism not just through intelligence and military action but by remaining true to our constitutional ideals and setting an example for the rest of the world." EPIC and other consumer privacy organizations have urged the President to move forward the Consumer Privacy Bill of Rights and to support the International Privacy Convention.

EPIC Gives 2014 International Award to European Parliament Member Jan Albrecht (Jan. 27, 2014) +

EPIC has given the 2014 International Champion of Freedom Award to European Parliament Member Jan Philipp Albrecht for "modernizing and defending the law of data protection." As a rapporteur for the Committee on Civl Liberties, Justice and Home Affairs, Albrecht has led the effort in the European Parliament to update European privacy law. He is also an outspoken defender of privacy rights and has promoted the investigation of the NSA program of mass surveillance. Albrecht received the award from EPIC at the annual Computers, Privacy, and Data Protection conference in Brussels. Previous award recipients include privacy activist Max Schrems, Canadian Privacy Commissioner Jennifer Stoddart, European Parliamentarian Sophie In't Veld, Australian Jurist Michael Kirby, and Constitutional Law Scholar Stefano Rodotà. The award is given by EPIC annually in recognition of January 28, International Privacy Day.

European Parliament Committee Approves Comprehensive Privacy Law (Oct. 21, 2013) +

The civil liberties committee of the European Parliament has voted to approve the EU Data Protection Regulation. Before voting, members of the committee inserted stronger safeguards for data transfers to non-EU countries, an explicit consent requirement, a right to erasure, and larger fines for noncomplying businesses. The regulation is a comprehensive update of the 1995 EU Data Protection Directive that sets out new enforcement powers for privacy agencies. In 2012 and 2013, over twenty US consumer, privacy, and civil liberties groups sent letters to the European Parliament in support of the new data protection law. Until the U.S. passes comprehensive privacy legislation, the groups wrote, "the European Union offers the best prospect for the protection of Internet users around the globe." EPIC spoke recently before the European Parliament in support of the initiative. For more information, see EPIC: EU Data Protection Directive.

EPIC's Rotenberg Addresses European Parliament (Oct. 3, 2013) +

EPIC President Marc Rotenberg addressed the European Parliament on the issue of The Electronic Mass Surveillance of EU Citizens. The Committee on Civil Liberties, Justice, and Home Affairs has convened a series of hearings to examine reports of the monitoring and surveillance of Europeans. Mr. Rotenberg explained that there is now a vigorous debate in the United States and that there would be some changes to the Foreign Intelligence Surveillance Act concerning surveillance within the United States. But he also warned that US lawmakers were unlikely to make changes that respond to the concerns of European citizens. He urged EU lawmakers to suspend trade negotiations with the US pending an adequate resolution of the surveillance inquiry. He also suggested a review of the PNR and SWIFT data transfer arrangements, which lack Privacy Act safeguards. Finally, Mr. Rotenberg recommended the adoption of an international framework for privacy protection.

OECD Releases Updated Privacy Guidelines (Sep. 15, 2013) +

The Organization for Economic Cooperation and Development has released the 2013 revisions to its privacy guidelines. The revisions build from the original guidelines, developed in 1980, and retain the core set of Fair Information Practices while updating the framework to address new challenges, such as national implementation and cross-border enforcement. The OECD explains that the revisions aim to "focus on the practical implementation of privacy protection" and to "address the global dimension of privacy through improved interoperability." EPIC Executive Director Marc Rotenberg, a member of the expert review group, has said that “the OECD Privacy Guidelines are the most influential international framework for privacy ever established.” For more information, see EPIC: International Privacy Standards.

EPIC Supports International Principles for Privacy Protection (Jul. 31, 2013) +

EPIC has joined with leading human rights organizations and privacy experts in support of the "International Principles on the Application of Human Rights to Communications Surveillance." The Principles were adopted in response to growing concern about the surveillance of Internet communications by governments and private companies. Among the key principles in the framework document are Necessity, Adequacy, Proportionality, Competent Judicial Authority, Due Process, User Notification, Transparency, Public Oversight, and Safeguards Against Illegitimate Access.

European Parliament to Investigate US NSA Surveillance Programs and impact on EU Citizens' Privacy (Jul. 5, 2013) +

The European Parliament has voted overwhelmingly (483 to 98, with 65 abstentions) to investigate "PRISM" and other surveillance programs of the US National Security Agency. (Press release.) The investigation with be undertaken by the influential Committee on Civil Liberties, Justice, and Home Affairs ("LIBE"). Members of Parliament also urged European representatives to reexamine current arrangements that allow the transfer of banking and travel data from EU countries to the United States. The resolution was adopted as the European Union is considering a new trade deal with the United States and a proposal to strengthen privacy protections is pending. EPIC has appeared several times before the European Parliament to urge the adoption of a comprehensive privacy framework to safeguard the transatlantic transfer of personal information. For more information, see EPIC - EU Data Protection Directive, and Madrid Privacy Declaration.

European Commissioner Asks Attorney General to Explain US Spying (Jun. 13, 2013) +

European Justice Commissioner Viviane Reding has demanded that U.S. Attorney General Eric Holder explain the scope of US data collection about EU citizens. "Direct access of US law enforcement to the data of EU citizens on servers of US companies should be excluded unless in clearly defined, exceptional and judicially reviewable situations," the Commissioner wrote. The Commissioner's request is similar to that made by other European officials, such as German Justice Minister Sabine Leutheusser-Schnarrenberger, who also stated that "all facts must be put on the table." Recent reports indicate that United States lobbied the European Commission to weaken a comprehensive data protection law now pending in the European Parliament. Earlier this year, EPIC joined a coalition of leading US consumer and civil liberties organizations that expressed concern about the role of US officials in the development of European privacy law. The letter stated that "without exception," members of the European Parliament reported that the US government was "mounting an unprecedented lobbying campaign to limit the protections that European law would provide." For more information, see EPIC: EU Data Protection Regulation.

EU Citizens Launch "Naked Citizen Campaign" to Safeguard Privacy (May. 8, 2013) +

Objecting to business efforts to block updates to European Union data protection laws, a coalition of European Internet rights, freedom and privacy organizations have launched the Naked Citizen campaign. The organizations stated, "The campaign is a response to the unprecedented lobbying from tech companies, the US Government and the advertising industry. They are all trying to weaken the Regulation and make it easier for companies to use personal information in opaque, unaccountable ways." The groups published a new report -- "Don't let corporation strip citizens of their right to privacy" -- which describes the need to adopt stronger data protection rights. US consumer organizations have expressed support for the effort to modernize European Union privacy law. EPIC also supports US ratification of the Council of Europe Privacy Convention. For more information, see EPIC - EU Data Protection Directive and EPIC - Council of Europe Privacy Convention.

US NGOs Urge US Government To Support EU Privacy Proposals (Feb. 5, 2013) +

EPIC has joined a coalition of leading US consumer and civil liberties organizations who have expressed concern about the role of US officials in the development of European privacy law. In a letter to the US Secretaries of State, Justice, and Commerce, the groups wrote to seek a meeting to ensure that US lobbying efforts in Europe "are not averse to the views expressed by the president." The letter states that "without exception," members of the European Parliament reported that US governmental agencies and businesses were "mounting an unprecedented lobbying campaign to limit the protections that European law would provide." The letter, endorsed by 18 US NGOss, emphasizes the President's commitment to protecting privacy, set out in the Consumer Privacy Bill of Rights. Last fall, EPIC Executive Director Marc Rotenberg testified in support of a proposed EU privacy reform before the European Parliament, and a groups of transatlantic consumer organizations wrote a letter expressing their support for the EU effort to update and modernize privacy law. For more information, see EPIC: EU Data Protection Directive.

European Parliament Moves Forward on Privacy Update (Jan. 8, 2013) +

The European Parliament has indicated strong support for a proposal put forward by the European Commission to update European Union privacy law. In reports on the the New Directive and New Regulation, the Parliament recommends greater power for data protection agencies and new rights for data subjects. The comprehensive update of the 1995 EU Data Protection Directive simplifies compliance procedures and also creates new incentives for anonymized and psuedonymized data to help protect privacy. Last fall, EPIC President Marc Rotenberg testified before the European Parliament in support of the proposed reform. More than 20 US consumer organizations have expressed support for the European privacy initiative. For more information, see EPIC: EU Data Protection Directive.

CPDP 2013 Calls for Papers in Advance of January Conference (Sep. 7, 2012) +

The 6th Annual Computers, Privacy and Data Protection Conference has announced a Call for Papers. The conference will take place January 23-25, 2013, in Brussels. Both experienced and junior researchers, as well as Ph.D. candidates, are invited to submit work. The theme of the 2013 CPDP conference is “Reloading Data Protection.” Organizers are particularly interested in papers focusing on technology’s relationship to privacy, data protection, non-discrimination and surveillance. Deadline for submissions is October 19, 2012. EPIC is a participant in CPDP conferences and presents the ”EPIC International Champion of Freedom Awards” at CPDP. For more information, see EPIC Champion of Freedom Press Release, EPIC: EU Law, EPIC: Privacy.

U.S. Consumer Groups Endorse Proposed European Privacy Law (Sep. 5, 2012) +

In a letter to members of the European Parliament, over twenty U.S. consumer organizations expressed support for the new European data protection law. The coalition, including Consumers Union, Consumer Federation of America, and Public Citizen, said that the proposed regulation "provides important new protections for the privacy and security of consumers." The groups also explained that the European effort will raise privacy standards for consumers in other parts of the world. The European Union privacy regulation is a comprehensive update of the 1995 EU Data Protection Directive and adopts innovative new approaches to privacy protection, such as "Privacy by Design." BEUC, the association of European consumer groups, has also expressed support for the new law. For more information, see EPIC: EU Data Protection Directive.

European Consumer Organizations Back New EU Privacy Effort (Aug. 22, 2012) +

BEUC, the association of European consumer organizations, has published a Position Paper on Data Protection supporting a new European Union privacy initiative. BEUC states that the proposed Privacy Regulation "addresses the main challenges and the shortcomings of the current framework with the aim of enhancing the rights of data subjects and restoring control over the processing of their own personal data," but BEUC cautions that "several provisions still need to be clarified to ensure the EU framework is effective and becomes the global standard for data protection." The Trans Atlantic Consumer Dialogue, a coalition of US and European consumer groups, has also expressed support for the EU initiative. For more information, see EPIC: EU Data Protection Directive.

US Pushes Forward Flawed International Privacy Framework (Jul. 30, 2012) +

The United States is the lone signatory for the Asia-Pacific Economic Cooperation’s Cross Border Privacy Rules. The APEC Cross Border Privacy Rules set out a self-regulatory framework for the transfer of personal data across national borders. APEC is an inter-governmental organization with 21 member economies that promotes business and trade in the Asia-Pacific region. APEC established a Privacy Framework in 2004 that is generally considered among the weakest privacy frameworks in the world. In 2006, EPIC and a coalition of consumer groups submitted comments to the Department of Commerce detailing the shortcomings of the APEC framework and recommending stronger safeguards for consumers. For more information, see EPIC: International Privacy Standards and EPIC: APEC Privacy Framework.

European Expert Group Affirms Privacy Rules for Cloud Service Providers (Jul. 3, 2012) +

The Article 29 Working Party, representing the privacy agencies of European Union countries, has released a new Opinion in which it states that cloud service providers will be subject to the EU Data Protection Directive. The expert group also advises users of cloud-based services to conduct a comprehensive and thorough risk analysis of cloud services. In 2009, EPIC urged the US Federal Trade Commission to develop privacy standards for Cloud Computing services. See EPIC - Cloud Computing.

EU and US Privacy Officials Convene (Mar. 19, 2012) +

Policymakers from the United States and the European Union are participating in a joint conference today on Privacy and Protection of Personal Data. EU Vice President Viviane Reding and US Commerce Secretary John Bryson issued a common statement reaffirming a commitment to privacy protection. US and EU consumer and privacy organizations also issued a statement commending the new US Consumer Privacy Bill of Rights but cautioning that the US has far more to do to safeguard the interests of users of new Internet-based services. For more information, see Public Voice - The Madrid Declaration.

EPIC Expresses Support for International Privacy Convention (Jan. 27, 2012) +

Speaking this week at the Computers, Privacy and Data Protection conference, EPIC President Marc Rotenberg expressed support for the Council of Europe Privacy Convention. Two years ago, twenty-nine members of the of the EPIC Advisory Board, experts in privacy law and technology, sent a letter to US Secretary of State Hillary Clinton to urge that the United States begin the process of ratification of the Council of Europe Convention on Privacy. They wrote, "privacy is a fundamental human right. In the 21st century, it may become one of the most critical human rights of all." Speaking in Brussels, Mr. Rotenberg reiterated EPIC's support for the Convention and also called attention to recent changes that modernize and update the international privacy framework.

Senator Leahy Expresses Support for International Privacy Day (Jan. 24, 2012) +

Senator Patrick Leahy, theChairman of the Senate Judiciary Committee, offered a statement commemorating Data Privacy Day, which takes place on January 28. Senator Leahy urged the Congress to adopt comprehensive data privacy legislation to "better protect Americans' sensitive personal data and reduce the risk of data security breaches." He also recommended changes to the Electronic Privacy Communications Act to "reflect the realities of our time" and to "keep us safe from cyber threats." EPIC will be participating in the annual Computers, Privacy, and Data Protection conference, taking place this week in Brussels. EPIC will also be announcing the recipients of the 2012 International Champion of Freedom Award and the 2012 US Privacy Champion Award. Join International Privacy Day on Facebook.

EU Justice Minister Warns US on "Self Regulation," Draft European Privacy Law Now Available (Dec. 7, 2011) +

EU Justice Minister Viviane Reding warned this week at a speech in Brussels that a US plan for privacy self-regulation will "not be sufficient" to protect the flow of personal data between Europe and the United States. Reding also said that European companies were likely to rely on European cloud service providers as long as the US Patriot Act remained the law in the US. A draft of the European Union’s new General Data Protection Regulation is now available. The Regulation is a sweeping and comprehensive update of the 1995 EU Data Protection Directive that sets out new enforcement powers for privacy agencies. Meanwhile, a spokesperson for the White House again pledged that a long-delayed paper on privacy would soon be available. For more information, see EPIC: EU Data Protection Directive.

European Data Protection Supervisor Suggests Repeal of Data Retention Directive (Jun. 3, 2011) +

The European Data Protection Supervisor Peter Hustinx has raised the possibility of repealing Europe's Data Retention Directive. which requires telecommunication companies and ISPs to retain user data for law enforcement purposes. According to Hustinx, the Directive does not provide clear guidance about why this data must be retained or who will have access to it. In his opinion, Hustinx stated that the Directive does not meet the requirements set out by the rights to privacy and data protection, and asked the European Commission to consider all options "including the possibility of repealing the Directive." Several European courts have also found that the Directive violates Article 8 of the European Convention on Human Rights. For more information, see EPIC: Data Retention.

European Privacy Officials Release New Report on Mobile Privacy (May. 19, 2011) +

A report from the Data Protecting Working Party on Geolocation Services and Smart Mobile Devices recommends new privacy safeguards, including limitations on data collection and retention. Other recent reports from the Data Protection Working Party cover such topics as Data Breaches, Smart Meters, and RFID Applications. For more information, see EPIC - International Privacy Standards.

EPIC's Rotenberg Repeats Call for US to Ratify International Privacy Convention (Jan. 28, 2011) +

Speaking before the Council of Europe and the European Commission at a high-level meeting in Brussels, EPIC President Marc Rotenberg urged the United States to ratify "Convention 108," the International Privacy Convention. Rotenberg pointed out that the United States had recently ratified the Council of Europe Convention on Cybercrime and had urged its allies to do so as well. Rotenberg's remarks followed a letter from EPIC to Secretary of State Hilary Clinton a year earlier asking that the United States begin the process of ratification. Rotenberg said the Convention is a "remarkable document that recognizes the value of innovation and the importance of fundamental freedoms." For more information, see Public Voice - The Madrid Declaration and EPIC - EU Data Directive.

European Data Protection Supervisor Endorses Commission Strategy for Strong and Effective Data Protection (Nov. 29, 2010) +

During a press conference, Peter Hustinx, the European Data Protection Supervisor, discussed the future of the EU legal framework for data protection and supported the recent EU Commission strategy to strengthen EU data protection rules. The European Commission communication proposes to "protect individuals' data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU." The key goals include strengthening the rights of individuals, enhancing the free flow of information, extending privacy safeguards to police and criminal justice records systems, ensuring high levels of protection for data transferred outside of the European Union, and more effective enforcement of privacy rules. For more information, see EPIC - EU Data Protection Directive.

EPIC International Privacy Project

Currently Featured Topics

Amicus

Liberty v. GCHQ

FOIA

EPIC v. DOJ - Umbrella Agreement

Comments

In the Matter of Apperian, Inc., et al. ("Safe Harbor comments"), Feb. 20, 2014

Testimony

Marc Rotenberg, "The Reform of the EU Data Protection Framework— Building Trust in a Digital and Global World," Committee of the European Parliament on Civil Liberties, Justice, and Home Affairs, European Parliament (October 2012).
EPIC, Comments submitted in consideration of the Article 29 Data Protection Working Party, "Working Document on Data Protection Issues related to RFID Technology" (April 2005).
Marc Rotenberg, Privacy and Data Protection, Committee on Citizen's Freedoms and Rights, Justice and Home Affairs, and the Committee on Legal Affairs and the Internal Markets, European Parliament (February 2000).

Additional Topics

Important International Documents

Draft COE Declaration on Freedom of Communication on the Internet. November 29, 2002.
Article 12 of the Universal Declaration of Human Rights states that " No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
The International Covenant on Civil and Political Rights also includes a provision for privacy protection similar to the article in the Universal Declaration.

More International Documents

In February 2014, British European Parliament Member Claude Moraes released a report on government surveillance by the United States and EU member states and the effect of these programs on citizens’ fundamental rights.

The OECD Guidelines is one of the primary documents for international privacy protection. The Guidelines were set out in 1981 and concern primarily stored data. For more information, see EPIC: OECD Releases Updated Guidelines.

The Council of Europe Convention is another European approach to privacy protection from 1981. Its requirements are binding on all signatory countries. See Also EPIC: Council of European Privacy Convention.

The EC Data Protection Directive is the current focus of privacy discussion in Europe. The directive attempts to harmonize the various national privacy laws in Europe to promote European-wide commerce. The current version is likely to undergo further changes before it is finally adopted by the European Community.

The UN Resolution on Surveillance was adopted in December 2013, in light of the Snowden disclosures, unanimously recognizing online privacy as a fundamental right. The resolution called on member states to adopt laws and procedures that comport with international law, emphasizing that "the same rights that people have offline must also be protected online, including the right to privacy."

In November 2013, the European Union Adopted a resolution on Internet Freedom, identifying central pillars of that freedom which included promoting the accessibility and openness of the Internet and the privacy rights of Internet users.

In 2012, the EU began considering a draft proposal to comprehensively update the 1995 General Data Protection Regulation. In October 2013, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted to adopt a revised draft which contains new regulations on private use of personal data and law enforcement use of personal data. The draft, which seeks to protect the “fundamental right[]… to the protection of personal data,” now must be passed by the European Parliament to become law. See Also EPIC: EU Data Protection Directive.

In December 2012, Jan Phillip Albrecht, a German Member of the European Parliament, rappeteur of the LIBE Committee, and a prominent privacy advocate, released a report proposing amendments to the 2012 Data Protection Regulation.

Resources

Privacy International maintains a privacy archive of international materials on privacy protection, including laws, treaties, country reports, and proposed standards.