Data Protection Commissioner v. Facebook & Max Schrems (CJEU)
Top News
- Data Flow Deal Talks Fail Due to Lack of US Action on Privacy: The agreement on transatlantic cooperation reached by U.S. and EU leaders this week did not include the political agreement the White House was hoping for on transatlantic data deals. Last week, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. (Jun. 17, 2021)
- EPIC, Coalition Tell Biden Administration: No Data Flows Deal Until Congress Enacts Privacy Laws: EPIC and 23 other leading civil society groups sent a letter to President Biden today urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. [PRESS RELEASE] (Jun. 10, 2021)
More top news
- Irish High Court Orders DPC to Move Forward in Facebook Investigation (May 14, 2021)
The Irish High Court today issued an order in a follow-on case to Irish Data Protection Commissioner v. Facebook and Schrems ("Schrems II") and, as a result, the investigation into Facebook's U.S.-EU data transfers will move forward. The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013 alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government). The case has since been referred two separate times to the highest court in Europe (the CJEU), and has led to the invalidation of both the U.S.-EU Safe Harbor Agreement and the U.S.-EU Privacy Shield Agreement. The CJEU in the Schrems II decision last year remanded the case to the Irish DPC to determine whether Facebook violated the law and whether it was necessary to block Facebook's U.S.-EU data transfers. The DPC later issued a Preliminary Draft Decision to Facebook and laid out procedures for the inquiry. Both Facebook and Schrems challenged the DPC procedures. The DPC agreed in a settlement with Schrems that it would complete the investigation into his original complaint. The Irish High Court today rejected Facebook's challenge to the DPC inquiry, and both the Schrems complaint and this new DPC inquiry against Facebook will move forward. EPIC participated as an amicus curiae in Schrems II, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- Facebook to be Ordered to Stop Sending EU Data to U.S. (Sep. 10, 2020)
The Irish Data Protection Commissioner has reportedly issued a preliminary order instructing Facebook to stop transferring the data of EU users to the United States. The order comes in the wake of a recent European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- Schrems Files 101 Complaints Targeting US-EU Data Transfers (Aug. 18, 2020)
None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- Transatlantic Consumer Groups: No New Data Transfer Agreement Until Privacy Protections Improved (Jul. 28, 2020)
The Transatlantic Consumer Dialogue (TACD), a coalition of US and European consumer groups, urged EU Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross to stop negotiations for a new data transfer agreement following the invalidation of the EU-U.S. Privacy Shield. In Data Protection Commissioner v. Facebook & Max Schrems, the European Court of Justice (CJEU) found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. In its letter, TACD claims the CJEU's decision is "crystal clear," and that any future data transfer deal will not be valid until the U.S. enacts comprehensive federal privacy legislation. EPIC participated as an amicus curiae in the Schrems case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- BREAKING: Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws (Jul. 16, 2020)
Today the European Court of Justice issued a decision in Irish Data Protection Commissioner v. Facebook & Schrems, a case concerning transfers of personal data by Facebook between the EU and the United States. Specifically, the court considered the validity of transfers made from companies in the EU to companies in the U.S. pursuant to standard contracts or to the EU-U.S. Privacy Shield agreement, both of which had been authorized by the European Commission. But the court held that the Privacy Shield was invalid and that transfers could not be made under the contracts where personal data is not adequately protected. Because U.S. surveillance law authorizes the mass processing of personal data transferred from abroad, under Section 702 of FISA, it "cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter." EPIC participated as an amicus curiae in the case and argued that U.S. surveillance law does not provide an equivalent level of protection because it does not provide adequate protections or remedies for non-U.S. persons abroad. EPIC was represented in this case by the Free Legal Advice Centres (FLAC) and by barristers Grainne Gilmore and Colm O’Dwyer, SC. [PRESS RELEASE]
- EU Legal Advisor Advances Privacy for National Security Matters (Jan. 16, 2020)
The EU Advocate General advised the European Court of Justice that "the means and methods of combating terrorism must be compatible with the requirements of the rule of law" in a case concerning the retention of personal data for law enforcement purposes. The AG recommended limiting retention of data to data that are essential for national security and limiting access to that data subject to prior review by courts. The opinion is not binding on the Court of Justice and the Court will issue a judgment at a later date. The AG cited EPIC's expert submissions in "Schrems 2.0," another case concerning Facebook's transfer of personal data to the United States and the adequacy of U.S. privacy law.
- EU Advocate General Backs Data Transfers, Criticizes Privacy Shield (Dec. 19, 2019)
Today the EU Advocate General issued an advisory opinion in "Schrems 2.0," a case about Facebook’s transfer of personal data to the United States. The Advocate General backed data transfers generally but sharply criticized the EU-US Privacy Shield agreement. The Advocate also said that data protection authorities must enforce privacy obligations. The Advocate General cited EPIC's expert submissions in the case concerning the adequacy of US privacy law. The case follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement. The European Court of Justice is expected to issue a binding opinion in the next few months. After the original Schrems opinion, EPIC testified in Congress. EPIC's Marc Rotenberg urged Congress to "modernize" US privacy law and also establish an independent privacy agency.
- Max Schrems Files GDPR Complaints with French Data Protection Agency (Dec. 10, 2019)
European privacy advocacy group None of Your Business—led by Max Schrems—filed three complaints with the French Data Protection Authority (CNIL). The NOYB complaints charged that companies obtained "fake consent" for online tracking. Max and EPIC have challenged the use of "standard contractual clauses" in a case now before the European Court of Justice, known as "Schrems 2.0". A preliminary decision in that case is expected on December 19. Schrems met with the Privacy Coalition last month in Washington, DC to discuss the GDPR and litigation strategies.
- FTC Announces Privacy Shield No Penalty Enforcement Action (Dec. 3, 2019)
The FTC entered into settlements with four companies that misrepresented their participation in the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. These frameworks permit the transfer of Europeans' personal data to the U.S. with an assurance of privacy protection. The settlements require the companies to halt misrepresentations about compliance, but provide no remedy to those EU citizens whose personal data was collected. EPIC has repeatedly told Congress that the FTC lacks effective enforcement authority. In recent comments on the Privacy Shield, EPIC also noted the absence of a comprehensive U.S. federal privacy law and a data protection authority with the authority to enforce privacy rights. Under the Schrems decision, which provided the basis for the Privacy Shield, the Court of Justice explained that "everyone whose rights and freedoms are violated" has "the right to an effective remedy."
- European Privacy Board Cites Concerns about EU-U.S. Privacy Shield (Nov. 14, 2019)
In a new report the European Data Protection Board is raising concerns about the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. The EDPB, a group of top data protection authorities from across Europe, called for more rigorous review of compliance with the Shield, urged the Privacy and Civil Liberties Oversight Board to publish assessments of U.S. surveillance, and concluded that the Shield Ombudsperson was not a sufficient remedy for potential privacy violations. The European Commission recently renewed the agreement, despite comments from EPIC and other civil society organizations highlighting U.S. mass surveillance practices and weak privacy safeguards.
- EU-U.S. Privacy Shield Renewed, Still in Dispute in Court (Oct. 23, 2019)
The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. The Commission concluded the recent FTC-Facebook settlement did not bar enforcement actions related to the Privacy Shield. The Commission also noted positively the appointment of an Ombudsperson to receive complaints about U.S. surveillance, FTC enforcement actions for false Privacy Shield certifications, and assurances from the U.S. intelligence community that specific selectors are used to limit foreign intelligence collection. The Commission did urge the FTC to bring actions for substantive violations of the Shield. In comments on the Privacy Shield and in a letter to Congress, EPIC called for a permanent end to the broad telephone record collection under Section 215 of the Patriot Act. The validity of the Privacy Shield is still in dispute in several cases before Europe's highest court.
- Access Now Calls for Privacy Shield to be Struck Down (Sep. 18, 2019)
Access Now has called on the European Commission to strike down the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. In comments to the Commission, Access Now wrote "the Privacy Shield has manifestly failed to meet the standards set by EU law from inception to today." The comments cite the limited redress provided by the Privacy Shield Ombudsperson, increased U.S. border surveillance, and the Cambridge Analytica scandal among the shortcomings in US privacy protection. EPIC's earlier comments on the Privacy Shield highlighted the failure of the U.S. to curtail surveillance authorities, the absence of a comprehensive privacy law and a data protection agency. Next month the European Commission will decide whether to renew the pact.
- Company Violates Privacy Shield, FTC Imposes No Penalty (Aug. 22, 2019)
The FTC entered into an enforcement agreement against background screening company SecurTest for falsely claiming to offer privacy protections to EU citizens. According to the FTC, SecurTest's website falsely claimed to participate in the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. The settlement requires SecurTest to halt misrepresentations and submit to compliance monitoring, but provides no remedy to those EU citizens who used the service. In recent comments on the Privacy Shield, EPIC noted the absence in the US of a comprehensive federal privacy law and a data protection authority, with the authority to enforce privacy rights. The European Commission will formally decide whether to renew the pact this fall.
- EPIC Comments on Canada Transborder Data Flow Policy (Aug. 6, 2019)
EPIC provided comments to the Office of the Privacy Commissioner on Canada's policy for transborder data flows. EPIC urged the OPC to require that legal protection for personal data extend across borders, citing risks to privacy after the Capital One breach affected six million Canadians. EPIC also encouraged the OPC to recognize multiple grounds for transfer, coupled with strong accountability measures. This approach is reflected in the EU General Data Protection Regulation and the Council of Europe's Modernized Privacy Convention. EPIC recently submitted comments on the third annual review of the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. EPIC detailed the latest developments in the U.S., including the failure to reform bulk surveillance under Section 702 of FISA, the absence of comprehensive federal privacy law and a data protection authority, the full slate of appointments to the PCLOB, and U.S. endorsement of the OECD AI Principles.
- EPIC Comments on Third Annual Privacy Shield Review (Jul. 15, 2019)
EPIC provided comments to the European Commission to inform the third annual review of the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. EPIC detailed the latest developments in the U.S., including the failure to reform bulk surveillance under Section 702 of FISA, the absence of comprehensive federal privacy law and a data protection authority, and an executive order to collect data about non-citizens from across the federal government. EPIC also applauded appointments to the PCLOB and the U.S. endorsement of the OECD AI Principles. The Commission approved Privacy Shield last year, but urged the U.S. to adopt privacy legislation and to join the International Privacy Convention. The European Commission will make a determination about whether to renew the Privacy Shield this fall.
- EPIC to Discuss US Surveillance before Top European Court (Jul. 8, 2019)
This week EPIC Senior Counsel Alan Butler will appear before the Court of Justice for the European Union in the case Data Protection Commissioner v. Facebook. The case, known as "Schrems 2.0," follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement and leading to the creation of the "Privacy Shield." The current case considers whether the transfer of personal data to the U.S. using standard contract clauses violates the fundamental rights of Europeans. At issue is Section 702 of the FISA Amendments Act and Executive Order 12333. EPIC's Butler will provide the Court with expert analysis on U.S. surveillance law. EPIC is a party to the case, along with Austrian privacy activist Max Schrems. EPIC also recently filed a brief with the European Court of Human Rights in Big Brother Watch v. UK, arguing that the Human Rights Court should review UK-U.S. intelligence transfers in assessing UK bulk surveillance. That case will be heard July 10th.
- EPIC Urges Senate to Strengthen US Privacy Laws for Cross Border Data Flows (Mar. 26, 2019)
EPIC sent a statement to a Senate committee on Foreign Relations regarding the nomination of Keith Krach to Under Secretary of State. Krach would serve as the US Privacy Shield Ombudsperson, a pivotal role concerning the transfer of personal data between the EU and the US. EPIC took no position on the nominee, but wrote to underscore the urgency of Congressional action to safeguard the privacy interests of Americans. EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take three steps to update U.S. privacy law: (1) enact comprehensive baseline privacy legislation, (2) establish an independent data protection agency, and (3) ratify the International Privacy Convention.
- European Privacy Board Report Criticizes Privacy Shield Compliance (Jan. 25, 2019)
A report from the European Data Protection Board, an influential independent European privacy body, criticizes U.S. oversight of the EU-U.S. Privacy Shield. The European Commission recently renewed the framework permitting the flow of European consumers' personal data to the U.S. However, the Board now states U.S. oversight of compliance lacks "substantial checks." The EU Data Protection Board encouraged the Privacy and Civil Liberties Oversight Board to review U.S. surveillance authorities, and stated that the Privacy Shield Ombudsperson could not be considered an "effective remedy" for privacy violations. During review of Privacy Shield, EPIC cited concerns about the failure of the FTC to enforce the 2011 Consent Order against Facebook, passage of the CLOUD Act, and renewal of bulk foreign intelligence surveillance.
- EU-U.S. Privacy Shield Renewed, Privacy Commitments Ignored (Dec. 19, 2018)
The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. Oddly, the Commission cited the FTC investigation into the Cambridge Analytica scandal (which has produced no outcome) and the appointment of three members to the PCLOB as support for renewal. The report also overlooked the failure of the FTC to enforce the 2011 Consent Order against Facebook, which ultimately compromised the personal data of several hundred million Europeans. And the Commission had little concern with passage of the CLOUD Act, renewal of Section 702 of FISA (permitting bulk surveillance of Europeans), and other shortcomings cited by EPIC comments and the European Parliament. The Commission did recommend an Ombudsperson for Privacy Shield (which was required in the original agreement), and encouraged the U.S. to ratify the International Privacy Convention.
- U.S. Defends Privacy Shield, But Fails to Comply with Privacy Commitments (Sep. 5, 2018)
The Department of Commerce has told the President of the European Parliament that the US is in compliance with the Privacy Shield, a pact that permits US companies to obtain the personal data of Europeans. The statement follows a resolution of Parliament to suspend the international arrangement if the U.S. did not comply in full by September 1. The Parliament cited the Cambridge Analytica data breach, the reauthorization of FISA Section 702 without reform, the failure to stand up the PCLOB, the passage of the CLOUD Act, and the absence of a Privacy Shield ombudsman. The Commerce Department disputed the Parliament's findings but failed to show progress on the issues identified. EPIC highlighted similar problems with data protection in the United States in recent comments to the European Commission. Almost six months have passed since the FTC reopened the investigation of Facebook's compliance with the 2011 consent order, which followed a complaint from EPIC and other consumer privacy organizations.
- EPIC Comments on Second Annual Privacy Shield Review (Aug. 14, 2018)
EPIC provided comments to the European Commission to inform the second annual review of the EU-U.S. Privacy Shield, a framework that permits the processing of the personal data of Europeans in the United States. EPIC detailed the latest privacy developments in the U.S., including the extension of Fourth Amendment protection to cell phone location data in Carpenter v. United States, passage of the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the vacancies at the PCLOB, the absence of a Privacy Shield Ombudsman at the Commerce Department, and the nomination of Judge Brett Kavanaugh to the Supreme Court. The Commission approved Privacy Shield last year, but sought additional steps by the United States. The European Parliament has called for suspension of the pact if the U.S. does not fully comply by September 1st. The European Commission will make a final determination this fall.
- For Internet Policy, EPIC Urges Congress to Update U.S. Privacy Laws (Jul. 30, 2018)
In advance of a hearing on "The Internet and Digital Communications: Examining the Impact of Global Internet Governance," EPIC urged the Senate Commerce Committee to prioritize updating U.S. privacy law to respond to changes in technology. "The failure of the United States to address the growing concerns about online privacy is threatening both the digital economy and democratic institutions," EPIC stated. EPIC explained that privacy protection is necessary to ensure the free flow of information online. EPIC again warned Congress that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S., if the United States does not modernize privacy law and establish a federal data protection agency.
- European Parliament: 'Privacy Shield' Does Not Protect Privacy, Calls for Suspension (Jul. 5, 2018)
The European Parliament has called for the suspension of the "Privacy Shield" if the U.S. does not comply in full by September 1, 2018. The resolution states that the pact, which permits US companies to obtain the personal data of Europeans, does not protect privacy. The Parliament cited numerous problems, including the Cambridge Analytica breach of 87 million Facebook users' data, the reauthorization of FISA Section 702, the failure to appoint members to the PCLOB, and passage of the CLOUD Act, which permits US law enforcement agencies to access personal data stored in Europe. The vote of the full Parliament follows an earlier statement from the civil liberties "LIBE" committee. EPIC highlighted many of the same concerns in recent comments. EPIC also told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook. The European Commission, the EU body in charge of the Shield, must now decide how to respond.
- FTC Announces Another Privacy Settlement, But Again Imposes No Penalties (Jul. 2, 2018)
The FTC announced today that it settled charges with ReadyTech, a California company, for misrepresenting compliance with Privacy Shield, a self-certification arrangement that allows US companies to obtain the personal data of Europeans. The FTC settlement prohibits the company from making future misrepresentations about Privacy Shield compliance, but imposes no penalties and provides no remedy to European consumers whose personal data was wrongfully obtained. Last year, the FTC settled charges with three companies that misrepresented their participation in Privacy Shield, but similarly failed to impose penalties. The European Parliament's Civil Liberties Committee ("LIBE") recently passed a resolution stating that Privacy Shield does not protect European consumers, and called for its suspension if the U.S. does not comply by September 1, 2018. LIBE specifically called attention to the Cambridge Analytica breach of 87 million Facebook users. In March, EPIC told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook.
- European Civil Liberties Committee: 'Privacy Shield' Should Be Suspended (Jun. 12, 2018)
Members of European Parliament are calling for the suspension of the EU-U.S. Privacy Shield if the U.S. does not comply in full by September 1, 2018. The Civil Liberties Committee ("LIBE") passed a resolution stating that the pact, which permits the flow of European consumers' personal data to the U.S., does not adequately protect privacy. LIBE urged US authorities to respond without delay to the Cambridge Analytica breach of 87 million Facebook users. The groups also expressed "strong concerns" about the CLOUD Act which permits US law enforcement to unilaterally access personal data stored in Europe. EPIC recently told the FTC that the Cambridge Analytica breach could have been avoided had the agency enforced a 2011 Consent Order that EPIC and a coalition of consumer privacy groups obtained.
- EPIC Seeks Records from FTC Regarding Irish Audits of Facebook (May 11, 2018)
EPIC has submitted a Freedom of Information Act request seeking records about the Irish Data Protection Commissioner's inquiries regarding Facebook’s compliance with the FTC's Consent Order. In 2011, the Austrian privacy group Europe-v-Facebook and other parties filed formal complaints to the Irish Data Protection Commissioner about third party access to Facebook user data. The Irish Data Protection Commissioner then initiated an audit of Facebook to assess its compliance with both Irish Data Protection Law and EU law. The 2011 Irish audit found that the safeguards for third party applications did not ensure security for user data. In a 2012 re-audit, the Irish Commissioner found a "satisfactory response" from Facebook regarding preventing third party applications. Following the 2012 re-audit, the FTC and the Data Protection Commissioner signed a Memorandum of Understanding to exchange information to enforce compliance with privacy laws in each respective country. Two years after the Data Protection Commissioner found a "satisfactory response" from Facebook regarding third party applications, a third party application harvested the data of over 87 million users and transferred the data to Cambridge Analytica.
- Facebook Denied Attempt to Delay Review of EU-US Personal Data Transfers (May 3, 2018)
The Irish High Court has denied Facebook's request to halt review of Data Protection Commissioner v. Facebook by Europe's top court. The case, which was recently referred to the European Court of Justice, concerns whether Facebook's transfers of personal data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the landmark 2015 decision that the US had insufficient privacy protections to allow transfer of Europeans' personal data. Ruling against Facebook's request to delay the case further pending appeal, the Irish court said EU data subjects could be harmed if the case were delayed, and that there were “considerable concerns” about Facebook's conduct in the case. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law.
- European Court of Justice Receives Key Questions on Future of EU-US Personal Data Transfers (Apr. 12, 2018)
The Irish High Court has sent eleven questions to the European Court of Justice for review in Data Protection Commissioner v. Facebook. The case considers whether Facebook's transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the 2015 landmark decision Schrems v. DPC, which found that the US had insufficient privacy law to protect the personal data of Europeans. The new case examines "standard contractual clauses" and whether the US provides sufficient remedies for privacy violations, whether future data transfers should be suspended, and whether the EU-US "Privacy Shield" matters. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law.
- EPIC Tells House to Probe Commerce Secretary on Data Protection, Privacy Shield (Mar. 20, 2018)
EPIC has sent a statement to the House Appropriations Committee outlining the key privacy issues facing the Secretary of Commerce. The Committee held a hearing today to discuss the FY19 budget for the Department of Commerce. EPIC stated that data protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC said the FTC is simply not doing enough to safeguard the personal data of American consumers, as evidenced by this week's report on Facebook and Cambridge Analytica. EPIC also warned that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S., if the United States does not modernize privacy law and establish a federal data protection agency.
- European Court of Justice Grants Standing to Privacy Advocate But Bars Class Action under Austrian Law (Jan. 30, 2018) +
The Court of Justice of the European Union, following an
advisory opinion, has
determined that Max Schrem's class action in Austria cannot proceed against Facebook, but individual privacy claims can. The Court granted Schrems standing, recognizing that "the activities of publishing books, giving lectures, operating websites," and similar activities does not entail the loss of "a user's status as a 'consumer.'" However, the Court found that "the consumer forum cannot be invoked" in "claims assigned by other consumers." The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member
Max Schrems alleges that Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. Max Schrems recently launched
NOYB to pursue class actions under the
General Data Protection Regulation. In 2013, Max Schrems received the
EPIC International Champion of Freedom Award.
- Congress Renews Controversial Surveillance Measure, EU Impacted (Jan. 18, 2018)
In a decision that could jeopardize relations with Europe, Congress has
renewed "Section 702" of the
Foreign Intelligence Surveillance Act, which permits broad surveillance of individuals outside of the United States. The
FISA Amendments Reauthorization Act also permits government
surveillance of Americans and restarts the controversial
"about" collection program. Congress rejected
updates, including limits on data collection, that would preserve a
privacy agreement between Europe and the United States. The European Court of Justice will also soon
decide whether to allow data transfers from Ireland to the United States. EPIC
served as the US NGO amicus curiae in that case.
- European Privacy Experts Call for New Review of EU-US Data Arrangement (Dec. 5, 2017)
The
Article 29 Working Party, a group of European privacy experts, is
calling for a reexamination of the
Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a new
report, the Working Party said that "significant concerns" should be resolved by May 25, 2018 when the
GDPR goes into force. If not, "the members of WP29 will take appropriate action," including litigation. The Working Party cited the US failure to appoint an
Ombudsperson to review complaints, vacancies at the
Privacy and Civil Liberties Oversight Board, and continued mass surveillance practices by U.S. intelligence agencies. The report follows an earlier
review of the EU-US agreement which found "sufficient" protection of EU personal data transferred to the United States. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in
DPC v. Facebook, a case now before the European Court of Justice. In a related development, the Working Party also established a task force which will coordinate national investigations of the Uber data breach now underway in Europe.
- European Court Adviser Says Facebook Privacy Class Action Barred (Nov. 15, 2017)
The
opinion of a key adviser to the
European Court of Justice holds that a class action cannot proceed against Facebook, but would permit individual privacy claims to move forward. The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member
Max Schrems alleges Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. The opinion from Advocate General Bobek said a "consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers," citing the risk of consumers shopping for the most favorable forums. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also
consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights. In 2013, Max Schrems
received the EPIC International Champion of Freedom Award.
- European Court Adviser Says Local Regulators Can Enforce Privacy Laws Against Facebook (Oct. 24, 2017)
The
opinion of a key adviser to the
European Court of Justice holds that local European data protection authorities can directly enforce privacy laws against Facebook. The case involves a German data protection authority's order to deactivate a local Facebook fan page for illegally tracking users. The opinion from Advocate General Bot said regional data protection authorities can intervene to stop unlawful data practices. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also
consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights.
- EU Approves Data Transfer Arrangement, But Seeks Stronger U.S. Privacy Protections (Oct. 18, 2017)
Following the first annual review of the pact, the European Commission has
approved the EU-U.S.
Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. However, the Commission
urged the U.S. to appoint a permanent
Ombudsperson to review complaints, to restore the
Privacy and Civil Liberties Oversight Board, and to pass the Obama-era
Presidential Policy Directive-28 into law. In a recent letter to
Congress, EPIC emphasized the need to update U.S. privacy laws. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in
DPC v. Facebook, a case now before the European Court of Justice.
- EPIC Urges House to Strengthen US Privacy Laws for Cross Border Data Flows (Oct. 12, 2017)
EPIC sent a
letter to a House committee on Digital Commerce and Consumer Protection for the
hearing "21st Century Trade Barriers: Protectionist Cross Border Data Flow Policy's Impact on U.S. Jobs." EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take four steps to update U.S. privacy law: (1) enact the Consumer Privacy Bill of Rights, (2) modernize the Privacy Act, (3) establish an independent data protection agency, and (4) ratify the International Privacy Convention. EPIC also noted that the
Schrems II decision calls into question the viability of
"Privacy Shield," the current data transfer scheme between the US and EU.
- FTC Announces Privacy Shield Settlement but Imposes No Penalties (Sep. 8, 2017)
The Federal Trade Commission
announced today a settlement with three companies that misrepresented their participation in the
Privacy Shield arrangement. The
Privacy Shield allows companies to transfer the personal data of European consumers to the United States based on a system of industry self-certification. The FTC settlement prohibits the companies from making future false claims about compliance with Privacy Shield, but does not impose any penalty. The FTC settlement also fails to provide any remedy to the EU consumers whose personal data was wrongfully obtained, nor does it require the companies to disgorge the data they fraudulently obtained.
EPIC and consumer organizations in the
US and
Europe have criticized Privacy Shield for failing to establish basic privacy protection and lacking effective remedies. The FTC is now soliciting public comments on the proposed settlements, and the deadline to file a
comment is October 10, 2017.
- European Privacy Officials Push for Answers on Status of U.S. Privacy (Jun. 13, 2017)
The
Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US
Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a
letter to the Commission, the Working Party outlined its expectations for this summer's annual review of the arrangement. The Group asked for "precise evidence" that bulk surveillance is "limited and proportionate." The Working Party also seeks information about vacancies in key privacy oversight positions, including the
Privacy and Civil Liberties Oversight Board and the
Privacy Shield Ombudsperson, and any legal protections for "automated decision making." The European Parliament previously
expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations
urged the US and the EU to strengthen privacy protections following a landmark
decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in
DPC v. Facebook, highlighting weaknesses in US privacy law.
- EPIC Urges Senate Committee To Reform Surveillance Law (Jun. 6, 2017)
In advance of a
hearing on the
Foreign Intelligence Surveillance Act, EPIC has sent a
Statement to the Senate Select Committee on Intelligence urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted several
legal challenges to an NSA bulk surveillance program abroad. The bulk surveillance program for the communications of non-U.S. persons sunsets on December 31, 2017. EPIC
testified before the House Judiciary Committee during the 2012 FISA reauthorization hearings, recommended improved public reporting, and warned pre-Snowden that the extent of mass surveillance was much greater than was known to the public.
- EPIC, Privacy Coalition Meet with EU Data Protection Supervisor (Apr. 21, 2017)
European Data Protection Supervisor
Giovanni Buttarelli spoke today to the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy between civil society organizations and policy leaders. Mr. Buttarelli addressed relations between the European Union and the United States, and discussed encryption policy, the
E-Privacy Regulation, the
Privacy Shield, and the
U.S. Privacy Act as it applies to foreigners, among many other topics. Recent speakers at the Privacy Coalition have included FTC Chair Maureen Ohlhausen and FCC Senior Counsel Nick Degani.
- European Parliament Expresses Alarm Over Rollback of US Privacy Safeguards (Apr. 6, 2017)
In a
resolution passed today, the European Parliament
expressed alarm over the rollback of U.S. privacy safeguards necessary for
Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. The Parliament cited several recent developments including
procedures that allow the NSA to disseminate raw data across the US government, vacancies at the Federal Trade Commission and the
Privacy and Civil Liberties Oversight Board, the
repeal of an FCC privacy rule, and the absence of effective redress for violations of Privacy Shield. The resolution of Parliament called on the European Commission to rigorously analyze these matters and to "take all necessary measures" to ensure the agreement respects EU privacy rights. In 2015, EPIC and a coalition of privacy organizations had
urged the US and the EU to strengthen privacy protections, following a landmark
decision that found insufficient legal protections for the transfer of consumer data to the US.
- NGOs Continue Campaign Against Privacy Shield (Mar. 2, 2017)
In March 2016, EPIC and more than
20 civil society organizations urged European leaders to oppose adoption of the
"Privacy Shield" for EU-US data flows. The NGOs
wrote that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the
Schrems case. The groups urged the US to make changes in domestic laws and international commitments to permit transfers of personal data to the US. The ACLU and Human Rights Watch have now also sent a
letter asking Europe to reexamine
Privacy Shield. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler has made submissions in
DPC v. Facebook highlighting weaknesses in US privacy law.
- EPIC Urges House Committee To Ensure Transparency, Public Reporting in Surveillance Law (Mar. 1, 2017)
In advance of a
hearing on Section 702 of the Foreign Intelligence Surveillance Act, EPIC has sent a
letter to the House Judiciary Committee urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted that Section 702 is the central focus of multiple current
legal challenges to international data transfer agreements occurring abroad. Section 702, which authorizes bulk surveillance of the communications of non-U.S. persons, sunsets on December 31, 2017. EPIC
testified before the Committee during the 2012 FISA reauthorization hearings.
- EPIC in Court: Irish High Court Examines EU-US Data Transfers (Mar. 1, 2017)
Today EPIC made
submissions before the Irish High Court in
Data Protection Commissioner v. Facebook, concerning privacy protections for transatlantic data transfers. EPIC explained that "U.S. privacy law is characterized by particularly narrow conceptions of privacy and personal data, which in turn limit the scope of relevant constitutional, statutory, and regulatory privacy protections." EPIC also stated, "many of the privacy safeguards under U.S. law in fact operate to the exclusion of E.U. citizens" and that the "standing" doctrine is an overarching barrier to legal redress. EPIC is represented by FLAC (
Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all. [
Press Release]
- European Privacy Officials Raise Concerns About US Immigration Executive Order (Feb. 22, 2017)
The Article 29 Working Party, an expert group of European privacy officials, has
raised concerns over a provision in the immigration
Executive Order that would limit Privacy Act protections. The Working Party is seeking assurance from the US that the change will not threaten the privacy rights of non-US citizens established in the
"Privacy Shield" and the
Umbrella Agreement. EPIC is currently participating in
Data Protection Commissioner v. Facebook, a case following a landmark
decision that found insufficient legal protections for the transfer of European consumer data to the US.
- Senators Call for Answers from Secretary Kelly on Privacy Act Exclusion (Feb. 9, 2017)
In a
letter to DHS Secretary Kelly, Senator Markey (D-MA) and five other Senators pressed DHS about the impact of an
Executive Order limiting federal
Privacy Act protections. "These Privacy Act exclusions could have a devastating impact on immigrant communities and would be inconsistent with the commitments made when the government collected much of this information," the Senators contended. The Senators also called on Secretary Kelly to explain the Order's impact on
international commitments that permit U.S. firms to obtain access to the data of European consumers. EPIC is participating in
Data Protection Commissioner v. Facebook, a case which follows a landmark
decision that found insufficient legal protections for the transfer of European consumer data to the United States.
- EPIC Participates in Irish Case on Future of EU-US Data Transfers (Feb. 6, 2017)
This week the case
Data Protection Commissioner v. Facebook, concerning privacy protection for transatlantic data transfers, begins in Ireland. The case follows a landmark
decision which found insufficient legal protections for the transfer of European consumer data to the United States. Mr. Schrems, an Austrian privacy advocate, now
challenges Facebook's "standard contractual clauses" as failing to protect privacy. The Irish High Court
designated EPIC as the US NGO amicus curiae in the case. EPIC is represented by FLAC (
Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all.
- US Designates Countries Covered Under the Judicial Redress Act (Jan. 23, 2017)
During the final week in office, the Obama Department of Justice released the
list of European countries covered under the Judicial Redress Act. The
Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU
"Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the
Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended
substantial changes to the Judicial Redress Act, explaining in a
letter to Congress that the bill still did not provide adequate protection to permit
transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement.
- White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office (Jan. 19, 2017)
As one of the final acts of the outgoing President, the White House has
released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." In 2008, President Obama announced "Change We Can Believe In" and
said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the country urged the President to strengthen privacy in America. In 2012, Obama
proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the
Freedom Act and Obama
reformed intelligence practices, but the US failed to limit data collection outside the US. The
"Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place even after NGOs
urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of
data breach,
identity theft, and financial fraud in the United States skyrocketed, even as Americans
called for stronger protections. The 2016 Presidential election was marked by
data breaches,
email disclosures and
cyber attack. The U.S. is still one of the few democratic nations in the world without a
data protection agency.
- EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy Shield (Jan. 18, 2017)
EPIC has sent a
letter to the Senate Commerce Committee outlining the key privacy issues that the next Secretary of Commerce should address. The Committee convened this week to
consider the nomination of Wilbur Ross for Commerce Secretary. EPIC stated that privacy protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC urged the Committee to ensure the nominee "make clear his commitment to a comprehensive approach to data protection, based in law." EPIC warned about the
inadequacy of the
Privacy Shield, a non-legal framework that permits the flow of European consumers' personal data to the United States, outside of European privacy law.
- New Study Shows Global Increase in Comprehensive Privacy Protections (Nov. 29, 2016)
An updated
study by
David Banisar of the human rights organization
Article 19 finds that over 100 countries now have data protection laws. Another 40 countries are considering new laws, and most countries have established a data protection authority to enforce privacy protections. Two EPIC publications - The
Privacy Law Sourcebook 2016 and
Privacy and Human Rights: An International Survey of Privacy Laws and Developments - provide an overview of privacy frameworks around the world and track emerging privacy challenges. EPIC has urged the US Congress to establish a
federal privacy agency and to enact
comprehensive privacy legislation.
- Second Legal Challenge Launched Against "Privacy Shield" (Nov. 3, 2016)
La Quadrature du Net, a French privacy organization, has
launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar
challenge brought by the Irish group Digital Rights Ireland. "Privacy Shield" was the response of EU and US politicians after the European Court of Justice
determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a
comprehensive framework for data protection and
said that Privacy Shield was not adequate. EPIC also
testified before Congress on the need to update US privacy law. EPIC is currently participating as
amicus curiae in a related case brought by privacy advocate Max Schrems.
- Privacy Advocates Challenge EU-US Data Transfer Agreement (Oct. 27, 2016)
An Irish privacy organization is
challenging the EU-US framework for transferring personal data, the "
Privacy Shield," in the European high court. This challenge follows a decision last year
invalidating the previous framework, "Safe Harbor." In that case, the Court of Justice of the European Union concluded that personal data transferred to the United States lacks adequate legal protection. EPIC is participating as
amicus curiae in a related case brought by privacy advocate Max Schrems. EPIC also recently submitted a
brief to the European Court of Human Rights in a challenge to UK surveillance.
- Reuters: US Government Issued Secret Order to Yahoo to Scan All E-mails (Oct. 4, 2016)
Reuters reported today that Yahoo scanned the private email of Yahoo users pursuant to a secret directive issued by the FBI. The email scanning technique, based on a search for key terms, recalled a similar
FBI program “Carnivore” that was found to capture far more information than authorized, according to
documents obtained by EPIC under the Freedom of Information Act. The news report also renews concerns about the scope of US Internet surveillance. The European Court of Justice
struck down an EU-US data transfer deal last year, following revelations that US Internet firms collaborated with the NSA to enable mass surveillance. A related case,
Irish Data Protection Commissioner v. Facebook, is now pending. The Irish High Court has selected EPIC as "a friend of the court" to "counterbalance" the submission of the United States intelligence community.
- Privacy Shield Sign-ons Begin (Aug. 2, 2016)
The European Commission
announced that the
EU-U.S. Privacy Shield data transfer arrangement is "fully operational" and U.S. "companies are able to sign up with the
Department of Commerce." The framework was adopted by the European Commission over objection by
European data protection authorities, the
European Data Protection Supervisor, the
European Parliament, and
EU and US NGOs. The deal will be subject to
future legal scrutiny and experts
predict that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC has
urged the EU and US to strengthen safeguards for transborder data flows including
redress mechanisms.
- Irish Court Approves EPIC as Amicus in Schrems Case (Jul. 19, 2016)
The Irish High Court has
accepted EPIC's application to participate in a case about data protection rights and
Facebook's contractual clauses. The case follows Max Schrems'
complaint to the Irish Data Protection Commissioner after the
European Court of Justice's decision to strike down the
Safe Harbor arrangement. EPIC will provide the Irish Court, and perhaps also the Court of Justice, expert opinion on U.S. surveillance law. EPIC recently joined a
case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a "friend of the court" in
almost 100 cases in the United States concerning emerging privacy and civil liberties issues.
- European Commission Signs Off on Flawed "Privacy Shield" (Jul. 12, 2016)
The
European Commission has approved the
"Privacy Shield" which will allow companies to
transfer personal data of Europeans to the U.S. without legal protections.
European data protection authorities, the
European Data Protection Supervisor, and
EU and US NGOs identified
flaws with the non-binding framework. Citing a judgement of the European high court which struck down a similar framework,
Max Schrems and Jan-Philipp Albrecht predicted that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice."
EPIC and other
consumer organizations urged the EU and US to strengthen safeguards for transborder data flows. According to the Federal Trade Commission, identity theft complaints in the US
increased by 47% between 2014 and 2015.
- Privacy Shield Revisions Fail to Satisfy Legal Requirements (Jun. 29, 2016)
A
revised draft of the
Privacy Shield includes some modifications on the scope of US bulk data collection, the role of the "ombudsperson," and data erasure but fails to resolve flaws previously identified by
European data protection authorities and the
European Data Protection Supervisor.
EPIC and an international coalition of NGOs previously called for
substantial changes in the Privacy Shield to
respect the fundamental rights to privacy and data protection.
- EPIC's Rotenberg Outlines Need for International Privacy Framework (Jun. 17, 2016)
Speaking at the
Council of Europe in Strasbourg, EPIC President Marc Rotenberg
outlined the need for the US to ratify the
International Privacy Convention. Rotenberg said it was "unlikely that the Privacy Shield will survive another trip to Luxembourg." The
Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from
European consumer groups, NGOs,
privacy officials, and the
EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts
endorsed the Council of Europe Privacy Convention. In 2010 members of the
EPIC Advisory Board urged then Secretary of State Hillary Clinton to seek US ratification of the Privacy Convention.
- Top European Privacy Official Rejects EU-US "Privacy Shield" (May. 31, 2016)
The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He
called for changes in the
draft arrangement to permit data transfers to the United States. "Significant improvements are needed,"
said Giovanni Buttarelli. The
Article 29 Working Party, the
European Parliament, and a
coalition of EU and U.S.
consumer organizations have also
opposed the data transfer proposal. Citing rampant
data breaches in the United States, NGOs have urged
strong safeguards for
privacy and data protection.
- European Parliament Requires Changes to Privacy Shield (May. 26, 2016)
The European Parliament
called for changes in the
draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement"
privacy recommendations and negotiate further
changes to the "Privacy Shield." The
European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week.
EPIC and other
consumer and
privacy organizations have said that the Privacy Shield
fails to provide adequate safeguards for consumers.
- TACD Opposes "Privacy Shield," Urges Rejection by EU (Apr. 7, 2016)
The
Transatlantic Consumer Dialogue has
urged the European Commission to reject the
"Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a
coalition of NGOs have urged the US to adopt a
robust data protection law and
end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.
- EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield" on End of 702 Surveillance (Mar. 17, 2016)
Speaking before the European Parliament on
"Privacy Shield," Marc Rotenberg outlined several flaws in the
proposed EU-US data transfer agreement, including a weak privacy framework,
lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the
"702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has
urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect
changes in US law as required by the
Schrems decision.
- NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection (Mar. 16, 2016)
More than
twenty civil society groups have urged European leaders to oppose adoption of the
"Privacy Shield" for EU-US data flows. The NGOs
state that the political agreement
fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the
Schrems case. The groups said the US must make changes in domestic laws and international commitments to comply with the decision and permit transfers of personal data. EPIC has launched
"Data Protection 2016" to support stronger privacy safeguards in the US.
- "Privacy Shield" Released, New Questions Raised (Feb. 29, 2016)
The text of the
"Privacy Shield" was released today by the European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the
Schrems case. But the
framework appears to provide less protection than the
Safe Harbor arrangement it replaces. New exceptions
take broad categories of personal data entirely outside the scope of the agreement. Max Schrems
said "this is far from what the Court required and does not seem like a stable solution." Privacy experts will now assess the text and
determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have
urged the US to update its privacy laws.
- European Commission Wrongly Denies EPIC's Request For "Privacy Shield" (Feb. 26, 2016)
The European Commission has wrongly
denied EPIC's
Freedom of Information request for the text of the
"Privacy Shield." The Commission said the adequacy decision about
Safe Harbor is "in preparation" and "negotiations with the U.S. are still ongoing." The Commission confused the text of the political agreement, known as "the Privacy Shield," with a legal determination about whether the agreement meets EU data protection law. EPIC will pursue public release of the Privacy Shield, which was
previously announced, and then the release of the adequacy determination when it is final. EU and US
Consumer and privacy organizations have
opposed the agreement because it fails to provide
adequate privacy protections.
- Department of Commerce: Privacy Shield "does not exist" (Feb. 10, 2016)
As a
response to EPIC's Freedom of Information
request for the
"Privacy Shield," the Commerce Department responded that "the record you requested does not exist."
EU and
US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577.
- EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement (Feb. 4, 2016)
EPIC has filed emergency Freedom of Information requests with the
US and the
EU for release of a secret agreement for the transfer of personal data across the Atlantic. A new framework was required by a
recent decision of the European Court of Justice. But
European and American
consumer organizations say the "Privacy Shield" does not provide
adequate protection for the transfer of personal data. EPIC stated, “The public has a right to know whether this agreement provides adequate legal protection.” EPIC previously
obtained the secret
EU-US Umbrella Agreement in
FOIA litigation.
- Privacy Commissioners to Review "Privacy Shield" (Feb. 3, 2016)
The
Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the
"Privacy Shield" proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a "necessary and proportionate" standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve "wider concerns raised by the
Schrems judgement."
- Anticipating Annulment, EU-US Negotiators Sign Off on "Privacy Shield" (Feb. 2, 2016)
Disregarding a decision of the European Court of Justice, negotiators for the US Commerce Dept., the FTC, and the European Commission have agreed to allow the continued transfer of consumer data without adequate legal protection. A virtually identical arrangement was recently struck down by the Court in the Schrems case as a violation of multiple rights of Europeans, including rights to privacy, data protection, and effective redress. Consumers in the US have also expressed concern about rising levels of data breach, identity theft, and financial fraud. EPIC and many EU and US consumer organizations urged negotiators to establish strong safeguards for the transfer of personal data.
- Schrems Responds to US Lobby Groups on Safe Harbor (Jan. 29, 2016)
In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that "attempts by lobby groups and the US government to 'reinterpret' or 'overturn' the clear judgement of the Union's highest court are fundamentally flawed." Schrems brought the successful case to the European Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide "protection against government surveillance and "essentially equivalent" protection against the commercial use of data by certified companies." Max Schrems received the 2013 EPIC Champion of Freedom Award.
- "Clock is ticking" on Safe Harbor, says European Consumer Organization (Jan. 29, 2016)
BEUC, the consumer organization of the European Union, has urged European policy makers to accept a revised Safe Harbor arrangement only if it complies with the Schrems decision and "guarantees that EU citizens' fundamental rights are upheld when their data is exported to the United States." Last year, 40 consumer privacy organizations in Europe and the United States urged US Secretary Pritzker and EU Commissioner Jourova to take specific steps to close the widening EU-US data divide. Secretary Pritzker has been unwilling to meet with consumer organizations.
- EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement (Jan. 25, 2016)
After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's opposition to the agency's attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.
- EPIC Urges Senate to Postpone Action on Judicial Redress Act (Jan. 16, 2016)
Today EPIC urged the Senate Judiciary Committee to postpone action on the Judicial Redress Act until the Department of Justice releases a secret data transfer agreement on which the bill is based. The so-called Umbrella Agreement outlines data transfers between law enforcement agencies in Europe and the United States. EPIC has sued the DOJ for release of the document. EPIC also urged the Senate Committee to conduct a public hearing on Privacy Act modernization following the massive data breach at the Office of Personnel Management. EPIC previously wrote to the House Judiciary Committee to recommend updates to the Privacy Act.
- EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit (Jan. 6, 2016)
In its fight to obtain a copy of the EU-US Umbrella Agreement, EPIC asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC's complaint, the court entered default against the agency. The Agreement is central to pending legislation, which the Senate Judiciary Committee is set to debate this month, yet the DOJ has not made the document available to the public or to Members of Congress.
- European Institutions Conclude Data Protection Reform (Dec. 15, 2015)
The EU Commission, Parliament and Council reached an agreement on a comprehensive new privacy law after four years of negotiation. The General Data Protection Regulation establishes common privacy rules across Europe and creates strong enforcement power. The law will be fully applicable in about two years. The new law is a "major step forward for consumer protection and competition," said Jan Philip Albrecht. Sophie In’t Veld said, "The EU will now have the most extensive data protection laws in the world and will set global standards." EPIC and many consumer privacy organizations have urged the US to modernize domestic privacy law. EPIC President Marc Rotenberg told USA Today, "The U.S. will need to update privacy laws to safeguard U.S. consumers and maintain trade relations with Europe."
- Senate Postpones Action on Weak EU-US Privacy Measure (Dec. 12, 2015)
The Senate Judiciary Committee has "held over" the Judicial Redress Act, industry-sponsored legislation regarding the transfer of personal data on Europeans to the United States. European legal experts have stated that the measure does not provide meaningful protections for the data of Europeans. Forty NGOs have recommended substantial changes to privacy law in the US and the EU to make possible the continuation of transborder data flows. EPIC has also recommended specific changes to the Judicial Redress Act. European data protection agencies are expected to begin enforcement actions against US companies after January 30, 2016. According to Govtrack, the Judicial Redress Act has a "1% chance of being enacted."
- Austrian Supreme Court to Consider Schrems' Case against Facebook (Dec. 4, 2015)
The Austrian Supreme Court will decide if the Schrems case against Facebook can be brought as a class action. "The 'class action' is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook," says Schrems. EPIC frequently works to protect the interests of Internet users facing common violations of privacy rights.
- Schrems Pursues Legal Actions to Block Data Transfers to the US (Dec. 2, 2015)
EU Privacy Advocate Max Schrems made new legal moves following the judgment of the European Court of Justice that struck down the Safe Harbor data transfer pact. He filed complaints with data protection officials in Ireland, Germany and Belgium to block Facebook data transfers to the United States. Schrems says he wants to "ensure that this very crucial judgment is also enforced in practice when it comes to the US companies that are involved in US mass surveillance." NGOs in Europe and the United States have urged governments to update domestic privacy laws and strengthen international commitments to enable the continued transfer of data between the EU and the US.
- NGOs Reject "Safe Harbor 2.0," Urge EU and US to Protect Fundamental Rights (Nov. 12, 2015)
Leading human rights and consumer organizations have issued a letter to urge the US and the EU to protect the fundamental right to privacy. After the Schrems decision the parties are now renegotiating the invalidated Safe Harbor arrangement. The groups warned that without significant changes to "domestic law" and "international commitments," a Safe Harbor 2.0 will almost certainly fail. NGO leaders call for a comprehensive privacy framework in the US, commitment to strong encryption and ending mass surveillance on both sides of the Atlantic.
- European Commission Issues Guidance on Data Transfers Post-Schrems (Nov. 6, 2015)
The European Commission has published guidelines for EU-US data transfer after the invalidation of the Safe Harbor framework. The Commission explained that the Safe Harbor case "underlined the importance of fundamental right to data protection." The Commission also emphasized the ongoing role of the independent data protection agencies and the Article 29 Working Party. Negotiators are attempting to create a revised arrangement. NGOs have said that fundamental rights must be protected in all data transfers. In testimony before Congress, EPIC recommended several updates to US privacy law. EPIC's Marc Rotenberg said "these changes will benefit consumers and businesses on both sides of the Atlantic."
- EPIC Sues for Release of Secret EU-US "Umbrella Agreement" (Nov. 4, 2015)
EPIC has sued the Department of Justice to obtain a secret agreement between the United States and the European Union concerning the transfer of personal information. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret even as Congress was voting on provisions to implement the text. "The DOJ has withheld from the public the text of an Agreement that is central to legislation currently pending before Congress and critical to a related negotiation between the United States and the European Union that implicates the fundamental rights of Americans and Europeans," wrote EPIC in the FOIA lawsuit.
- EPIC to Call For Comprehensive Overhaul of U.S. Privacy Law (Nov. 2, 2015)
In testimony before the US Congress, EPIC's Marc Rotenberg is expected to say that the recent decision of the European Court confirmed what everyone already knows: US privacy law is not adequate. "Our country suffers from an epidemic of data breaches and identity theft. And all the data indicates these problems are getting worse." EPIC, consumer allies, and privacy experts are urging the Congress to enact the Consumer Privacy Bill of Rights, modernize the Privacy Act, create an independent privacy agency, and ratify the International Privacy Convention. "These changes will benefit consumers and businesses on both sides of the Atlantic."
- Civil Society Leaders in Amsterdam Issue Declaration on Fundamental Rights (Oct. 28, 2015)
Leading digital rights and consumer privacy organizations meeting in Amsterdam have issued a declaration "Fundamental Rights are Fundamental." Calling attention to the recent success of Max Schrems and the failure of self-regulation, the organizations said the "Bridges" report is "remarkably out of touch with the current legal reality and what we need to do to address it." The NGO leaders also criticized the organizers of the Amsterdam conference for "the failure to engage" many new challenges to data protection, including "Big Data" and drone surveillance. Privacy campaigner Simon Davies wrote, "There has never been a moment in history when the privacy regulator community needs to do more to restore trust and relevance. Instead, this week signals a new low in that trust."
- After FOI Request, EPIC Obtains Secret "Umbrella Agreement" from the EU Commission (Oct. 23, 2015)
The EU Commission, in response to a freedom of information request, has released to EPIC the text of the EU-US data transfer agreement. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret. EPIC has filed multiple FOIA requests with US federal agencies and the European Commission to obtain public release of the document. The Agreement, alongside the Judicial Redress Act, is a key document in the aftermath of the European court decision striking down the Safe Harbor arrangement. Legal scholars who have reviewed the agreement have concluded it is deeply flawed. EPIC continues to pursue the public release of the Agreement from US federal agencies.
- House Passes Faux Privacy Bill (Oct. 21, 2015)
The House of Representatives has passed the Judicial Redress Act of 2015, which—contrary to its stated purpose—fails to extend Privacy Act protections to non-U.S. citizens. In a letter to Congress, EPIC explained that the bill does not provide adequate protection to permit transborder data flows and recommended changes to ensure protections for all personal information collected by U.S. federal agencies. Congress moved to advance the bill after announcement of the recently concluded but secret EU-US "Umbrella Agreement". EPIC submitted a Freedom of Information request for the Umbrella agreement, and recently filed an administrative appeal challenging the agency's denial of expedited processing.
- Case Against Facebook Moves Forward in Ireland (Oct. 20, 2015)
Following the ruling that invalidated the Safe Harbor arrangement, the Irish High Court has declared that the Irish Data Protection Commissioner is "obliged to investigate" Max Schrems' complaint and must follow "fair procedures under Irish and EU law." The Commissioner pledged a "quick and swift procedure." Facebook's last-minute motion to join the procedure was denied. "The Schrems case underscores the need for the U.S. to strengthen its right to privacy," EPIC's Marc Rotenberg told the Washington Post.
- European Data Protection Authorities Conclude Data Transfers under Safe Harbor Now Unlawful (Oct. 17, 2015)
Following the landmark ruling that invalidated the Safe Harbor data transfer arrangement, the Article 29 Working Party, composed of privacy officials across Europe, issued a preliminary statement. They called for solutions "enabling data transfers to the territory of the United States that respect fundamental rights." They concluded that "transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful." Also, Standard Contractual Clauses and Binding Corporate Rules will not provide an adequate basis. EPIC, US and European consumer organizations have urged lawmakers in the United States to update US privacy law.
- European Court Strikes Down "Safe Harbor," Focus Shifts to Adequacy of US Privacy Laws (Oct. 6, 2015)
In a stunning decision, the European Court of Justice today ruled that the transatlantic "Safe Harbor" data pact is invalid. Consumer organizations and civil liberties groups in Europe and the United States applauded the outcome. Safe Harbor had been widely criticized for failing to provide adequate data protection for users of Internet-based services. The European Parliament earlier recommended against renewal of Safe Harbor. Max Schrems, the Austrian law student who brought the case, praised the judgement and said the "solution will very likely require severe changes in US law" not "just an update to the current 'safe harbor' system." @maxschrems @EUCourtPress
- EPIC Expresses Support for Advocate General Opinion in Schrems Case (Sep. 28, 2015)
In a statement issued today, EPIC supported a recent opinion of the Advocate General of the Court of Justice of the European Union which found that the Safe Harbor Arrangement was invalid. Safe Harbor has operated for several years as a substitute for the legal protections that would otherwise be required for the transfer of personal data across national borders. EPIC said that Safe Harbor has "given rise to significant concerns on both sides of the Atlantic about the adequacy of the privacy and security afforded personal information." Earlier today the US Mission issued a statement calling into question the opinion of the Advocate General. The Mission stated that the PRISM program, operating in conjunction with Safe Harbor and involving the mass surveillance of EU citizens, is "duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations."
- Decision by EU Legal Advisor Signals End of "Safe Harbor" (Sep. 23, 2015)
An opinion by the top advisor for the Court of Justice of the European Union indicates that the "Safe Harbor" arrangement, which permits the transfer of personal data to the US without legal protection, will come to an end. Under Safe Harbor, US companies self-certify compliance with EU data protection law. But the Advocate General has found the arrangement fails to protect privacy and should be declared invalid. Max Schrems, who initiated the case in Ireland, stated "This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies." The European Digital Rights Initiative also supported the decision. EPIC has recommended that the US update the Privacy Act to protect EU citizens and ratify the international convention for privacy protection.
Summary
Data Protection Commissioner v. Facebook & Max Schrems is a case before the Court of Justice of the European Union (CJEU) concerning the protection of personal data transferred from Facebook Ireland to Facebook US. The case follows the landmark ruling by the CJEU in "Schrems I" striking down the US-EU "Safe Harbor" agreement, which had previously authorized transfers of personal data from the EU to the United States. The Irish DPC v. Facebook & Schrems ("Schrems II") case arose from a complaint filed by the Irish Data Protection Commissioner in Irish High Court seeking a reference of fundamental EU law questions to the CJEU. The case concerns whether data transfers pursuant to the "standard contractual clauses" that were previously approved by the European Commission violate the European Charter of Fundamental Rights.
Following the CJEU ruling in Schrems I invalidating the "Safe Harbor" agreement, Austrian privacy activist Max Schrems filed a renewed complaint with the Irish Data Protection Commissioner challenging Facebook’s transfers of his personal data to the United States. The Irish DPC determined that Facebook was transferring personal data to the US pursuant to the standard contractual clauses (SCCs). EU law permits transfers of personal data to other countries even if there is no "adequacy" determination for the target jurisdiction, so long as the transferring entity uses an approved mechanism to provide sufficient data privacy safeguards. Among the mechanisms approved by the European Commission are certain "standard contractual clauses." But Mr. Schrems argued that Facebook's transfers to the U.S. violated his fundamental rights under EU law despite the existence of these contracts. In response, the Irish DPC investigated two key issues: whether the US provides adequate legal protection to EU users whose data is transferred, and, if not, whether the SCCs used by Facebook Ireland and Facebook, Inc. to regulate the transfer of that data could raise the level of protection and still render the transfer permissible. The DPC determined that US law fails to adequately provide legal remedies to EU citizens and the SCCs did not provide an adequate remedy above and beyond that shortcoming. The Irish DPC brought suit in Irish High Court, requesting that the court refer legal questions to the CJEU concerning the validity of the SCCs and whether the transfers violated fundamental rights in the EU. The Irish High Court selected four groups to file as amici in that case, and EPIC was selected and provided detailed submissions on US surveillance and privacy law.
On October 3, 2017, the High Court ruled that there were "well founded" concerns that SCCs violate European fundamental rights and that it would send the case to the CJEU. The High Court formally referred the case to the CJEU on April 12, 2018. The referral asked the CJEU to address eleven questions related to the validity of the SCCs.
Questions referred
1. In circumstances in which personal data is transferred by a private company from a European Union (EU) member state to a private company in a third country for a commercial purpose pursuant to Decision 2010/87/EU as amended by Commission Decision 2016/2297 (“the SCC Decision”) and may be further processed in the third country by its authorities for purposes of national security but also for purposes of law enforcement and the conduct of the foreign affairs of the third country, does EU law (including the Charter of Fundamental Rights of the European Union (“the Charter”)) apply to the transfer of the data notwithstanding the provisions of Article 4(2) of TEU in relation to national security and the provisions of the first indent of Article 3(2) of Directive 95/46/EC (“the Directive”) in relation to public security, defence and State security?
2. (1) In determining whether there is a violation of the rights of an individual through the transfer of data from the EU to a third country under the SCC Decision where it may be further processed for national security purposes, is the relevant comparator for the purposes of the Directive: a) The Charter, TEU, TFEU, the Directive, ECHR (or any other provision of EU law); or b) The national laws of one or more member states?
(2) If the relevant comparator is b), are the practices in the context of national security in one or more member states also to be included in the comparator?
3. When assessing whether a third country ensures the level of protection required by EU law to personal data transferred to that country for the purposes of Article 26 of the Directive, ought the level of protection in the third country be assessed by reference to:
a) The applicable rules in the third country resulting from its domestic law or international commitments, and the practice designed to ensure compliance with those rules, to include the professional rules and security measures which are complied with in the third country; OR
b) The rules referred to in a) together with such administrative, regulatory and compliance practices and policy safeguards, procedures, protocols, oversight mechanisms and non judicial remedies as are in place in the third country?
4. Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC Decision does this violate the rights of individuals under Articles 7 and/or 8 of the Charter?
5. Given the facts found by the High Court in relation to US law, if personal data is transferred from the EU to the US under the SCC Decision:
a) Does the level of protection afforded by the US respect the essence of an individual’s right to a judicial remedy for breach of his or her data privacy rights guaranteed by Article 47 of the Charter?
If the answer to a) is yes,
b) Are the limitations imposed by US law on an individual’s right to a judicial remedy in the context of US national security proportionate within the meaning of Article 52 of the Charter and do not exceed what is necessary in a democratic society for national security purposes?
6. (1) What is the level of protection required to be afforded to personal data transferred to a third country pursuant to standard contractual clauses adopted in accordance with a decision of the Commission under Article 26(4) in light of the provisions of the Directive and in particular Articles 25 and 26 read in the light of the Charter?
(2) What are the matters to be taken into account in assessing whether the level of protection afforded to data transferred to a third country under the SCC Decision satisfies the requirements of the Directive and the Charter?
7. Does the fact that the standard contractual clauses apply as between the data exporter and the data importer and do not bind the national authorities of a third country who may require the data importer to make available to its security services for further processing the personal data transferred pursuant to the clauses provided for in the SCC Decision preclude the clauses from adducing adequate safeguards as envisaged by Article 26(2) of the Directive?
8. If a third country data importer is subject to surveillance laws that in the view of a data protection authority conflict with the clauses of the Annex to the SCC Decision or Article 25 and 26 of the Directive and/or the Charter, is a data protection authority required to use its enforcement powers under Article 28(3) of the Directive to suspend data flows or is the exercise of those powers limited to exceptional cases only, in light of Recital 11 of the Directive, or can a data protection authority use its discretion not to suspend data flows?
9. (1) For the purposes of Article 25(6) of the Directive, does Decision (EU) 2016/1250 (“the Privacy Shield Decision”) constitute a finding of general application binding on data protection authorities and the courts of the member states to the effect that the US ensures an adequate level of protection within the meaning of Article 25(2) of the Directive by reason of its domestic law or of the international commitments it has entered into?
(2) If it does not, what relevance, if any, does the Privacy Shield Decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the United States which is transferred pursuant to the SCC Decision?
10. Given the findings of the High Court in relation to US law, does the provision of the Privacy Shield ombudsperson under Annex A to Annex III of the Privacy Shield Decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the US under the SCC Decision that is compatible with Article 47 of the Charter?
11. Does the SCC Decision violate Articles 7, 8 and/or 47 of the Charter?
EPIC’s Interest
The Irish High Court accepted EPIC's application to participate in the case below, as the only US privacy group, to provide a counterbalancing perspective on U.S. surveillance law to the views offered by the U.S. Government. EPIC has previously participated as an amicus before other international courts. For instance, EPIC joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has also appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.
EPIC has taken a leading role in the policy debate over data transfers between the EU and the US, advocating for adequate safeguards for transatlantic data transfers. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement for its failure to comply with the terms set out by the CJEU in its Safe Harbor decision. Speaking before the European Parliament, Marc Rotenberg outlined several flaws in the agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In testimony before Congress, EPIC also criticized the prior Safe Harbor Arrangement for its lack of effective means of enforcement, redress, and accountability for privacy violations.
Legal Documents
Judgement of the Court (Grand Chamber), Data Protection Commissioner v. Facebook Ireland Ltd & Maximillian Schrems, Case C-311/18 (July 16, 2020)
Irish High Court Referral to the CJEU (April 12, 2018)
Irish High Court Judgment (Oct. 3, 2017)
Opinion of the Advocate General (December 19, 2019)
Resources
- EPIC, Max Schrems v Data Protection Commissioner (CJEU, "Safe Harbor" case)
- EPIC, Data Protection Commissioner v. Facebook & Max Schrems (Irish High Court, Standard Contractual Clauses case)
- EPIC Submissions to the Irish High Court, Data Protection Commissioner v. Facebook & Max Schrems (Feb. 27, 2017)
- NOYB, EU-US Data Transfers
- EPIC, General Data Protection Regulation
- EPIC, Privacy Shield EU-U.S. Data Transfer Arrangement
- EPIC, Statement to House Appropriations Committee (Mar. 20, 2018)
- European Commission, Commission Implementing Decision of 12.7.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield
- European Commission, Annexes to the Commission Implementing Decision (July 12, 2016)
- US Department of Commerce, EU-US Privacy Shield Framework Principles
- Article 29 Working Party, Report on EU-US Privacy Shield Annual Review (Nov. 28, 2017)
- Press Release, EU-US Privacy Shield data exchange deal: US must comply by 1 September, say MEPs (June 12, 2018)
- Alan Butler, United States of America ∙ Whither Privacy Shield in the Trump Era? EDPL (2017)
Relevant CJEU Caselaw
News
- Justin Hemmings, European Parliament’s Civil Liberties Committee Targets EU-U.S. Privacy Shield, Cloud Act, JD Supra (June 14, 2018)
- Natasha Lomas, Pressure mounts on EU-US Privacy Shield after Facebook-Cambridge Analytica data scandal, TechCrunch (June 12, 2018)
- Rebecca Hill, EU-US Privacy Shield not up to snuff, data tap should be turned off - MEPs, Register (June 12, 2018)
- Thomas Shaw, Revamping Contracts For GDPR: You're Just Getting Started, Law360 (June 7, 2018)
- Mary Carolan, High Court rejects Facebook bid to stall European court action, Irish Times (May 2, 2018)
- Natasha Lomas, Facebook denied a stay to Schrems II privacy referral, TechCrunch (May 2, 2018)
- Eleven questions from Schrems case to be referred to CJEU, Scottish Legal News (Apr. 13, 2018)
- Rebecca Hill, Schrems' Facebook case edges closer to ruling over EU-US data flows, Register (Apr. 12, 2018)
- Thomas Shaw, A deep dive into the 'Schrems II' case, IAPP (Feb. 27, 2018)
- Kevin Cahill, Max Schrems’s mass surveillance complaint knocked back another year or two by Irish judge, Computer Weekly (October 2017)
- Mary Carolan, High Court to rule on landmark data privacy case next week, Irish Times (Sept. 28, 2017)