EU Data Protection Directive
- European Commission Proposes Risk-Based AI Regulation, Banning 'Unacceptable' Uses: The European Commission released a long-awaited proposal for how to regulate AI throughout the European Union. The proposed regulation includes a ban on “unacceptable” uses of AI such as general social scoring and “real time remote biometric identification” for law enforcement. The proposal also imposes testing and transparency obligations for "high-risk" uses of AI, including a publicly accessible EU database on stand-alone “high-risk” systems. The proposal requires notice to individuals when they interact with certain types of AI and “conformity” assessments for "high-risk" systems. The prohibitions on unacceptable AI are very limited and many of the strongest provisions are subject to vast exceptions. However, a penalty of up to 4% of annual revenue on companies that violate the regulation is included. EPIC has called for prohibitions on secret scoring, mass surveillance, and facial recognition. EPIC urges legislators to implement the OECD Principles on AI and adopt the Universal Guidelines of AI. (Apr. 22, 2021)
- Schrems Files 101 Complaints Targeting US-EU Data Transfers: None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect is essential to run these webpages, and both are services that could have been replaced or at least deactivated by now,” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent European Court of Justice (CJEU) decision which found that the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad. (Aug. 18, 2020)
- Top European Court to Review National Data Retention Laws » (Sep. 9, 2019)
Today, the Court of Justice for the European Union will hear challenges to the data retention laws of the UK, Belgium, and France. The Court previously invalidated European and national data retention laws that required companies to retain communications data for law enforcement purposes. The Court said the laws were a "particularly serious" interference with the right to privacy. The new challenges, brought by civil society organizations, contend that European national laws fail to comply with the earlier rulings. EPIC recently urged the FCC to repeal a similar regulation that requires the retention of US telephone records, following an earlier petition to the agency. When the FCC docketed the EPIC petition for public comment, every comment received supported an end to the data retention regulation.
- European Privacy Experts Call for New Review of EU-US Data Arrangement » (Dec. 5, 2017)
The Article 29 Working Party, a group of European privacy experts, is calling for a reexamination of the Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a new report, the Working Party said that "significant concerns" should be resolved by May 25, 2018, when the GDPR goes into force. If not, "the members of WP29 will take appropriate action," including litigation. The Working Party cited the US failure to appoint an Ombudsperson to review complaints, vacancies at the Privacy and Civil Liberties Oversight Board, and continued mass surveillance practices by U.S. intelligence agencies. The report follows an earlier review of the EU-US agreement which found "sufficient" protection of EU personal data transferred to the United States. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy law in DPC v. Facebook, a case now before the European Court of Justice. In a related development, the Working Party also established a task force which will coordinate national investigations of the Uber data breach now underway in Europe.
- European Court Holds Camera Surveillance of University Lecture Halls Violates Privacy » (Nov. 29, 2017)
In the case of Antović and Mirković v. Montenegro, the European Court of Human Rights held that camera surveillance in lecture halls at the University of Montenegro's School of Mathematics violated Article 8 of the European Convention on Human Rights (the right to respect for one's "private and family life"). The decision follows earlier cases of the Court which recognize privacy rights in the workplace. Some U.S. law schools have deemed all classrooms and meeting rooms "recordable spaces" and state that voluntary participation therefore constitutes a waiver of legal claims. EPIC has protected the human right to privacy through third-party intervention in the European Court of Human Rights and has documented the spread of CCTV surveillance technology across American cities. EPIC's Privacy Law Sourcebook provides background on US and international privacy law. The Privacy Law and Society website provides more information about international privacy law.
- European Privacy Officials Push for Answers on Status of U.S. Privacy » (Jun. 13, 2017)
The Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a letter to the Commission, the Working Party outlined its expectations for this summer's annual review of the arrangement. The Group asked for "precise evidence" that bulk surveillance is "limited and proportionate." The Working Party also seeks information about vacancies in key privacy oversight positions, including the Privacy and Civil Liberties Oversight Board and the Privacy Shield Ombudsperson, and about any legal protections for "automated decision making." The European Parliament previously expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations urged the US and the EU to strengthen privacy protections following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in DPC v. Facebook, highlighting weaknesses in US privacy law.
- European Privacy Officials Back "E-Privacy" Directive Updates » (Apr. 12, 2017)
The Article 29 Working Party, an expert group of European privacy officials, has issued an opinion supporting a key proposal to modernize EU privacy law for electronic communications. The updated e-Privacy Regulation would extend consumer safeguards to users of all online communications services, cover content and metadata, and limit tracking of internet users. The Working Party welcomed the harmonization of privacy standards across the European Union, but cautioned that the Privacy Directive must offer protections at least as strong as the recently adopted General Data Protection Regulation. EPIC had urged the US Federal Communications Commission to adopt a similar, comprehensive approach to communications privacy. A narrow FCC rule covering only ISPs was recently rescinded by Congress, folding under attacks that it unreasonably singled out one sector of the communications industry.
- Europe to Update Consumer Privacy Rules » (Jan. 10, 2017)
The European Commission has released its proposal to update EU law on privacy and security safeguards for electronic communications. The revamped e-Privacy Regulation would extend important new safeguards to users of all online communications services, including email, instant messaging, and social media. The proposal would also protect both communications content and metadata, and would limit tracking of internet users. In the US, the FCC recently adopted modest privacy rules that apply only to broadband services offered by telecom companies, despite EPIC's repeated advice to the FCC to address "the full range of communications privacy issues facing US consumers." The Commission's update of the e-Privacy Directive follows the recently adopted General Data Protection Regulation, and must next be adopted by the European Parliament and European Council.
- Rep. Sensenbrenner Warns Trump on EU-US Data Flows » (Dec. 21, 2016)
Congressman James Sensenbrenner has sent a letter to President-elect Donald Trump urging him to retain Presidential Policy Directive 28, which governs domestic and foreign signals intelligence activity. The Directive requires the intelligence community to safeguard the personal information of all individuals regardless of nationality. Sensenbrenner noted that PPD 28 also serves as a foundation for the “Privacy Shield,” a framework for commercial data flows between Europe and the United States. EPIC has urged the EU and US to strengthen safeguards for transborder data flows and is currently participating as amicus curiae in a legal challenge to Privacy Shield brought by privacy advocate Max Schrems.
- European Court of Justice Holds that Data Retention Laws Violate EU Law » (Dec. 21, 2016)
In a major privacy decision, the Court of Justice of the European Union has ruled that data retention schemes enacted by member states violate EU law. The case involved challenges to data retention laws in Sweden and Britain. The Court of Justice found that subscriber data, which "contain information on the private life of natural persons," "may only be stored to the extent that is necessary for the provision of the service for the purpose of billing and for interconnection payments, and for a limited time." The court further explained that fighting terrorism or crime is not, by itself, justification for indiscriminate, blanket data retention. In 2014, the Court struck down the EU Data Retention Directive, which had required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. EPIC has advocated against mandatory data retention and currently has a petition pending before the FCC to overturn the regulation requiring the retention of phone records of US telephone customers.
- European Parliament Explores Algorithmic Transparency » (Nov. 7, 2016)
A hearing today in the European Parliament brought together technologists, ethicists, and policymakers to examine "Algorithmic Accountability and Transparency in the Digital Economy." Recently German Chancellor Angela Merkel spoke against secret algorithms, warning that there must be more transparency and accountability. EPIC has promoted Algorithmic Transparency for many years and is currently litigating several cases on the front lines of AI, including EPIC v. FAA (drones), Cahen v. Toyota (autonomous vehicles), and algorithms in criminal justice. EPIC has also proposed two amendments to Asimov's Rules of Robotics, requiring autonomous devices to reveal the basis of their decisions and to reveal their actual identity.
- European Data Protection Supervisor Calls for Stronger Protections for Electronic Communications » (Jul. 27, 2016)
The top European data protection official, the European Data Protection Supervisor, has called for strong privacy protections in the "ePrivacy Directive", an updated framework to safeguard personal information. "The scope of new ePrivacy rules needs to be broad enough to cover all forms of electronic communications irrespective of network or service used." The Data Protection Supervisor also said the legislation should "allow users to use end-to-end encryption without back doors". NGOs and data protection officials have also called for the reform of the European legislation after the adoption of the General Data Protection Regulation. EPIC has urged the FCC to establish a comprehensive framework for communications privacy, noting the work now underway in Europe to update privacy laws.
- Top European Privacy Official Rejects EU-US "Privacy Shield" » (May. 31, 2016)
The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He called for changes in the draft arrangement to permit data transfers to the United States. "Significant improvements are needed," said Giovanni Buttarelli. The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection.
- European Parliament Requires Changes to Privacy Shield » (May. 26, 2016)
The European Parliament called for changes in the draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement" privacy recommendations and negotiate further changes to the "Privacy Shield." The European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week. EPIC and other consumer and privacy organizations have said that the Privacy Shield fails to provide adequate safeguards for consumers.
- Top EU Legal Advisor Says IP Addresses are PII » (May. 12, 2016)
The Advocate General, top advisor to the European Court of Justice, has issued an opinion today about Internet anonymity. He found that dynamic IP addresses are personal data subject to data protection law. The opinion concerns the case of German pirate party politician and privacy activist Patrick Breyer, who is suing the German government over logging visits to government websites. "Generation Internet has a right to access information on-line just as unmonitored and without inhibition as our parents read the paper," says Breyer. The opinion is not legally binding but "is usually a good indication of how the court will eventually rule". EPIC has supported Internet anonymity since the 1990s and brought a similar challenge to the US government's tracking of users of government websites.
- European Parliament Adopts Comprehensive Data Protection Regulation » (Apr. 14, 2016)
The European Parliament finalized a historic reform of EU data protection legislation, which will have legal force in July 2018. "The new General Data Protection Regulation will enable people to regain control of their personal data in the digital age," said Parliament Member Jan Philipp Albrecht. The rules include data breach notification, coordinated enforcement, enhanced penalties, strengthened consent, and new measures to promote privacy innovation. EPIC and EU and US consumer groups have supported the European law, stating that it provides "important new protections for the privacy and security of consumers."
- EU Officials Call for Changes in Privacy Agreement » (Apr. 13, 2016)
European privacy officials announced today that there must be changes in the draft proposal for EU-US data transfers. The Article 29 Working Party has "strong concerns" that the current text fails to provide adequate protection against commercial misuse and bulk surveillance. The Working Party cited the complexity of the redress mechanism, the lack of independence of the ombudsman, as well as the broad uses of personal data that would be permitted under the agreement. Privacy and consumer organizations have urged the EU to oppose the Privacy Shield proposal.
- NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection » (Mar. 16, 2016)
More than twenty civil society groups have urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs state that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups said the US must make changes in domestic laws and international commitments to comply with the decision and permit transfers of personal data. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US.
- European Commission Wrongly Denies EPIC's Request For "Privacy Shield" » (Feb. 26, 2016)
The European Commission has wrongly denied EPIC's Freedom of Information request for the text of the "Privacy Shield." The Commission said the adequacy decision about Safe Harbor is "in preparation" and "negotiations with the U.S. are still ongoing." The Commission confused the text of the political agreement, known as "the Privacy Shield," with a legal determination about whether the agreement meets EU data protection law. EPIC will pursue public release of the Privacy Shield, which was previously announced, and then the release of the adequacy determination when it is final. EU and US consumer and privacy organizations have opposed the agreement because it fails to provide adequate privacy protections.
- Privacy Commissioners to Review "Privacy Shield" » (Feb. 3, 2016)
The Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the "Privacy Shield" proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a "necessary and proportionate" standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve "wider concerns raised by the Schrems judgement."
- EPIC v. DOJ: EPIC Prevails, DOJ Releases Secret EU-US Umbrella Agreement » (Jan. 25, 2016)
After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's opposition to the agency's attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.
- European Commission Issues Guidance on Data Transfers Post-Schrems » (Nov. 6, 2015)
The European Commission has published guidelines for EU-US data transfer after the invalidation of the Safe Harbor framework. The Commission explained that the Safe Harbor case "underlined the importance of fundamental right to data protection." The Commission also emphasized the ongoing role of the independent data protection agencies and the Article 29 Working Party. Negotiators are attempting to create a revised arrangement. NGOs have said that fundamental rights must be protected in all data transfers. In testimony before Congress, EPIC recommended several updates to US privacy law. EPIC's Marc Rotenberg said "these changes will benefit consumers and businesses on both sides of the Atlantic."
- After FOI Request, EPIC Obtains Secret "Umbrella Agreement" from the EU Commission » (Oct. 23, 2015)
The EU Commission, in response to a freedom of information request, has released to EPIC the text of the EU-US data transfer agreement. US and EU officials finalized the so-called "Umbrella Agreement" in September, but had kept the final document secret. EPIC has filed multiple FOIA requests with US federal agencies and the European Commission to obtain public release of the document. The Agreement, alongside the Judicial Redress Act, is a key document in the aftermath of the European court decision striking down the Safe Harbor arrangement. Legal scholars who have reviewed the agreement have concluded it is deeply flawed. EPIC continues to pursue the public release of the Agreement from US federal agencies.
- House Passes Faux Privacy Bill » (Oct. 21, 2015)
The House of Representatives has passed the Judicial Redress Act of 2015, which—contrary to its stated purpose—fails to extend Privacy Act protections to non-U.S. citizens. In a letter to Congress, EPIC explained that the bill does not provide adequate protection to permit transborder data flows and recommended changes to ensure protections for all personal information collected by U.S. federal agencies. Congress moved to advance the bill after announcement of the recently concluded but secret EU-US "Umbrella Agreement". EPIC submitted a Freedom of Information request for the Umbrella Agreement, and recently filed an administrative appeal challenging the agency's denial of expedited processing.
- Case Against Facebook Moves Forward in Ireland » (Oct. 20, 2015)
Following the ruling that invalidated the Safe Harbor arrangement, the Irish High Court has declared that the Irish Data Protection Commissioner is "obliged to investigate" Max Schrems' complaint and must follow "fair procedures under Irish and EU law." The Commissioner pledged a "quick and swift procedure." Facebook's last minute motion to join the procedure was denied. "The Schrems case underscores the need for the U.S. to strengthen its right to privacy," EPIC's Marc Rotenberg told the Washington Post.
- European Data Protection Authorities Conclude Data Transfers under Safe Harbor Now Unlawful » (Oct. 17, 2015)
Following the landmark ruling that invalidated the Safe Harbor data transfer arrangement, the Article 29 Working Party, composed of privacy officials across Europe, issued a preliminary statement. They called for solutions "enabling data transfers to the territory of the United States that respect fundamental rights." They concluded that "transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful." Also, Standard Contractual Clauses and Binding Corporate Rules will not provide an adequate basis. EPIC, US and European consumer organizations have urged lawmakers in the United States to update US privacy law.
- European Court Strikes Down "Safe Harbor," Focus Shifts to Adequacy of US Privacy Laws » (Oct. 6, 2015)
In a stunning decision, the European Court of Justice today ruled that the transatlantic "Safe Harbor" data pact is invalid. Consumer organizations and civil liberties groups in Europe and the United States applauded the outcome. Safe Harbor had been widely criticized for failing to provide adequate data protection for users of Internet-based services. The European Parliament earlier recommended against renewal of Safe Harbor. Max Schrems, the Austrian law student who brought the case, praised the judgement and said the "solution will very likely require severe changes in US law" not "just an update to the current 'safe harbor' system."
- Decision by EU Legal Advisor Signals End of "Safe Harbor" » (Sep. 23, 2015)
An opinion by the top advisor to the Court of Justice of the European Union indicates that the "Safe Harbor" arrangement, which permits the transfer of personal data to the US without legal protection, will come to an end. Under Safe Harbor, US companies self-certify compliance with EU data protection law. But the Advocate General has found the arrangement fails to protect privacy and should be declared invalid. Max Schrems, who initiated the case in Ireland, stated "This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies." The European Digital Rights Initiative also supported the decision. EPIC has recommended that the US update the Privacy Act to protect EU citizens and ratify the international convention for privacy protection.
- Google Ordered to Comply with Ruling of European High Court » (Sep. 21, 2015)
The French Data Protection Authority, the "CNIL," has ordered Google to comply with the judgement of the Court of Justice of the European Union concerning the "Right to be Forgotten." The CNIL rejected Google's proposal to remove only a few links to the personal information it publicized widely around the world. The President of the CNIL said the decision "simply requests full observance of European legislation by non European players offering their services in Europe." EPIC has previously explained that the right to privacy is global and that the position of Google, as an operator of search engines around the world, does not make sense.
- New Report Highlights Consumer Goals for EU Privacy Law » (Sep. 17, 2015)
BEUC, The European Consumer Organization, has published "My Personal Data", outlining key requirements for negotiations in Europe on the General Data Protection Regulation. BEUC underscored "the urgent need to put consumers back in control over the way their personal data is processed online." The BEUC report emphasized strong data protection principles, enhanced rights for individuals, and a comprehensive enforcement scheme. EU negotiations involve a "trilogue" of the European Parliament, the Council, and the Commission, with the EU Data Supervisor also playing an active role. In the U.S., EPIC supports the Consumer Privacy Bill of Rights and organized a coalition of consumer privacy groups to urge President Obama to enact the privacy framework into law.
- EU and US Reach Agreement on Data Protection for Investigations » (Sep. 9, 2015)
US officials have concluded an agreement with their European counterparts on data protection for transatlantic criminal investigations. The EU Justice Commissioner stated "Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic." The US Congress must next pass the Judicial Redress Act for the "Umbrella Agreement" to take effect. EPIC has previously urged US ratification of Council of Europe Convention 108, "the most widely known international framework for privacy protection."
- Top EU Official Calls Privacy Reform "Europe's Big Opportunity" » (Jul. 27, 2015)
Giovanni Buttarelli, the European Data Protection Supervisor, has announced "Recommendations on the EU's Options for Data Protection Reform." The Opinion sets out an assessment and recommendation for the new European Union privacy law. EU and US NGOs, including EPIC, have urged the adoption of strong safeguards. In response, the President of the European Commission stated recently that "proposed data protection rules will not drop below the level" of current law.
- France Tells Google Apply Right to Be Forgotten Worldwide or Face Fines » (Jun. 12, 2015)
French authorities have threatened Google with fines if it fails to apply Europe's right to be forgotten ruling to the search engine's global domains, including Google.com. Google has been reluctant to apply the landmark decision broadly, even after officials across Europe made clear that Google is violating the court judgement if it routinely discloses sensitive personal information to Internet users worldwide. EPIC explained in US News & World Report and USA Today that Google's position is illogical and inconsistent. According to a recent survey, nine out of ten voters in the United States want the right to delete links to personal information.
- EU NGOs Push for Strong Data Protection Legislation » (Jun. 9, 2015)
Following a meeting with EU NGOs, the European Data Protection Supervisor expressed support for a high level of data protection in the General Data Protection Regulation. In April, EPIC and a coalition of over sixty NGOs from around the world urged European Commission President Juncker to uphold robust data protection standards as the European Union considers the new Regulation. The European Commission previously promised that the Data Protection Regulation would be at least as strong as the 1995 Data Directive it replaces.
- European Court of Justice Hears Case Challenging "Safe Harbor" Agreement and NSA Spying » (Mar. 24, 2015)
The Court of Justice for the European Union heard arguments this week in Maximilian Schrems v. Data Protection Commissioner, a case filed in Ireland following the revelations of the NSA PRISM program. At issue is whether the disclosure of EU citizens' data by Facebook and other Internet companies to the NSA violates the EU Charter of Fundamental Rights, and whether the EU-US "Safe Harbor" agreement provides "adequate" data protection. A decision is likely later this year. Schrems is the recipient of the 2013 EPIC International Privacy Champion Award.
- Japan Adopts "Right to Be Forgotten" » (Oct. 14, 2014)
A Japanese court has ordered Google to delete about half of the search results for a man linked to a crime he didn't commit. Judge Nobuyuki Seki of the Tokyo District Court said that the search results "infringe personal rights," and had harmed the plaintiff. A recent poll also found that 61 percent of Americans favor the EU Court of Justice decision regarding the right to be forgotten. And Canada is now debating the establishment of a similar legal right. For more information, see EPIC: Right to Be Forgotten, EPIC: Public Opinions and Privacy, and EPIC: Expungement.
- EU Progress on Data Protection » (Jun. 9, 2014)
Speaking in Luxembourg this week, EU Commissioner Viviane Reding said that the EU Council moved forward two key data protection goals in 2014. First, there is "agreement on the rules that govern data transfers to third countries." Second, "Ministers agreed on the territorial scope of the data protection regulation. In simple words: EU data protection law will apply to non-European companies if they do business on our territory." Ms. Reding said the EU is on track to ensure "the completion of the Digital Single Market by 2015." For more information, see EPIC - EU Data Protection Directive, EPIC - Council of Europe Privacy Convention and EPIC - "23 US NGOs Support EU Data Protection Regulation."
- European High Court Strikes Down Data Retention Law » (Apr. 8, 2014)
In a far-reaching and dramatic opinion, the European Court of Justice has ruled that the mass storage of telecommunications data violates the fundamental right to privacy and is illegal. The Data Retention Directive required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. According to the Court, the Directive imposed "a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary." The Court found that the collection of metadata constitutes the processing of personal data and must therefore comply with Article 8 of the Charter of Rights. The Court also said that, to find a privacy violation, "it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. For more information, see EPIC - Data Retention, In re EPIC.
- European Parliament Committee Approves Comprehensive Privacy Law » (Oct. 21, 2013)
The civil liberties committee of the European Parliament has voted to approve the EU Data Protection Regulation. Before voting, members of the committee inserted stronger safeguards for data transfers to non-EU countries, an explicit consent requirement, a right to erasure, and larger fines for noncomplying businesses. The regulation is a comprehensive update of the 1995 EU Data Protection Directive that sets out new enforcement powers for privacy agencies. In 2012 and 2013, over twenty US consumer, privacy, and civil liberties groups sent letters to the European Parliament in support of the new data protection law. Until the U.S. passes comprehensive privacy legislation, the groups wrote, "the European Union offers the best prospect for the protection of Internet users around the globe." EPIC spoke recently before the European Parliament in support of the initiative. For more information, see EPIC: EU Data Protection Directive.
- EPIC's Rotenberg Addresses European Parliament » (Oct. 3, 2013)
EPIC President Marc Rotenberg
addressed the European Parliament on the issue of
The Electronic Mass Surveillance of EU Citizens. The
Committee on Civil Liberties, Justice, and Home Affairs has convened a series of hearings to examine reports of the monitoring and surveillance of Europeans. Mr. Rotenberg explained that there is now a vigorous debate in the United States and that there would be some changes to the Foreign Intelligence Surveillance Act concerning surveillance within the United States. But he also warned that US lawmakers were unlikely to make changes that respond to the concerns of European citizens. He
urged EU lawmakers to suspend trade negotiations with the US pending an adequate resolution of the surveillance inquiry. He also suggested a review of the PNR and SWIFT data transfer arrangements, which lack Privacy Act safeguards. Finally, Mr. Rotenberg recommended the adoption of an international framework for privacy protection.
- European Parliament to Investigate US NSA Surveillance Programs and Impact on EU Citizens' Privacy » (Jul. 5, 2013)
The European Parliament has
voted overwhelmingly (483 to 98, with 65 abstentions) to investigate "PRISM" and other surveillance programs of the US National Security Agency (Press release). The investigation will be undertaken by the influential
Committee on Civil Liberties, Justice, and Home Affairs ("LIBE"). Members of Parliament also urged European representatives to reexamine current arrangements that allow the transfer of banking and travel data from EU countries to the United States. The resolution was adopted as the European Union is considering a new trade deal with the United States and a proposal to strengthen privacy protections is pending. EPIC has appeared several times before the European Parliament to urge the adoption of a comprehensive privacy framework to safeguard the transatlantic transfer of personal information. For more information, see
EPIC - EU Data Protection Directive, and
Madrid Privacy Declaration.
- European Commissioner Asks Attorney General to Explain US Spying » (Jun. 13, 2013)
European Justice Commissioner Viviane Reding has
demanded that U.S. Attorney General Eric Holder explain the scope of US data collection about EU citizens. "Direct access of US law enforcement to the data of EU citizens on servers of US companies should be excluded unless in clearly defined, exceptional and judicially reviewable situations," the Commissioner wrote. The Commissioner's request is similar to that made by other European officials, such as German Justice Minister Sabine Leutheusser-Schnarrenberger, who also
stated that "all facts must be put on the table." Recent reports indicate that the United States lobbied the European Commission to weaken a comprehensive
data protection law now pending in the European Parliament. Earlier this year, EPIC joined a coalition of leading US consumer and civil liberties organizations that
expressed concern about the role of US officials in the development of European privacy law. The letter stated that "without exception," members of the European Parliament reported that the US government was "mounting an unprecedented lobbying campaign to limit the protections that European law would provide." For more information, see
EPIC: EU Data Protection Regulation.
- EU Citizens Launch "Naked Citizen Campaign" to Safeguard Privacy » (May. 8, 2013)
Objecting to business efforts to block updates to European Union data protection laws, a coalition of European Internet rights, freedom and privacy organizations has launched the
Naked Citizen campaign. The organizations stated, "The campaign is a response to the unprecedented lobbying from tech companies, the US Government and the advertising industry. They are all trying to weaken the Regulation and make it easier for companies to use personal information in opaque, unaccountable ways." The groups published a new
report -- "Don't let corporation strip citizens of their right to privacy" -- which describes the need to adopt stronger data protection rights. US consumer organizations have
expressed support for the effort to modernize European Union privacy law. EPIC also supports US ratification of the Council of Europe Privacy Convention. For more information, see
EPIC - EU Data Protection Directive and
EPIC - Council of Europe Privacy Convention.
- US NGOs Urge US Government To Support EU Privacy Proposals » (Feb. 5, 2013)
EPIC has joined a coalition of leading US consumer and civil liberties organizations who have expressed concern about the role of US officials in the development of European privacy law. In a
letter to the US Secretaries of State, Justice, and Commerce, the groups wrote to seek a meeting to ensure that US lobbying efforts in Europe "are not averse to the views expressed by the president." The letter states that "without exception," members of the European Parliament reported that US governmental agencies and businesses were "mounting an unprecedented lobbying campaign to limit the protections that European law would provide." The letter, endorsed by 18 US NGOs, emphasizes the President's commitment to protecting privacy, set out in the
Consumer Privacy Bill of Rights. Last fall, EPIC Executive Director Marc Rotenberg
testified in support of a proposed EU privacy
reform before the European Parliament, and a group of transatlantic consumer organizations wrote a
letter expressing their support for the EU effort to update and modernize privacy law. For more information, see
EPIC: EU Data Protection Directive.
- European Parliament Moves Forward on Privacy Update » (Jan. 8, 2013)
The European Parliament has indicated strong support for a
proposal put forward by the European Commission to update European Union privacy law. In reports on the
New Directive and
New Regulation, the Parliament recommends greater power for data protection agencies and new rights for data subjects. The comprehensive update of the
1995 EU Data Protection Directive simplifies compliance procedures and also creates new incentives for anonymized and pseudonymized data to help protect privacy. Last fall, EPIC President Marc Rotenberg
testified before the European Parliament in support of the proposed reform. More than 20 US consumer organizations have expressed
support for the European privacy initiative. For more information, see
EPIC: EU Data Protection Directive.
- CPDP 2013 Calls for Papers in Advance of January Conference » (Sep. 7, 2012)
The
6th Annual Computers, Privacy and Data Protection Conference has announced a
Call for Papers. The conference will take place January 23-25, 2013, in Brussels. Both experienced and junior researchers, as well as Ph.D. candidates, are invited to submit work. The theme of the 2013 CPDP conference is “Reloading Data Protection.” Organizers are particularly interested in papers focusing on technology’s relationship to privacy, data protection, non-discrimination and surveillance.
Deadline for submissions is October 19, 2012. EPIC is a participant in CPDP conferences and presents the
"EPIC International Champion of Freedom Awards" at CPDP. For more information, see
EPIC Champion of Freedom Press Release,
EPIC: EU Law,
EPIC: Privacy.
- U.S. Consumer Groups Endorse Proposed European Privacy Law » (Sep. 5, 2012)
In a
letter to members of the European Parliament, over twenty U.S. consumer organizations expressed support for the new European
data protection law. The coalition, including Consumers Union, Consumer Federation of America, and Public Citizen, said that the proposed regulation "provides important new protections for the privacy and security of consumers." The groups also explained that the European effort will raise privacy standards for consumers in other parts of the world. The European Union privacy regulation is a comprehensive update of the
1995 EU Data Protection Directive and adopts innovative new approaches to privacy protection, such as "Privacy by Design." BEUC, the association of European consumer groups, has also expressed
support for the new law. For more information, see
EPIC: EU Data Protection Directive.
- European Consumer Organizations Back New EU Privacy Effort » (Aug. 22, 2012)
BEUC, the association of European consumer organizations, has published a
Position Paper on Data Protection supporting a new European Union privacy initiative. BEUC states that the proposed
Privacy Regulation "addresses the main challenges and the shortcomings of the current framework with the aim of enhancing the rights of data subjects and restoring control over the processing of their own personal data," but BEUC cautions that "several provisions still need to be clarified to ensure the EU framework is effective and becomes the global standard for data protection." The
Trans Atlantic Consumer Dialogue, a coalition of US and European consumer groups, has also
expressed support for the EU initiative. For more information, see
EPIC: EU Data Protection Directive.
- European Expert Group Affirms Privacy Rules for Cloud Service Providers » (Jul. 3, 2012)
The
Article 29 Working Party, representing the privacy agencies of European Union countries, has
released a new
Opinion in which it states that cloud service providers will be subject to the
EU Data Protection Directive. The expert group also advises users of cloud-based services to conduct a comprehensive and thorough risk analysis of cloud services. In 2009, EPIC
urged the US Federal Trade Commission to develop privacy standards for Cloud Computing services. See
EPIC - Cloud Computing.
- EU and US Privacy Officials Convene » (Mar. 19, 2012)
Policymakers from the United States and the European Union are participating in a joint conference today on
Privacy and Protection of Personal Data. EU Vice President Viviane Reding and US Commerce Secretary John Bryson issued a
common statement reaffirming a commitment to privacy protection. US and EU consumer and privacy organizations also issued a
statement commending the new
US Consumer Privacy Bill of Rights but cautioning that the US has far more to do to safeguard the interests of users of new Internet-based services. For more information, see
Public Voice - The Madrid Declaration.
- EU Justice Minister Warns US on "Self Regulation," Draft European Privacy Law Now Available » (Dec. 7, 2011)
EU Justice Minister Viviane Reding warned this week at a
speech in Brussels that a US plan for privacy self-regulation will "not be sufficient" to protect the flow of personal data between Europe and the United States. Reding also said that European companies were likely to rely on European cloud service providers as long as the US Patriot Act remained the law in the US. A draft of the European Union’s new
General Data Protection Regulation is now available. The Regulation is a sweeping and comprehensive update of the
1995 EU Data Protection Directive that sets out new enforcement powers for privacy agencies. Meanwhile, a spokesperson for the White House
again pledged that a long-delayed paper on privacy would soon be available. For more information, see
EPIC: EU Data Protection Directive.
Introduction
The European Union is based on the respect for fundamental rights. The European Convention on Human Rights and Article 8 of the Charter of Fundamental Rights of the European Union expressly recognize the fundamental right to the protection of personal data. For several years, law enforcement agencies in various countries have urged the adoption of "data retention" requirements, which would compel communications service providers to routinely capture and archive information detailing the telephone calls, e-mail messages and other communications of their users. While many providers currently retain certain traffic data for billing and other business-related purposes for short periods of time, there are no government-imposed retention requirements in the major industrialized countries.
The "Directive 95/46 of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data" (Data Protection Directive 95/46/EC) was established to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed. The Directive contains 33 articles in 8 chapters. The Directive went into effect in October 1998. This general Data Protection Directive has been complemented by other legal instruments, such as the e-Privacy Directive for the communications sector. There are also specific rules for the protection of personal data in police and judicial cooperation in criminal matters (Framework Decision 2008/977/JHA).
In 2009, the European Commission launched a review of the current legal framework on data protection, starting with a high-level conference in May 2009, followed by a public consultation running until the end of 2009. Targeted stakeholder consultations were organized throughout 2010. Appearing before the European Parliament on October 26, 2010, EPIC President Marc Rotenberg urged the adoption of a comprehensive framework to protect the flow of personal data between the United States and the European Union. Citing the growing concern about the misuse of sensitive data and the absence of effective legal remedies, Mr. Rotenberg said it was time for the US and the EU to develop an effective legal framework that would safeguard the rights of citizens and the users of Internet-based services. EPIC strongly supports full implementation of the EU Data Protection Directive as well as other efforts to fully safeguard the fundamental rights of citizens, consumers, and users of Internet-based services. These principles should apply to data collection by both private and public entities.
In 2010, the European Commission circulated a document to the European Parliament, The Council of Europe, The Economic and Social Committee and The Committee of the Regions containing a draft strategy for improvements in data protection, including a set of proposals to change the EU Data Protection Directive. The key components of the new strategy appear to include:
- The establishment of EU-wide registration forms for databases
- New rules on privacy notices, including the promulgation of EU "standard form privacy information notices" and special rules with respect to minors
- New rules that strengthen and clarify the concept of consent to the collection, use and transfer of data
- New rules on data minimization
- The creation of a "right to be forgotten" by giving a right to demand deletion of data no longer needed for the purpose for which it was collected
- The creation of a right of "data portability," allowing individuals to take their photos, medical records or a list of friends from an application or service and transfer them into another one
- New rules on what constitutes "sensitive data"
- New remedies for violations of privacy, including expanded criminal sanctions and empowering data protection authorities with the right to go to court
- The establishment of security breach notification rules
- Clarification on the legal rules that will attach to data stored in the cloud, regardless of the geographic location of the controller
- The possible introduction of an "accountability" principle to ensure compliance with data protection laws
- New rules that make the appointment of corporate Data Protection Officers mandatory, along with privacy impact assessments and the employment of privacy by design principles
- The encouragement of self-regulatory schemes and privacy seals
- Improvements in current procedures for international data transfers, in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organizations
- Clarification of the Commission's adequacy procedure and improved specification of the criteria and standards for assessing the level of data protection in third countries
- A re-definition of standard data protection clauses to be used in international agreements, contracts, binding corporate rules or other legally binding instruments.
- Clarifying and strengthening the status and the powers of the national Data Protection Authorities in the new legal framework, including the concept of "complete independence"
- Exploration of ways to improve the cooperation and coordination between Data Protection Authorities and to ensure better enforcement of EU rules, particularly on issues having a cross-border dimension. This may include strengthening the role of the Article 29 Working Party and providing it with additional powers in order to give a European response to breaches of data protection rules at EU level, or to create a European Data Protection Authority.
- Enhancing international privacy enforcement in a cooperative fashion.
On November 4, 2010 the European Commission released a communication outlining its preliminary proposals to revise the EU Data Protection Directive (95/46/EC). The EU Commission announced a strategy to "protect individuals data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU." This policy review will be used by the European Commission with the results of a public consultation to revise the EU's 1995 Data Protection Directive. Public submissions and comments can be made on the European Commission's public consultation web site until January 15, 2011. The EU Commission will then propose legislation in 2011.
The EU Commission's strategy sets out proposals on how to modernize the EU framework for data protection rules through a series of the following key goals:
- Strengthening the Rights of Individuals so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the "right to be forgotten" when their data is no longer needed or they want their data to be deleted.
- Enhancing the Free Flow of Information in the Single Market Dimension by reducing the administrative burden on companies and ensuring a true level-playing field. Current differences in implementing EU data protection rules and a lack of clarity about which country's rules apply harm the free flow of personal data within the EU and raise costs.
- Extending Privacy Safeguards to Police and Criminal Justice Records Systems so that individuals' personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years.
- Ensuring High Levels of Protection for Data Transferred Outside of the European Union by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in cooperation with third countries and promote high standards for data protection at a global level.
- More Effective Enforcement of Privacy Rules by strengthening and further harmonizing the role and powers of Data Protection Authorities. Improved cooperation and coordination is also strongly needed to ensure a more consistent application of data protection rules across the Single Market.
A draft version of the EU General Data Protection Regulation was released on the Internet in December 2011. The draft builds on the Charter of Fundamental Rights of the European Union, which establishes a right of Information Privacy. Topics covered in the draft regulation include:
- Rights of Data Subjects - Transparency, Access to Data, Rectification, Erasure, Right to Object to Profiling
- Obligations of Companies - Data Security, Data Protection Assessment
- Increased Powers for Data Protection Agencies and New Efforts for Coordination and Collaboration
- New Remedies and Sanctions
Once the new measures are finalized they will need to be adopted by the European Council and the European Parliament.
Background
The Data Protection Directive 95/46/EC defines the basic elements of data protection that member states must transpose into national law. Each state manages the regulation of data protection and its enforcement within its jurisdiction, and data protection commissioners from the EU states participate in a working group at the community level, pursuant to Article 29 of the Directive.
Personal data is defined in the Data Protection Directive 95/46/EC as any information that relates to an "identified or identifiable natural person." The Directive mandates that the data controller ensure compliance with the principles relating to data quality and provides a list of legitimate reasons for data processing. The data controller has information duties toward the data subject whenever personal data is collected directly from the person concerned or obtained otherwise. The data controller is also mandated to implement appropriate technical and organizational measures against unlawful destruction, accidental loss or unauthorized alteration, disclosure or access.
Data subjects' individual rights, as established by the Directive, are: the right to know who the data controller is, the recipient of the data and the purpose of the processing; the right to have inaccurate data rectified; a right of recourse in the event of unlawful processing; and the right to withhold permission to use data in some circumstances. For example, individuals have the right to opt-out free of charge from receiving direct marketing material. The EU Data Protection Directive contains strengthened protections concerning the use of sensitive personal data relating, for example, to health, sex life or religious or philosophical beliefs.
Enforcement of the regulatory framework on the processing of personal data can either be through administrative proceedings of the supervisory authority or judicial remedies. Member states' supervisory authorities are endowed with investigative powers and effective powers of intervention, such as powers to order blocking, erasure and destruction of data or to impose a temporary or definite ban on processing. Any person who has suffered damage as a result of an unlawful processing operation is entitled to receive compensation from the liable controller. The Data Protection Directive provides a mechanism by which transfers of personal data outside the territory of the EU have to meet a level of processing "adequate" to the one prescribed by the directive's provisions.
European Commission
- Cecilia Malmström, Member of the European Commission responsible for Home Affairs: "Taking on the Data Retention Directive," European Commission conference in Brussels. (Dec. 3, 2010)
- The "moment of truth" for the Data Retention Directive: EDPS demands clear evidence of necessity. Peter Hustinx, the European Data Protection Supervisor strongly argued in favor of seizing the opportunity of the ongoing evaluation process to clearly demonstrate the necessity and justification for the Data Retention Directive. (Dec. 3, 2010)
- European Commission ready to start talks with US on personal data agreement to fight terrorism or crime. EU Justice Ministers approved the start of talks between the European Union and the United States on a personal data protection agreement when cooperating to fight terrorism or crime. The aim is to ensure a high level of protection of personal information like passenger data or financial information that is transferred as part of transatlantic cooperation in criminal matters. Once in place, the agreement would enhance citizens' right to access, rectify or delete data when it is processed with the aim to prevent, investigate, detect or prosecute criminal offenses, including terrorism. (Dec. 3, 2010)
- Viviane Reding, Vice-President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship: "Privacy matters - Why the EU needs new personal data protection rules," The European Data Protection and Privacy Conference, Brussels. (Nov. 30, 2010)
- Council of Europe adopts recommendation on profiling and data protection. The Committee of Ministers for the Council of Europe has adopted a new recommendation on profiling and data protection, the first text to lay down internationally-agreed minimum privacy standards to be implemented through national legislation and self-regulation. (Nov. 25, 2010)
- EU Counter-Terrorism policy: EDPS calls for a systematic and consistent approach to avoid unnecessary restrictions to privacy (Nov. 24, 2010)
- Art. 29 Working Party to Discuss EU Data Directive Change Proposals. The Art. 29 Working Party will discuss at its December 7-8, 2010 meeting in Brussels the European Commission's outline proposals for amending the EU Data Protection Directive. In particular, the Art. 29 Working Party will discuss the role of DPAs under Art. 28(6) of the Data Directive. (Nov. 17, 2010)
- Data protection reform strategy: EDPS urges Commission to meet the challenge of an ambitious reform for a strong and effective data protection. The European Data Protection Supervisor welcomed the EU Commission's communication and expressed his full support to the issues identified and to its main lines of action as a first step in a revision process. He highlighted in particular his support to achieving further harmonization of national data protection legislation, the need for a technologically neutral approach, the inclusion of the principles of privacy by design and accountability, the introduction of a mandatory security breach notification covering all relevant sectors, and the inclusion of the areas of police and justice in the general framework. (Nov. 15, 2010)
- European Commission sets out strategy to strengthen EU data protection rules. The EU Commission announced a strategy to "protect individuals data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU." This policy review will be used by the European Commission with the results of a public consultation to revise the EU's 1995 Data Protection Directive. Public submissions and comments can be made on the European Commission's public consultation web site until January 15, 2011. The EU Commission will then propose legislation in 2011. (Nov. 4, 2010)
- Data Protection: Commission to refer Austria to Court for lack of independence of data protection authority. (Oct. 28, 2010)
- Data protection in transatlantic relations: searching for a framework agreement. A future EU-US data protection agreement in the framework of police and judicial cooperation in criminal matters was discussed in October 2010 by MEPs, representatives of the Council and the Commission, the US ambassador to the EU and several experts in the field from both sides of the Atlantic. The hearing, organized by the EP's Civil Liberties Committee, was divided into three sessions and focused on issues such as strengthening the transatlantic dialogs on data protection, shared values, constitutional constraints and possible common solutions, and the impact of a new EU-US framework agreement. (Oct. 27, 2010)
- Speech of the Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship: "Towards a true Single Market of data protection," Meeting of the Article 29 Working Party "Review of the Data protection legal framework," Brussels. (July 14, 2010)
- European Commission seeks high privacy standards in EU-US data protection agreement. (May 26, 2010)
- Europeans' Privacy will be big challenge in next decade, says EU Commissioner. (Jan. 28, 2010)
- Communication from the Commission to the European Parliament and the Council: An area of freedom, security and justice serving the citizen. (Oct. 6, 2009)
- Personal data - more use, more protection? (May 19-20, 2009)
- Communication from the Commission to the European Parliament and the Council on the follow-up of the Work programme for a better implementation of the Data Protection Directive. (Mar. 7, 2007)