Privacy Shield EU-U.S. Data Transfer Arrangement
Summary
On February 29, 2016, the European Commission and the Obama Administration released the proposed EU-U.S. Privacy Shield. The Privacy Shield aims to replace the Safe Harbor framework for commercial data flows between the EU and the U.S., which was struck down by the Court of Justice of the European Union in October 2015. The Privacy Shield agreement is to serve as the basis for an “adequacy” decision by the European Commission that the U.S. has a satisfactory system regarding data protection, including addressing issues related to government surveillance and consumer privacy.
Top News
- Data Flow Deal Talks Fail Due to Lack of US Action on Privacy: The agreement on transatlantic cooperation reached by U.S. and EU leaders this week did not include the political agreement the White House was hoping for on transatlantic data deals. Last week, EPIC and 23 other leading civil society groups sent a letter to President Biden urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. (Jun. 17, 2021)
- EPIC, Coalition Tell Biden Administration: No Data Flows Deal Until Congress Enacts Privacy Laws: EPIC and 23 other leading civil society groups sent a letter to President Biden today urging his Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. “The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows,” the groups wrote. “Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated.” In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. [PRESS RELEASE] (Jun. 10, 2021)
More top news
- Facebook to be Ordered to Stop Sending EU Data to U.S. (Sep. 10, 2020)
The Irish Data Protection Commissioner has reportedly issued a preliminary order instructing Facebook to stop transferring the data of EU users to the United States. The order comes in the wake of a recent European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- Schrems Files 101 Complaints Targeting US-EU Data Transfers (Aug. 18, 2020)
None of Your Business, the privacy NGO established by EPIC Advisory Board member Max Schrems, has filed complaints in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook. “We have done a quick search on major websites in each EU member state for code from Facebook and Google. These code snippets forward data on each visitor to Google or Facebook. Both companies admit that they transfer data of Europeans to the US for processing, where these companies are under a legal obligation to make such data available to US agencies like the NSA. Neither Google Analytics nor Facebook Connect are essential to run these webpages and are services that could have been replaced or at least deactivated by now.” says Max Schrems, honorary chair of noyb.eu. The complaints come in the wake of a recent European Court of Justice (CJEU) decision which found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. EPIC participated as an amicus curiae in the case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- Transatlantic Consumer Groups: No New Data Transfer Agreement Until Privacy Protections Improved (Jul. 28, 2020)
The Transatlantic Consumer Dialogue (TACD), a coalition of US and European consumer groups, urged EU Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross to stop negotiations for a new data transfer agreement following the invalidation of the EU-U.S. Privacy Shield. In Data Protection Commissioner v. Facebook & Max Schrems, the European Court of Justice (CJEU) found the Privacy Shield, which permitted companies to freely transfer users' personal data, illegally infringed EU residents' data protection and privacy rights. In its letter, TACD claims the CJEU's decision is "crystal clear," and that any future data transfer deal will not be valid until the U.S. enacts comprehensive federal privacy legislation. EPIC participated as an amicus curiae in the Schrems case, arguing that U.S. surveillance law does not provide adequate privacy protections or remedies for non-U.S. persons abroad.
- BREAKING: Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws (Jul. 16, 2020)
Today the European Court of Justice issued a decision in Irish Data Protection Commissioner v. Facebook & Schrems, a case concerning transfers of personal data by Facebook between the EU and the United States. Specifically, the court considered the validity of transfers made from companies in the EU to companies in the U.S. pursuant to standard contracts or to the EU-U.S. Privacy Shield agreement, both of which had been authorized by the European Commission. But the court held that the Privacy Shield was invalid and that transfers could not be made under the contracts where personal data is not adequately protected. Because U.S. surveillance law authorizes the mass processing of personal data transferred from abroad, under Section 702 of FISA, it "cannot ensure a level of protection essentially equivalent to that guaranteed by the Charter." EPIC participated as an amicus curiae in the case and argued that U.S. surveillance law does not provide an equivalent level of protection because it does not provide adequate protections or remedies for non-U.S. persons abroad. EPIC was represented in this case by the Free Legal Advice Centres (FLAC) and by barristers Grainne Gilmore and Colm O’Dwyer, SC. [PRESS RELEASE]
- EU Advocate General Backs Data Transfers, Criticizes Privacy Shield (Dec. 19, 2019)
Today the EU Advocate General issued an advisory opinion in "Schrems 2.0," a case about Facebook’s transfer of personal data to the United States. The Advocate General backed data transfers generally but sharply criticized the EU-US Privacy Shield agreement. The Advocate also said that data protection authorities must enforce privacy obligations. The Advocate General cited EPIC's expert submissions in the case concerning the adequacy of US privacy law. The case follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement. The European Court of Justice is expected to issue a binding opinion in the next few months. After the original Schrems opinion, EPIC testified in Congress. EPIC's Marc Rotenberg urged Congress to "modernize" US privacy law and also establish an independent privacy agency.
- FTC Announces Privacy Shield No Penalty Enforcement Action (Dec. 3, 2019)
The FTC entered into settlements with four companies that misrepresented their participation in the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. These frameworks permit the transfer of Europeans' personal data to the U.S. with an assurance of privacy protection. The settlements require the companies to halt misrepresentations about compliance, but provide no remedy to those EU citizens whose personal data was collected. EPIC has repeatedly told Congress that the FTC lacks effective enforcement authority. In recent comments on the Privacy Shield, EPIC also noted the absence of a comprehensive U.S. federal privacy law and a data protection authority with the authority to enforce privacy rights. Under the Schrems decision, which provided the basis for the Privacy Shield, the Court of Justice explained that "everyone whose rights and freedoms are violated" has "the right to an effective remedy."
- European Privacy Board Cites Concerns about EU-U.S. Privacy Shield (Nov. 14, 2019)
In a new report the European Data Protection Board is raising concerns about the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. The EDPB, a group of top data protection authorities from across Europe, called for more rigorous review of compliance with the Shield, urged the Privacy and Civil Liberties Oversight Board to publish assessments of U.S. surveillance, and concluded that the Shield Ombudsperson was not a sufficient remedy for potential privacy violations. The European Commission recently renewed the agreement, despite comments from EPIC and other civil society organizations highlighting U.S. mass surveillance practices and weak privacy safeguards.
- EU-U.S. Privacy Shield Renewed, Still in Dispute in Court (Oct. 23, 2019)
The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. The Commission concluded the recent FTC-Facebook settlement did not bar enforcement actions related to the Privacy Shield. The Commission also noted positively the appointment of an Ombudsperson to receive complaints about U.S. surveillance, FTC enforcement actions for false Privacy Shield certifications, and assurances from the U.S. intelligence community that specific selectors are used to limit foreign intelligence collection. The Commission did urge the FTC to bring actions for substantive violations of the Shield. In comments on the Privacy Shield and in a letter to Congress, EPIC called for a permanent end to the broad telephone record collection under Section 215 of the Patriot Act. The validity of the Privacy Shield is still in dispute in several cases before Europe's highest court.
- Access Now Calls for Privacy Shield to be Struck Down (Sep. 18, 2019)
Access Now has called on the European Commission to strike down the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. In comments to the Commission, Access Now wrote "the Privacy Shield has manifestly failed to meet the standards set by EU law from inception to today." The comments cite the limited redress provided by the Privacy Shield Ombudsperson, increased U.S. border surveillance, and the Cambridge Analytica scandal among the shortcomings in US privacy protection. EPIC's earlier comments on the Privacy Shield highlighted the failure of the U.S. to curtail surveillance authorities, the absence of a comprehensive privacy law and a data protection agency. Next month the European Commission will decide whether to renew the pact.
- Company Violates Privacy Shield, FTC Imposes No Penalty (Aug. 22, 2019)
The FTC entered into an enforcement agreement against background screening company SecurTest for falsely claiming to offer privacy protections to EU citizens. According to the FTC, SecurTest's website falsely claimed to participate in the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. The settlement requires SecurTest to halt misrepresentations and submit to compliance monitoring, but provides no remedy to those EU citizens who used the service. In recent comments on the Privacy Shield, EPIC noted the absence in the US of a comprehensive federal privacy law and a data protection authority with the authority to enforce privacy rights. The European Commission will formally decide whether to renew the pact this fall.
- EPIC Comments on Canada Transborder Data Flow Policy (Aug. 6, 2019)
EPIC provided comments to the Office of the Privacy Commissioner on Canada's policy for transborder data flows. EPIC urged the OPC to require that legal protection for personal data extend across borders, citing risks to privacy after the Capital One breach affected six million Canadians. EPIC also encouraged the OPC to recognize multiple grounds for transfer, coupled with strong accountability measures. This approach is reflected in the EU General Data Protection Regulation and the Council of Europe's Modernized Privacy Convention. EPIC recently submitted comments on the third annual review of the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. EPIC detailed the latest developments in the U.S., including the failure to reform bulk surveillance under Section 702 of FISA, the absence of comprehensive federal privacy law and a data protection authority, the full slate of appointments to the PCLOB, and U.S. endorsement of the OECD AI Principles.
- EPIC Comments on Third Annual Privacy Shield Review (Jul. 15, 2019)
EPIC provided comments to the European Commission to inform the third annual review of the EU-U.S. Privacy Shield, a framework that permits the transfer of Europeans' personal data to the U.S. EPIC detailed the latest developments in the U.S., including the failure to reform bulk surveillance under Section 702 of FISA, the absence of comprehensive federal privacy law and a data protection authority, and an executive order to collect data about non-citizens from across the federal government. EPIC also applauded appointments to the PCLOB and the U.S. endorsement of the OECD AI Principles. The Commission approved Privacy Shield last year, but urged the U.S. to adopt privacy legislation and to join the International Privacy Convention. The European Commission will make a determination about whether to renew the Privacy Shield this fall.
- EPIC to Discuss US Surveillance before Top European Court (Jul. 8, 2019)
This week EPIC Senior Counsel Alan Butler will appear before the Court of Justice of the European Union in the case Data Protection Commissioner v. Facebook. The case, known as "Schrems 2.0," follows the European Court's landmark decision in Schrems v. DPC striking down the "Safe Harbor" arrangement and leading to the creation of the "Privacy Shield." The current case considers whether the transfer of personal data to the U.S. using standard contract clauses violates the fundamental rights of Europeans. At issue is Section 702 of the FISA Amendments Act and Executive Order 12333. EPIC's Butler will provide the Court with expert analysis on U.S. surveillance law. EPIC is a party to the case, along with Austrian privacy activist Max Schrems. EPIC also recently filed a brief with the European Court of Human Rights in Big Brother Watch v. UK, arguing that the Human Rights Court should review UK-U.S. intelligence transfers in assessing UK bulk surveillance. That case will be heard July 10th.
- EPIC Urges Senate to Strengthen US Privacy Laws for Cross Border Data Flows (Mar. 26, 2019)
EPIC sent a statement to a Senate committee on Foreign Relations regarding the nomination of Keith Krach to Under Secretary of State. Krach would serve as the US Privacy Shield Ombudsperson, a pivotal role concerning the transfer of personal data between the EU and the US. EPIC took no position on the nominee, but wrote to underscore the urgency of Congressional action to safeguard the privacy interests of Americans. EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take three steps to update U.S. privacy law: (1) enact comprehensive baseline privacy legislation, (2) establish an independent data protection agency, and (3) ratify the International Privacy Convention.
- European Privacy Board Report Criticizes Privacy Shield Compliance (Jan. 25, 2019)
A report from the European Data Protection Board, an influential independent European privacy body, criticizes U.S. oversight of the EU-U.S. Privacy Shield. The European Commission recently renewed the framework permitting the flow of European consumers' personal data to the U.S. However, the Board now states U.S. oversight of compliance lacks "substantial checks." The EU Data Protection Board encouraged the Privacy and Civil Liberties Oversight Board to review U.S. surveillance authorities, and stated that the Privacy Shield Ombudsperson could not be considered an "effective remedy" for privacy violations. During review of Privacy Shield, EPIC cited concerns about the failure of the FTC to enforce the 2011 Consent Order against Facebook, passage of the CLOUD Act, and renewal of bulk foreign intelligence surveillance.
- EU-U.S. Privacy Shield Renewed, Privacy Commitments Ignored (Dec. 19, 2018)
The European Commission has renewed the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the U.S. Oddly, the Commission cited the FTC investigation into the Cambridge Analytica scandal (which has produced no outcome) and the appointment of three members to the PCLOB as support for renewal. The report also overlooked the failure of the FTC to enforce the 2011 Consent Order against Facebook, which ultimately compromised the personal data of several hundred million Europeans. And the Commission had little concern about passage of the CLOUD Act, renewal of Section 702 of FISA (permitting bulk surveillance of Europeans), and other shortcomings cited by EPIC comments and the European Parliament. The Commission did recommend an Ombudsperson for Privacy Shield (which was required in the original agreement), and encouraged the U.S. to ratify the International Privacy Convention.
- U.S. Defends Privacy Shield, But Fails to Comply with Privacy Commitments (Sep. 5, 2018)
The Department of Commerce has told the President of the European Parliament that the US is in compliance with the Privacy Shield, a pact that permits US companies to obtain the personal data of Europeans. The statement follows a resolution of Parliament to suspend the international arrangement if the U.S. did not comply in full by September 1. The Parliament cited the Cambridge Analytica data breach, the reauthorization of FISA Section 702 without reform, the failure to stand up the PCLOB, the passage of the CLOUD Act, and the absence of a Privacy Shield ombudsman. The Commerce Department disputed the Parliament's findings but failed to show progress on the issues identified. EPIC highlighted similar problems with data protection in the United States in recent comments to the European Commission. Almost six months have passed since the FTC reopened the investigation of Facebook's compliance with the 2011 consent order, which followed a complaint from EPIC and other consumer privacy organizations.
- EPIC Comments on Second Annual Privacy Shield Review (Aug. 14, 2018)
EPIC provided comments to the European Commission to inform the second annual review of the EU-U.S. Privacy Shield, a framework that permits the processing of the personal data of Europeans in the United States. EPIC detailed the latest privacy developments in the U.S., including the extension of Fourth Amendment protection to cell phone location data in Carpenter v. United States, passage of the CLOUD Act, the FTC's failure to enforce its legal judgment against Facebook, the vacancies at the PCLOB, the absence of a Privacy Shield Ombudsman at the Commerce Department, and the nomination of Judge Brett Kavanaugh to the Supreme Court. The Commission approved Privacy Shield last year, but sought additional steps by the United States. The European Parliament has called for suspension of the pact if the U.S. does not fully comply by September 1st. The European Commission will make a final determination this fall.
- For Internet Policy, EPIC Urges Congress to Update U.S. Privacy Laws (Jul. 30, 2018)
In advance of a hearing on "The Internet and Digital Communications: Examining the Impact of Global Internet Governance," EPIC urged the Senate Commerce Committee to prioritize updating U.S. privacy law to respond to changes in technology. "The failure of the United States to address the growing concerns about online privacy is threatening both the digital economy and democratic institutions," EPIC stated. EPIC explained that privacy protection is necessary to ensure the free flow of information online. EPIC again warned Congress that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S., if the United States does not modernize privacy law and establish a federal data protection agency.
- European Parliament: 'Privacy Shield' Does Not Protect Privacy, Calls for Suspension (Jul. 5, 2018)
The European Parliament has called for the suspension of the "Privacy Shield" if the U.S. does not comply in full by September 1, 2018. The resolution states that the pact, which permits US companies to obtain the personal data of Europeans, does not protect privacy. The Parliament cited numerous problems, including the Cambridge Analytica breach of 87 million Facebook users' data, the reauthorization of FISA Section 702, the failure to appoint members to the PCLOB, and passage of the CLOUD Act, which permits US law enforcement agencies to access personal data stored in Europe. The vote of the full Parliament follows an earlier statement from the civil liberties "LIBE" committee. EPIC highlighted many of the same concerns in recent comments. EPIC also told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook. The European Commission, the EU body in charge of the Shield, must now decide how to respond.
- FTC Announces Another Privacy Settlement, But Again Imposes No Penalties (Jul. 2, 2018)
The FTC announced today that it settled charges with ReadyTech, a California company, for misrepresenting compliance with Privacy Shield, a self-certification arrangement that allows US companies to obtain the personal data of Europeans. The FTC settlement prohibits the company from making future misrepresentations about Privacy Shield compliance, but imposes no penalties and provides no remedy to European consumers whose personal data was wrongfully obtained. Last year, the FTC settled charges with three companies that misrepresented their participation in Privacy Shield, but similarly failed to impose penalties. The European Parliament's Civil Liberties Committee ("LIBE") recently passed a resolution stating that Privacy Shield does not protect European consumers, and called for its suspension if the U.S. does not comply by September 1, 2018. LIBE specifically called attention to the Cambridge Analytica breach of 87 million Facebook users. In March, EPIC told the FTC that the Cambridge Analytica breach could have been prevented if the FTC had enforced its 2011 Consent Order with Facebook.
- European Civil Liberties Committee: 'Privacy Shield' Should Be Suspended (Jun. 12, 2018)
Members of European Parliament are calling for the suspension of the EU-U.S. Privacy Shield if the U.S. does not comply in full by September 1, 2018. The Civil Liberties Committee ("LIBE") passed a resolution stating that the pact, which permits the flow of European consumers' personal data to the U.S., does not adequately protect privacy. LIBE urged US authorities to respond without delay to the Cambridge Analytica breach of 87 million Facebook users. The groups also expressed "strong concerns" about the CLOUD Act which permits US law enforcement to unilaterally access personal data stored in Europe. EPIC recently told the FTC that the Cambridge Analytica breach could have been avoided had the agency enforced a 2011 Consent Order that EPIC and a coalition of consumer privacy groups obtained.
- European Court of Justice Receives Key Questions on Future of EU-US Personal Data Transfers (Apr. 12, 2018)
The Irish High Court has sent eleven questions to the European Court of Justice for review in Data Protection Commissioner v. Facebook. The case considers whether Facebook's transfers of data from Ireland to the United States violate the European Charter of Fundamental Rights. The case follows the 2015 landmark decision Schrems v. DPC, which found that the US had insufficient privacy law to protect the personal data of Europeans. The new case examines "standard contractual clauses" and whether the US provides sufficient remedies for privacy violations, whether future data transfers should be suspended, and whether the EU-US "Privacy Shield" matters. EPIC was designated the US NGO amicus curiae in this case, and provided a detailed assessment of US privacy law.
- EPIC Tells House to Probe Commerce Secretary on Data Protection, Privacy Shield (Mar. 20, 2018)
EPIC has sent a statement to the House Appropriations Committee outlining the key privacy issues facing the Secretary of Commerce. The Committee held a hearing today to discuss the FY19 budget for the Department of Commerce. EPIC stated that data protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC said the FTC is simply not doing enough to safeguard the personal data of American consumers, as evidenced by this week's report on Facebook and Cambridge Analytica. EPIC also warned that Europe may suspend the Privacy Shield, a framework that permits the flow of European consumers' personal data to the U.S., if the United States does not modernize privacy law and establish a federal data protection agency.
- Congress Renews Controversial Surveillance Measure, EU Impacted (Jan. 18, 2018)
In a decision that could jeopardize relations with Europe, Congress has renewed "Section 702" of the Foreign Intelligence Surveillance Act, which permits broad surveillance of individuals outside of the United States. The FISA Amendment Reauthorization Act also permits government surveillance of Americans and restarts the controversial "about" collection program. Congress rejected updates, including limits on data collection, that would preserve a privacy agreement between Europe and the United States. The European Court of Justice will also soon decide whether to allow data transfers from Ireland to the United States. EPIC served as the US NGO amicus curiae in that case.
- EU Approves Data Transfer Arrangement, But Seeks Stronger U.S. Privacy Protections (Oct. 18, 2017)
Following the first annual review of the pact, the European Commission has approved the EU-U.S. Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. However, the Commission urged the U.S. to appoint a permanent Ombudsperson to review complaints, to restore the Privacy and Civil Liberties Oversight Board, and to pass the Obama-era Presidential Policy Directive-28 into law. In a recent letter to Congress, EPIC emphasized the need to update U.S. privacy laws. EPIC Senior Counsel Alan Butler has also highlighted weaknesses in US privacy in DPC v. Facebook, a case now before the European Court of Justice.
- EPIC Urges House to Strengthen US Privacy Laws for Cross Border Data Flows (Oct. 12, 2017)
EPIC sent a letter to a House committee on Digital Commerce and Consumer Protection for the hearing "21st Century Trade Barriers: Protectionist Cross Border Data Flow Policy's Impact on U.S. Jobs." EPIC explained that foreign governments are reluctant to permit the transfer of the personal data of their citizens to the U.S. due to the U.S.'s lax privacy laws. EPIC recommended Congress take four steps to update U.S. privacy law: (1) enact the Consumer Privacy Bill of Rights, (2) modernize the Privacy Act, (3) establish an independent data protection agency, and (4) ratify the International Privacy Convention. EPIC also noted that the Schrems II decision calls into question the viability of "Privacy Shield," the current data transfer scheme between the US and EU.
- FTC Announces Privacy Shield Settlement but Imposes No Penalties (Sep. 8, 2017)
The Federal Trade Commission announced today a settlement with three companies that misrepresented their participation in the Privacy Shield arrangement. The Privacy Shield allows companies to transfer the personal data of European consumers to the United States based on a system of industry self-certification. The FTC settlement prohibits the companies from making future false claims about compliance with Privacy Shield, but does not impose any penalty. The FTC settlement also fails to provide any remedy to the EU consumers whose personal data was wrongfully obtained, nor does it require the companies to disgorge the data they fraudulently obtained. EPIC and consumer organizations in the US and Europe have criticized Privacy Shield for failing to establish basic privacy protection and lacking effective remedies. The FTC is now soliciting public comments on the proposed settlements, and the deadline to file a comment is October 10, 2017.
- European Privacy Officials Push for Answers on Status of U.S. Privacy (Jun. 13, 2017)
The Article 29 Working Party, an expert group of European privacy officials, is pressing the European Commission to closely evaluate the EU-US Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. In a letter to the Commission, the Working Party outlined its expectations for this summer's annual review of the arrangement. The Group asked for "precise evidence" that bulk surveillance is "limited and proportionate." The Article 29 Working Party also seeks information about vacancies in key privacy oversight positions, including the Privacy and Civil Liberties Oversight Board and the Privacy Shield Ombudsperson, and any legal protections for "automated decision making." The European Parliament previously expressed alarm over the rollback of U.S. privacy safeguards necessary for the Privacy Shield. In 2015, EPIC and a coalition of privacy organizations urged the US and the EU to strengthen privacy protections following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler made submissions in DPC v. Facebook, highlighting weaknesses in US privacy law.
- EPIC, Privacy Coalition Meet with EU Data Protection Supervisor (Apr. 21, 2017)
European Data Protection Supervisor Giovanni Buttarelli spoke today to the Privacy Coalition, a nonpartisan association established in 1995 to promote dialogue on emerging privacy between civil society organizations and policy leaders. Mr. Buttarelli addressed relations between the European Union and the United States, and discussed encryption policy, the E-Privacy Regulation, the Privacy Shield, and the U.S. Privacy Act as it applies to foreigners, among many other topics. Recent speakers at the Privacy Coalition have included FTC Chair Maureen Ohlhausen and FCC Senior Counsel Nick Degani.
- European Parliament Expresses Alarm Over Rollback of US Privacy Safeguards (Apr. 6, 2017)
In a resolution passed today, the European Parliament expressed alarm over the rollback of U.S. privacy safeguards necessary for Privacy Shield, a framework permitting the flow of European consumers' personal data to the United States. The Parliament cited several recent developments including procedures that allow the NSA to disseminate raw data across the US government, vacancies at the Federal Trade Commission and the Privacy and Civil Liberties Oversight Board, the repeal of an FCC privacy rule, and the absence of effective redress for violations of Privacy Shield. The resolution of Parliament called on the European Commission to rigorously analyze these matters and to "take all necessary measures" to ensure the agreement respects EU privacy rights. In 2015, EPIC and a coalition of privacy organizations had urged the US and the EU to strengthen privacy protections, following a landmark decision that found insufficient legal protections for the transfer of consumer data to the US.
- NGOs Continue Campaign Against Privacy Shield (Mar. 2, 2017)
In March 2016, EPIC and more than 20 civil society organizations urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs wrote that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups urged the US to make changes in domestic laws and international commitments to permit transfers of personal data to the US. The ACLU and Human Rights Watch have now also sent a letter asking Europe to reexamine Privacy Shield. At a hearing before the High Court of Ireland, EPIC Senior Counsel Alan Butler has made submissions in DPC v. Facebook highlighting weaknesses in US privacy law.
- White House Publishes Privacy Report, Data Breaches Continue to Rise, as Obama Leaves Office (Jan. 19, 2017)
As one of the final acts of the outgoing President, the White House has released "Privacy in our Digital Lives: Protecting Individuals and Promoting Innovation." In 2008, President Obama announced "Change We Can Believe In" and said he would "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy." Beginning after his election, privacy groups across the country urged the President to strengthen privacy in America. In 2012, Obama proposed a Consumer Privacy Bill of Rights but no legislation followed. After the Snowden revelations, Congress enacted the Freedom Act and Obama reformed intelligence practices, but the US failed to limit data collection outside the US. The "Privacy Shield," a framework to gather data for commercial use without legal protections, was put in place even after NGOs urged comprehensive reforms in the US and the EU. Between 2009 and 2016, the levels of data breach, identity theft, and financial fraud in the United States skyrocketed, even as Americans called for stronger protections. The 2016 Presidential election was marked by data breaches, email disclosures and cyber attacks. The U.S. is still one of the few democratic nations in the world without a data protection agency.
- EPIC Tells Senate to Probe Commerce Nominee on Data Protection, Privacy Shield (Jan. 18, 2017)
EPIC has sent a letter to the Senate Commerce Committee outlining the key privacy issues that the next Secretary of Commerce should address. The Committee convened this week to consider the nomination of Wilbur Ross for Commerce Secretary. EPIC stated that privacy protection may be "the most important issue that the Secretary of Commerce will confront over the next several years." EPIC urged the Committee to ensure the nominee "make clear his commitment to a comprehensive approach to data protection, based in law." EPIC warned about the inadequacy of the Privacy Shield, a non-legal framework that permits the flow of European consumers' personal data to the United States, outside of European privacy law.
- Second Legal Challenge Launched Against "Privacy Shield" (Nov. 3, 2016)
La Quadrature du Net, a French privacy organization, has launched a legal challenge to "Privacy Shield," a controversial framework for the transfer of personal data from Europe to the United States. This lawsuit follows a similar challenge brought by the Irish group Digital Rights Ireland. "Privacy Shield" was the response of EU and US politicians after the European Court of Justice determined that there was insufficient legal protection for transatlantic data transfers. NGOs in the United States and Europe had urged the adoption of a comprehensive framework for data protection and said that Privacy Shield was not adequate. EPIC also testified before Congress on the need to update US privacy law. EPIC is currently participating as amicus curiae in a related case brought by privacy advocate Max Schrems.
- Privacy Shield Sign-ons Begin (Aug. 2, 2016)
The European Commission announced that the EU-U.S. Privacy Shield data transfer arrangement is "fully operational" and U.S. "companies are able to sign up with the Department of Commerce." The framework was adopted by the European Commission over objection by European data protection authorities, the European Data Protection Supervisor, the European Parliament, and EU and US NGOs. The deal will be subject to future legal scrutiny and experts predict that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC has urged the EU and US to strengthen safeguards for transborder data flows including redress mechanisms.
- European Commission Signs Off on Flawed "Privacy Shield" (Jul. 12, 2016)
The European Commission has approved the "Privacy Shield" which will allow companies to transfer personal data of Europeans to the U.S. without legal protections. European data protection authorities, the European Data Protection Supervisor, and EU and US NGOs identified flaws with the non-binding framework. Citing a judgement of the European high court which struck down a similar framework, Max Schrems and Jan-Philipp Albrecht predicted that the "Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice." EPIC and other consumer organizations urged the EU and US to strengthen safeguards for transborder data flows. According to the Federal Trade Commission, identity theft complaints in the US increased by 47% between 2014 and 2015.
- Privacy Shield Revisions Fail to Satisfy Legal Requirements (Jun. 29, 2016)
A revised draft of the Privacy Shield included some modifications on the scope of US bulk data collection, the role of the "ombudsperson," and data erasure but fails to resolve flaws previously identified by European data protection authorities and the European Data Protection Supervisor. EPIC and an international coalition of NGOs previously called for substantial changes in the Privacy Shield to respect the fundamental rights to privacy and data protection.
- EPIC's Rotenberg Outlines Need for International Privacy Framework (Jun. 17, 2016)
Speaking at the Council of Europe in Strasbourg, EPIC President Marc Rotenberg outlined the need for the US to ratify the International Privacy Convention. Rotenberg said it was "unlikely that the Privacy Shield will survive another trip to Luxembourg." The Privacy Shield is a proposed arrangement for EU-US data transfers that has come under criticism from European consumer groups, NGOs, privacy officials, and the EU Data Protection Supervisor. In 2009, more than 100 privacy groups and experts endorsed the Council of Europe Privacy Convention. In 2010, members of the EPIC Advisory Board urged then Secretary of State Hillary Clinton to seek US ratification of the Privacy Convention.
- Top European Privacy Official Rejects EU-US "Privacy Shield" (May. 31, 2016)
The European Data Protection Supervisor has determined that "Privacy Shield is not robust enough to withstand future legal scrutiny." He called for changes in the draft arrangement to permit data transfers to the United States. "Significant improvements are needed," said Giovanni Buttarelli. The Article 29 Working Party, the European Parliament, and a coalition of EU and U.S. consumer organizations have also opposed the data transfer proposal. Citing rampant data breaches in the United States, NGOs have urged strong safeguards for privacy and data protection.
- European Parliament Requires Changes to Privacy Shield (May. 26, 2016)
The European Parliament called for changes in the draft arrangement to permit data transfers to the United States. The Parliament said that officials must "fully implement" privacy recommendations and negotiate further changes to the "Privacy Shield." The European Data Protection Supervisor is expected to issue an opinion on the data transfer arrangement next week. EPIC and other consumer and privacy organizations have said that the Privacy Shield fails to provide adequate safeguards for consumers.
- TACD Opposes "Privacy Shield," Urges Rejection by EU (Apr. 7, 2016)
The Transatlantic Consumer Dialogue has urged the European Commission to reject the "Privacy Shield," a proposal to continue the transatlantic transfer of personal data from Europe to the United States. TACD warned that Privacy Shield "does not adequately protect consumers' fundamental rights to privacy" and that it does not provide "effective and meaningful data protection." European officials are carefully reviewing the proposal. EPIC and a coalition of NGOs have urged the US to adopt a robust data protection law and end 702 surveillance. The TACD is a forum of more than 70 consumer organizations in Europe and the United States.
- EPIC's Rotenberg Urges European Parliament to Condition "Privacy Shield" on End of 702 Surveillance (Mar. 17, 2016)
Speaking before the European Parliament on "Privacy Shield," Marc Rotenberg outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision.
- NGOs - "Privacy Shield" is Failed Approach for EU-US Data Protection (Mar. 16, 2016)
More than twenty civil society groups have urged European leaders to oppose adoption of the "Privacy Shield" for EU-US data flows. The NGOs state that the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case. The groups said the US must make changes in domestic laws and international commitments to comply with the decision and permit transfers of personal data. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US.
- "Privacy Shield" Released, New Questions Raised (Feb. 29, 2016)
The text of the "Privacy Shield" was released today by the European Commission and the US Department of Commerce. The arrangement was intended to bring EU-US data transfers in line with the recent decision of the European Court of Justice in the Schrems case. But the framework appears to provide less protection than the Safe Harbor arrangement it replaces. New exceptions take broad categories of personal data entirely outside the scope of the agreement. Max Schrems said "this is far from what the Court required and does not seem like a stable solution." Privacy experts will now assess the text and determine whether it provides an adequate basis for the transfer of personal data. EU and US NGOs have urged the US to update its privacy laws.
- Department of Commerce: Privacy Shield "does not exist" (Feb. 10, 2016)
As a response to EPIC's Freedom of Information request for the "Privacy Shield," the Commerce Department responded that "the record you requested does not exist." EU and US officials celebrated earlier this month that the EU and the US reached an agreement for transatlantic data transfers but they did not make the agreement public. Apparently there was nothing to make public since the agreement does not exist. The EPIC FOIA request is designated DOC-ITA-2016-000577.
- Privacy Commissioners to Review "Privacy Shield" (Feb. 3, 2016)
The Article 29 Working Party, the association of European Data Protection Commissioners, has said it will review the adequacy of the "Privacy Shield" proposal for transborder data flows. The Working Party said there must be (1) clear and precise rules, (2) a "necessary and proportionate" standard for data collection and access, (3) independent oversight, and (4) effective remedies for the individual. The Working Party also said it must first receive the relevant documents to assess the legal force of the arrangement and whether it will resolve "wider concerns raised by the Schrems judgement."
Background
The Court of Justice of the European Union (CJEU) issued the final ruling in Schrems v. Data Protection Commissioner (Case C-362/14) on October 6, 2015. The Court’s decision invalidated the Safe Harbor EU-U.S. data transfer arrangement. The European Commission seeks to replace the Safe Harbor framework with the Privacy Shield proposal.
As a consequence of the Schrems decision the negotiations between the European Commission and the U.S. Department of Commerce continued on the revision of Safe Harbor. The goal has been to reach a solution for the continuation of data flows which provides legal certainties for individuals and businesses alike. The new framework must meet the legal criteria of EU law, including the Schrems judgment, and provide for adequate safeguards for the fundamental rights to privacy and data protection.
The Court interprets ‘adequacy’ to mean that the third country must ensure, through its domestic legal order or international commitments, a level of protection which is essentially equivalent to that guaranteed within the EU.
The Article 29 Working Party, composed of privacy officials across Europe, set an end-of-January 2016 deadline for the European Commission and the U.S. to create an alternative to Safe Harbor before initiating coordinated enforcement actions.
On February 2, 2016, the EU Commission and the Department of Commerce announced that they reached a political agreement on the framework, the so-called Privacy Shield. Despite the announcement, they did not make the text of the agreement public until February 29, 2016.
According to privacy and consumer groups the framework in the published form fails to provide adequate protections against commercial misuse of personal information and bulk surveillance.
The Article 29 Working Party issued its opinion on the Privacy Shield draft adequacy decision on April 13, 2016. They announced that there must be changes in the proposal. The Article 29 Working Party in its opinion cited the complexity of the redress mechanism, the lack of independence of the ombudsman, as well as the broad uses of personal data that would be permitted under the arrangement. According to the privacy officials the US does "not exclude massive and indiscriminate collection of personal data", the Ombudsperson "is not sufficiently independent" and "does not guarantee a satisfactory remedy". The Working Party has also concluded that "onward transfers of EU personal data are insufficiently framed".
EPIC's interest
EPIC supports the establishment of a comprehensive legal framework to enable transborder data flows. EPIC previously urged that the United States begin the process of ratification of Council of Europe Convention 108. EPIC has launched "Data Protection 2016" to support stronger privacy safeguards in the US.
In a letter to Commissioner Vera Jourova and Secretary Penny Pritzker, EPIC and more than 40 NGOs urged the U.S. and the EU to protect the fundamental right to privacy. The groups warned that without significant changes to "domestic law" and "international commitments," a new framework will almost certainly fail.
EPIC and a coalition of NGOs called on the European Union, and the Article 29 Working Party in particular, to oppose the Privacy Shield proposal because the political agreement fails to provide sufficient data protection and does not respect the decision of the European Court of Justice in the Schrems case.
EPIC’s President Marc Rotenberg, in testimony before the LIBE Committee of the European Parliament, outlined several flaws in the proposed EU-US data transfer agreement, including a weak privacy framework, lack of enforcement, and a cumbersome redress mechanism. In the short term, Rotenberg recommended that the EU condition acceptance of the Privacy Shield on the end of the "702 program," which permits bulk surveillance on Europeans by the US. EPIC along with other NGOs has urged the European Commission to rewrite the Privacy Shield, saying it fails to safeguard human rights and does not reflect changes in US law as required by the Schrems decision.
EPIC filed a Freedom of Information request to obtain the text of the agreement when the negotiators failed to publish the Privacy Shield in February 2016.
Resources
News
- Jennifer Baker, Don't hold your breath on Privacy Shield deal - it'll be last minute, insider says, arstechnica (June 9, 2016)
- Laurens Cerulus, Privacy shield dead on arrival, Politico (May 30, 2016)
- Carlo Piltz, German authorities slam draft Privacy Shield - Call for new legal remedies to challenge Commission decision, De Lege Data (Apr 21, 2016)
- Privacy Laws & Business, UK ICO urges U.S. to answer DPA's Privacy Shield questions (Apr 29, 2016), http://www.privacylaws.com/Int_enews_29_4_16
- Leo Kelion, EU watchdogs demand revisions to Safe Harbour replacement, BBC (Apr 13, 2016)
- Mark Scott, Europe's Privacy Watchdogs Call for Changes to U.S. Data-transfer Deal, The New York Times (Apr 13, 2016)
- Samuel Gibbs, Data regulators reject EU-U.S. Privacy Shield safe harbour deal, The Guardian (Apr 14, 2016)
- Access Now, Privacy Shield fails to provide certainty for users, say EU Data Protection Authorities (Apr 13, 2016)
- Sam Schechner and Natalia Drozdiak, EU Regulators Call for Changes to EU-U.S. Privacy Accord, The Wall Street Journal (Apr 13, 2016)
- EU privacy watchdogs cast doubt on data sharing deal with U.S., Financial Times (Apr 13, 2016)
- Rachel Stern, EU privacy advocates complain data-sharing pact not good enough, The Christian Science Monitor (Apr 13, 2016)
- Glyn Moody, EU-US Privacy Shield may not pass muster, according to leaked extract, arstechnica (Apr 13, 2016)