EPIC - Data Protection Commissioner v. Facebook & Max Schrems (Irish High Court)

Data Protection Commissioner v. Facebook & Max Schrems (Irish High Court)

Summary |
Legal Documents |

Top News

Data Flow Deal Talks Fail Due to Lack of US Action on Privacy: The agreement on transatlantic cooperation reached by U.S. and EU leaders this week did not include the political agreement the White House was hoping for on transatlantic data deals. Last week, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. (Jun. 17, 2021)
EPIC, Coalition Tell Biden Administration: No Data Flows Deal Until Congress Enacts Privacy Laws: EPIC and 23 other leading civil society groups sent a letter to President Biden today urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. [PRESS RELEASE] (Jun. 10, 2021)

More top news

Irish High Court Orders DPC to Move Forward in Facebook Investigation (May. 14, 2021) +

The Irish High Court today issued an order in a follow-on case to Irish Data Protection Commissioner v. Facebook and Schrems ("Schrems II") and, as a result, the investigation into Facebook's U.S.-EU data transfers will move forward. The case arises from a complaint filed with the DPC in Ireland against Facebook by privacy activist Max Schrems in 2013 alleging that the company violated EU law when it transferred personal data to the U.S. (where the company is obliged to provide access to the government). The case has since been referred two separate times to the highest court in Europe (the CJEU), and has led to the invalidation of both the U.S.-EU Safe Harbor Agreement and the U.S.-EU Privacy Shield Agreement. The CJEU in the Schrems II decision last year remanded the case to the Irish DPC to determine whether Facebook violated the law and whether it was necessary to block Facebook's U.S.-EU data transfers. The DPC later issued a Preliminary Draft Decision to Facebook and laid out procedures for the inquiry. Both Facebook and Schrems challenged the DPC procedures. The DPC agreed in a settlement with Schrems that it would complete the investigation into his original complaint. The Irish High Court today rejected Facebook's challenge to the DPC inquiry, and both the Schrems complaint and this new DPC inquiry against Facebook will move forward. EPIC participated as an amicus curiae in Schrems II, arguing that U.S. Surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.

Facebook to be Ordered to Stop Sending EU Data to U.S. (Sep. 10, 2020) +

The Irish Data Protection Commissioner has reportedly issued a preliminary order instructing Facebook to stop transferring the data of EU users to the United States. The order comes in the wake of a recent the European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.

Schrems Files 101 Complaints Targeting US-EU Data Transfers (Aug. 18, 2020) +

None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent the European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.

Transatlantic Consumer Groups: No New Data Transfer Agreement Until Privacy Protections Improved (Jul. 28, 2020) +

The Transatlantic Consumer Dialogue (TACD), a coalition of US and European consumer groups, urged EU Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross to stop negotiations for a new data transfer agreement following the invalidation of the EU-U.S. Privacy Shield. In Data Protection Commissioner v. Facebook & Max Schrems, the European Court of Justice (CJEU) found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. In its letter, TACD claims the CJEU's decision is "crystal clear," and that any future data transfer deal will not be valid until the U.S. enacts comprehensive federal privacy legislation. EPIC participated as an amicus curiae in the Schrems case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.

BREAKING: Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws (Jul. 16, 2020) +

Today the European Court of Justice issued a decision in Irish Data Protection Commissioner v. Facebook & Schrems, a case concerning transfers of personal data by Facebook between the EU and the United States. Specifically, the court considered the validity of transfers made from companies in the EU to companies in the U.S. pursuant to standard contracts or to the EU-U.S. Privacy Shield agreement, both of which had been authorized by the European Commission. But the court held that the Privacy Shield was invalid and that transfers could not be made under the contracts where personal data is not adequately protected. Because U.S. surveillance law authorizes the mass processing of personal data transferred from abroad, under Section 702 of FISA, it "cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter." EPIC participated as an amicus curiae in the case and argued that U.S. surveillance law does not provide an equivalent level of protection because it does not provide adequate protections or remedies for non-U.S. persons abroad. EPIC was represented in this case by the Free Legal Advice Centres (FLAC) and by barristers Grainne Gilmore and Colm O’Dwyer, SC. [PRESS RELEASE]

EU Legal Advisor Advances Privacy for National Security Matters (Jan. 16, 2020) +

The EU Advocate General advised the European Court of Justice that "the means and methods of combating terrorism must be compatible with the requirements of the rule of law" in a case concerning the retention of personal data for law enforcement purposes. The AG recommended limiting retention of data to data that are essential for national security and limiting access to that data subject to prior review by courts. The opinion is not binding on the Court of Justice and the Court will issue a judgment at a later date. The AG cited EPIC's expert submissions in "Schrems 2.0," another case concerning Facebook's transfer of personal data to the United States and the adequacy of U.S. privacy law.

EU Advocate General Backs Data Transfers, Criticizes Privacy Shield (Dec. 19, 2019) +

Today the EU Advocate General issued an advisory opinion in "Schrems 2.0," a case about Facebook’s transfer of personal data to the United States. The Advocate General backed data transfers generally but sharply criticized the EU-US Privacy Shield agreement. The Advocate also said that data protection authorities must enforce privacy obligations. The Advocate General cited EPIC's expert submissions in the case concerning the adequacy of US privacy law. The case follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement. The European Court of Justice is expected to issue a binding opinion in the next few months. After the original Schrems opinion, EPIC testified in Congress. EPIC's Marc Rotenberg urged Congress to "modernize" US privacy law and also establish an independent privacy agency.

Max Schrems Files GDPR Complaints with French Data Protection Agency (Dec. 10, 2019) +

European privacy advocacy group None of Your Business—led by Max Schrems—filed three complaints with the French Data Protection Authority (CNIL). The NOYB complaints charged that companies obtained "fake consent" for online tracking. Max and EPIC have challenged the use of "standard contractual clauses" in a case now before the European Court of Justice, known as "Schrems 2.0". A preliminary decision in that case is expected on December 19. Schrems met with the Privacy Coalition last month in Washington, DC to discuss the GDPR and litigation strategies.

FTC Announces Privacy Shield No Penalty Enforcement Action (Dec. 3, 2019) +

The FTC entered into settlements with four companies that misrepresented their participation in the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. These frameworks permit the transfer of Europeans' personal data to the U.S. with an assurance of privacy protection. The settlements require the companies to halt misrepresentations about compliance, but provides no remedy to those EU citizens whose personal data was collected. EPIC has repeatedly told Congress that that the FTC lacks effective enforcement authority. In recent comments on the Privacy Shield, EPIC also noted the absence of a comprehensive U.S. federal privacy law and a data protection authority with the authority to enforce privacy rights. Under the Schrems decision, which provided the basis for the Privacy Shield, the Court of Justice explained that "everyone whose rights and freedoms are violated" have "the right to an effective remedy."

European Privacy Board Cites Concerns about EU-U.S. Privacy Shield (Nov. 14, 2019) +

In a new report the European Data Protection Board is raising concerns about the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. The EDPB, a group of top data protection authorities from across Europe, called for more rigorous review of compliance with the Shield, urged the Privacy and Civil Liberties Oversight Board to publish assessments of U.S. surveillance, and concluded that the Shield Ombudsperson was not a sufficient remedy for potential privacy violations. The European Commission recently renewed the agreement, despite comments from EPIC and other civil society organizations highlighting U.S. mass surveillance practices and weak privacy safeguards.

EU-U.S. Privacy Shield Renewed, Still in Dispute in Court (Oct. 23, 2019) +

The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. The Commission concluded the recent FTC-Facebook settlement did not bar enforcement actions related to the Privacy Shield. The Commission also noted positively the appointment of a Ombudsperson to receive complaints about U.S. surveillance, FTC enforcement actions for false Privacy Shield certifications, and assurances from the U.S. intelligence community that specific selectors are used to limit foreign intelligence collection. The Commission did urge the FTC to bring actions for substantive violations of the Shield. In comments on the Privacy Shield and in a letter to Congress, EPIC called for a permanent end to the broad telephone record collection under Section 215 of the Patriot Act. The validity of the Privacy Shield is still in dispute in several cases before Europe's highest court.

Access Now Calls for Privacy Shield to be Struck Down (Sep. 18, 2019) +

Access Now has called on the European Commission to strike down the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. In comments to the Commission, Access Now wrote "the Privacy Shield has manifestly failed to meet the standards set by EU law from inception to today." The comments cite the limited redress provided by the Privacy Shield Ombudsperson, increased U.S. border surveillance, and the Cambridge Analytica scandal among the shortcomings in US privacy protection. EPIC's earlier comments on the Privacy Shield highlighted the failure of the U.S. to curtail surveillance authorities, the absence of a comprehensive privacy law and a data protection agency. Next month the European Commission will decide whether to renew the pact.

Company Violates Privacy Shield, FTC Imposes No Penalty (Aug. 22, 2019) +

The FTC entered into an enforcement agreement against background screening company SecurTest for falsely claiming to offer privacy protections to EU citizens. According to the FTC, SecurTest's website falsely claimed to participate in the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. The settlement requires Securtest to halt misrepresentations and submit to compliance monitoring, but provides no remedy to those EU citizens who used the service. In recent comments on the Privacy Shield, EPIC noted the absence in the US of a comprehensive federal privacy law and a data protection authority, with the authority to enforce privacy rights. The European Commission will formally decide whether to renew the pact this fall.

EPIC Comments on Canada Transborder Data Flow Policy (Aug. 6, 2019) +

EPIC provided comments to the Office of the Privacy Commissioner on Canada's policy for transborder data flows. EPIC urged the OPC to require that legal protection for personal data protection extend across borders, citing risks to privacy after the Capital One breach impacted affected six million Canadians. EPIC also encouraged the OPC to recognize multiple grounds for transfer, coupled with strong accountability measures. This approach is reflected in the EU General Data Protection Regulation and the Council of Europe's Modernized Privacy Convention. EPIC recently submitted comments on the third annual review of the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. EPIC detailed the latest developments in the U.S., including the failure to reform bulk surveillance under Section 702 of FISA, the absence of comprehensive federal privacy law and a data protection authority, the full slate appointments to the PCLOB, and U.S. endorsement of the OECD AI Principles.

EPIC Comments on Third Annual Privacy Shield Review (Jul. 15, 2019) +

EPIC provided comments to the European Commission to inform the third annual review of the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. EPIC detailed the latest developments in the U.S., including the failure to reform bulk surveillance under Section 702 of FISA, the absence of comprehensive federal privacy law and a data protection authority, and an executive order to collect data about non-citizens from across the federal government. EPIC also applauded appointments to the PCLOB and the U.S. endorsement of the OECD AI Principles. The Commission approved Privacy Shield last year, but urged the U.S. to adopt privacy legislation and to join the International Privacy Convention. The European Commission will make a determination about whether to renew the Privacy Shield this fall.

EPIC to Discuss US Surveillance before Top European Court (Jul. 8, 2019) +

This week EPIC Senior Counsel Alan Butler will appear before the Court of Justice for the European Union in the case Data Protection Commissioner v. Facebook. The case, known as "Schrems 2.0." follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement and leading to the creation of the "Privacy Shield." The current case considers whether the transfer of personal data to the U.S. using standard contract clauses violates the fundamental rights of Europeans. At issue is Section 702 of the FISA Amendments Act and Executive Order 12333. EPIC's Butler will provide the Court with expert analysis on U.S. surveillance law. EPIC is a party to the case, along with Austrian privacy activist Max Schrems. EPIC also recently filed a brief with the European Court of Human Rights in Big Brother Watch v. UK, arguing that the Human Rights Court should review UK-U.S. intelligence transfers in assessing UK bulk surveillance. That case will be heard July 10th.

EPIC Urges Senate to Strengthen US Privacy Laws for Cross Border Data Flows (Mar. 26, 2019) +

EPIC sent a statement to a Senate committee on Foreign Relations regarding the nomination of Keith Krach to Under Secretary of State. Krach would serve as the US Privacy Shield Ombudsperson, a pivotal role concerning the transfer of personal data between the EU and the US. EPIC took no position on the nominee, but wrote to underscore the urgency of Congressional action to safeguard the privacy interests of Americans. EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take three steps to update U.S. privacy law: (1) enact the comprehensive baseline privacy legislation, (2) establish an independent data protection agency, and (3) ratify the International Privacy Convention.

European Privacy Board Report Criticizes Privacy Shield Compliance (Jan. 25, 2019) +

A report from the European Data Protection Board, an influential independent European privacy body, criticizes U.S. oversight of the EU-U.S. Privacy Shield. The European Commission recently renewed the framework permitting the flow of European consumers' personal data to the U.S. However, the Board now states U.S. oversight of compliance lacks "substantial checks." The EU Data Protection Board encouraged the Privacy and Civil Liberties Oversight Board to review U.S. surveillance authorities, and stated that the Privacy Shield Ombudsperson could not be considered an "effective remedy" for privacy violations. During review of Privacy Shield, EPIC cited concerns about the failure of the FTC to enforce the 2011 Consent Order against Facebook, passage of the CLOUD Act, and renewal of bulk foreign intelligence surveillance.

EU-U.S. Privacy Shield Renewed, Privacy Commitments Ignored (Dec. 19, 2018) +

The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. Oddly, the Commission cited the FTC investigation into the Cambridge Analytica scandal (which has produced no outcome) and the appointment of three members to the PCLOB as support for renewal. The report also overlooked the failure of the FTC to enforce the 2011 Consent Order against Facebook, which ultimately compromised the personal data of several hundred million Europeans. And the Commission had little concerns with passage of the CLOUD Act, renewal of Section 702 of FISA (permitting bulk surveillance of Europeans), and other shortcomings cited by EPIC comments and the European Parliament. The Commission did recommend an Ombudsperson for Privacy Shield (which was required in the original agreement), and encouraged the U.S. to ratify the International Privacy Convention.

U.S. Defends Privacy Shield, But Fails to Comply with Privacy Commitments (Sep. 5, 2018) +

The Department of Commerce has told the President of the European Parliament that the US is in compliance with the Privacy Shield, a pact that permits US companies to obtain the personal data of Europeans. The statement follows a resolution of Parliament to suspend the international arrangement if the U.S. did not comply in full by September 1. The Parliament cited the Cambridge Analytica data breach, the reauthorization of FISA Section 702 without reform, the failure to stand up the PCLOB, the passage of the CLOUD Act, and the absence of a Privacy Shield ombudsman. The Commerce Department disputed the Parliament's findings but failed to show progress on the issues identified. EPIC highlighted similar problems with data protection in the United States in recent comments to the European Commission. Almost six months have passed since the FTC reopened the investigation of Facebook's compliance with the 2011 consent order, which followed a complaint from EPIC and other consumer privacy organizations.

EPIC Comments on Second Annual Privacy Shield Review (Aug. 14, 2018) +

EPIC provided comments to the European Commission to inform the second annual review of the EU-U.S. Privacy Shield, a framework that permits the processing of the personal data of Europeans in the United States. EPIC detailed the latest privacy developments in the U.S., including the extension of Fourth Amendment protection to cell phone location data in Carpenter v. United States, passage of the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the vacancies at the PCLOB, the absence of a Privacy Shield Ombudsman at the Commerce Department, and the nomination of Judge Brett Kavanaugh to the Supreme Court. The Commission approved Privacy Shield last year, but sought additional steps by the United States. The European Parliament has called for suspension of the pact if the U.S. does not fully comply by September 1st. The European Commission will make a final determination this fall.

For Internet Policy, EPIC Urges Congress to Update U.S. Privacy Laws (Jul. 30, 2018) +

In advance of a hearing on "The Internet and Digital Communications: Examining the Impact of Global Internet Governance," EPIC urged the Senate Commerce Committee to prioritize updating U.S. privacy law to respond to changes in technology. "The failure of the United States to address the growing concerns about online privacy is threatening both the digital economy and democratic institutions," EPIC stated. EPIC explained that privacy protection is necessary to ensure the free flow of information online. EPIC again warned Congress that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S, if the United States does not modernize privacy law and establish a federal data protection agency.

European Parliament: 'Privacy Shield' Does Not Protect Privacy, Calls for Suspension (Jul. 5, 2018) +

The European Parliament has called for the suspension of the "Privacy Shield" if the U.S. does not comply in full by September 1, 2018. The resolution states that the pact, which permits US companies to obtain the personal data of European, does not protect privacy. The Parliament cited numerous problems, including the Cambridge Analytica breach of 87 million Facebook users data, the reauthorization of FISA Section 702, the failure to appoint members to the PCLOB, and passage of the CLOUD Act, which permits US law enforcement agencies to access personal data stored in Europe. The vote of the full Parliament follows an earlier statement from the civil liberties "LIBE" committee. EPIC highlighted many of the same concerns in recent comments. EPIC also told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook. The European Commission, the EU body in charge of the Shield, must now decide how to respond.

FTC Announces Another Privacy Settlement, But Again Imposes No Penalties (Jul. 2, 2018) +

The FTC announced today that it settled charges with ReadyTech, a California company, for misrepresenting compliance with Privacy Shield, a self-certification arrangement that allows US companies to obtain the personal data of Europeans. The FTC settlement prohibits the company from making future misrepresentations about Privacy Shield compliance, but imposes no penalties and provides no remedy to European consumers whose personal data was wrongfully obtained. Last year, the FTC settled charges with three companies that misrepresented their participation in Privacy Shield, but similarly failed to impose penalties. The European Parliament's Civil Liberties Committee ("LIBE") recently passed a resolution stating that Privacy Shield does not protect European consumers, and called for its suspension if the U.S. does not comply by September 1, 2018. LIBE specifically called attention to the Cambridge Analytica breach of 87 million Facebook users. In March, EPIC told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook.

European Civil Liberties Committee: 'Privacy Shield' Should Be Suspended (Jun. 12, 2018) +

Members of European Parliament are calling for the suspension of the EU-U.S. Privacy Shield if the U.S. does not comply in full by September 1, 2018. The Civil Liberties Committee ("LIBE") passed a resolution stating that the pact, which permits the flow of European consumers' personal data to the U.S, does not adequately protect privacy. LIBE urged US authorities to respond without delay to the Cambridge Analytica breach of 87 million Facebook users. The groups also expressed "strong concerns" about the CLOUD Act which permits US law enforcement to unilaterally access personal data stored in Europe. EPIC recently told the FTC that the Cambridge Analytica breach could have been avoided had the agency enforced a 2011 Consent Order that EPIC and a coalition of consumer privacy groups obtained.

EPIC Seeks Records from FTC Regarding Irish Audits of Facebook (May. 11, 2018) +

EPIC has submitted a Freedom of Information Act request seeking records about the Irish Data Protection Commissioner's inquiries regarding Facebook’s compliance with the FTC's Consent Order. In 2011, the Austrian privacy group Europe-v-Facebook and other parties filed formal complaints to the Irish Data Protection Commissioner about third party access to Facebook user data. The Irish Data Protection Commissioner then initiated an audit of Facebook to assess its compliance with both Irish Data Protection Law and EU law. The 2011 Irish audit found that the safeguards for third party applications did not ensure security for user data. In a 2012 re-audit, the Irish on Commissioner found a "satisfactory response" from Facebook regarding preventing third party applications. Following the 2012 re-audit, the FTC and the Data Protection Commissioner signed a Memorandum of Understanding to exchange information to enforce compliance with privacy laws in each respective country. Two years after the Data Protection Commissioner found a "satisfactory response" from Facebook regarding third party applications, a third party application harvested the data of over 87 million users and transferred the data to Cambridge Analytica.

Facebook Denied Attempt to Delay Review of EU-US Personal Data Transfers (May. 3, 2018) +

The Irish High Court has denied Facebook's request to halt review of Data Protection Commissioner v. Facebookby Europe's top court. The case, which was recently referred to the European Court of Justice, concerns whether Facebook's transfers of personal data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the landmark 2015 decision that the US had insufficient privacy protections to allow transfer of Europeans' personal data. Ruling against Facebook's request to delay the case further pending appeal, the Irish court said EU data subjects could be harmed if the case were delayed, and that there were “considerable concerns” about Facebook's conduct in the case. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law.

European Court of Justice Receives Key Questions on Future of EU-US Personal Data Transfers (Apr. 12, 2018) +

The Irish High Court has sent eleven questions to the European Court of Justice for review in Data Protection Commissioner v. Facebook. The case considers whether Facebook's transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the 2015 landmark decision Schrems v. DPC, which found that the US had insufficient privacy law to protect the personal data of Europeans. The new case examines "standard contractual clauses" and whether the US provides sufficient remedies for privacy violations, whether future data transfers should be suspended, and whether the EU-US "Privacy Shield" matters. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law.

EPIC Tells House to Probe Commerce Secretary on Data Protection, Privacy Shield (Mar. 20, 2018) +

EPIC has sent a statement to the House Appropriations Committee outlining the key privacy issues facing the Secretary of Commerce. The Committee held a hearing today to discuss the FY19 budget for the Department of Commerce. EPIC stated that data protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC said the FTC is simply not doing enough to safeguard the personal data of American consumers, as evidenced by this week's report on Facebook and Cambridge Analytica. EPIC also warned that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S, if the United States does not modernize privacy law and establish a federal data protection agency.

European Court of Justice Grants Standing to Privacy Advocate But Bars Class Action under Austrian Law (Jan. 30, 2018) +

The Court of Justice of the European Union, following an advisory opinion, has determined that Max Schrem's class action in Austria cannot proceed against Facebook, but individual privacy claims can. The Court granted Schrems standing, recognizing that "the activities of publishing books, giving lectures, operating websites," and similar activities does not entail the loss of "a user's status as a 'consumer.'" However, the Court found that "the consumer forum cannot be invoked" in "claims assigned by other consumers." The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges that Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. Max Schrems recently launched NYOB to pursue class actions under the General Data Protection Regulation. In 2013, Max Schrems received the EPIC International Champion of Freedom Award.

Congress Renews Controversial Surveillance Measure, EU Impacted (Jan. 18, 2018) +

In a decision that could jeopardize relations with Europe, Congress has renewed "Section 702" of the Foreign Intelligence Surveillance Act, which permits broad surveillance of individuals outside of the United States. The FISA Amendment Reauthorization Act also permits government surveillance of Americans and restarts the controversial "about" collection program. Congress rejected updates, including limits on data collection, that would preserve a privacy agreement between Europe and the United States. The European Court of Justice will also soon decide whether to allow data transfers from Ireland to the United States. EPIC served as the US NGO amicus curiae in that case.

European Privacy Experts Call for New Review of EU-US Data Arrangement (Dec. 5, 2017) +

The Article 29 Working Party, a group of European privacy experts, is calling for a reexamination of the Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a new report, the Working Party said that "significant concerns" should be resolved by May 25, 2018 when the GDPR goes into force. If not "the members of WP29 will take appropriate action," including litigation. The Working Party cited the US failure to appoint an Ombudsperson to review complaints, vacancies at the Privacy and Civil Liberties Oversight Board, and continued mass surveillance practices by U.S. intelligence agencies. The report follows an earlier review of the EU-US agreement which found "sufficient" protection of EU personal data to the United States. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice. In a related development, the Working Party also established a task force which will coordinate national investigations of the Uber data breach now underway in Europe.

European Court Adviser Says Facebook Privacy Class Action Barred (Nov. 15, 2017) +

The opinion of a key adviser to the European Court of Justice holds that a class action cannot proceed against Facebook, but would permit individual privacy claims to move forward. The class action of 25,000 consumers brought by Austrian privacy activist and EPIC Advisory Board member Max Schrems alleges Facebook violated Europeans' privacy rights, including for transferring data to the U.S. intelligence community. The opinion from Advocate General Bobek said a "consumer cannot invoke, at the same time as his own claims, claims on the same subject assigned by other consumers," citing the risk of consumers shopping for the most favorable forums. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights. In 2013, Max Schrems received the EPIC International Champion of Freedom Award.

European Court Adviser Says Local Regulators Can Enforce Privacy Laws Against Facebook (Oct. 24, 2017) +

The opinion of a key adviser to the European Court of Justice holds that local European data protection authorities can directly enforce privacy laws against Facebook. The case involves a German data protection authority's order to deactivate a local Facebook fan page for illegally tracking users. The opinion from Advocate General Bot said regional data protection authorities can intervene to stop unlawful data practices. The European Court of Justice typically adopts the opinions of the Advocate General. The Court of Justice will also consider DPC v. Facebook, involving whether Facebook's data transfers from Ireland to the U.S. violate European Fundamental Rights.

EU Approves Data Transfer Arrangement, But Seeks Stronger U.S. Privacy Protections (Oct. 18, 2017) +

Following the first annual review of the pact, the European Commission has approved the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. However, the Commission urged the U.S. to appoint a permanent Ombudsperson to review complaints, to restore the Privacy and Civil Liberties Oversight Board, and to pass the Obama-era Presidential Policy Directive-28 into law. In a recent letter to Congress, EPIC emphasized the need to update U.S. privacy laws. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice.

EPIC Urges House to Strengthen US Privacy Laws for Cross Border Data Flows (Oct. 12, 2017) +

EPIC sent a letter to a House committee on Digital Commerce and Consumer Protection for the hearing "21st Century Trade Barriers: Protectionist Cross Border Data Flow Policy's Impact on U.S. Jobs." EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take four steps to update U.S. privacy law: (1) enact the Consumer Privacy Bill of Rights, (2) modernize the Privacy Act, (3) establish an independent data protection agency, and (4) ratify the International Privacy Convention. EPIC also noted that the Schrems II decision calls into question the viability of "Privacy Shield," the current data transfer scheme between the US and EU.

FTC Announces Privacy Shield Settlement but Imposes No Penalties (Sep. 8, 2017) +

The Federal Trade Commission announced today a settlement with three companies that misrepresented their participation in the Privacy Shield arrangement. The Privacy Shield allows companies to transfer the personal data of European consumers to the United States based on a system of industry self-certification. The FTC settlement prohibits the companies from making future false claims about compliance with Privacy Shield, but does not impose any penalty. The FTC settlement also fails to provide any remedy to the EU consumers whose personal data was wrongfully obtained, nor does it require the companies to disgorge the data they fraudulently obtained. EPIC and consumer organizations in the US and Europe have criticized Privacy Shield for failing to establish basic privacy protection and lacking effective remedies. The FTC is now soliciting public comments on the proposed settlements, and the deadline to file a comment is October 10, 2017.

European Privacy Officials Push for Answers on Status of U.S. Privacy (Jun. 13, 2017) +

The Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a letter to the Commission, the Working Party outlined its expectations for this summer's annual review of the arrangement. The Group asked for "precise evidence" that bulk surveillance is "limited and proportionate." The Article 29 also seeks information about vacancies in key privacy oversight positions, including the Privacy and Civil Liberties Oversight Board and the Privacy Shield Ombudsperson, and any legal protections for "automated decision making." The European Parliament previously expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations urged the US and the EU to strengthen privacy protections following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in DPC v. Facebook, highlighting weaknesses in US privacy law.

EPIC Urges Senate Committee To Reform Surveillance Law (Jun. 6, 2017) +

In advance of a hearing on the Foreign Intelligence Surveillance Act, EPIC has sent a Statement to the Senate Select Committee on Intelligence urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted several legal challenges to an NSA bulk surveillance program abroad. The bulk surveillance program for the communications of non-U.S. persons, sunsets on December 31, 2017. EPIC testified before the House Judiciary Committee during the 2012 FISA reauthorization hearings, recommended improved public reporting, and warned pre-Snowden that the extent of mass surveillance was much greater than was known to the public.

EPIC, Privacy Coalition Meet with EU Data Protection Supervisor (Apr. 21, 2017) +

European Data Protection Supervisor Giovanni Buttarelli spoke today to the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy between civil society organizations and policy leaders. Mr. Buttarelli addressed relations between the European Union and the United States, and discussed encryption policy, the E-Privacy Regulation, the Privacy Shield, the U.S. Privacy Act as it applies to foreigners among many other topics. Recent speakers at the Privacy Coalition have included FTC Chair Maureen Ohlhausen and FCC Senior Counsel Nick Degani.

European Parliament Expresses Alarm Over Rollback of US Privacy Safeguards (Apr. 6, 2017) +

In a resolution passed today, the European Parliament expressed alarm over the rollback of U.S. privacy safeguards necessary for Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. The Parliament cited several recent developments including procedures that allow the NSA to disseminate raw data across the US government, vacancies at the Federal Trade Commission and the Privacy and Civil Liberties Oversight Board, the repeal of an FCC privacy rule, and the absence of effective redress for violations of Privacy Shield. The resolution of Parliament called on the European Commission to rigorously analyze these matters and to "take all necessary measures" to ensure the agreement respects EU privacy rights. In 2015, EPIC a coalition of privacy organizations had urged the US and the EU to strengthen privacy protections, following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US.

NGOs Continue Campaign Against Privacy Shield (Mar. 2, 2017) +

In March 2016, EPIC and more than 20 civil society organizations urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs wrote that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups urged the US to make changes in domestic laws and international commitments to permit transfers of personal data to the US. The ACLU and Human Rights Watch have now also sent a letter asking Europe to reexamine Privacy Shield. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler has made submissions in DPC v. Facebook highlighting weaknesses in US privacy law.

EPIC Urges House Committee To Ensure Transparency, Public Reporting in Surveillance Law (Mar. 1, 2017) +

In advance of a hearing on Section 702 of the Foreign Intelligence Surveillance Act, EPIC has sent a letter to the House Judiciary Committee urging increased transparency and new public reporting of the Government's surveillance activities. EPIC also highlighted that Section 702 is the central focus of multiple current legal challenges to international data transfer agreements occurring abroad. Section 702, which authorizes the bulk surveillance on the communications of non-U.S. persons, sunsets on December 31, 2017. EPIC testified before the Committee during the 2012 FISA reauthorization hearings.

EPIC in Court: Irish High Court Examines EU-US Data Transfers (Mar. 1, 2017) +

Today EPIC made submissions before the Irish High Court in Data Protection Commissioner v. Facebook, concerning privacy protections for transAtlantic data transfers. EPIC explained that "U.S. privacy law is characterized by particularly narrow conceptions of privacy and personal data, which in turn limit the scope of relevant constitutional, statutory, and regulatory privacy protections." EPIC also stated, "many of the privacy safeguards under U.S. law in fact operate to the exclusion of E.U. citizens" and that the "standing" doctrine is an overarching barrier to legal redress. EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all. [Press Release]

European Privacy Officials Raise Concerns About US Immigration Executive Order (Feb. 22, 2017) +

The Article 29 Working Party, an expert group of European privacy officials, has raised concerns over a provision in the immigration Executive Order that would limit Privacy Act protections. The Working Party is seeking assurance from the US that the change will not threaten the privacy rights of non-US citizens established in the "Privacy Shield" and the Umbrella Agreement. EPIC is currently participating in Data Protection Commissioner v. Facebook, a case following a landmark decision that found insufficient legal protections for the transfer of European consumer data to the US.

Senators Calls for Answers from Secretary Kelly on Privacy Act Exclusion (Feb. 9, 2017) +

In a letter to DHS Secretary Kelly, Senator Markey (D-MA) and five other Senators pressed DHS about the impact of an Executive Order limiting federal Privacy Act protections. "These Privacy Act exclusions could have a devastating impact on immigrant communities and would be inconsistent with the commitments made when the government collected much of this information," the Senators contended. The Senators also called on Secretary Kelly to explain the Order's impact on international commitments that permit U.S. firms to obtain access to the data of European consumers. EPIC is participating in Data Protection Commissioner v. Facebook, a case which follows a landmark decision that found insufficient legal protections for the transfer of European consumer data to the United States.

EPIC Participates in Irish Case on Future of EU-US Data Transfers (Feb. 6, 2017) +

This week the case Data Protection Commissioner v. Facebook, concerning privacy protection for transAtlantic data transfers, begins in Ireland. The case follows a landmark decision which found insufficient legal protections for the transfer of European consumer data to the United States. Mr. Schrems, an Austrian privacy advocate, now challenges Facebook's "standard contractual clauses" as failing to protect privacy. The Irish High Court designated EPIC as the US NGO amicus curiae in the case. EPIC is represented by FLAC (Free Legal Advice Centres), an independent human rights organization, based in Dublin, dedicated to the realization of equal justice for all.

US Designates Countries Covered Under the Judicial Redress Act (Jan. 23, 2017) +

During the final week in office, the Obama Department of Justice released the list of European countries covered under the Judicial Redress Act. The Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU "Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended substantial changes to the Judicial Redress Act, explaining in a letter to Congress that the bill still did not provide adequate protection to permit transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement.

White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office (Jan. 19, 2017) +

As one of the final acts of the outgoing President, the White House has released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." In 2008, President Obama announced "Change We Can Believe In" and said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the county urged the President to strengthen privacy in America. In 2012, Obama proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the Freedom Act and Obama reformed intelligence practices, but the US failed to limit data collection outside the US. The "Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place even after NGOs urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of data breach, identity theft, and financial fraud in the United States skyrocketed, even as Americans called for stronger protections. The 2016 Presidential election was marked by data breaches, email disclosures and cyber attack The U.S. is still one of the few democratic nations in the world without a data protection agency.

EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy Shield (Jan. 18, 2017) +

EPIC has sent a letter to the Senate Commerce Committee outlining the key privacy issues that the next Secretary of Commerce should address. The Committee convened this week to consider the nomination of Wilbur Ross for Commerce Secretary. EPIC stated that privacy protection may be on "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC urged the Committee to ensure the nominee "make clear his commitment to a comprehensive approach to data protection, based in law." EPIC warned about the inadequacy of the Privacy Shield, a non-legal framework that permits the flow of European consumers' personal data to the United States, outside of European privacy law.

New Study Shows Global Increase in Comprehensive Privacy Protections (Nov. 29, 2016) +

An updated study by David Banisar of the human rights organization Article 19 finds that over 100 countries now have data protection laws. Another 40 countries are considering new laws, and most countries have established a data protection authority to enforce privacy protections. Two EPIC publications - The Privacy Law Sourcebook 2016 and Privacy and Human Rights: An International Survey of Privacy Laws and Developments - provide an overview of privacy frameworks around the world and track emerging privacy challenges. EPIC has urged the US Congress to establish a federal privacy agency and to enact comprehensive privacy legislation.

Second Legal Challenge Launched Against "Privacy Shield" (Nov. 3, 2016) +

La Quadrature du Net, a French privacy organization, has launched a legal challenge to “Privacy Shield,” a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar challenge brought by the Irish group Digital Rights Ireland. "Privacy Shield" was the response of EU and US politicians after the European Court of Justice determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a comprehensive framework for data protection and said that Privacy Shield was not adequate. EPIC also testified before Congress on the need to update US privacy law. EPIC is currently participating as amicus curiae in related case brought by privacy advocate Max Schrems.

Privacy Advocates Challenge EU-US Data Transfer Agreement (Oct. 27, 2016) +

An Irish privacy organization is challenging the EU-US framework for transferring personal data, the "Privacy Shield," in the European high court. This challenge follows a decision last year invalidating the previous framework, "Safe Harbor." In that case, the Court of Justice for the European Union concluded Personal data transferred to the United States lacks adequate legal protection. EPIC is participating as amicus curiae in a related case brought by privacy advocate Max Schrems. EPIC also recently submitted a brief to the European Court of Human Rights in a challenge to UK surveillance.

Reuters: US Government Issued Secret Order to Yahoo to Scan All E-mails (Oct. 4, 2016) +

Reuters reported today that Yahoo scanned the private email of Yahoo users pursuant to a secret directive issued by the FBI. The email scanning technique, based on a search for key terms, recalled a similar FBI program “Carnivore” that was found to capture far more information than authorized, according to documents obtained by EPIC under the Freedom of Information Act. The news report also renews concerns about the scope of US Internet surveillance. The European Court of Justice struck down an EU-US data transfer deal last year, following revelations that US Internet firms collaborated with the NSA to enable mass surveillance. A related case, Irish Data Protection Commissioner v. Facebook, is now pending. The Irish High Court has selected EPIC as "a friend of the court" to "counterbalance" the submission of the United States intelligence community.

Privacy Shield Sign-ons Begin (Aug. 2, 2016) +

The European Commission announced that the EU-U.S. Privacy Shield data transfer arrangement is "fully operational" and U.S. "companies are able to sign up with the Department of Commerce." The framework was adopted by the European Commissioner objection by European data protection authorities, the European Data Protection Supervisor, the European Parliament, and EU and US NGOs. The deal will be subject to future legal scrutiny and experts predict that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC has urged the EU and US to strengthen safeguards for transborder data flows including redress mechanisms.

Irish Court Approves EPIC as Amicus in Schrems Case (Jul. 19, 2016) +

The Irish High Court has accepted EPIC's application to participate in a case about data protection rights and Facebook's contractual clauses. The case follows Max Schrems' complaint to the Irish Data Protection Commissioner after the European Court of Justice's decision to strike down the Safe Harbor arrangement. EPIC will provide the Irish Court, and perhaps also the Court of Justice, expert opinion on U.S. surveillance law. EPIC recently joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.

European Commission Signs Off on Flawed "Privacy Shield" (Jul. 12, 2016) +

The European Commission has approved the "Privacy Shield" which will allow companies to transfer personal data of Europeans to the U.S. without legal protections. European data protection authorities, the European Data Protection Supervisor, and EU and US NGOs identified flaws with the non-binding framework. Citing a judgement of the European high court which struck down a similar framework, Max Schrems and Jan-Philipp Albrecht predicted that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC and other consumer organizations urged the EU and US to strengthen safeguards for transborder data flows. According to the Federal Trade Commission, identity theft complaints in the US increased by 47% between 2014 and 2015.

Privacy Shield Revisions Fail to Satisfy Legal Requirements (Jun. 29, 2016) +

A revised draft of the Privacy Shield included some modifications on the scope of US bulk data collection, the role of the "ombudsperson," and data erasure but fails to resolve flaws previously identified by European data protection authorities and the European Data Protection Supervisor. EPIC and an international coalition of NGOs previously called for substantial changes in the Privacy Shield to respect the fundamental rights to privacy and data protection.

EPIC's Rotenberg Outlines Need for International Privacy Framework (Jun. 17, 2016) +

Speaking at the Council of Europe in Strasbourg, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention. Rotenberg said it was "unlikely that the Privacy Shield will survive another trip to Luxembourg." The Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from European consumer groups, NGOs, privacy officials, and the EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts endorsed the Council of Europe Privacy Convention. In 2010 members of the EPIC Advisory Board urged then Secretary of State Hilary Clinton to seek US ratification of the Privacy Convention.

Top European Privacy Official Rejects EU-US "Privacy Shield" (May. 31, 2016) +

The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He called for changes in the draft arrangement to permit data transfers to the United States. "Significant improvements are needed," said Giovanni Buttarelli. The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection.

European Parliament Requires Changes to Privacy Shield (May. 26, 2016) +

The European Parliament called for changes in the draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement" privacy recommendations and negotiate further changes to the "Privacy Shield." The European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week. EPIC and other consumer and privacy organizations have said that the Privacy Shield fails to provide adequate safeguards for consumers.

TACD Opposes "Privacy Shield," Urges Rejection by EU (Apr. 7, 2016) +

The Transatlantic Consumer Dialogue has urged the European Commission to reject the "Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a coalition of NGOs have urged the US to adopt a robust data protection law and end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.

EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield' on End of 702 Surveillance (Mar. 17, 2016) +

Speaking before the European Parliament on "Privacy Shield," Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision.

NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection (Mar. 16, 2016) +

More than twenty civil society groups has urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs state that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups said the US must make changes in domestic laws and international commitments to comply with the decision and permit transfers of personal data. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US.

"Privacy Shield" Released, New Questions Raised (Feb. 29, 2016) +

The text of the "Privacy Shield" was released today by European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the Schrems case. But the framework appears to provide less protection than the Safe Harbor arrangement it replaces. New exceptions take broad categories of personal data entirely outside the scope of the agreement. Max Schrems said "this is far from what the Court required and does not seem like a stable solution." Privacy experts will now assess the text and determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have urged the US to update its privacy laws.

European Commission Wrongly Denies EPIC's Request For "Privacy Shield" (Feb. 26, 2016) +

The European Commission has wrongly denied EPIC's Freedom of Information request for the text of the "Privacy Shield." The Commission said the adequacy decision about Safe Harbor is "in preparation" and "negotiations with the U.S. are still ongoing." The Commission confused the text of the political agreement, known as "the Privacy Shield," with a legal determination about whether the agreement meets EU data protection law. EPIC will pursue public release of the Privacy Shield, which was previously announced, and then the release of the adequacy determination when it is final. EU and US Consumer and privacy organizations have opposed the agreement because it fails to provide adequate privacy protections.

Department of Commerce: Privacy Shield "does not exist" (Feb. 10, 2016) +

As a response to EPIC's Freedom of Information request for the "Privacy Shield," the Commerce Department responded that "the record you requested does not exist." EU and US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577.

EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement (Feb. 4, 2016) +

EPIC has filed emergency Freedom of Information requests with the US and the EU for release of a secret agreement for the transfer of personal data across the Atlantic. A new framework was required by a recent decision of the European Court of Justice. But European and American consumer organizations say the "Privacy Shield" does not provide adequate protection for the transfer of personal data. EPIC stated, “The public has a right to know whether this agreement provides adequate legal protection.” EPIC previously obtained the secret EU-US Umbrella Agreement in FOIA litigation.

Privacy Commissioners to Review "Privacy Shield" (Feb. 3, 2016) +

The Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the "Privacy Shield" proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a "necessary and proportionate" standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve "wider concerns raised by the Schrems judgement."

Anticipating Annulment, EU-US Negotiators Sign Off on "Privacy Shield" (Feb. 2, 2016) +

Disregarding a decision of the European Court of Justice, negotiators for the US Commerce Dept., the FTC, and the European Commission have agreed to allow the continued transfer of consumer data without adequate legal protection. A virtually identical arrangement was recently struck down by the Court in the Schrems case as a violation of multiple rights of Europeans, including rights to privacy, data protection, and effective redress. Consumers in the US have also expressed concern about rising levels of data breach, identity theft, and financial fraud. EPIC and many EU and US consumer organizations urged negotiators to establish strong safeguards for the transfer of personal data.

Schrems Responds to US Lobby Groups on Safe Harbor (Jan. 29, 2016) +

In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that "attempts by lobby groups and the US government to 'reinterpret' or 'overturn the clear judgement of the Union's highest court are fundamentally flawed." Schrems brought the successful case to the European Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide "protection against government surveillance and "essentially equivalent" protection against the commercial use of data by certified companies." Max Schrems received the 2013 EPIC Champion of Freedom Award.

"Clock is ticking" on Safe Harbor, says European Consumer Organization (Jan. 29, 2016) +

BEUC, the consumer organization of the European Union, has urged European policy makers to accept a revised Safe Harbor arrangement only if it complies with the Schrems decision and "guarantees that EU citizens' fundamental rights are upheld when their data is exported to the United States." Last year, 40 consumer privacy organizations in Europe and the United States urged US Secretary Pritzker and EU Commissioner Jourova to take specific steps to close the widening EU-US data divide. Secretary Pritzker has been unwilling to meet with consumer organizations.

EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement (Jan. 25, 2016) +

After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's opposition to the agency's attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.

EPIC Urges Senate to Postpone Action on Judicial Redress Act (Jan. 16, 2016) +

Today EPIC urged the Senate Judiciary Committee to postpone action on the Judicial Redress Act until the Department of Justice releases a secret data transfer agreement on which the bill is based. The so-called Umbrella Agreement outlines data transfers between law enforcement agencies in Europe and the United States. EPIC has sued the DOJ for release of the document. EPIC also urged the Senate Committee to conduct a public hearing on Privacy Act modernization following the massive data breach at the office of Personnel and Management.EPIC previously wrote to the House Judiciary Committee to recommend updates to the Privacy Act.

EPIC Seeks Default Judgment in Umbrella Agreement Lawsuit (Jan. 6, 2016) +

In its fight to obtain a copy of the EU-US Umbrella Agreement, EPIC asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC's complaint, the court entered default against the agency. The Agreement is central to pending legislation, which the Senate Judiciary Committee is set to debate this month yet the DOJ has not made the document available to the public or to Members of Congress.

European Institutions Conclude Data Protection Reform (Dec. 15, 2015) +

The EU Commission, Parliament and Council reached an agreement on a comprehensive new privacy law after four years of negotiation. The General Data Protection Regulation establishes common privacy rules across Europe and creates strong enforcement power. The law will be fully applicable in about two years. The new law is a "major step forward for consumer protection and competition," said Jan Philip Albrecht. Sophie In’t Veld said, "The EU will now have the most extensive data protection laws in the world and will set global standards." EPIC, and many consumer privacy organization have urged the US to modernize domestic privacy law. EPIC President Marc Rotenberg told USA Today, "The U.S. will need to update privacy laws to safeguard U.S. consumers and maintain trade relations with Europe."

Senate Postpones Action on Weak EU-US Privacy Measure (Dec. 12, 2015) +

The Senate Judiciary Committee has "held over" the Judicial Redress Act, industry-sponsored legislation regarding the transfer of personal data on Europeans to the United States. European legal experts have stated that the measure does not provide meaningful protections for the data of Europeans. Forty NGOS have recommended substantial changes to privacy law in the US and the EU to make possible the continuation of transborder data flows. EPIC has also recommended specific changes to the Judicial Redress Act. European data protection agencies are expected to begin enforcement actions against US companies after January 30, 2016. According to Govtrack, the Judicial Redress Act has a "1% chance of being enacted."

Austrian Supreme Court to Consider Schrems' Case against Facebook (Dec. 4, 2015) +

The Austrian Supreme Court will decide if the Schrems case against Facebook can be brought as a class action. "The 'class action' is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook," says Schrems. EPIC frequently works to protect the interests of Internet users in facing common violations of privacy rights.

Schrems Pursues Legal actions to Block Data Transfers to the US (Dec. 2, 2015) +

EU Privacy Advocate Max Schrems made new legal moves following the judgment of the European Court of Justice that struck down the Safe Harbor data transfer pact. He filed complaints with data protection officials in Ireland, Germany and Belgium to to block Facebook data transfers to the United States. Schrems says he wants to "ensure that this very crucial judgment is also enforced in practice when it comes to the US companies that are involved in US mass surveillance." NGOs in the Europe and the United Stated have urged governments to update domestic privacy laws and strengthen international commitments to enable the continued transfer of data between the EU and the US.

NGOs Reject "Safe Harbor 2.0," Urge EU and US to Protect Fundamental Rights (Nov. 12, 2015) +

Leading human rights and consumer organizations have issued a letter to urge the US and the EU to protect the fundamental right to privacy. After the Schrems decision the parties are now renegotiating the invalidated Safe Harbor arrangement. The groups warned that without significant changes to "domestic law" and "international commitments," a Safe Harbor 2.0 will almost certainly fail. NGO leaders call for a comprehensive privacy framework in the US, commitment to strong encryption and ending mass surveillance on both sides of the Atlantic.

European Commission Issues Guidance on Data Transfers Post-Schrems (Nov. 6, 2015) +

The European Commission has published guidelines for EU-US data transfer after the invalidation of the Safe Harbor framework. The Commission explained that the Safe Harbor case "underlined the importance of fundamental right to data protection." The Commission also emphasized the ongoing role of the independent data protection agencies and the Article 29 Working Party. Negotiators are attempting to create a revised arrangement. NGOs have said that fundamental rights must be protected in all data transfers. In testimony before Congress, EPIC recommended several updates to US privacy law. EPIC's Marc Rotenberg said "these changes will benefit consumers and businesses on both sides of the Atlantic."

EPIC Sues for Release of Secret EU-US "Umbrella Agreement" (Nov. 4, 2015) +

EPIC has sued the Department of Justice to obtain a secret agreement between the United States and the European Union concerning the transfer of personal information. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret even as Congress was voting on provisions to implement the text. "The DOJ has withheld from the public the text of an Agreement that is central to legislation currently pending before Congress and critical to a related negotiation between the United States and the European Union that implicates the fundamental rights of Americans and Europeans" wrote EPIC in the FOIA lawsuit.

EPIC to Call For Comprehensive Overhaul of U.S. Privacy Law (Nov. 2, 2015) +

In testimony before the US Congress, EPIC's Marc Rotenberg is expected to say that the recent decision of the European Court confirmed what everyone already knows, US privacy law is not adequate. "Our country suffers from an epidemic of data breaches and identity theft. And all the data indicates these problems are getting worse." EPIC, consumer allies, and privacy experts are urging the Congress to enact the Consumer Privacy Bill of Rights, modernize the Privacy Act, create an independent privacy agency, and ratify the International Privacy Convention. "These changes will benefit consumers and businesses on both sides of the Atlantic."

Civil Society Leaders in Amsterdam Issue Declaration on Fundamental Rights (Oct. 28, 2015) +

Leading digital rights and consumer privacy organizations meeting in Amsterdam have issued a declaration "Fundamental Rights are Fundamental." Calling attention to the recent success of Max Schrems and the failure of self-regulation, the organizations said the "Bridges" report is "remarkably out of touch with the current legal reality and what we need to do to address it." The NGO leaders also criticized the organizers of the Amsterdam conference for "the failure to engage" many new challenges to data protection, including "Big Data" and drone surveillance. Privacy campaigner Simon Davies wrote, "There has never been a moment in history when the privacy regulator community needs to do more to restore trust and relevance. Instead, this week signals a new low in that trust."

After FOI Request, EPIC Obtains Secret "Umbrella Agreement" from the EU Commission (Oct. 23, 2015) +

The EU Commission, in response to a freedom of information request, has released to EPIC the text of the EU-US data transfer agreement. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret. EPIC has filed multiple FOIA requests with US federal agencies and the European Commission to obtain public release of the document. The Agreement, alongside the Judicial Redress Act, is a key document in the aftermath of the European court decision striking down the Safe Harbor arrangement. Legal scholars who have reviewed the agreement have concluded it is deeply flawed. EPIC continues to pursue the public release of the Agreement from US federal agencies.

House Passes Faux Privacy Bill (Oct. 21, 2015) +

The House of Representatives has passed the Judicial Redress Act of 2015, which—contrary to its stated purpose—fails to extend Privacy Act protections to non-U.S. citizens. In a letter to Congress, EPIC explained that the bill does not provide adequate protection to permit transborder data flows and recommended changes to ensure protections for all personal information collected by U.S. federal agencies. Congress moved to advance the bill after announcement of the recently concluded but secret EU-US "Umbrella Agreement". EPIC submitted a Freedom of Information request for the Umbrella agreement, and recently filed an administrative appeal challenging the agency's denial of expedited processing.

Case Against Facebook Moves Forward in Ireland (Oct. 20, 2015) +

Following the ruling that invalidated the Safe Harbor arrangement, the Irish High Court has declared that the Irish Data Protection Commissioner is "obliged to investigate" Max Schrems' complaint and must follow "fair procedures under Irish and EU law." The Commissioner pledged a "quick and swift procedure." Facebook's last minute motion to join the procedure was denied. "The Schrems case underscores the need for the U.S. to strengthen its right to privacy," EPIC's Marc Rotenberg told the Washington Post.

European Data Protection Authorities Conclude Data Transfers under Safe Harbor Now Unlawful (Oct. 17, 2015) +

Following the landmark ruling that invalidated the Safe Harbor data transfer arrangement, the Article 29 Working Party, composed of privacy officials across Europe, issued a preliminary statement. They called for solutions "enabling data transfers to the territory of the United States that respect fundamental rights." They concluded that "transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful." Also, Standard Contractual Clauses and Binding Corporate Rules will not provide an adequate basis. EPIC, US and European consumer organizations have urged lawmakers in the United States to update US privacy law.

European Court Strikes Down "Safe Harbor," Focus Shifts to Adequacy of US Privacy Laws (Oct. 6, 2015) +

In a stunning decision, the European Court of Justice today ruled that the transatlantic "Safe Harbor" data pact is invalid. Consumer organizations and civil liberties groups in Europe and the United States applauded the outcome. Safe Harbor had been widely criticized for failing to provide adequate data protection for users of Internet-based services. The European Parliament earlier recommended against renewal of Safe Harbor. Max Schrems, the Austrian law student who brought the case, praised the judgement and said the "solution will very likely require severe changes in US law" not "just an update to the current 'safe harbor' system." @maxschrems @EUCourtPress

EPIC Expresses Support for Advocate General Opinion in Schrems Case (Sep. 28, 2015) +

In a statement issued today, EPIC supported a recent opinion of the Advocate General of the Court of Justice of the European Union which found that the Safe Harbor Arrangement was invalid. Safe Harbor has operated for several years as a substitute for the legal protections that would otherwise be required for the transfer of personal data across national borders. EPIC said that Safe Harbor has "given rise to significant concerns on both sides of the Atlantic about the adequacy of the privacy and security afforded personal information." Earlier today the US Mission issued a statement calling into question the opinion of the Advocate General. The Mission stated that the PRISM program, operating in conjunction with Safe Harbor and involving the mass surveillance of EU citizens, is "duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations."

Decision by EU Legal Advisor Signals End of "Safe Harbor" (Sep. 23, 2015) +

An opinion by the top advisor for Court of Justice of the European Union indicates that the "Safe Harbor" arrangement, which permits the transfer of personal data to the US without legal protection, will come to an end. Under Safe Harbor, US companies self-certify compliance with EU data protection law. But the Advocate General has found the arrangement fails to protect privacy and should be declared invalid. Max Schrems, who initiated the case in Ireland, stated "This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies." The European Digital Rights Initiative also supported the decision. EPIC has recommended that the US update the Privacy Act to protect EU citizens and ratify the international convention for privacy protection.

Summary

Data Protection Commissioner v. Facebook & Max Schrems is a follow up case to the landmark Court of Justice for the European Union (CJEU) ruling striking down the "Safe Harbor" arrangement for transferring personal data of EU consumers from the EU and the United States. This case, now before the CJEU, was brought originally by the Irish Data Protection Commissioner in Irish High Court. The case concerns whether transferring data to the United States using a different legal mechanism, "standard contractual clauses," violates the European Charter of Fundamental Rights.

In 2015, the Court of Justice for the European Union (CJEU) issued a ruling invalidating the "Safe Harbor", a legal mechanism for transferring EU consumers' personal data to the United States. Following the CJEU ruling, Mr. Schrems filed a renewed complaint with the Irish DPC based on Facebook’s use of “standard contractual clauses” to authorize EU-US data transfers, which provided the basis for a new case in the Irish High Court. Soon after the CJEU decision, the Irish High Court quashed the Irish DPC’s previous decision not to investigate Facebook Ireland regarding the allegations in Mr. Schrems’s first complaint. The Irish DPC then commenced an investigation. The Irish DPC considered two key issues: does the US provide adequate legal protection to EU users whose data is transferred, and, if not, could standard contractual clauses (SCCs) used by Facebook Ireland and Facebook, Inc. to regulate the transfer of that data raise the level of protection and still render transfer permissible? Simultaneously, Mr. Schrems updated his complaint with the DPC against Facebook, and he contended that U.S. surveillance law is not in line with the requirements laid down by EU law including the judgment of the CJEU in the Safe Harbor decision. The CJEU found that the US must make changes to its “domestic laws” and “international commitments” in order to provide essentially equivalent privacy and data protection to the European Union. Additionally, Mr. Schrems argued the SCCs fail to provide the adequate legal protection necessary to otherwise permit data transfers.

In May of 2016, the Irish DPC issued a Draft Decision announcing its preliminary position: that US law fails to adequately provide legal remedies to EU citizens and the SCCs could not address the deficiency in US law. As a result, the Irish DPC suggested the contractual clauses at issue were invalid under EU law. However, the Irish DPC found that, as a representative of one nation in the EU with limited authority, it did not have the ability to declare the clauses invalid under EU law; the Irish DPC argued that standard contractual clauses issued under the broader authority of the European Commission had been deemed by that Commission to authorize data transfers. The Irish DPC argued that, without a finding that the clauses are indeed invalid, they cannot complete its investigation into Facebook.

As a result, the Irish DPC brought the case back before the Irish High Court and sought referral to the the CJEU on the question of whether the standard contractual clause decisions are valid under the Charter of Fundamental Rights. EPIC was designated the sole US amicus in that case and provided detailed submissions on US surveillance and privacy law.

The High Court referred the matter to the Court of Justice for the European Union on April 12, 2018.

EPIC’s Interest

The Irish High Court accepted EPIC's application to participate in the case as the only US privacy group, to provide a counterbalancing perspective on U.S. surveillance law to the views offered by the U.S. Government. EPIC has previously participated as an amicus before other international courts. For instance, EPIC joined a case before the European Court of Human Rights concerning the activities of British and U.S. intelligence organizations. EPIC has also appeared as a "friend of the court" in almost 100 cases in the United States concerning emerging privacy and civil liberties issues.

EPIC has taken a leading role in the policy debate over data transfers between the EU and the US, advocating for adequate safeguards for transatlantic data transfers. EPIC and a coalition of EU and U.S. consumer organizations have opposed the Privacy Shield arrangement for its failure to comply with the terms set out by the CJEU in its Safe Harbor decision. Speaking before the European Parliament, Marc Rotenberg outlined several flaws in the agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In testimony before Congress, EPIC also criticized the prior Safe Harbor Arrangement for its lack of effective means of enforcement, redress, and accountability for privacy violations.

Legal Documents

Irish Data Protection Commissioner
- Schrems Updated Complaint (Dec. 1, 2015)
- DPC Draft Decision (May 24, 2016)
Irish High Court, No. 2016 4809P
- DPC Application for Reference to CJEU for Preliminary Ruling (July 4, 2016)
- Judgment on Amici Interventions (July 19, 2016)
- Schrems Defence (Sept. 9, 2016)
- Facebook Defence (Sept. 23, 2016)
- Amended Submission of Amicus Curiae (EPIC) (Feb. 27, 2017)
Judgment of Ms. Justice Costello delivered on the 3rd day of October, 2017 (pt. 2)
Executive Summary of the Judgment 3rd October, 2017
Hearing Transcripts