Council of Europe Privacy Convention
Top News
- EPIC Signs on to Protect Encryption in the Brazilian Code of Criminal Procedure Updates: EPIC has joined other members of the Global Encryption Coalition in a letter urging Brazil to address proposed updates to the Brazilian Code of Criminal Procedure that would threaten encryption and data security in Brazil. The text as it stands could force companies using strong security protections - such as end-to-end encryption - to introduce security flaws into their systems to be used as backdoors for law enforcement. Such measures endanger users and encourage exploitation of these weaknesses. EPIC led the effort in the United States in the 1990s to support strong encryption tools and played a key role in the development of the international framework for cryptography policy that favored the deployment of strong security measures to safeguard personal information. EPIC also filed an amicus brief in Apple v. FBI in support of encryption. (Jun. 29, 2021)
- Data Flow Deal Talks Fail Due to Lack of US Action on Privacy: The agreement on transatlantic cooperation reached by U.S. and EU leaders this week did not include the political agreement the White House was hoping for on transatlantic data deals. Last week, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. (Jun. 17, 2021)
More top news
- EPIC, Coalition Tell Biden Administration: No Data Flows Deal Until Congress Enacts Privacy Laws (Jun. 10, 2021)
EPIC and 23 other leading civil society groups sent a
letter to President Biden today urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union
invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also
invalidated by the same court. [PRESS RELEASE]
- European Commission Proposes Risk-Based AI Regulation, Banning 'Unacceptable' Uses (Apr. 22, 2021)
The European Commission released a long-awaited proposal for how to regulate AI throughout the European Union. The
proposed regulation includes a ban on “unacceptable” uses of AI such as general social scoring and “real time remote biometric identification” for law enforcement. The proposal also imposes testing and transparency obligations for "high-risk" uses of AI, including a publicly accessible EU database on stand-alone “high-risk” systems. The proposal requires notice to individuals when they interact with certain types of AI and “conformity” assessments for "high-risk" systems. The prohibitions on unacceptable AI are very limited and many of the strongest provisions are subject to vast exceptions. However, a penalty of up to 4% of annual revenue on companies that violate the regulation is included. EPIC has called for prohibitions on
secret scoring,
mass surveillance, and
facial recognition. EPIC urges legislators to implement the
OECD Principles on AI and adopt the
Universal Guidelines of AI.
- Mauritius Ratifies Convention 108+, 36 Countries Back Privacy Convention (Sep. 15, 2020)
This week, Mauritius
signed and ratified the
Modernized International Privacy Convention. Mauritius became the sixth state to officially ratify the modernized Convention 108, and the
36th country to become a signatory. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data,
algorithmic transparency, and enhanced oversight. Non-members of the Council of Europe are able to sign the Convention, and EPIC and consumer groups
have long
urged the United States to ratify the international Privacy Convention.
- Facebook to be Ordered to Stop Sending EU Data to U.S. (Sep. 10, 2020)
The
Irish Data Protection Commissioner has
reportedly issued a preliminary order instructing Facebook to stop transferring the data of EU users to the United States. The order comes in the wake of the recent
European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- Schrems Files 101 Complaints Targeting US-EU Data Transfers (Aug. 18, 2020)
None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed
complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of the recent
European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case,
arguing that
U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- BREAKING: Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws (Jul. 16, 2020)
Today the European Court of Justice issued a
decision in
Irish Data Protection Commissioner v. Facebook & Schrems, a case concerning transfers of personal data by Facebook between the EU and the United States. Specifically, the court considered the validity of transfers made from companies in the EU to companies in the U.S. pursuant to standard contracts or to the EU-U.S. Privacy Shield agreement, both of which had been authorized by the European Commission. But the court held that the Privacy Shield was invalid and that transfers could not be made under the contracts where personal data is not adequately protected. Because U.S. surveillance law authorizes the mass processing of personal data transferred from abroad, under Section 702 of
FISA, it "cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter." EPIC
participated as an amicus curiae in the case and argued that U.S. surveillance law does not provide an equivalent level of protection because it does not provide adequate protections or remedies for non-U.S. persons abroad. EPIC was represented in this case by the Free Legal Advice Centres (FLAC) and by barristers Grainne Gilmore and Colm O’Dwyer, SC. [PRESS RELEASE]
- Germany's Highest Court Rules Facebook Illegally Combines Users' Data, Abusing Its Market Dominance (Jun. 24, 2020)
In an
important decision for data privacy, Germany's Federal Court of Justice sided with antitrust regulators in a case challenging Facebook’s practice of combining user data across different sources, including WhatsApp and Instagram. The Court held that Facebook’s terms of use were abusive because they did not allow users to use the platform without also consenting to Facebook’s collection of their data from other sites. The decision emphasized Facebook’s dominant market position in Germany and recognized that Facebook thus had a special responsibility towards maintaining market competition. EPIC has
repeatedly urged U.S. antitrust agencies to more aggressively regulate Facebook and other platforms, whose large mergers compromise user privacy and consolidate market power in a handful of companies. EPIC recently objected to the FTC’s
settlement with Facebook. EPIC continues to work with
international stakeholders to ensure user privacy.
- Global Privacy Assembly Surveys Policies on Coronavirus (Apr. 3, 2020)
The
Global Privacy Assembly, the international network of data protection officials, has published
Data protection and Coronavirus (COVID-19) resources. The GPA stated that it "recognises the unprecedented challenges being faced to address the spread of Coronavirus (COVID-19). Data protection authorities across the world stand ready to help facilitate swift and safe data sharing to fight COVID-19, while still providing the protections the public expects." EPIC is also tracking privacy statements from
UN Human Rights experts, the
Council of Europe, German data protection experts, NGOs, the
European Data Protection Board, and the
World Health Organization.
- Council of Europe Issues Statement on COVID-19 and Data Protection (Mar. 30, 2020)
Today the Council of Europe published a
Joint Statement on The Right to Data Protection in the Context of the COVID-19 Pandemic. The statement was published by Alessandra Pierucci, Chair of the Committee of Convention 108 and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe. The COE Statement advises that "States have to address the threat resulting from the COVID-19 pandemic in respect of democracy, rule of law and human rights, including the rights to privacy and data protection." The Council further states that even during a public health crisis, "human rights (such as the International Covenant on Civil and Political Rights and the European Convention on Human Rights) cannot be suspended but only derogated or restricted by law, to the extent strictly required by the exigencies of the situation, while respecting the essence of the fundamental rights and freedoms." The COE notes that "anonymised data is not covered by data protection requirements. The use of aggregate location information . . . would thus not be prevented by data protection requirements." EPIC has worked closely with the Council of Europe on updates to the
Council of Europe Privacy Convention, recommended US
ratification of the Convention, and recently advised the COE on AI policy. The text of the COE Privacy Convention is contained in the
EPIC Policy Law Sourcebook.
- On International Privacy Day, EPIC Urges Congress to Act on Privacy (Jan. 28, 2020)
On January 28, EPIC celebrates International Privacy Day, which commemorates
Council of Europe Convention 108, the first international privacy convention. Today EPIC
urged Congress to take three steps to safeguard the personal data of Americans: (1) enact
comprehensive baseline legislation, (2) establish a
data protection agency, and (3) ratify the
International Privacy Convention.
EPIC and
consumer organizations have long urged the United States to endorse the Privacy Convention, which establishes a global framework for the free flow of personal data. The complete text of the Privacy Convention is in the EPIC
Privacy Law Sourcebook, available at the
EPIC Bookstore. Follow #DataProtectionDay.
- EU Legal Advisor Advances Privacy for National Security Matters (Jan. 16, 2020)
The EU Advocate General
advised the European Court of Justice that "the means and methods of combating terrorism must be compatible with the requirements of the rule of law" in a case concerning the retention of personal data for law enforcement purposes. The AG recommended limiting retention of data to data that are essential for national security and limiting access to that data subject to prior review by courts. The opinion is not binding on the Court of Justice and the Court will issue a judgment at a later date. The AG
cited EPIC's expert submissions in
"Schrems 2.0," another case concerning Facebook's transfer of personal data to the United States and the adequacy of U.S. privacy law.
- Swiss Sign Convention 108+, 35 Countries Back Privacy Convention (Nov. 21, 2019)
This week, Switzerland
signed the
Modernized International Privacy Convention. With the Swiss signature thirty-five countries now back Convention 108+. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new provisions on biometric data,
algorithmic transparency, and enhanced oversight. Non-members of the Council of Europe are able to sign the Convention, and EPIC and consumer groups
have long
urged the United States to ratify the international Privacy Convention.
- UK Releases US-UK CLOUD Act Agreement (Oct. 7, 2019)
The UK has released the text of the US-UK CLOUD Act Agreement. The agreement permits cross-border access to personal data without judicial approval, allows for law enforcement investigations under lower standards than in the U.S., and lacks notice to data subjects who are subject to surveillance. In testimony before the European Parliament, EPIC International Counsel Eleni Kyriakides argued that cross-border access to personal data should ensure robust human rights protections, such as notice, judicial authorization, and transparency.
- EPIC, Coalition Call for NGO Role in Privacy Convention Oversight (Sep. 13, 2019)
EPIC, the Australian Privacy Foundation, and Privacy International submitted
comments calling for a greater NGO role in oversight of the
International Privacy Convention. The Council of Europe Convention 108+ is the first and only binding international legal instrument for data protection. Updated in 2018, the Modernized Convention includes new articles on biometric data and algorithmic transparency, and enhanced compliance with convention terms. The coalition comments urge the Council of Europe to include NGOs in compliance review groups, increase transparency of the review process, and evaluate national privacy remedies and derogations from the Convention. EPIC and consumer groups
have also long
urged the United States to ratify the international Privacy Convention.
- U.S. Releases Annual Human Rights Report (Mar. 14, 2019)
The U.S. Department of State has
released the annual report on human rights practices across the globe. The State Dept. report
reviews adherence to "internationally recognized individual, civil, political, and worker rights, as set forth in the Universal Declaration of Human Rights and other international agreements," including the arbitrary or unlawful
interference with privacy. The 2018 report highlights China's social credit system which "quantifies a person's loyalty to the government by monitoring citizens' online activity and relationships." The report also cites the Indian Supreme Court
ruling that privacy is a fundamental right and Turkish authorities' investigation of more than 45,000 social media accounts between 2016 and April 2018. Two EPIC publications -
The Privacy Law Sourcebook 2018 and
Privacy and Human Rights: An International Survey of Privacy Laws and Developments - provide a comprehensive overview of privacy frameworks around the world and track emerging privacy challenges.
- EPIC Files Brief on Government Hacking With Court of Human Rights (Feb. 28, 2019)
EPIC has filed
a brief with the European Court of Human Rights detailing the public safety and privacy risks of government hacking.
Privacy International v. United Kingdom asks whether remote hacking by UK intelligence services violates the European Charter of Fundamental Rights. The Court recently
granted EPIC's request
to intervene in the case. "Hacking tools stockpiled by governments could be used by criminals to mount cyberattacks," EPIC's brief states. EPIC also explained that "Government hacking weakens security safeguards." EPIC has long advocated for strong cybersecurity policies.
- European Data Supervisor Releases Annual Report, Warns US on Bulk Collection (Feb. 26, 2019)
European Data Protection Supervisor Giovanni Buttarelli released the
2018 EDPS annual report. Among recent accomplishments are the
2018 Conference on Digital Ethics, adoption of an EU-Japanese data transfer deal, and implementation of the
GDPR. At a press conference for the report's release, Buttarelli also recommended that the United States enact a federal privacy law, ratify the Council of Europe Privacy Convention, and resolve long-standing concerns about mass surveillance. "In my opinion, bulk collection as such is not fully compatible with our system," Buttarelli
said. EPIC has long
recommended that the United States ratify the
International Privacy Convention. EPIC has also proposed
changes to Section 702 of the Patriot Act, which permits the bulk collection of the personal data of Europeans.
- Grand Chamber of Human Rights Court to Review UK Surveillance (Feb. 5, 2019)
The European Court of Human Rights Grand Chamber has agreed to review
Big Brother Watch v. UK, a case concerning UK surveillance power revealed by Edward Snowden. Last year the Court
ruled that the communications surveillance regime narrowly violated human rights, and stopped short of ruling that bulk surveillance violated fundamental rights. The Grand Chamber, a larger panel of judges, has now agreed to hear the case again. The Chamber
only agrees to review cases raising important human rights issues. The groups that brought the case requested referral and urged the Court
to rule mass surveillance incompatible with human rights. EPIC
filed a brief in the original case explaining that the US, which transfers intelligence data to the UK, has "technological capacities" enabling "wide scale surveillance" and that US law does not restrict surveillance of non-U.S. persons abroad. In an article, EPIC
called the initial ruling against UK surveillance "narrow" but "important."
- EU Receives 95,000 Privacy Complaints, Still No News from US FTC on Facebook Case (Jan. 28, 2019)
According to the European Commission, recent figures from the European Data Protection Board reveal that EU Data Protection Authorities have received more than 95,000 complaints from citizens across the continent. In a joint statement on
International Privacy Day, the Commissioners said "Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work." The
European Data Protection Board also reported that the majority of the complaints were related to activities such as telemarketing, promotional e-mails, and video surveillance. In the United States, the Federal Trade Commission
announced in March 2018 that it was reopening the Facebook investigation, following news that Cambridge Analytica improperly harvested the personal data of 87 million users. Still no word from the FTC on how that one case is proceeding.
- EPIC Asks UN to Question US About Privacy Violations by Private Firms (Jan. 10, 2019)
As part of a routine review, EPIC
asked the United Nations Human Rights Committee to question the US about the failure to protect individuals against privacy violations by private industry. This year the Committee will
review US compliance with human rights obligations under the
International Covenant on Civil and Political Rights. EPIC explained that countries "have a duty to protect individuals against human rights violations by non-state actors," and pointed to Article 17 in the international agreement. "Despite record-breaking data breaches, identity theft, and extensive corporate surveillance, the U.S. still lacks both comprehensive privacy legislation and a data protection authority," EPIC concluded. The
EPIC 2018 Privacy Law Sourcebook provides a comprehensive overview of privacy laws in the US and around the world.
- International Privacy Convention Open for Signature (Oct. 11, 2018)
The Council of Europe has
opened for signature updates to
Convention 108, the international Privacy Convention. Among other changes, the modernized Convention requires prompt data breach notification, establishes national supervisory authorities to ensure compliance, permits transfers abroad only when personal data is sufficiently protected, and provides new user rights, including
algorithmic transparency.
Twenty-one nations have signed the treaty. Many more are expected to sign.
EPIC and
consumer coalitions have
urged the United States to ratify the international Privacy Convention. The complete text of the modernized Convention will be available in the 2018 edition of the Privacy Law Sourcebook, available at the
EPIC Bookstore.
- International Privacy Experts Adopt Recommendations for Cross-Border Law Enforcement Requests for Data (Aug. 14, 2018)
The
International Working Group on Data Protection in Telecommunications has adopted
new recommendations to protect individual rights during criminal cross-border law enforcement. The Berlin-based Working Group includes Data Protection Authorities and experts who assess emerging privacy challenges. The Working Group on Data Protection calls on governments and international organisations to ensure law enforcement requests accord with international human rights norms. The Working Group recommends specific safeguards for data protection and privacy, including accountability, procedural fairness, notice and an opportunity to challenge. EPIC addressed similar issues in an
amicus brief for the US Supreme Court in the
Microsoft case. EPIC and a coalition of civil society organizations recently
urged the Council of Europe to protect human rights in the proposed
revision to the
Convention on Cybercrime. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany's cultural institute.
- EPIC Advises NTIA on International Internet Policy (Aug. 1, 2018)
EPIC submitted
comments in response to the National Telecommunications and Information Administration's
request for recommendations on its international internet policy priorities. NTIA is the Executive Branch agency that is principally responsible by law for advising the President on telecommunications and information policy issues. EPIC recommended that the administration (1) enact comprehensive privacy law, based on the
OECD Privacy Guidelines; (2) encourage US firms to comply with
GDPR; and (3) ratify the
Council of Europe Privacy Convention. EPIC has
urged Congress to update U.S. privacy laws and recently wrote in the
Financial Times that “Instead of criticizing the EU effort, the Commerce Department should help develop a comprehensive strategy to update US data protection laws.” EPIC comments to the NTIA also addressed Algorithmic Transparency, security standards for the Internet of Things, and data minimization.
- Council of Europe Modernizes International Privacy Convention (May. 18, 2018)
The Council of Europe has
updated Convention 108, the first international treaty for privacy and data protection. Among other changes, the
amending protocol requires prompt data breach notification, establishes national supervisory authorities to ensure compliance, permits transfers abroad only when personal data is sufficiently protected, and provides new user rights including
algorithmic transparency.
EPIC and
consumer coalitions have
urged the United States to ratify the International Privacy Convention. The complete text of the Privacy Convention is contained in the
Privacy Law Sourcebook, available at the
EPIC Bookstore.
- Transatlantic Consumer Dialogue Publishes "10 Things to Know About the GDPR" (May. 8, 2018)
The Transatlantic Consumer Dialogue, a coalition of more than 70 consumer organizations in Europe and North America, has made available
"10 Things to Know About the GDPR." The analysis details key elements of the new
European privacy law. TACD wrote, "People's data should be treated with the highest privacy protections no matter where they are based. Privacy is a fundamental human right and data protection is intrinsically linked to it." Last month, TACD sent a
letter to Mark Zuckerberg urging Facebook to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD will host a press conference on GDPR with EPIC in Washington DC on May 16. EPIC makes available the complete text of the GDPR and related materials in the
Privacy Law Sourcebook.
- Facebook Denied Attempt to Delay Review of EU-US Personal Data Transfers (May. 3, 2018)
The Irish High Court has
denied Facebook's request to halt review of
Data Protection Commissioner v. Facebook by Europe's top court. The case, which was recently
referred to the
European Court of Justice, concerns whether Facebook's transfers of personal data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the
landmark 2015 decision that the US had insufficient privacy protections to allow transfer of Europeans' personal data. Ruling against Facebook's request to delay the case further pending appeal, the Irish court said EU data subjects could be harmed if the case were delayed, and that there were “considerable concerns” about Facebook's conduct in the case. EPIC was
designated the US NGO amicus curiae in this case, and provided a detailed
assessment of US privacy law.
- EPIC Urges Secretary of State to Support International Privacy Convention (Apr. 16, 2018)
EPIC submitted a
statement following the Senate
nomination hearing on Mike Pompeo for Secretary of State. EPIC said that the US Secretary of State should uphold privacy as a fundamental human right around the world. The United States Department of State publishes an
annual human rights report that covers "internationally recognized individual, civil, political, and worker rights, as set forth in the
Universal Declaration of Human Rights and other international agreements." EPIC also said that "international agreements provide the best opportunity to establish data protection standards" and urged the Secretary of State to ratify the
International Privacy Convention. Privacy experts and advocates have also called for adoption of the
Madrid Privacy Declaration, a comprehensive framework for data protection.
- European Court of Justice Receives Key Questions on Future of EU-US Personal Data Transfers (Apr. 12, 2018)
The Irish High Court has sent
eleven questions to the
European Court of Justice for review in
Data Protection Commissioner v. Facebook. The case considers whether Facebook's transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the 2015 landmark decision
Schrems v. DPC, which found that the US had insufficient privacy law to protect the personal data of Europeans. The new case examines "standard contractual clauses" and whether the US provides sufficient remedies for privacy violations, whether future data transfers should be suspended, and whether the EU-US
"Privacy Shield" matters. EPIC was
designated the US NGO amicus curiae in this case, and provided a
detailed assessment of US privacy law.
- Zuckerberg Confirms Global Compliance with GDPR (Apr. 11, 2018)
In response to a series of questions from
Rep. Gene Green, (D-TX), Facebook CEO Mark Zuckerberg
confirmed that Facebook will comply with the new European Union privacy law -
"the GDPR" - in all jurisdictions. Earlier this week, the Transatlantic Consumer Dialogue (TACD), a coalition of more than 70 consumer organizations in North America and Europe, sent a
letter to Mr. Zuckerberg urging him to comply with the GDPR as a baseline standard for all Facebook users worldwide. TACD wrote, "The GDPR helps ensure that companies such as yours operate in an accountable and transparent manner, subject to the rule of law and democratic process."
- EPIC Provides U.S. Report for Privacy Experts Meeting (Apr. 9, 2018)
EPIC has provided a comprehensive
report explaining the latest developments in U.S. privacy law and policy for the 63rd meeting of the
International Working Group on Data Protection. The Working Group includes
Data Protection Authorities and experts from around the world who work together to address emerging privacy challenges. The EPIC 2018 report details the
CLOUD Act, the FTC's failure to enforce its
legal judgment against Facebook, the ongoing investigation of the
Russian interference in the 2016 election, federal nominees to the FTC and PCLOB, recent legislative
proposals on Artificial Intelligence, and more. The
64th meeting of the IWG will take place in Queenstown, New Zealand on November 29-30. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany's cultural institute.
- EPIC to UNESCO: Algorithmic Transparency is an Internet Universality Indicator (Mar. 16, 2018)
EPIC has provided comments to UNESCO on a proposed framework for
Internet Universality Indicators. The UNESCO
framework emphasizes Rights, Openness, Accessibility, and Multistakeholder participation. UNESCO
said that the framework will help guide protections for fundamental rights. EPIC also proposed
"Algorithmic Transparency" as a key indicator of Internet Universality. EPIC highlighted the risk of secret profiling, content filtering, the skewing of search results, and adverse decisionmaking, based on opaque algorithms. EPIC has worked closely with UNESCO for
over 20 years on Internet policy issues. At UNESCO headquarters in 2015, EPIC said that algorithmic transparency should be a
fundamental human right.
- International Privacy Experts Adopt Privacy Recommendations for Web Registration (Mar. 9, 2018)
The
International Working Group on Data Protection has
adopted new recommendations to enhance the privacy of website registration data. The Berlin-based Working Group includes
Data Protection Authorities and experts who assess emerging privacy challenges. The "
Working Paper on Privacy and Data Protection Issues with Regard to Registrant data and the WHOIS Directory" highlights privacy risks of the current registration system. When registering a new website with ICANN, the personal data of website owners is published in a widely accessible database. The Working Group recommends limitations on disclosure consistent with the purpose of registration - to provide limited contact information to resolve technical concerns. Registration data is also subject to the
GDPR. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany's cultural institute.
- EPIC Amicus: Supreme Court Divided Over Microsoft Stored Communications Case (Feb. 28, 2018)
This week, the Supreme Court heard arguments in
United States v. Microsoft Corp., a case concerning law enforcement access to personal data stored in Ireland. The Court appeared divided during the argument, but both Justice Ginsburg and Justice Alito appeared to agree that Congress and not the Court was better positioned to find a solution. In an
amicus brief, EPIC urged the Supreme Court to respect
international privacy standards. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC warned that "a ruling for the government would also invite other countries to disregard sovereign authority." EPIC has long supported
international standards for privacy protection, and EPIC has urged U.S. ratification of the
Council of Europe Privacy Convention. EPIC routinely participates as
amicus curiae in privacy cases before the Supreme Court, most recently in
Carpenter v. United States (privacy of cellphone data),
Byrd v. United States (searches of rental cars), and
Dahda v. United States (wiretapping).
- EPIC Supports Data Protection Legislation for India + (Jan. 31, 2018)
In response to a
white paper on data protection from the Indian government, EPIC provided
detailed comments, backing comprehensive legislation. The white paper analyzes data protection laws from around the world, comparing the approaches of different countries. The Indian government proposes a data protection framework based on seven principles: (1) technology agnosticism, (2) holistic application, (3) informed consent, (4) data minimization, (5) controller accountability, (6) structured enforcement, and (7) deterrent penalties. In
comments on the proposal, EPIC backed India's efforts to adopt data protection legislation, and also recommended a private right of action and breach notification. Last year, the Supreme Court of India
ruled that privacy is a fundamental right. EPIC's report
Privacy and Human Rights provides an overview of privacy frameworks around the world.
- Congress Renews Controversial Surveillance Measure, EU Impacted + (Jan. 18, 2018)
In a decision that could jeopardize relations with Europe, Congress has
renewed "Section 702" of the
Foreign Intelligence Surveillance Act, which permits broad surveillance of individuals outside of the United States. The
FISA Amendment Reauthorization Act also permits government
surveillance of Americans and restarts the controversial
"about" collection program. Congress rejected
updates, including limits on data collection, that would preserve a
privacy agreement between Europe and the United States. The European Court of Justice will also soon
decide whether to allow data transfers from Ireland to the United States. EPIC
served as the US NGO amicus curiae in that case.
- In Supreme Court Brief, EPIC Backs International Privacy Standards + (Jan. 18, 2018)
EPIC has filed an
amicus brief in
United States v. Microsoft, a case before the US Supreme Court concerning law enforcement access to personal data stored in Ireland. EPIC urged the Supreme Court to respect
international privacy standards and not to extend U.S. domestic law to foreign jurisdictions. EPIC wrote, the "Supreme Court should not authorize searches in foreign jurisdictions that violate international human rights norms." EPIC cited important cases from the European Court of Human Rights and the European Court of Justice. EPIC has long supported
international standards for privacy protection, and EPIC has
urged U.S. ratification of the
Council of Europe Privacy Convention. EPIC routinely participates as
amicus curiae in privacy cases before the Supreme Court, most recently in
Carpenter v. United States (privacy of cellphone data),
Byrd v. United States (searches of rental cars), and
Dahda v. United States (wiretapping).
- European Court Holds Camera Surveillance of University Lecture Halls Violates Privacy + (Nov. 29, 2017)
In the case of
Antović and Mirković v. Montenegro, the European Court of Human Rights held that camera surveillance in lecture halls at the University of Montenegro's School of Mathematics violated
Article 8 of the European Convention on Human Rights (the right to respect one's "private and family life"). The decision follows
earlier cases of the Court which recognize privacy rights in the workplace. Some U.S. law schools have
deemed all classrooms and meeting rooms as "recordable spaces" and state that voluntary participation therefore constitutes a waiver of legal claims. EPIC has protected the human right to privacy through
third-party intervention in the European Court of Human Rights as well as documented the
spread of CCTV surveillance technology across American cities.
EPIC's Privacy Law Sourcebook provides background on US and international privacy law. The
Privacy Law and Society website provides more information about international privacy law.
- EPIC Provides U.S. Report for Privacy Experts Meeting + (Nov. 27, 2017)
EPIC has provided a comprehensive
report explaining the latest developments in U.S. privacy law and policy to the
International Working Group on Data Protection in Telecommunications. The Berlin-based Working Group includes
Data Protection Authorities and experts, from around the world, who work together to address emerging privacy challenges. The EPIC report details legislative proposals to address privacy and security risks of
automated vehicles, the pending Supreme Court case concerning cell phone location tracking,
Carpenter v. United States, the U.S. investigation of the
Russian interference in the 2016 election, the
Equifax data breach, and more. The 62nd meeting of the IWG will take place in Paris, France on November 27-28. In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany's cultural institute.
- European Court Adviser Says Facebook Privacy Class Action Barred + (Nov. 15, 2017)
The
opinion of a key adviser to the
European Court of Justice holds that a class action cannot proceed against Facebook, but would permit individual privacy claims to move forward. The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member
Max Schrems alleges Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. The opinion from Advocate General Bobek said a "consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers," citing the risk of consumers shopping for the most favorable forums. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also
consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights. In 2013, Max Schrems
received the EPIC International Champion of Freedom Award.
- European Court Adviser Says Local Regulators Can Enforce Privacy Laws Against Facebook + (Oct. 24, 2017)
The
opinion of a key adviser to the
European Court of Justice holds that local European data protection authorities can directly enforce privacy laws against Facebook. The case involves a German data protection authority's order to deactivate a local Facebook fan page for illegally tracking users. The opinion from Advocate General Bot said regional data protection authorities can intervene to stop unlawful data practices. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also
consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights.
- EU Approves Data Transfer Arrangement, But Seeks Stronger U.S. Privacy Protections + (Oct. 18, 2017)
Following the first annual review of the pact, the European Commission has
approved the EU-U.S.
Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. However, the Commission
urged the U.S. to appoint a permanent
Ombudsperson to review complaints, to restore the
Privacy and Civil Liberties Oversight Board, and to pass the Obama-era
Presidential Policy Directive-28 into law. In a recent letter to
Congress, EPIC emphasized the need to update U.S. privacy laws. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in
DPC v. Facebook, a case now before the European Court of Justice.
- EPIC Urges House to Strengthen US Privacy Laws for Cross Border Data Flows + (Oct. 12, 2017)
EPIC sent a
letter to a House committee on Digital Commerce and Consumer Protection for the
hearing "21st Century Trade Barriers: Protectionist Cross Border Data Flow Policy's Impact on U.S. Jobs." EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take four steps to update U.S. privacy law: (1) enact the Consumer Privacy Bill of Rights, (2) modernize the Privacy Act, (3) establish an independent data protection agency, and (4) ratify the International Privacy Convention. EPIC also noted that the
Schrems II decision calls into question the viability of
"Privacy Shield," the current data transfer scheme between the US and EU.
- NGOs to Meet with Privacy Commissioners at Public Voice Event in Hong Kong + (Sep. 19, 2017)
The Public Voice will host an
event with NGOs and Privacy Commissioners at the
39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. "Emerging Privacy Issues: A Dialogue Between NGOs & DPAs" will address emerging privacy issues, including
biometric identification,
algorithmic transparency, border surveillance, the India privacy decision, and implementation of the
GDPR. Speakers include Chairman Isabelle Falque-Pierrotin of the CNIL and
Article 29 Working Party, Commissioner John Edwards of New Zealand, and Director Eduardo Bertoni of Argentina. Also participating will be representatives of
Access Now, EPIC,
GP Digital,
Privacy International, and the
World Privacy Forum. The
Public Voice, established in 1996, facilitates public participation in decisions concerning the future of the Internet.
- EPIC, Global Coalition Recommend Human Rights Protections for Cybercrime Proposal + (Sep. 18, 2017)
EPIC joined European Digital Rights (EDRI) and a coalition of organizations to
advise the Council of Europe about protecting human rights during trans-national criminal investigations. The "Global Civil Submission" states that a proposed
update to the
Convention on Cybercrime should include compliance with human rights principles and data protection standards for transnational data transfers. Several years ago, EPIC
opposed the U.S. ratification of the
Convention on Cybercrime, citing its sweeping expansion of law enforcement authority. However, EPIC and the U.S. Privacy Coalition have long campaigned for United States ratification of
"Convention 108," the International Privacy Convention.
- Call For Papers - CPDP 2018 "The Internet of Bodies" + (Sep. 7, 2017)
Computers, Privacy, and Data Protection, the leading international conference devoted to privacy and data protection, has opened a
call for papers ahead of the 2018 conference. The conference theme is "The Internet of Bodies" and will be held on 24-26 January 2018 in Brussels. The CPDP2018 call for papers is addressed to all researchers who wish to present papers at this year's conference. Papers will be reviewed by the CPDP
Scientific Committee. EPIC is one of the founders of CPDP and an annual sponsor of
the event. The
EPIC International Champion of Freedom Award will be presented at CPDP.
- International Privacy Experts Adopt Statements on E-Learning, Intelligence Gathering + (Aug. 14, 2017)
The
International Working Group on Data Protection in Telecommunications has adopted new recommendations to improve privacy and security standards for
e-learning platforms and
government intelligence gathering. The Berlin-based Working Group includes
Data Protection Authorities and experts who work together to address emerging privacy challenges. The Working Paper on "E-Learning Platforms" highlights privacy risks including excessive collection of students' personal data. "Towards International Principles or Instruments to Govern Intelligence Gathering" recommends that DPAs participate in developing an international instrument governing intelligence activities and recommends authorities promote principles concerning "Legitimacy," "Rule of Law," and "Oversight." In April 2017, EPIC hosted the 61st meeting of the IWG in Washington, D.C. at the
Goethe-Institut, Germany's cultural institute.
- UK Government Releases Statement of Intent Describing New Data Protection Bill + (Aug. 10, 2017)
The UK has released a
statement of intent describing a forthcoming bill that would make major revisions to the country's data protection law. The new rules would follow the EU's General Data Protection Regulation by strengthening rules for obtaining consent, making it easier for consumers to withdraw consent, and improving consumers' ability to access, move, and remove data about themselves. The bill would also expand the definition of "personal data" to include DNA and IP addresses and would make it a crime to re-identify individuals from anonymized data. EPIC
supported the GDPR and the
right to be forgotten, has
explained that IP addresses are personal data, and has warned of the risks of improperly
"de-identified" data. EPIC recently filed a
complaint asking the FTC to investigate Google's use of a proprietary, secret algorithm Google claims can "de-identify" consumers while tracking their purchases.
- European Court Halts Retention, Bulk Transfer of Passenger Data + (Jul. 26, 2017)
The top EU Court has
struck down an EU-Canada agreement on the processing of
airline passenger records. The Passenger Name Record agreement mandated data retention and permitted the bulk transfer of personal data provided by passengers booking a flight. The Court of Justice of the EU explained "the PNR agreement may not be concluded in its current form because several of its provisions are incompatible with the fundamental rights recognised by the EU." The data can reveal "a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or their state of health." The European Digital Rights Initiative
praised the outcome. The EU and US have a
similar agreement that permits retention of personal data for
15 years. EPIC has
criticized overbroad passenger data transfers, and
argued the EU-US agreement violates the EU data protection directive.
- European Privacy Officials Push for Answers on Status of U.S. Privacy + (Jun. 13, 2017)
The
Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US
Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a
letter to the Commission, the Working Party outlined its expectations for this summer's annual review of the arrangement. The Group asked for "precise evidence" that bulk surveillance is "limited and proportionate." The Working Party also seeks information about vacancies in key privacy oversight positions, including the
Privacy and Civil Liberties Oversight Board and the
Privacy Shield Ombudsperson, and any legal protections for "automated decision making." The European Parliament previously
expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations
urged the US and the EU to strengthen privacy protections following a landmark
decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in
DPC v. Facebook, highlighting weaknesses in US privacy law.
- European Data Protection Supervisor Backs "E-Privacy" Directive Updates + (May. 1, 2017)
European Data Protection Supervisor
Giovanni Buttarelli, one of Europe's top privacy officials, published an
opinion backing a key update to EU privacy law. The updated
e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The EDPS
welcomed the "ambitious attempt to provide for the comprehensive protection of electronic communications." However, the EDPS opinion also emphasized the need to strengthen privacy protections, raising concern about the proposal's complexity and failure to cover data processing beyond communications services providers. The EDPS's statement follows a supportive
opinion from the Article 29 Working Party, an expert group of European privacy officials. EPIC recently hosted Mr. Buttarelli in Washington, DC to speak before the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy issues between civil society organizations and policy leaders.
- EPIC Hosts International Meeting of Data Protection Experts + (Apr. 25, 2017)
This week EPIC hosted the 61st meeting of the
International Working Group on Data Protection in Telecommunications in Washington, D.C. Twice a year, the Berlin-based Working Group convenes data protection authorities and privacy experts from around the world to develop
recommendations on emerging privacy challenges. The IWG recently issued recommendations on topics including
Biometrics in Online Authentication,
Location Tracking, and
Intelligent Video Analytics. The IWG meeting was held at the
Goethe-Institut, Germany's cultural institute. Through June 2016 the Institut is presenting the
"Plurality of Privacy Project," a transatlantic theater project focused on the value of privacy. EPIC previously hosted a meeting of the IWG in Washington, DC in the spring of 2004.
- EPIC, Privacy Coalition Meet with EU Data Protection Supervisor + (Apr. 21, 2017)
European Data Protection Supervisor
Giovanni Buttarelli spoke today to the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy issues between civil society organizations and policy leaders. Mr. Buttarelli addressed relations between the European Union and the United States, and discussed encryption policy, the
E-Privacy Regulation, the
Privacy Shield, and the
U.S. Privacy Act as it applies to foreigners, among many other topics. Recent speakers at the Privacy Coalition have included FTC Chair Maureen Ohlhausen and FCC Senior Counsel Nick Degani.
- Government Argues for PRISM Reauthorization in New Report + (Apr. 20, 2017)
The Office of the Director of National Intelligence has released a
report on the controversial Section 702 "PRISM" program, which is set to expire on December 31, 2017. The report argues for renewal, but significant questions remain about the PRISM program. Despite repeated
requests from Congress, the ODNI has refused to reveal the number of U.S. persons who are swept up in PRISM surveillance every year. EPIC sent a
letter to the House Judiciary Committee urging public reporting of the Government's surveillance activities. EPIC also warned that the Section 702
legal controversy could block international data transfers.
- European Privacy Officials Back "E-Privacy" Directive Updates + (Apr. 12, 2017)
The Article 29 Working Party, an expert group of European privacy officials, has issued an
opinion supporting a key
proposal to modernize EU privacy law for electronic communications. The updated
e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Working Party welcomed the harmonization of privacy standards across the European Union, but cautioned that the Privacy Directive must offer protections at least as strong as the recently adopted
General Data Protection Regulation.
EPIC had urged the US Federal Communication Commission to adopt a similar, comprehensive approach to communications privacy. A narrow FCC rule covering only ISPs was recently rescinded by Congress, folding under attacks that it unreasonably singled out a sector of the communications industry.
- EPIC Celebrates International Privacy Day + (Jan. 28, 2017)
On January 28, EPIC celebrates
International Privacy Day, which commemorates
Convention 108, the first international treaty for privacy and data protection.
EPIC and
consumer organizations have
urged the United States to ratify the International Privacy Convention.
NGOs and Privacy experts have also expressed support for the
Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions. The complete text of the Privacy Convention is contained in the
Privacy Law Sourcebook, available at the
EPIC Bookstore.
- US Designates Countries Covered Under the Judicial Redress Act + (Jan. 23, 2017)
During the final week in office, the Obama Department of Justice released the
list of European countries covered under the Judicial Redress Act. The
Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU
"Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the
Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended
substantial changes to the Judicial Redress Act, explaining in a
letter to Congress that the bill still did not provide adequate protection to permit
transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement.
- EPIC Urges Senate Committee to Ensure UN Ambassador Supports International Privacy Convention + (Jan. 18, 2017)
EPIC has sent a
statement to the Senate Foreign Relations Committee urging the next UN Ambassador to advocate for human rights, particularly the right to privacy and the right to freedom of expression as set out in the Universal Declaration of Human Rights. EPIC also wrote that the UN Ambassador should support US ratification of the
Council of Europe Privacy Convention, which is critical to the continued flow of personal data around the world.
EPIC and
consumer organizations have called on the United States to ratify the Privacy Convention. Next week, many countries around the world will recognize January 28,
International Privacy Day, which celebrates the International Privacy Convention.
- EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy Shield + (Jan. 18, 2017)
EPIC has sent a
letter to the Senate Commerce Committee outlining the key privacy issues that the next Secretary of Commerce should address. The Committee convened this week to
consider the nomination of Wilbur Ross for Commerce Secretary. EPIC stated that privacy protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC urged the Committee to ensure the nominee "make clear his commitment to a comprehensive approach to data protection, based in law." EPIC warned about the
inadequacy of the
Privacy Shield, a non-legal framework that permits the flow of European consumers' personal data to the United States, outside of European privacy law.
- European Communications Privacy Law Strengthens Rights for Internet Users + (Dec. 14, 2016)
A
draft of the update to the European
"e-Privacy Directive" provides important new safeguards for users of Internet-based services. The new regulation will apply to all online communications services, including email, instant messaging, and social media. The updated privacy law will limit tracking and profiling of Internet users. The report notes that lax rules for companies such as Facebook and Skype, "create a void of protection of confidentiality for the users of these services." The US FCC recently
adopted modest
privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's
repeated advice to the FCC to
address "the full range of communications privacy issues facing US consumers." The EU Commission's update of the e-Privacy Directive follows the recently adopted
General Data Protection Regulation. The Commission's formal proposal is
expected in January of 2017.
- Second Legal Challenge Launched Against "Privacy Shield" + (Nov. 3, 2016)
La Quadrature du Net, a French privacy organization, has
launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar
challenge brought by the Irish group Digital Rights Ireland. "Privacy Shield" was the response of EU and US politicians after the European Court of Justice
determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a
comprehensive framework for data protection and
said that Privacy Shield was not adequate. EPIC also
testified before Congress on the need to update US privacy law. EPIC is currently participating as
amicus curiae in a related case brought by privacy advocate Max Schrems.
- Germany Prohibits WhatsApp Data Transfer to Facebook + (Sep. 27, 2016)
Germany’s privacy regulator has
ordered Facebook to immediately stop collecting and storing user data from
WhatsApp, and to delete all WhatsApp user data that has already been transferred. In a statement, German officials said that WhatsApp’s
new data transfer policy constitutes “an infringement of national data protection law.” EU Competition Commissioner Margrethe Vestager has also opened an
investigation into WhatsApp’s privacy changes, which contradict
previous
commitments to users and regulators. EPIC filed a
complaint with the FTC over the policy change, and more than a dozen consumer groups have
backed these efforts. The FTC
responded it would “carefully review” EPIC’s complaint. The FTC has previously
stated, “When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises.”
- EPIC Republishes "Privacy and Human Rights," Most Comprehensive Survey of Privacy Law and Practices Ever + (Sep. 12, 2016)
EPIC has published the first digital edition of
Privacy and Human Rights: An International Survey of Privacy Laws and Developments. The report by EPIC and
Privacy International provides an overview of key privacy topics in over 75 countries around the world. The report outlines legal protections, new challenges, and important issues and events relating to privacy. Topics include biometric identification, Internet advertising, and location privacy. Over 1,100 pages, almost 6,000 footnotes, and more than 300 contributors. Now available
online.
- European Data Protection Supervisor Calls for Stronger Protections for Electronic Communications + (Jul. 27, 2016)
The top European data protection official, the European Data Protection Supervisor, has
called for strong privacy protections in the
"ePrivacy Directive", an updated framework to safeguard personal information. "The scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of network or service used." The Data Protection Supervisor also
said the legislation should "allow users to use end-to-end encryption without back doors".
NGOs and
data protection officials have also called for the reform of the European legislation after the adoption of the
General Data Protection Regulation. EPIC has
urged the FCC to establish a comprehensive framework for communications privacy, noting the work now underway in Europe to update privacy laws.
- Irish Court Approves EPIC as Amicus in Schrems Case + (Jul. 19, 2016)
The Irish High Court has
accepted EPIC's application to participate in a case about data protection rights and
Facebook's contractual clauses. The case follows Max Schrems'
complaint to the Irish Data Protection Commissioner after the
European Court of Justice's decision to strike down the
Safe Harbor arrangement. EPIC will provide the Irish Court, and perhaps also the Court of Justice, expert opinion on U.S. surveillance law. EPIC recently joined a
case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a "friend of the court" in
almost 100 cases in the United States concerning emerging privacy and civil liberties issues.
- US Government Loses on Overseas Data Searches + (Jul. 14, 2016)
A federal appeals court has
ruled that the U.S. government cannot seize user data in foreign data centers under the Stored Communications Act. The decision reverses a lower court opinion that would have required Microsoft to hand over the contents of an email account stored in Ireland. The appeals court concluded that the purpose of the Act was to protect “users’ privacy interests in stored communications” not the creation of law enforcement powers that could reach overseas. The decision will likely bolster efforts to keep data in jurisdictions with stronger privacy safeguards. EPIC has recommended US ratification of the International Privacy Convention to preserve transborder data flows.
- European Commission Signs Off on Flawed "Privacy Shield" + (Jul. 12, 2016)
The
European Commission has approved the
"Privacy Shield" which will allow companies to
transfer personal data of Europeans to the U.S. without legal protections.
European data protection authorities, the
European Data Protection Supervisor, and
EU and US NGOs identified
flaws with the non-binding framework. Citing a judgement of the European high court which struck down a similar framework,
Max Schrems and Jan-Philipp Albrecht predicted that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice."
EPIC and other
consumer organizations urged the EU and US to strengthen safeguards for transborder data flows. According to the Federal Trade Commission, identity theft complaints in the US
increased by 47% between 2014 and 2015.
- EPIC's Rotenberg Outlines Need for International Privacy Framework + (Jun. 17, 2016)
Speaking at the
Council of Europe in Strasbourg, EPIC President Marc Rotenberg
outlined the need for the US to ratify the
International Privacy Convention. Rotenberg said it was "unlikely that the Privacy Shield will survive another trip to Luxembourg." The
Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from
European consumer groups, NGOs,
privacy officials, and the
EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts
endorsed the Council of Europe Privacy Convention. In 2010 members of the
EPIC Advisory Board urged then Secretary of State Hillary Clinton to seek US ratification of the Privacy Convention.
- Top European Privacy Official Rejects EU-US "Privacy Shield" + (May. 31, 2016)
The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He
called for changes in the
draft arrangement to permit data transfers to the United States. "Significant improvements are needed,"
said Giovanni Buttarelli. The
Article 29 Working Party, the
European Parliament, and a
coalition of EU and U.S.
consumer organizations have also
opposed the data transfer proposal. Citing rampant
data breaches in the United States, NGOs have urged
strong safeguards for
privacy and data protection.
- European Parliament Requires Changes to Privacy Shield + (May. 26, 2016)
The European Parliament
called for changes in the
draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement"
privacy recommendations and negotiate further
changes to the "Privacy Shield." The
European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week.
EPIC and other
consumer and
privacy organizations have said that the Privacy Shield
fails to provide adequate safeguards for consumers.
- European Parliament Adopts Comprehensive Data Protection Regulation + (Apr. 14, 2016)
The European Parliament
finalized a historic
reform of
EU data protection legislation, which will have legal force in July 2018. "The new General Data Protection Regulation will enable people to regain control of their personal data in the digital age,"
said Parliament Member Jan Philipp Albrecht. The rules include data breach notification, coordinated enforcement, enhanced penalties, strengthened consent, and new measures to promote privacy innovation. EPIC and EU and US consumer groups have
supported the European law, stating that it provides "important new protections for the privacy and security of consumers."
- TACD Opposes "Privacy Shield," Urges Rejection by EU + (Apr. 7, 2016)
The
Transatlantic Consumer Dialogue has
urged the European Commission to reject the
"Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a
coalition of NGOs have urged the US to adopt a
robust data protection law and
end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.
- EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield" on End of 702 Surveillance + (Mar. 17, 2016)
Speaking before the European Parliament on
"Privacy Shield," Marc Rotenberg outlined several flaws in the
proposed EU-US data transfer agreement, including a weak privacy framework,
lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the
"702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has
urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect
changes in US law as required by the
Schrems decision.
- "Privacy Shield" Released, New Questions Raised + (Feb. 29, 2016)
The text of the
"Privacy Shield" was released today by the European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the
Schrems case. But the
framework appears to provide less protection than the
Safe Harbor arrangement it replaces. New exceptions
take broad categories of personal data entirely outside the scope of the agreement. Max Schrems
said "this is far from what the Court required and does not seem like a stable solution." Privacy experts will now assess the text and
determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have
urged the US to update its privacy laws.
- "Judicial Redress Act" Provides Little Redress + (Feb. 12, 2016)
The
Judicial Redress Act of 2015,
enacted by Congress and now on to the President for signature, fails to extend Privacy Act protections to non-U.S. citizens. EPIC previously
recommended changes to
protect transborder data flows. The bill,
as adopted, coerces European countries to transfer data to the US, even
without adequate protection, or be denied legal rights. Congress adopted the narrow amendment to the Privacy Act without any changes to benefit U.S. citizens even after a
data breach compromised 21.5 records maintained by the Office of Personnel Management. EPIC
explained that the OPM breach
made clear the
need for updates to the federal privacy law.
- Department of Commerce: Privacy Shield "does not exist" + (Feb. 10, 2016)
As a
response to EPIC's Freedom of Information
request for the
"Privacy Shield," the Commerce Department responded that "the record you requested does not exist."
EU and
US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577.
- Hackers Breach US Government Database, No Recourse for Non-Americans + (Feb. 9, 2016)
Less than a week after the European and US governments struck a deal for a framework to permit transborder data flows of personal data, hackers
breached sensitive personal data at the US Department of Homeland Security. The DHS stores vast amounts of personal information on non-US persons, including detailed travel information. Under
current law, non-US persons have
no legal rights when federal agencies fail to safeguard their personal data. EPIC is
seeking release of the so-called "Privacy Shield" and has launched a
new campaign to promote Data Protection in the United States.
- EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement + (Feb. 4, 2016)
EPIC has filed emergency Freedom of Information requests with the
US and the
EU for release of a secret agreement for the transfer of personal data across the Atlantic. A new framework was required by a
recent decision of the European Court of Justice. But
European and American
consumer organizations say the "Privacy Shield" does not provide
adequate protection for the transfer of personal data. EPIC stated, “The public has a right to know whether this agreement provides adequate legal protection.” EPIC previously
obtained the secret
EU-US Umbrella Agreement in
FOIA litigation.
- Privacy Commissioners to Review "Privacy Shield" + (Feb. 3, 2016)
The
Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the
"Privacy Shield" proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a "necessary and proportionate" standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve "wider concerns raised by the
Schrems judgement."
- Anticipating Annulment, EU-US Negotiators Sign Off on "Privacy Shield" + (Feb. 2, 2016)
Disregarding a decision of the European Court of Justice, negotiators for the US Commerce Dept., the FTC, and the European Commission have
agreed to allow the continued transfer of consumer data without adequate legal protection. A
virtually identical arrangement was recently struck down by the Court in the
Schrems case as a violation of multiple rights of Europeans, including rights to privacy, data protection, and effective redress. Consumers in the US have also expressed concern about rising levels of data breach, identity theft, and financial fraud. EPIC and many EU and US consumer organizations
urged negotiators to establish strong safeguards for the transfer of personal data.
- Schrems Responds to US Lobby Groups on Safe Harbor + (Jan. 29, 2016)
In a brief but clearly argued
letter to
European data protection authorities, Max Schrems writes that "attempts by lobby groups and the US government to 'reinterpret' or 'overturn' the clear judgement of the Union's highest court are fundamentally flawed." Schrems brought the
successful case to the
European Court of Justice that struck down the
Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide "protection against government surveillance and 'essentially equivalent' protection against the commercial use of data by certified companies." Max Schrems received the
2013 EPIC Champion of Freedom Award.
- "Clock is ticking" on Safe Harbor, says European Consumer Organization + (Jan. 29, 2016)
BEUC, the consumer organization of the European Union, has
urged European policy makers to accept a revised Safe Harbor arrangement only if it complies with the
Schrems decision and "guarantees that EU citizens' fundamental rights are upheld when their data is exported to the United States." Last year, 40 consumer privacy organizations in Europe and the United States
urged US Secretary Pritzker and EU Commissioner Jourova to take specific steps to close the widening EU-US data divide. Secretary Pritzker has been unwilling to meet with consumer organizations.
- EPIC Celebrates International Privacy Day + (Jan. 28, 2016)
EPIC celebrates January 28,
International Privacy Day, which commemorates the signing of
Convention 108, on January 28, 1981. The Privacy Convention was the first binding international treaty for privacy and data protection.
EPIC and
consumer organizations have called on the United States to ratify Convention 108.
NGOs and privacy experts have also expressed support for the
Madrid Declaration, a substantial document that reaffirms international instruments for privacy protection, identifies new challenges, and calls for concrete actions.
- U.S. Law Firm Argues U.S. Privacy Law "Essentially Equivalent" + (Jan. 27, 2016)
A
recent report from a U.S. law firm concludes that the United States offers essentially equivalent privacy protection to Europe. The report also finds that "This body of laws ensures that government access to data for law-enforcement and intelligence purposes is limited to what is necessary and proportionate." Of course, all travel records of Europeans are
routinely transferred to the U.S. Department of Homeland Security without any legal protection. Under Section 702 of the Patriot Act, the US government
routinely obtains vast amounts of personal data on non-US persons, including communications logs and website activity.
Executive Order 12333 provides even broader surveillance authorities.
- EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement + (Jan. 25, 2016)
After months of
delay, the Department of Justice has finally released to EPIC the full text of the
EU-US Umbrella Agreement. EPIC
sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's
opposition to the agency's
attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act
currently before Congress. EPIC has
criticized the legislation, and recently
urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.
- EPIC Seeks to Intervene in Privacy Case Before European Court of Human Rights + (Jan. 22, 2016)
EPIC has
asked the
European Court of Human Rights for permission to submit an
amicus brief in a case concerning mass surveillance.
Ten international human rights NGOs brought the
case to challenge UK surveillance laws and practices. The
case concerns Tempora,
PRISM, and Upstream programs, and the
interception of communications by UK intelligence services and the
National Security Agency. EPIC proposes to assist the Court in understanding U.S.
surveillance law, and to provide relevant information EPIC has
obtained through freedom of information litigation. EPIC routinely files
amicus briefs in cases concerning emerging privacy and civil liberties issues.
- EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit + (Jan. 6, 2016)
In its
fight to obtain a copy of the
EU-US Umbrella Agreement, EPIC
asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC
sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC's complaint, the court entered
default against the agency. The Agreement is central to pending
legislation, which the Senate Judiciary Committee is
set to debate this month, yet the DOJ has not made the document available to the public or to Members of Congress.
- EPIC Celebrates Human Rights Day + (Dec. 10, 2015)
On December 10, EPIC celebrates international
Human Rights Day. On December 10, 1948, the
United Nations adopted the
Universal Declaration of Human Rights. The Declaration sets out
civil, political,
cultural, economic, and social rights. EPIC pursues the
global recognition of privacy, a fundamental right set out in
Article 12 of the Universal Declaration. Follow @EPICPrivacy on Twitter! #HumanRightsDay
- Decision by EU Legal Advisor Signals End of "Safe Harbor" + (Sep. 23, 2015)
An
opinion by the top advisor for the Court of Justice of the European Union
indicates that the "Safe Harbor" arrangement, which permits the transfer of personal data to the US without legal protection, will come to an end. Under
Safe Harbor, US companies self-certify compliance with EU data protection law. But the Advocate General has found the arrangement fails to protect privacy and should be declared invalid.
Max Schrems, who
initiated the case in Ireland, stated "This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies." The European Digital Rights Initiative also
supported the decision. EPIC has
recommended that the US update the Privacy Act to protect EU citizens and
ratify the
international convention for privacy protection.
- EU Officials: Court Ruling on "Right to be Forgotten" Applies Worldwide + (Dec. 1, 2014)
Privacy regulators in the European Union have issued
guidelines calling for the recent "Right to be Forgotten" ruling to apply worldwide. In May, the European Union Court of Justice
ruled that a European Union citizen can ask search engines to remove links in search results based on the citizen's name. However, Google chose to remove the links for only certain domains, leaving the private information subject to the ruling accessible to most users. The new report makes clear that the ruling should apply across all search engine services. The EU officials explain, "limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to satisfactorily guarantee the rights of data subjects according to the ruling." For more information, see
Fact Sheet on the Right to Be Forgotten,
EPIC: Right to Be Forgotten,
EPIC: International Privacy Law,
EPIC: Expungement.
- European Privacy Groups Boycott Google Roadshow + (Nov. 5, 2014)
Leading European privacy organizations have turned down invitations from Google to participate in a
series of events organized by the Internet giant, designed to raise questions about a
decision of the European Court of Justice regarding the right to privacy. The European Consumer Organization (BEUC), the European Digital Rights Initiative (EDRi), and Privacy International are among several of the groups that are not participating in the Google meetings. EU policymakers have also
challenged the company for attacking a judicial decision of the high court of the European Union, describing the tour as a "publicity stunt." For more information, see
Fact Sheet on the Right to Be Forgotten,
EPIC: Right to Be Forgotten,
EPIC: International Privacy Law,
EPIC: Expungement, and
Rotenberg, "EU Court Strikes Blow for Privacy" (USA Today).
- Privacy Panel Backs PRISM Program + (Jul. 3, 2014)
In a
surprising report, the
US Privacy and Civil Liberties Oversight Board has endorsed the US government's routine collection of the Internet activities of non-US persons, broadly referred to as the "PRISM Program." The NSA obtains this information from Internet companies located in the United States. The Board cited the value of the program and compliance with the law, but said little about the impact on non-US persons. EPIC opposed a similar program concerning the collection of domestic telephone records in a
petition to the US Supreme Court last year. EPIC has also said that the collection of communications by the US should be subject to international privacy law, such as the International Covenant on Civil and Political Rights. It is anticipated that foreign countries will continue to transfer cloud-based services away from US firms because of the lax privacy safeguards in the United States. For more information, see
EPIC: In re EPIC and
EPIC: International Privacy Standards.
- "I will reform our surveillance programs," President Obama Tells Nation + (Jan. 29, 2014)
Stating that "America must move off a permanent war footing," President Obama
announced (video) at the State of the Union that "working with this Congress, I will reform our surveillance programs." (50:30) The President
continued, (text) "because the vital work of intelligence community depends on public confidence, here and abroad, that the privacy of ordinary people is not being violated." Citing the need to close the prison in Guantanamo, the President also said "we counter terrorism not just through intelligence and military action but by remaining true to our constitutional ideals and setting an example for the rest of the world." EPIC and other consumer privacy organizations have urged the President to move forward the
Consumer Privacy Bill of Rights and to support the
International Privacy Convention.
- EPIC Gives 2014 International Award to European Parliament Member Jan Albrecht + (Jan. 27, 2014)
EPIC has given the 2014 International Champion of Freedom Award to
European Parliament Member Jan Philipp Albrecht for "modernizing and defending the law of data protection." As a rapporteur for the
Committee on Civil Liberties, Justice and Home Affairs, Albrecht has led the effort in the European Parliament to update European privacy law. He is also an outspoken defender of privacy rights and has promoted the
investigation of the NSA program of mass surveillance. Albrecht
received the award from EPIC at the annual
Computers, Privacy, and Data Protection conference in Brussels. Previous award recipients include privacy activist Max Schrems, Canadian Privacy Commissioner Jennifer Stoddart, European Parliamentarian Sophie In't Veld, Australian Jurist Michael Kirby, and Constitutional Law Scholar Stefano Rodotà. The award is given by EPIC annually in recognition of January 28,
International Privacy Day.
- OECD Releases Updated Privacy Guidelines + (Sep. 15, 2013)
The Organization for Economic Cooperation and Development has released the
2013 revisions to its privacy guidelines. The revisions build from the
original guidelines, developed in 1980, and retain the core set of Fair Information Practices while updating the framework to address new challenges, such as national implementation and cross-border enforcement. The OECD explains that the revisions aim to "focus on the practical implementation of privacy protection" and to "address the global dimension of privacy through improved interoperability." EPIC Executive Director Marc Rotenberg, a member of the expert review group, has
said that “the OECD Privacy Guidelines are the most influential international framework for privacy ever established.” For more information, see
EPIC: International Privacy Standards.
- EPIC Supports International Principles for Privacy Protection + (Jul. 31, 2013)
EPIC has joined with leading human rights organizations and privacy experts in support of the
"International Principles on the Application of Human Rights to Communications Surveillance." The Principles were adopted in response to growing concern about the surveillance of Internet communications by governments and private companies. Among the key principles in the framework document are Necessity, Adequacy, Proportionality, Competent Judicial Authority, Due Process, User Notification, Transparency, Public Oversight, and Safeguards Against Illegitimate Access.
- US Pushes Forward Flawed International Privacy Framework + (Jul. 30, 2012)
The United States is
the lone signatory for the Asia-Pacific Economic Cooperation’s Cross Border Privacy Rules. The APEC Cross Border Privacy Rules set out a self-regulatory framework for the transfer of personal data across national borders.
APEC is an inter-governmental organization with 21 member economies that promotes business and trade in the Asia-Pacific region. APEC established a
Privacy Framework in 2004 that is generally considered among the weakest privacy frameworks in the world. In 2006, EPIC and a coalition of consumer groups submitted
comments to the Department of Commerce detailing the shortcomings of the APEC framework and recommending stronger safeguards for consumers. For more information, see
EPIC: International Privacy Standards and
EPIC: APEC Privacy Framework.
- EPIC Expresses Support for International Privacy Convention + (Jan. 27, 2012)
Speaking this week at the
Computers, Privacy and Data Protection conference, EPIC President Marc Rotenberg expressed support for the
Council of Europe Privacy Convention. Two years ago, twenty-nine members of the EPIC Advisory Board, experts in privacy law and technology, sent a
letter to US Secretary of State Hillary Clinton to urge that the United States begin the process of ratification of the Council of Europe Convention on Privacy. They wrote, "privacy is a fundamental human right. In the 21st century, it may become one of the most critical human rights of all." Speaking in Brussels, Mr. Rotenberg reiterated EPIC's support for the Convention and also called attention to recent changes that modernize and update the international privacy framework.
- Senator Leahy Expresses Support for International Privacy Day + (Jan. 24, 2012)
Senator Patrick Leahy, the Chairman of the Senate Judiciary Committee, offered a
statement commemorating Data Privacy Day, which takes place on January 28. Senator Leahy urged the Congress to adopt comprehensive data privacy legislation to "better protect Americans' sensitive personal data and reduce the risk of data security breaches." He also recommended changes to the Electronic Privacy Communications Act to "reflect the realities of our time" and to "keep us safe from cyber threats." EPIC will be participating in the annual
Computers, Privacy, and Data Protection conference, taking place this week in Brussels. EPIC will also be announcing the recipients of the 2012 International Champion of Freedom Award and the 2012 US Privacy Champion Award. Join
International Privacy Day on Facebook.
Background
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), drawn up within the Council of Europe by a committee of governmental experts under the authority of the European Committee on Legal Co-operation (CDCJ), was opened for signature by the Member States of the Council of Europe on 28 January 1981 in Strasbourg. The Convention is the first and only binding international legal instrument protecting data privacy. COE 108 is open to any country, including countries which are not Members of the Council of Europe.
In 2018, the Convention was updated to address emerging privacy challenges posed by new information and communication technologies, and to strengthen enforcement of the Convention. The update is known as the Modernized Convention 108, or Convention 108+.
Convention 108 (1981)
The object of the Convention is to strengthen data protection - the legal protection of individuals with regard to automatic processing of personal information. The 1981 Convention reflected the need for new legal rules in the face of increasing reliance on digital data due to higher storage capacity, lower costs of processing, and the skyrocketing growth in data transactions. Many national legal systems lacked comprehensive general rules on the collection, storage, and use of personal information. Therefore, the Council of Europe sought greater unity in the protection of "the individual against abuses which may accompany the collection and processing of personal data" and sought to manage the "transfrontier flow of personal data."
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature in Strasbourg, France on January 28, 1981. Since 2006, 28 January has been celebrated annually around the world as Privacy Day. The COE 108 has been signed and ratified by all 47 members of the Council of Europe, and ratified by seven non-COE countries.
As the explanatory memorandum states, the convention has three parts: (1) substantive law provisions in the form of basic principles; (2) special rules on transborder data flows; (3) mechanisms for mutual assistance and consultation between the Parties.
The Convention requires parties to pass into domestic law the data protection principles set out in the Convention. These include:
- Data quality. Data must be obtained and processed fairly and lawfully; stored for specific legitimate purposes and not used for incompatible purposes; adequate, relevant, and not excessive in relation to purpose; accurate and up to date; and preserved in identifiable form for no longer than required.
- Ban on processing of special categories of data on a person's race, politics, health, religion, sexual life, or criminal record, in the absence of proper legal safeguards.
- Data security.
- Individual rights to access, correction, and erasure if rights are violated.
The Convention also encourages the free flow of data, preventing parties from requiring special authorization for transfers to other parties except in narrow circumstances. Finally, the Convention sets up a system of cooperation in implementing the system, and establishes a Consultative Committee to oversee and implement the convention.
Convention 108+ (2018)
A lengthy review process beginning in 2013 resulted in a 2018 amending protocol. This protocol is known as the Modernized Privacy Convention, or Convention 108+. The aim of the modernization was both to address privacy challenges from new technologies and to strengthen enforcement.
Among other changes, the modernized Convention:
- Requires prompt data breach notification.
- Establishes national supervisory authorities to ensure compliance.
- Permits transfers to non-party states only when personal data is sufficiently protected.
- Provides new user rights around automated decision-making, including algorithmic transparency.
- Requires proportionality and data minimization.
The revisions were opened for signature on October 11, 2018. Thus far, twenty-six COE member states and one non-member state have signed on to the amending protocol.
EPIC's Work
EPIC has long campaigned for the United States to ratify the International Privacy Convention.
In 2009, the U.S. Privacy Coalition, including EPIC, launched the campaign to urge the US Government to support the Council of Europe Privacy Convention and proposed a resolution for the U.S. Senate. The resolution reads:
Expressing a need for the accession to the Council of Europe's Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data
Whereas privacy is a fundamental right, valued by all Americans;
Whereas the increase of automatic processing and sharing of data continuously intensifies the need for more effective implementation and execution of legal instruments;
Whereas data security breaches along with cases of identity theft continue to pose a substantial risk to American consumers and businesses;
Whereas the continued transfer of personal data across national borders raises increasing concerns about the adequacy of privacy protection;
Whereas the current sectoral approach of legislation in the United States is insufficient for appropriate privacy and data protection;
Whereas the domain of privacy and data protection is international and requires an overarching framework in order to acknowledge and protect the fundamental rights of citizens;
Whereas the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data is the most fundamental international instrument in the field: Now, therefore, be it
Resolved, That the Senate-
(1) requests accession to the Council of Europe's Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data
Signed,
.................
In 2010, twenty-nine members of the EPIC Advisory Board wrote to Secretary of State Hillary Rodham Clinton to urge that the United States begin the process of ratification of Council of Europe Convention 108. In 2011, EPIC President Marc Rotenberg addressed the European Parliament and European Commission at a high level meeting to call for U.S. ratification, and the Trans Atlantic Consumer Dialogue, a coalition of consumer groups, called for ratification to bridge the gap in EU-U.S. privacy protection.
The complete text of the modernized Convention will be available in the 2018 edition of the Privacy Law Sourcebook, available at the EPIC Bookstore.
Resources
- Coalition Letter to Council of Europe (July 4, 2018)
- Letter from EPIC to Senate Judiciary Committee (March 26, 2019)
- Comments of EPIC to NTIA (July 31, 2018)
- Letter from EPIC to House Commerce Committee (October 11, 2017)
- Remarks of EPIC President Marc Rotenberg “Accession to Convention 108: Benefits and Commitments” (June 17, 2016)
- Testimony of EPIC President Marc Rotenberg before the House Commerce Committee (November 3, 2015)
- Letter from EPIC, et al., to President Obama (January 22, 2014)
- TACD, Consumer Privacy Rights (May 2012)
- EPIC's Rotenberg Repeats Call for US to Ratify International Privacy Convention, J.D. Supra (January 31, 2011)
- Letter from members of the EPIC Advisory Board to Secretary Clinton (Jan. 28, 2010)
- Privacy Coalition Resolution (2009)
Primary Documents