CONSUMER PRIVACY ON AN INTERNATIONAL SCALE: CONFLICTING VIEWPOINTS UNDERLYING THE EU-U.S. PRIVACY SHIELD FRAMEWORK AND HOW THE FRAMEWORK WILL IMPACT PRIVACY ADVOCATES, NATIONAL SECURITY, AND BUSINESSES

SHERRI J. DECKELBOIM*

GEORGETOWN JOURNAL OF INTERNATIONAL LAW, Vol. 48, 2016, at 263

ABSTRACT

Despite differing standards for online privacy and data transfers, the United States and the EU exchange vast amounts of personal data every day as part of the transatlantic economy. However, recent revelations from Edward Snowden concerning U.S. data surveillance practices have led to distrust of the United States among its trade partners, including the EU. As a result, the two parties have negotiated new guiding principles for data transfers in the form of the EU-U.S. Privacy Shield Framework. The Privacy Shield reportedly accounts for modern developments in EU human rights law and modifications to U.S. surveillance practices following the Snowden revelations and subsequent backlash. Through this instrument, the United States attempts to provide for greater privacy protections and recourse methods as compared to prior trade instruments, yet strong similarities to prior instruments will likely draw backlash against the Privacy Shield from privacy advocates. In addition, the voluntary nature of the Privacy Shield presents businesses with a choice of whether to comply with the contentious Privacy Shield or to pursue alternative options that may result in challenges for national security, such as encryption. This Note evaluates the potential impact of the Privacy Shield through the lens of the differing historical backgrounds of U.S. and EU privacy practices. It also traces the trajectory of attempts by the United States and EU to bridge the gap between privacy practices for the purpose of data privacy in trade.

* Sherri J. Deckelboim is a J.D. Candidate at Georgetown University Law Center, graduating in May 2017. She is currently the Senior Notes Editor for the Georgetown Journal of International Law. Sherri holds a B.S. with concentrations in Marketing and Operations & Information Management from the Wharton School of the University of Pennsylvania. She would like to thank Professor James Zirkle of Georgetown University Law Center for his insight and guidance during the drafting of this Note, the editors and staff of the Georgetown Journal of International Law for their time and assistance, and her family and friends for their support. © 2016, Sherri J. Deckelboim. This Note was selected as a result of an objective and anonymous evaluation process involving Georgetown Journal of International Law Notes Editors and the Georgetown Journal of International Law’s Editor-in-Chief, Shannon Togawa Mercer. The Georgetown Journal of International Law takes seriously its commitment to publishing the best and most compelling academic work, regardless of the author’s affiliation with the Journal or the wider University.

CONTENTS

I. INTRODUCTION  264
II. BACKGROUND  265
  A. EU View of Privacy  265
    1. Historical Context  266
    2. Directive 95/46/EC  267
    3. Charter of Fundamental Rights of the EU  269
    4. EU General Data Protection Regulation  270
  B. U.S. View of Privacy  272
    1. Overview of U.S. Privacy Legislation  273
    2. Electronic Communications Privacy Act  275
    3. USA PATRIOT Act  276
    4. FISA Amendments Act of 2008  278
  C. U.S.-EU Safe Harbor Framework  279
  D. Snowden Revelations  281
  E. Schrems Case Decision  284
III. EU-U.S. PRIVACY SHIELD FRAMEWORK  285
IV. POTENTIAL IMPACT OF THE EU-U.S. PRIVACY SHIELD FRAMEWORK  289
  A. A Likely Challenge from Privacy Advocates  289
  B. Developments Within National Security  290
  C. Possible Actions for Companies  293
V. CONCLUSION  296

I. INTRODUCTION

Every day, vast amounts of personal data flow across nations’ borders, and data transfers between the United States and the European Union (EU) are part of that stream, driving a large portion of the transatlantic economy.[1] Trade policy has the capacity to promote international business and political cooperation despite varying standards for privacy, but recent revelations from Edward Snowden concerning U.S. national security practices have led to distrust of the United States among its potential trade partners.[2] As a result, the United States and EU have negotiated new guiding principles for trade through the EU-U.S. Privacy Shield Framework, which reportedly takes into account modern developments in EU human rights law and modifications to U.S. surveillance practices.[3] While the Privacy Shield is an attempt to provide for greater privacy protections and recourse methods than its predecessor, the U.S.-EU Safe Harbor Framework, it will likely draw backlash from privacy advocates, and it presents businesses with a choice of whether to comply with the contentious Privacy Shield Framework or to pursue alternative options that may result in challenges for national security.

II. BACKGROUND

Varying cultural norms and societal expectations create different privacy standards in the EU and United States. While they have developed trade agreements in the past in an attempt to bridge the gap between the privacy policies, developments within the global privacy and national security landscape have caused the parties’ views to shift, resulting in the need for a new trade framework between the United States and EU.

A. EU View of Privacy

In the EU, which is comprised of twenty-eight Member States,[4] citizens receive broad privacy protections from other citizens and from companies, and the government is viewed as the “principal protector of personal information from abuse by non-governmental institutions.”[5] All EU Member States must comply with the same data protection rules because of the numerous daily cross-border information transfers that would be disrupted by conflicting rules with differing levels of security.[6] The data protection rules to which the EU Member States are subject have evolved over time in response to shifting data use practices.

1. Historical Context

In the aftermath of World War II, the United Nations General Assembly adopted the Universal Declaration of Human Rights in December 1948, Article 12 of which promoted respect for private and family life.[7] This was the first time that an international legal instrument was used to protect a person’s privacy from being intruded upon by others, including by a state.[8] Following this adoption, the Council of Europe was formed in 1949 to unite the states of Europe in promoting human rights, democracy, and the rule of law.[9] Today the Council numbers forty-seven Member States, including all twenty-eight EU Member States.[10] The Universal Declaration of Human Rights so influenced the Council’s work[11] that in November 1950, the Council of Europe adopted the European Convention on Human Rights, which all Council Member States are obligated to follow.[12] Article 8 of the European Convention on Human Rights includes the “right to respect for [one’s] private and family life, [as well as for the] home and . . . correspondence,” and the right to private life encompasses the right to protection of personal data.[13]

Due to the emergence of information technology in the following decades, society required updated and increased protections for personal data.[14] In addition to adopting various resolutions over the years that referred to Article 8 of the European Convention on Human Rights,[15] in 1981, the Council of Europe opened for signature Convention 108, the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.”[16] This document was the first legally binding international instrument that explicitly addressed data protection, and in addition to regulating cross-border transfers of personal data, Convention 108 established minimum standards for protecting individuals from misuse of their personal data.[17]

2. Directive 95/46/EC

In October 1995, the EU adopted Directive 95/46/EC “on the protection of individuals with regard to the processing of personal data and on the free movement of such data,” commonly known as the Data Protection Directive.[18] In order to further privacy rights in terms of personal and family life, the home, and in correspondence, the Data Protection Directive included the critical components from Article 8 of the European Convention on Human Rights.[19] As such, it was also “designed to give substance to the principles of the right to privacy already contained in Convention 108, and to expand them.”[20] The EU adopted this legislation with “two objectives in mind: to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States.”[21]

The Data Protection Directive applies not only to EU Member States but also to the three non-EU states that are members of the European Economic Area.[22] Furthermore, when personal data flows to states outside of this group, the extraterritorial states either must guarantee an adequate level of protection or take other special precautions.[23] However, exceptions apply, such as the subject of the data consenting to the transfer of the personal data.[24] In addition, EU Member States are permitted to restrict the rights of a data subject “in order to safeguard aspects such as national security, defence, public security, the prosecution of criminal offences, an important economic or financial interest of a Member State or of the [EU,] or the protection of the data subject.”[25]

The Data Protection Directive also established the Article 29 Data Protection Working Party, which functions independently of, and has advisory status for, the EU.[26] The Working Party is composed of a representative from all EU Member States’ data protection authorities (DPAs), the European Data Protection Supervisor, and the European Commission.[27] The Working Party’s objectives include providing expert opinions to the European Commission on matters of data protection and promoting the uniform application of the Data Protection Directive among the members of the European Economic Area.[28]

3. Charter of Fundamental Rights of the EU

In December 2000, the European Council[29] adopted the Charter of Fundamental Rights of the EU, which operates consistently with the European Convention on Human Rights.[30] When the Lisbon Treaty[31] came into force in December 2009, the Charter became legally binding on EU Member States and EU institutions.[32] This single document aggregated all of the EU’s protected fundamental rights, and because the EU recognized the interaction of its data and privacy policies with the human rights arena, these privacy concepts were incorporated into the document.[33] The Charter’s structure elucidates how the “right to respect for . . . private and family life, home[,] and communications” found in Article 7 is distinct from the right to the protection of personal data found in Article 8.[34] By explicitly mentioning the right to data protection alongside all of the other recognized fundamental protections, the Charter clearly established that data protection is a fundamental right in the EU.[35] However, the right to the protection of personal data is not absolute and must instead “be considered in relation to its function in society.”[36] In addition, in terms of the Charter’s scope, the EU may impose limitations “on the exercise of rights such as those set forth in Articles 7 and 8 of the Charter, as long as these limitations are provided for by law, respect the essence of those rights and freedoms[,] and, subject to the principle of proportionality, are necessary and genuinely meet objectives of general interest recognised by the [EU] or the need to protect the rights and freedoms of others.”[37]

In an attempt to promote human rights worldwide, in any trade or cooperation agreement with non-EU states, the EU insists on including a clause affirming the importance of human rights in dealings with the EU.[38] Additionally, on multiple occasions, the EU has imposed sanctions for breaches of human rights.[39]

4. EU General Data Protection Regulation

Because of technological developments in data sharing and collection, inconsistent implementation of Data Protection Directive rules,[40] and “to strengthen online privacy rights and boost Europe’s digital economy,”[41] the EU Member States will soon operate under a new data regulation: the General Data Protection Regulation (GDPR).[42] First proposed in January 2012 by the European Commission, the new system will replace the Data Protection Directive and eliminate the Member States’ fragmented implementation of privacy and data laws.[43] As a “regulation,” the GDPR will have the binding legal force on all Member States that the Data Protection Directive never had, thus making uniform the means by which Member States must achieve the goals of data protection.[44] On December 15, 2015, the European Council, European Parliament, and European Commission reached an agreement in their final negotiations regarding the GDPR, which was the last major step in the process for adopting the regulation.[45] After the European Parliament voted to approve the adopted regulation in April 2016, the GDPR became applicable and will require compliance in two years.[46]

“Because the digital economy is at the core of what the GDPR is all about,” the GDPR will have extraterritorial implications on businesses by affecting “every entity that holds or uses European personal data both inside and outside of Europe.”[47] If impacted organizations do not comply with the GDPR, they will face substantial financial penalties, a threat which most organizations will likely view seriously.[48]

In Article 17, the GDPR incorporates and clarifies the right to be forgotten from the May 2014 ruling by the Court of Justice of the European Union (CJEU) in a case involving Google Spain.[49] The case established that citizens within the EU have a right to have information concerning them removed from a list of results on a search engine if the information is considered an invasion of their private life or personal data,[50] both of which are fundamental rights under EU law.[51]

B. U.S. View of Privacy

U.S. privacy law reflects the nation’s revolutionary founding, and thus it “focuses more on restrictions, such as the Fourth Amendment, that protect citizens from information collection and use by government rather than private actors. In fact, private actors are often protected from such restrictions by the First Amendment.”[52] The policy surrounding Internet freedom in the United States “seeks to preserve and expand the Internet as an open, global space for free expression, for organizing and interaction, and for commerce.”[53] A key aspect of U.S. Internet freedom policy is the protection of citizens and private entities against foreign governments’ repression and intrusive surveillance.[54] President Obama and other U.S. government officials have even publicly criticized foreign legislation that would “force companies to collaborate in censorship and pervasive surveillance of their users in order to chill expression and facilitate persecution.”[55] However, recent revelations concerning U.S. surveillance of personal data have resulted in a backlash against the U.S. government and accusations of hypocrisy.[56]

1. Overview of U.S. Privacy Legislation

The United States maintains two sets of laws concerning government surveillance, one for criminal investigations and one for foreign intelligence issues concerning national security.[57] Different probable cause standards apply to targets of the respective types of investigations, namely U.S. persons subject to criminal investigations and non-U.S. persons who are foreign powers or agents of foreign powers subject to national security investigations.[58]

Title III of the Omnibus Crime Control and Safe Streets Act of 1968, commonly known as the Wiretap Act, forms Title I of the Electronic Communications Privacy Act (ECPA) and sets forth rules for “electronic surveillance,” which is defined as the U.S. government’s interception of wire, oral, and electronic communications.[59] The Wiretap Act allows for electronic surveillance by law enforcement in criminal investigations.[60] It “establishes warrant procedures consistent with the Fourth Amendment,”[61] meaning that “a search warrant must be based on probable cause to believe that a crime has been or is being committed.”[62] Title II of the ECPA, known as the Stored Communications Act, protects the contents of files stored by Internet service providers and records held about a subscriber.[63] Section 2703 requires that service providers disclose customer records and communications to the government in criminal investigations, and it establishes “a tiered system with different standards that apply depending on whether an [electronic communication service] or [a remote computing service] is holding the record, whether the data sought is content or non-content, whether [an] email has been opened, and whether advanced notice has been given to the customer.”[64]

Under Title 50 of the U.S. Code, the Foreign Intelligence Surveillance Act of 1978 (FISA) “sets out procedures for physical and electronic surveillance and collection of foreign intelligence information.”[65] Through the FISA provisions, Congress intended “to provide judicial and congressional oversight of foreign intelligence surveillance activities while maintaining the secrecy necessary to effectively monitor national security threats.”[66] In contrast to the probable cause standard for U.S. persons under the Wiretap Act, surveillance permitted through FISA for non-U.S. persons must instead be simply “based on a finding of probable cause that the surveillance target is a foreign power or an agent of a foreign power, irrespective of whether the target is suspected of engaging in criminal activity.”[67]

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, also known as the USA PATRIOT Act (Patriot Act), modified the ECPA and FISA.[68] It provided the government with “greater authority to track and intercept communications, both for law enforcement and foreign intelligence gathering purposes.”[69] Under Section 215 of the Patriot Act, FISA was used to justify bulk collection of metadata from U.S. persons’ phone calls, which includes information such as the caller’s phone number, the recipient’s phone number, the time of the call, and the call’s duration.[70]

The FISA Amendments Act of 2008 (FAA) further amended FISA by adding Title VII, creating “separate procedures for targeting non-U.S. persons and U.S. persons reasonably believed to be outside” of the United States.[71] Section 702 of the FAA enabled the PRISM surveillance program, which permits access to data concerning non-U.S. persons processed by U.S. Internet service and communication companies.[72] Additionally, Sections 703 and 704 created the requirement that an individualized court order must be obtained by the government from the Foreign Intelligence Surveillance Court (FISC) for “authorizing the targeting of U.S. persons abroad for electronic surveillance, the acquisition of stored communications, and other means of acquiring foreign intelligence information.”[73]

2. Electronic Communications Privacy Act

The ECPA has regulated the government’s ability to gain access to electronic data since 1986,[74] and it has subsequently been amended by various pieces of legislation.[75] Different parts of the law protect data during transmission and during storage.

Footnotes

[1] See Press Release, U.S. Dep’t of Commerce, Statement from U.S. Secretary of Commerce Penny Pritzker on Release of EU-U.S. Privacy Shield Text (Feb. 29, 2016), https://www.commerce.gov/news/press-releases/2016/02/statement-us-secretary-commerce-penny-pritzker-release-eu-usprivacy [hereinafter Statement from U.S. Secretary of Commerce].

[2] See, e.g., Katie Bo Williams, Distrust of US Surveillance Threatens Data Deal, THE HILL (Feb. 7, 2016, 7:30 AM), http://thehill.com/policy/cybersecurity/268467-distrust-of-us-surveillancethreatens-data-deal.

[3] See Commission Implementing Decision of 12.7.2016 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield, 2016 O.J. (C 4176) 4, http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision_en.pdf.

[4] Countries, EUR. UNION, http://europa.eu/about-eu/countries/index_en.htm (last updated Oct. 23, 2016).

[5] Larry Downes, The Business Implications of the EU-U.S. “Privacy Shield,” HARV. BUS. REV. (Feb. 10, 2016), https://hbr.org/2016/02/the-business-implications-of-the-eu-u-s-privacy-shield.

[6] See Protection of Personal Data, EUR. COMM’N, http://ec.europa.eu/justice/data-protection/index_en.htm (last updated Oct. 13, 2016).

[7] G.A. Res. 217 (III) A, Universal Declaration of Human Rights, art. 12 (Dec. 10, 1948).

[8] COUNCIL OF EUR. ET AL., HANDBOOK ON EUROPEAN DATA PROTECTION LAW 14 (2014), http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf.

[9] Founding Fathers, COUNCIL OF EUR., http://www.coe.int/en/web/about-us/foundingfathers (last visited Apr. 13, 2016); see also Council of the European Union, EUR. UNION, http://europa.eu/about-eu/institutions-bodies/council-eu/index_en.htm (last updated Nov. 24, 2015) (noting that the Council of Europe is a separate body from the Council of the EU).

[10] See Do Not Get Confused, COUNCIL OF EUR., http://www.coe.int/en/web/about-us/do-notget-confused (last visited Apr. 13, 2016).

[11] COUNCIL OF EUR. ET AL., supra note 8, at 14.

[12] See id.; see also Convention for the Protection of Human Rights and Fundamental Freedoms, opened for signature Nov. 4, 1950, 213 U.N.T.S. 221 [hereinafter European Convention on Human Rights]; Aisha Gani, What is the European Convention on Human Rights?, THE GUARDIAN (Oct. 3, 2014), http://www.theguardian.com/law/2014/oct/03/what-is-european-convention-onhuman-rights-echr.

[13] European Convention on Human Rights, supra note 12, art. 8; see COUNCIL OF EUR. ET AL., supra note 8, at 14–15.

[14] See COUNCIL OF EUR. ET AL., supra note 8, at 15.

[15] See id.

[16] Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, Jan. 28, 1981, E.T.S. 108, http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108.

[17] See COUNCIL OF EUR. ET AL., supra note 8, at 15–16; Data Protection Legislation, EUR. DATA PROT. SUPERVISOR, https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/Dataprotection/QA/QA2 (last visited Apr. 13, 2016).

[18] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046 [hereinafter Directive 95/46/EC]; Protection of Personal Data, EUR-LEX, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=URISERV%3Al14012 (last updated Aug. 3, 2014) [hereinafter Directive 95/46/EC Summary].

[19] Margaret Rouse, EU Data Protection Directive (Directive 95/46/EC), WHATIS.COM, http://whatis.techtarget.com/definition/EU-Data-Protection-Directive-Directive-95-46-EC (last updated Jan. 2008).

[20] COUNCIL OF EUR. ET AL., supra note 8, at 18.

[21] Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 25, 2012), http://eur-lex.europa.eu/legalcontent/EN/ALL/?uri=celex%3A52012PC0011 [hereinafter GDPR].

[22] EUR. ECON. AREA, http://www.efta.int/eea (last visited Apr. 13, 2016) (“The European Economic Area (EEA) unites the EU Member States and the three EEA EFTA States (Iceland, Liechtenstein, and Norway) into an Internal Market governed by the same basic rules. These rules aim to enable goods, services, capital, and persons to move freely about the EEA in an open and competitive environment, a concept referred to as the four freedoms.”).

[23] Directive 95/46/EC, supra note 18, art. 25 (“The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.”); Data Transfers Outside the EU, EUR. COMM’N, http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm (last updated Dec. 2, 2015).

[24] Directive 95/46/EC, supra note 18, art. 7.

[25] Directive 95/46/EC Summary, supra note 18; see also Directive 95/46/EC, supra note 18, art. 13.

[26] See Directive 95/46/EC, supra note 18, art. 29; see also Protection of Personal Data, supra note 6.

[27] See Protection of Personal Data, supra note 6; see also About the European Commission, EUR. COMM’N, http://ec.europa.eu/index_en.htm (last updated Jan. 15, 2016) (“The European Commission is the EU’s executive body. It represents the interests of the [EU] as a whole (not the interests of individual countries).”); Members & Mission, EUR. DATA PROT. SUPERVISOR, https://secure.edps.europa.eu/EDPSWEB/edps/cache/offonce/EDPS/Membersmission (last visited Oct. 10, 2016) (“The [European Data Protection Supervisor’s] general objective is to ensure that the European institutions and bodies respect the right to privacy when they process personal data and develop new policies.”); see generally Directive 95/46/EC, supra note 18.

[28] Article 29 Working Party, EUR. DATA PROT. SUPERVISOR, https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/Art29 (last visited Apr. 7, 2016).

[29] The European Council is distinct from the Council of Europe and the Council of the EU. See Council of the European Union, supra note 9.

[30] See Human Rights, EUR. UNION, http://europa.eu/pol/rights/index_en.htm (last updated Jan. 19, 2016); see also Charter of Fundamental Rights of the European Union, Dec. 7, 2000, O.J. (C 364) 1, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000X1218%2801%29 (last visited Apr. 13, 2016).

[31] The Treaty of Lisbon: Introduction, EUR-LEX, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3Aai0033 (last updated Sept. 22, 2015) (“The Treaty of Lisbon . . . takes the form of a series of amendments to the . . . two founding Treaties: the Treaty on European Union and the Treaty establishing the European Community. However, the Treaty establishing the European Community is renamed the ‘Treaty on the Functioning of the EU[.]’”).

[32] COUNCIL OF EUR. ET AL., supra note 8, at 20.

[33] Id.

[34] Id. at 3; Charter of Fundamental Rights of the European Union, supra note 30, art. 7–8; see also Data Protection Legislation, supra note 17 (“Respect for private life and protection of personal data have been recognised as closely related, but separate fundamental rights in Articles 7 and 8 of the EU Charter of Fundamental Rights.”).

[35] COUNCIL OF EUR. ET AL., supra note 8, at 20.

[36] Id. at 21; see also Charter of Fundamental Rights of the European Union, supra note 30, art. 52.

[37] COUNCIL OF EUR. ET AL., supra note 8, at 21–22; see also Charter of Fundamental Rights of the European Union, supra note 30, art. 52.

[38] Human Rights, supra note 30.

[39] Id.

[40] GDPR, supra note 21; European Commission Press Release IP/12/46, Commission Proposes a Comprehensive Reform of Data Protection Rules to Increase Users’ Control of Their Data and to Cut Costs for Businesses (Jan. 25, 2012), http://europa.eu/rapid/press-release_IP-1246_en.htm?locale=en.

[41] European Commission Press Release IP/12/46, supra note 40; see also COUNCIL OF EUR. ET AL., supra note 8, at 21.

[42] See Daniel Felz, European Council Issues New Consolidated GDPR and Accelerates GDPR’s Legislative Timetable, JD SUPRA (Apr. 7, 2016), http://www.jdsupra.com/legalnews/europeancouncil-issues-new-59555/.

[43] See Cedric Burton et al., The Final European Union General Data Protection Regulation, BLOOMBERG BNA (Feb. 12, 2016), http://www.bna.com/final-european-union-n57982067329/; GDPR, supra note 21.

[44] See Regulations, Directives and Other Acts, EUR. UNION, https://europa.eu/european-union/law/legal-acts_en (last updated Aug. 10, 2016).

[45] Burton et al., supra note 43; Reform of EU Data Protection Rules, EUR. COMM’N, http://ec.europa.eu/justice/data-protection/reform/index_en.htm (last updated Sept. 29, 2016).

[46] See European Commission Statement 16/1403, Joint Statement on the Final Adoption of the New EU Rules for Personal Data Protection (Apr. 14, 2016), http://europa.eu/rapid/pressrelease_STATEMENT-16-1403_en.htm; Felz, supra note 42.

[47] Warwick Ashford, EU Data Protection Rules Affect Everyone, Say Legal Experts, COMPUTER WKLY. (Jan. 11, 2016), http://www.computerweekly.com/news/4500270456/EU-data-protectionrules-affect-everyone-say-legal-experts.

[48] Id. (“The fines apply to infringement[] of the basic principles for processing, including conditions for consent, data subjects’ rights, the conditions for lawful international data transfers, specific obligations under national laws permitted by the GDPR, and orders by data protection authorities including suspension of data flows . . . . [M]ost organisations are likely to take these fines seriously, especially large tech firms such as Google, Facebook, Apple[,] and Microsoft because non-compliance could potentially result in fines of billions of dollars.”); see also Giangi Olivi, Analysis: What to Expect from the Privacy Shield and the General Data Protection Regulation (GDPR), TECH.’S LEGAL EDGE (Feb. 18, 2016), https://www.technologyslegaledge.com/2016/02/analysiswhat-to-expect-from-the-privacy-shield-and-the-general-data-protection-regulation-gdpr/ (“The GDPR provides for fines of as much as 4% of global turnover in cases of violation of data subjects’ rights.”).

[49] GDPR, supra note 21; European Commission Press Release IP/15/6321, Agreement on Commission’s EU Data Protection Reform Will Boost Digital Single Market (Dec. 15, 2015), http://www.europa.eu/rapid/press-release_IP-15-6321_en.htm (explaining the “right to be forgotten” by stating that data will be deleted when a subject no longer wants personal data processed and there are no legitimate grounds for retention); see generally Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos, 2014 E.C.R. 317.

[50] Nora Ni Loidean, The End of Safe Harbor: Implications for EU Digital Privacy and Data Protection Law, 19 J. INTERNET L. 1, 11 (2016); see generally Google Spain SL, 2014 E.C.R. 317.

[51] See COUNCIL OF EUR. ET AL., supra note 8, at 20.

[52] Downes, supra note 5. While Downes identifies the government as the main source from which people in the United States attempt to keep information private, non-governmental actors also may violate individuals’ privacy. The Federal Trade Commission (FTC) may bring an action against a private company if the company does not adhere to its published privacy policy or if the company engages in unfair or deceptive acts. The FTC protects U.S. consumers’ online privacy through Section 5 of the Federal Trade Commission Act and the FTC Bureau of Consumer Protection. See 15 U.S.C. § 45(a) (2012); see also A Brief Overview of the Federal Trade Commission’s Investigative and Law Enforcement Authority, FED. TRADE COMM’N (revised July 2008), https://www.ftc.gov/about-ftc/what-we-do/enforcement-authority; FED. TRADE COMM’N, PRIVACY & DATA SECURITY UPDATE: 2015, 2 (2015), https://www.ftc.gov/system/files/documents/reports/privacy-datasecurity-update-2015/privacy_and_security_data_update_2015-web_0.pdf.

[53] RICHARD A. CLARKE ET AL., THE NSA REPORT: LIBERTY AND SECURITY IN A CHANGING WORLD 158 (2014).

[54] Id.

[55] Id.

[56] See, e.g., id. at 159; NSA Spying on Americans, ELEC. FRONTIER FOUND., https://www.eff.org/nsa-spying (last visited Oct. 8, 2016).

[57] See Electronic Communications Privacy Act of 1986, U.S. DEP’T OF JUST.: JUST. INFO. SHARING (last updated July 30, 2013), https://it.ojp.gov/privacyliberty/authorities/statutes/1285 [hereinafter Information on ECPA]; Foreign Intelligence Surveillance Act of 1978, U.S. DEP’T OF JUST.: JUST. INFO. SHARING (last updated Sept. 19, 2013), https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1286 [hereinafter Information on FISA].

[58] See Information on ECPA, supra note 57; see also Information on FISA, supra note 57.

[59] See Title III of the Omnibus Crime Control and Safe Streets Act of 1968, U.S. DEP’T OF JUST.: JUST. INFO. SHARING (last updated Sept. 19, 2013), https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1284 [hereinafter Information on Title III]; see 18 U.S.C. §§ 2510–22 (2012). Title III used to just concern wire and oral communications, but in 1986, Title I of the ECPA revised the Wiretap Act to also encompass electronic communications, such as e-mail.

[60] Information on Title III, supra note 59.

[61] Id.

[62] U.S. CONST. amend. IV; Foreign Intelligence Surveillance Act (FISA), ELECTRONIC PRIVACY INFO. CTR., https://epic.org/privacy/terrorism/fisa/ (last visited Oct. 8, 2016).

[63] Information on ECPA, supra note 57 (citing 18 U.S.C. §§ 2701–12 (2012)).

[64] 18 U.S.C. § 2703 (2012); RICHARD M. THOMPSON II & JARED P. COLE, CONG. RESEARCH SERV., R44036, STORED COMMUNICATIONS ACT: REFORM OF THE ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA) 4 (2015), https://www.fas.org/sgp/crs/misc/R44036.pdf (last visited Oct. 8, 2016).

[65] Information on FISA, supra note 57; see also 50 U.S.C. § 1801 (2012).

[66] Information on FISA, supra note 57.

[67] Foreign Intelligence Surveillance Act (FISA), supra note 62.

[68] H.R. 3162, 107th Cong. (2001) (enacted).

[69] CHARLES DOYLE, CONG. RESEARCH SERV., RS21203, THE USA PATRIOT ACT: A SKETCH 1 (2002), http://fas.org/irp/crs/RS21203.pdf.

[70] Jeremy Diamond, Everything You Need to Know About the Patriot Act Debate, CNN (May 23, 2015), http://www.cnn.com/2015/05/22/politics/patriot-act-debate-explainer-nsa/ (“Metadata is all the information surrounding a call, including the caller’s number, the receiver’s number, the time and location of the call, and how long it lasted--basically, everything except for the audio of the call itself.”).
Title I of the ECPA, or the Wiretap Act, was designed to protect individuals’ communications from government surveillance.76 As amended, the Wiretap Act “prohibits the intentional actual or attempted interception, use, disclosure, or ‘procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.’”77 In simpler terms, the Wiretap Act protects wire, oral, and electronic communications while they are being transmitted. It also establishes exceptions to that rule as well as requirements for search warrants consistent with the Fourth Amendment.78 The amended Title II of the ECPA, known as the Stored Communications Act, “protects the privacy of the contents of files stored by service 71. EDWARD C. LIU, CONG. RESEARCH SERV., R42725, REAUTHORIZATION OF THE FISA AMENDACT 5 (2013), https://www.fas.org/sgp/crs/intel/R42725.pdf; see also 50 U.S.C. §§ 1881– 1881g (2012). 72. BRENNAN CTR. FOR JUST., GOVERNMENT SURVEILLANCE FACTSHEET 2 (2013), https://www. brennancenter.org/sites/default/files/analysis/Government%20Surveillance%20Factsheet.pdf; see also 50 U.S.C. § 1881a (2012). 73. LIU, supra note 71, at 2, 9 (“The government must submit an application for surveillance that identifies the target and the facts and circumstances relied upon that would justify the belief that the target is a foreign power or an agent of a foreign power, which the FISC must find to be supported by probable cause.”); see also 50 U.S.C. §§ 1881b, 1881c (2012). 74. Electronic Communications Privacy Act of 1986, Pub. L. No. 99-08, 100 Stat. 1848 (1986); see also 18 U.S.C. §§ 2510 –22, 2701–12 (2012). 75. See Information on ECPA, supra note 57. 76. 18 U.S.C. §§ 2510 –22 (2012). 77. Information on ECPA, supra note 57 (quoting 18 U.S.C. § 2515 (2012)). 78. Information on Title III, supra note 59. 
MENTS 2016] 275 GEORGETOWN JOURNAL OF INTERNATIONAL LAW providers and of records held about the subscriber by service providers, such as subscriber name, billing records, or IP addresses.”79 As a comparison, “[w]hile the Wiretap Act addresses the interception of communications, the Stored Communications Act addresses access to stored communications at rest,” such as “e-mails that are not in transit.”80 Although the Stored Communications Act protects communications held in electronic storage, its protections are weaker than those of the Wiretap Act. For example, under the Stored Communications Act, if electronic communications have been stored in an account for greater than 180 days, providers are required to disclose to the government the communications’ content upon the government’s production of a subpoena or court order.81 Moreover, if the communications have been held for less than 180 days, the government can access the information by obtaining a search warrant, or the government could instead obtain a court order or subpoena by establishing that there are “reasonable grounds to believe that the contents are relevant to a criminal investigation,” which is a lower standard than the probable cause standard required under the Fourth Amendment for a warrant.82 3. USA PATRIOT Act Following the terrorist attacks in the United States on September 11, 2001, President George Bush signed the Patriot Act into law.83 The purpose of the law was “to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and other purposes, some of which include . . . prevent[ing], detect[ing,] and prosecut[ing] international money laundering and financing of terrorism.”84 The Patriot Act gave U.S. intelligence authorities and law enforcement unprecedented surveillance of communications.85 79. Information on ECPA, supra note 57 (citing to 18 U.S.C. §§ 2701–12 (2012)). 80. 
Electronic Communications Privacy Act, ELECTRONIC PRIVACY INFO. CTR., https://epic.org/ privacy/ecpa/ (last visited Apr. 21, 2016). 81. Reema Shah, Law Enforcement and Data Privacy: A Forward-Looking Approach, 125 YALE L.J. 543, 545 (2015). 82. Id. 83. H.R. 3162, 107th Cong. (2001) (enacted); see also Diamond, supra note 70. 84. USA PATRIOT Act, FINCEN, https://www.fincen.gov/resources/statutes-regulations/usapatriot-act (last visited Oct. 13, 2016). 85. Diamond, supra note 70. 276 [Vol. 48 CONSUMER PRIVACY ON AN INTERNATIONAL SCALE Section 215 of the Patriot Act amended FISA to give the government new surveillance powers.86 Since 1978, FISA has “provide[d] judicial and congressional oversight of foreign intelligence surveillance activities while maintaining the secrecy necessary to effectively monitor national security threats.”87 Section 215 permitted the government, through the National Security Agency (NSA),88 to obtain secret court orders from FISC to conduct surveillance of U.S. persons’ telephone records.89 To protect classified information concerning national security, the majority of FISC’s work is pursued ex parte, with only government representatives present.90 Information about requests for secret court orders and FISC’s rulings remains classified.91 Pursuant to Section 215, the NSA was allowed “to obtain a secret court order requiring third parties, such as telephone companies, to hand over any records or other ‘tangible thing’ if deemed ‘relevant’ to an international terrorism, counterespionage, or foreign intelligence investigation.”92 The Patriot Act was thus used to justify the bulk collection of metadata from U.S. persons’ phone calls.93 86. 50 U.S.C. § 1861 (2012) (noting section 215 of the Patriot Act amended the cited provision of FISA, entitled “Access to certain business records for foreign intelligence and international terrorism investigations”); see BRENNAN CTR. FOR JUST., supra note 72, at 1. 87. Information on FISA, supra note 57. 88. 
Executive Order 12333, originally issued in December 1981, delineates the NSA’s responsibilities, and it has been subject to subsequent amendments. See Exec. Order No. 12,333, 46 Fed. Reg. 59941 (1981), amended in Exec. Order No. 13,284, 68 Fed. Reg. 4075 (Jan. 23, 2003); Exec. Order No. 13,355, 69 Fed. Reg. 53594 (Aug. 27, 2004); Exec. Order No. 13,470, 73 Fed. Reg. 45325 (July 30, 2008); see also The NSA/CSS Mission, NAT’L SECURITY ADMIN., https://www.nsa.gov/ about/mission-strategy/ (last modified May 3, 2016). 89. About the Foreign Intelligence Surveillance Court, U.S. FOREIGN INTELLIGENCE SURVEILLANCE CT., http://www.fisc.uscourts.gov/about-foreign-intelligence-surveillance-court (last visited Apr. 13, 2016) (FISC is a federal court established pursuant to FISA to oversee government applications for the approval of investigative actions for purposes of foreign intelligence, such as electronic surveillance or physical search.); BRENNAN CTR. FOR JUST., supra note 72, at 1. 90. About the Foreign Intelligence Surveillance Court, supra note 89. 91. BRENNAN CTR. FOR JUST., supra note 72, at 2. 92. Id. at 2; see 50 U.S.C. § 1861 (2012) (“[T]angible things” include “books, records, papers, documents, and other items.”). 93. Diamond, supra note 70. 2016] 277 GEORGETOWN JOURNAL OF INTERNATIONAL LAW 4. FISA Amendments Act of 2008 Similar to Section 215 of the Patriot Act, Section 702 of the FAA also amended a FISA provision.94 While the Patriot Act led to the collection of phone records, the FAA permitted access to data processed by nine U.S. companies providing Internet services, including Apple, Facebook, Google, and Skype.95 The NSA facilitated the data collection through the PRISM program.96 PRISM gathered intelligence about non-U.S. people who were “reasonably believed to be located outside the United States,”97 and while the NSA’s program may inadvertently have collected, retained, or disseminated information about some U.S. 
persons, the NSA adopted “targeting” and “minimization” procedures to avoid those inadvertent actions.98 To obtain permission for surveillance of a non-U.S. target located outside of the United States, “[t]he Attorney General and [Director of National Intelligence] must submit to [FISC] an application for an order (termed a ‘mass acquisition order’),”99 and once that secret order from FISC is issued “to a tech company to hand over access to its data to the FBI [(Federal Bureau of Investigation),] [t]he FBI then 94. 50 U.S.C. § 1881a (2012); BRENNAN CTR. FOR JUST., supra note 72, at 1 (noting section 702 of the FAA amended the cited provision of FISA, entitled “Procedures for targeting certain persons outside the United States other than United States persons”). 95. BRENNAN CTR. FOR JUST., supra note 72, at 1. 96. See Glenn Greenwald & Ewen MacAskill, NSA Prism Program Taps in to User Data of Apple, Google and Others, THE GUARDIAN (June 7, 2013), http://www.theguardian.com/world/2013/jun/ 06/us-tech-giants-nsa-data; see also Benjamin Dreyfuss & Emily Dreyfuss, What is the NSA’s PRISM Program? (FAQ), CNET (June 7, 2013), http://www.cnet.com/news/what-is-the-nsas-prism-programfaq/. 97. Joris V.J. Van Hoboken & Ira S. Rubinstein, Privacy and Security in the Cloud: Some Realism About Technical Solutions to Transnational Surveillance in the Post-Snowden Era, 66 ME. L. REV. 487, 504, 514 (2014) (“[T]he Fourth Amendment does not apply to non-U.S. persons outside the [United States], which is clearly reflected in the language of Section 702 itself.”); FISA Amendments Act of 2008, WALL ST. J. (June 19, 2008, 6:24 PM), http://www.wsj.com/articles/SB121391360949290 049. 98. See Van Hoboken & Rubinstein, supra note 97, at 491; see also BRENNAN CTR. FOR JUST., supra note 72, at 2; Tom Murse, What Does the NSA Acronym PRISM Stand For?, ABOUT NEWS (Nov. 
30, 2015), http://uspolitics.about.com/od/antiterrorism/a/What-Is-Prism-In-The-National-SecurityAgency.htm (“All that intelligence officials will say is that [FISA] cannot be used to ‘intentionally target any U.S. citizen, or any other U.S. person, or to intentionally target any person known to be in the United States.’”). 99. Brett LoGiurato, Here’s the Law the Obama Administration is Using as Legal Justification for Broad Surveillance, BUS. INSIDER (June 7, 2013, 9:48 PM), http://www.businessinsider.com/fisaamendments-act-how-prism-nsa-phone-collection-is-it-legal-2013-6. 278 [Vol. 48 CONSUMER PRIVACY ON AN INTERNATIONAL SCALE hands that information over to the NSA.”100 In addition to gaining “front-door” access to data through PRISM, the NSA allegedly attained “backdoor” access to online companies’ data through their private fiber-optic networks in a program codenamed MUSCULAR.101 Further, leaked documents indicate that the NSA engaged in a program code-named BULLRUN to undermine encryption of online data.102 C. U.S.-EU Safe Harbor Framework As a result of the EU’s requirement that personal data transfers be provided only to non-EU countries that maintain an “adequate” standard of privacy protection,103 the European Commission and the U.S. Department of Commerce developed the U.S.-EU Safe Harbor Framework in July 2000.104 The purpose of the Safe Harbor Framework was to bridge the gap between the differing approaches to EU and U.S. privacy standards.105 The Safe Harbor only extended to “U.S. organizations subject to the jurisdiction of the Federal Trade Commission (FTC) or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DOT).”106 Organizations that chose to qualify for the Safe Harbor did so voluntarily, and they were required to self-certify to the U.S. Depart- 100. Dreyfuss & Dreyfuss, supra note 96. 101. 
Van Hoboken & Rubinstein, supra note 97, at 506, 512 (“[I]t seems likely that the NSA conducts this program under the terms of Executive Order 12333, which is the principal governing authority for U.S. intelligence activities outside the United States.”). 102. Id. at 492–93, 505– 06 (“Leaked documents suggest that [this] program[] [is] conducted pursuant to Section 702 of the FAA as well as Executive Order 12333. The latter sets guidelines for intelligence activities including foreign intelligence gathering conducted abroad, but does not involve any judicial or congressional oversight.”). 103. This “adequacy” standard applied under the Data Protection Directive and continues under the GDPR. GDPR, supra note 21 (“Article 41 [of the GDPR] sets out the criteria, conditions[,] and procedures for the adoption of an adequacy decision by the Commission, based on Article 25 of Directive 95/46/EC. The criteria which shall be taken into account for the Commission’s assessment of an adequate or not adequate level of protection include expressly the rule of law, judicial redress[,] and independent supervision. The article now confirms explicitly the possibility for the Commission to assess the level of protection afforded by a territory or a processing sector within a third country.”). 104. Safe Harbor Privacy Principles, EXPORT.GOV, https://build.export.gov/main/safeharbor/ eu/eg_main_018475 (last updated Jan. 30, 2009, 3:03 PM). 105. U.S.-EU Safe Harbor Overview, EXPORT.GOV, https://build.export.gov/main/safeharbor/ eu/eg_main_018476 (last updated Dec. 18, 2013, 3:45 PM). 106. Welcome to the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks, EXPORT.GOV, http://export.gov/ safeharbor/index.asp (last updated July 26, 2016, 12:31 PM). 
2016] 279 GEORGETOWN JOURNAL OF INTERNATIONAL LAW ment of Commerce on an annual basis that they agreed to adhere to the requirements of the Framework.107 The requirements included seven Safe Harbor Privacy Principles concerning notice, choice, transfers to third parties, access, security, data integrity, and enforcement.108 The Principle of “notice” required that an organization “inform individuals about the purposes for which it collect[ed] and use[d] information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it disclose[d] the information, and the choices and means the organization offer[ed] individuals for limiting its use and disclosure.”109 To qualify for the program, an organization could “(1) join a self-regulatory privacy program that adhere[d] to the U.S.-EU Safe Harbor Framework’s requirements; or (2) develop its own selfregulatory privacy policy that conform[ed] to the U.S.-EU Safe Harbor Framework.”110 A private sector organization that agreed to comply with the Safe Harbor Framework was self-regulated and, pursuant to its obligations under the Safe Harbor, was required to maintain a dispute resolution system for resolving complaints of individuals whose data was collected.111 The organization also was required to have procedures for verifying compliance with the Safe Harbor and must have remedied any problems that arose from the organization’s failure to comply with the Safe Harbor Privacy Principles.112 If the organization making representations about belonging to the Safe Harbor Framework failed to comply with the self-regulatory process, the applicable government body depending upon the industry sector, including the FTC, other U.S. government agencies, or state governments, would 107. U.S.-EU Safe Harbor Overview, supra note 105. 108. Id. 109. 
Safe Harbor Privacy Principles, supra note 104 (“This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.”). 110. U.S.-EU Safe Harbor Overview, supra note 105 (“The dispute resolution, verification, and remedy requirements [that fall under the “enforcement” Principle] can be satisfied in different ways. An organization could meet the requirements by complying with a private sector developed privacy seal program that incorporates and satisfies the Safe Harbor Privacy Principles. If the seal program, however, only provides for dispute resolution and remedies but not verification, then the organization would have to satisfy the verification requirement in an alternate way.”); see also Data Privacy Links, EXPORT.GOV, http://www.export.gov/safeharbor/eg_main_018241.asp (last updated Feb. 11, 2016, 11:50 AM) (explaining the Privacy “Seal” Programs). 111. U.S.-EU Safe Harbor Overview, supra note 105. 112. Id. 280 [Vol. 48 CONSUMER PRIVACY ON AN INTERNATIONAL SCALE handle enforcement of the organization’s privacy representations.113 Repercussions for companies that failed to comply with the Safe Harbor Privacy Principles after self-certifying to the Safe Harbor Framework included sanctions, publicity of the non-compliance, injunctive orders, deletion of data, and financial penalties.114 The U.S. 
Department of Commerce maintained a public list of organizations that self-certified their adherence to the Safe Harbor Framework.115 An organization in the EU was able to ensure that it was transmitting information to an organization from the United States that complied with the Safe Harbor Framework by checking this publicly documented list.116 While a U.S. organization could withdraw from the Safe Harbor Framework by notifying the U.S. Department of Commerce, the withdrawal did not relieve the organization of the obligations imposed by the Safe Harbor for personal information obtained while the organization was on the Safe Harbor list.117 The Safe Harbor Framework “was established long before the EU Charter of Fundamental Rights became part of EU law and legally binding when the Lisbon Treaty entered into force in December 2009.”118 As a result, the Safe Harbor predated the EU’s prioritization of the fundamental rights of protection of private life and personal data from Articles 7 and 8 of the Charter of Fundamental Rights.119 D. Snowden Revelations On June 5, 2013, The Guardian revealed the extent of the NSA’s surveillance through the Patriot Act, and on June 6, 2013, it revealed the NSA PRISM program.120 On June 9, 2013, Edward Snowden 113. Id.; Safe Harbor Privacy Principles, supra note 104 (“Where in complying with the Principles, an organization relies in whole or in part on self-regulation, its failure to comply with such self-regulation must also be actionable under Section 5 of the Federal Trade Commission Act prohibiting unfair and deceptive acts or another law or regulation prohibiting such acts.”). 114. U.S.-EU Safe Harbor Overview, supra note 105. 115. Id. 116. Id. 117. U.S.-EU Safe Harbor List, EXPORT.GOV, https://safeharbor.export.gov/list.aspx (last visited Apr. 13, 2016). 118. Loidean, supra note 50, at 9. 119. Id. 120. Kennedy Elliott & Terri Rupar, Six Months of Revelations on NSA, WASH. POST (Dec. 
23, 2013), http://www.washingtonpost.com/wp-srv/special/national/nsa-timeline/m/; Mirren Gidda, Edward Snowden and the NSA Files—Timeline, THE GUARDIAN (Aug. 21, 2013, 5:54 PM), http://www. theguardian.com/world/2013/jun/23/edward-snowden-nsa-files-timeline; see also Glenn Greenwald, NSA Collecting Phone Records of Millions of Verizon Customers Daily, THE GUARDIAN (June 6, 2013, 2016] 281 GEORGETOWN JOURNAL OF INTERNATIONAL LAW revealed himself as the NSA whistleblower who provided the information.121 At the time, Snowden was “a 29-year-old former technical assistant for the CIA [(Central Intelligence Agency)] and current employee of the defence contractor Booz Allen Hamilton . . . [who had] been working at the [NSA] for the last four years as an employee of various outside contractors, including Booz Allen and Dell.”122 The information Snowden provided contained “thousands of classified documents regarding highly sensitive U.S. surveillance activities,”123 and news outlets reported that the documents revealed how the NSA had “broken privacy rules or overstepped its legal authority thousands of times each year,”124 thus venturing beyond the scope of permitted activities under Section 215 of the Patriot Act and Section 702 of the FAA.125 The United States faced much criticism, both domestically and from foreign governments and organizations, as a result of the revelations concerning the surveillance programs.126 The Snowden leaks and the subsequent fallout occurred after the EU’s adoption of the Charter of Fundamental Rights, which prioritized protection of private life and personal data.127 As a result of these elevated rights and the outrage stemming from the Snowden disclosures, the European Parliament “emphasised that trust had been profoundly shaken between the two transatlantic partners” and threatened to block approval of future proposed trade agreements if the United States did not abandon its mass surveillance practices concerning EU citizens and 
institutions.128 6:05 AM), http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-courtorder; Greenwald & MacAskill, supra note 96. 121. Glenn Greenwald et al., Edward Snowden: The Whistleblower Behind the NSA Surveillance Revelations, THE GUARDIAN (June 11, 2013, 9:00 AM), http://www.theguardian.com/world/2013/ jun/09/edward-snowden-nsa-whistleblower-surveillance. 122. Id. 123. Van Hoboken & Rubinstein, supra note 97, at 488. 124. Elliott & Rupar, supra note 120; see also Barton Gellman, NSA Broke Privacy Rules Thousands of Times Per Year, Audit Finds, WASH. POST (Aug. 15, 2013), https://www.washingtonpost. com/world/national-security/nsa-broke-privacy-rules-thousands-of-times-per-year-audit-finds/201 3/08/15/3310e554-05ca-11e3-a07f-49ddc7417125_story.html. 125. Van Hoboken & Rubinstein, supra note 97, at 504. 126. See, e.g., Michael Birnbaum, European Leaders Angry About Allegations of U.S. Spying, WASH. POST (June 30, 2013), https://www.washingtonpost.com/world/europe/eu-fury-on-allegations-ofus-spying/2013/06/30/8fe223e2-e1bc-11e2-8657-fdff0c195a79_story.html. 127. Loidean, supra note 50, at 9. 128. European Parliament, Resolution on U.S. NSA Surveillance Program, in THE SNOWDEN READER 307, 307– 08 (David P. Fidler ed., 2015) (quoting Eur. Parliament, Legislative Observatory, Text 282 [Vol. 48 CONSUMER PRIVACY ON AN INTERNATIONAL SCALE After the U.S. Senate failed to pass an extension of Section 215 of the Patriot Act upon its expiration on June 1, 2015,129 the government adopted the USA FREEDOM Act of 2015 (Freedom Act) as law on June 2.130 While the Freedom Act banned the bulk collection of U.S. 
citizens’ telephone and Internet metadata, it “authorize[d] the government to collect from phone companies up to ‘two hops’ of call records related to a suspect, if the government can prove it has ‘reasonable’ suspicion that the suspect is linked to a terrorist organization.”131 The government can only conduct this data collection pursuant to an individual court order from FISC.132 Further, while national security letters (NSLs) previously were leveraged by the FBI under the Patriot Act to compel an organization’s disclosure of customer records,133 in addition to various other new restrictions placed on the use of NSLs under the Freedom Act, an NSL demand must now “be limited to specifically identified information rather than insisting on delivery of record information for all of a recipient’s customers.”134 However, despite these steps toward privacy protection, the Freedom Act did not Adopted by Parliament, Dec. 3, 2014 (INI), http://www.europarl.europa.eu/oeil/popups/ summary.do?id⫽1342393&t⫽e&l⫽en); see Loidean, supra note 50, at 9. 129. See, e.g., Kim Zetter, Parts of Patriot Act Expire Tonight After Senate Fails to Pass Reform, WIRED (May 31, 2015), http://www.wired.com/2015/05/parts-patriot-act-expire-tonight-senate-fails-passreform/. 130. USA Freedom Act of 2015, Pub. L. No. 114-23, 129 Stat. 268 (2015) (noting the acronym stands for the full name of the law, the “Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015”). 131. USA Freedom Act: What’s In, What’s Out, WASH. POST (June 2, 2015), https://www. washingtonpost.com/graphics/politics/usa-freedom-act/; see also USA Freedom Act of 2015 § 101(b)(iii)–(iv). 132. Fact Sheet: Implementation of the USA FREEDOM Act of 2015, IC ON THE RECORD (Nov. 27, 2015), https://icontherecord.tumblr.com/post/134069709168/fact-sheet-implementation-of-theusa-freedom-act. 133. See National Security Letters, ELECTRONIC PRIVACY INFO. 
CTR., https://epic.org/privacy/nsl/ (last visited Apr. 21, 2016) (“[E]ntities are prohibited, or ‘gagged,’ from telling anyone about their receipt of the NSL, which makes oversight difficult. The Number of NSLs issued has grown dramatically since the Patriot Act expanded the FBI’s authority to issue them.”); Transparency Report, GOOGLE, https://www.google.com/transparencyreport/userdatarequests/faq/#what_is_ an_nsl (last visited Sept. 14, 2016) (An NSL is “a request for information that the Federal Bureau of Investigation (FBI) can make when they or other agencies in the Executive Branch of the U.S. government are conducting national security investigations.”). 134. CHARLES DOYLE, CONG. RESEARCH SERV., RS22406, NATIONAL SECURITY LETTERS IN FOREIGN INTELLIGENCE INVESTIGATIONS: A GLIMPSE AT THE LEGAL BACKGROUND 5 (2015), https://www.fas.org/ sgp/crs/intel/RL33320.pdf (“[T]he USA FREEDOM Act addresses the judicially perceived NSL shortcomings . . . . It eliminates the prospect of Section 215-like bulk metadata collection under NSL authority. It revises the procedures for the issuance of NSL nondisclosure provisions and for 2016] 283 GEORGETOWN JOURNAL OF INTERNATIONAL LAW revise Section 702 of the FAA, which is used for data collection targeting people outside of the United States through PRISM, or Executive Order 12333, which governs intelligence collection overseas.135 E. 
E. Schrems Case Decision

In 2013, Maximillian (Max) Schrems, a privacy activist and Facebook user, filed a complaint with the Irish Data Protection Commissioner, “alleging that his Facebook data, which is transferred from Facebook’s Irish subsidiary to servers in the United States, was inadequately protected.”136 Schrems based his allegations on news reports about NSA surveillance that resulted from the Snowden disclosures.137 The Commissioner rejected the complaint on the grounds that a European Commission decision from 2000 established that the Safe Harbor Framework ensured that the United States provided adequate protection for the privacy of data transferred between the EU and United States.138 Schrems appealed the decision, and the Irish High Court referred the question to the CJEU for a preliminary ruling.139 On October 6, 2015, the CJEU issued a preliminary ruling in Schrems v. Data Protection Commissioner, invalidating the U.S.-EU Safe Harbor Framework as a mechanism for transferring data between the United States and EU by ruling that it failed to protect privacy.140 The Schrems judgment was delivered prior to the acceptance of the GDPR text, “giving the Council, Parliament[,] and Commission time and opportunity to consider the impact of Schrems on the GDPR’s data transfer mechanisms.”141 Because the Safe Harbor Framework was invalidated, the United States and EU needed to develop an alternative legal framework for transferring data142 that conformed to the EU’s provisions in the new GDPR as well as the Charter of Fundamental Rights.

III. EU-U.S. PRIVACY SHIELD FRAMEWORK

The United States and EU had been negotiating a new framework concerning transatlantic exchange for nearly two years before the invalidation of the U.S.-EU Safe Harbor Framework.143 On February 29, 2016, the European Commission and the U.S. Department of Commerce revealed the legal text of the new EU-U.S. Privacy Shield Framework that was proposed to replace the Safe Harbor.144 The Privacy Shield was created to “provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the [EU] to the United States in support of transatlantic commerce.”145 The European Commission also publicly released a draft “adequacy decision,” which established that the policies for data transfers under the new Privacy Shield Framework are equal to the standards for data protection in the EU.146

Like the Safe Harbor, joining the Privacy Shield Framework is voluntary for U.S.-based companies.147 If a U.S. company chooses to join the Privacy Shield Framework, it must self-certify to the Department of Commerce that it meets the Privacy Shield’s requirements and publicly commit to continue complying with the Privacy Shield’s requirements through its privacy policy.148 After a company voluntarily joins the Privacy Shield Framework, its commitment to the Privacy Shield will be enforceable under U.S. law by the FTC.149 The Privacy Shield Principles required by the Framework follow the same general structure as those from the Safe Harbor, but some of the Principles have been expanded.150 The Principles again include notice, choice, accountability for onward transfers to third parties, security, data integrity, and access; however, the seventh Principle has changed from just detailing enforcement to now encompassing recourse, enforcement, and liability.151 The Privacy Shield also includes and clarifies information from sixteen Supplemental Principles on the topics of sensitive data, journalistic exceptions, secondary liability, performing due diligence and conducting audits, the role of the EU DPAs, self-certification, verification, access, human resources data, obligatory contracts for onward transfers of data to third parties, dispute resolution and enforcement, the Choice Principle for opting out of direct marketing using personal data, travel information, pharmaceutical and medical products, public record and publicly available information, and access requests by public authorities.152

Pursuant to the seventh Principle of “recourse, enforcement, and liability,” an EU citizen has several possibilities for recourse if he thinks a U.S. company that has joined the Privacy Shield Framework has violated his rights by mishandling his personal data.153 First, a complaint can be filed with the company itself, and the company must now respond to the consumer within forty-five days of receiving the complaint.154 Companies also must now maintain a free155 and independent alternative dispute resolution body to provide redress for the consumer, or the EU citizen can instead choose to contact his EU Member State’s DPA, who will coordinate with the Department of Commerce or the FTC to investigate and resolve the complaint.156 If these methods of recourse do not resolve the case, the consumer can use the new “last resort” mechanism of arbitration from a panel designated by the U.S. Department of Commerce and the European Commission, in which the decision will be binding on the company.157 Moreover, if an EU citizen fears that U.S. national intelligence authorities, like the NSA, may have accessed his personal data unlawfully, he can file a complaint directly with an Ombudsperson, a position independent from U.S. national security agencies that will be established by the U.S. Department of State158 as a new mechanism for governmental redress under the Privacy Shield.159 The Ombudsperson will communicate with the citizen to “inform the complainant whether the matter has been properly investigated and that either [U.S.] law has been complied with or, in case of non-compliance, [the violation] has been remedied.”160 In addition to these forms of redress, on February 24, 2016, President Obama signed the U.S. Judicial Redress Act, which “will give EU citizens access to U.S. courts to enforce privacy rights in relation to personal data transferred to the [United States] for law enforcement purposes,” including if personal data is allegedly mishandled or disclosed by the federal government in terror or criminal investigations.161

As compared to the Safe Harbor, the Privacy Shield Framework has a new “annual joint review mechanism” for the EU and United States to “monitor the functioning of the Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes.”162 The U.S. Department of Commerce and the European Commission will conduct the review along with experts in national intelligence from both sides, and the review “will serve to substantiate the commitments” that the governments and companies have made through the Privacy Shield Framework.163

IV. POTENTIAL IMPACT OF THE EU-U.S. PRIVACY SHIELD FRAMEWORK

The EU-U.S. Privacy Shield Framework will likely encounter backlash from privacy advocates, and it will also have broad implications in the realms of national security and business.

A. A Likely Challenge from Privacy Advocates

Privacy advocates are already planning to challenge the Privacy Shield, stating that the deal does not offer sufficient protections to Europeans when their data is transported from the EU to the United States.164 They claim that the new Privacy Shield Framework contains mere cosmetic changes from its predecessor, putting “lipstick on a pig” according to Schrems.165 The prior Safe Harbor Framework clearly was not sufficient for protecting the fundamental right to privacy of EU citizens since, by the time the Schrems decision invalidated the Framework, the EU and United States had been negotiating for two years on a new program that they hoped would better protect the privacy rights of EU citizens when transferring their data to the United States.166 Because of the Safe Harbor’s acknowledged shortcomings, the strikingly similar Privacy Shield likely also does not provide adequate protection for EU citizens. In a similar vein, the primary change from the Safe Harbor to the Privacy Shield appears to be the various methods for recourse once an EU citizen thinks that a company or the U.S. government has mishandled his data. As Snowden suggests, this leads to the Privacy Shield functioning more like an “accountability shield” in practice.167 Snowden’s claim is further substantiated because even under the Privacy Shield, as a result of President Obama’s Presidential Policy Directive 28 (PPD-28), six purposes still exist for which the United States can perform bulk data surveillance: detecting and countering terrorism, threats from espionage, weapons of mass destruction, cybersecurity, threats to the United States or allied Armed Forces, or transnational criminal threats.168 As the Schrems decision noted, “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter [of Fundamental Rights].”169 The Privacy Shield appears to permit “access on a generalised basis” through the six purposes permitted by PPD-28, thus violating fundamental privacy rights recognized by the EU and putting the Privacy Shield at risk if it is challenged in court in the EU.170

B. Developments Within National Security

A further source of conflict surrounding the Privacy Shield is its explicit admission that its Principles may be legally circumscribed by one party if events warrant. “Adherence to [the] Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations.”171 Simply stated, in addition to the six purposes permitted by PPD-28, the U.S. government will not follow the Privacy Shield Principles when they conflict with the needs of U.S. law enforcement or national security. Thus, bulk data collection is still possible in certain circumstances,172 and the U.S. government has indicated its view that this practice is necessary for protecting national security through the continued collection.173 In contrast, the European Parliament has “stated that the fight against terrorism could never be a justification for untargeted, secret, or even illegal mass surveillance program[s].”174 The inherent differences in the privacy and national security perspectives of the EU and United States may result in further conflicts between the two bodies’ trade negotiations in the future.

If a legal challenge successfully invalidates the Privacy Shield Framework, companies may instead encrypt their data in an attempt to achieve an “adequate” standard of privacy protection as required by the EU to maintain transatlantic trade.175 But encrypting content so heavily that the companies themselves would not even be able to access the encrypted data “poses a direct obstacle to law enforcement’s ability to access necessary electronic content,” even with a targeted warrant.176 Encryption would make the data far more difficult for the U.S. government to access, thereby thwarting the NSA’s PRISM program as well as other data collection practices considered necessary by PPD-28 and the Privacy Shield.177 U.S. intelligence agencies may argue that mass surveillance is still necessary so “that if there is a terrorist attack or a kidnapping, they [can] quickly access all the data [related to one name] in order to see if they can find any communications that might be related.”178 That claim seems reasonable, especially given the success of the PRISM program’s online surveillance.179 While some may try to counter this argument by pointing out that, according to “a privacy and civil liberties review body” established by President Obama, no evidence exists to show that there was “a single instance involving a threat to the United States in which the telephone records program made a concrete difference in the outcome of a counterterrorism investigation,”180 that reasoning would be flawed on two accounts: first, the extensive bulk data collection of the telephone monitoring program ended with the death of the Patriot Act,181 and second, that information is not the same as the data transmitted via the Internet that would be encrypted.182 If companies were to use encryption and render mass surveillance of data ineffectual, any attempts by the U.S. government to access EU customers’ data would likely only be done on a targeted basis, in which case privacy advocates probably would not object.183 In addition, given the existence of the BULLRUN decryption program and a recent case in which the FBI circumvented the security system on an iPhone after Apple refused to comply with a court order to unlock the device, it seems possible that in the future the United States may be able to gain access to some of the encrypted information anyway, but the degree to which the encryption could be thwarted is uncertain.184

The recent terrorist attacks in France and Brussels may cause the EU to change its perspective on whether mass surveillance is deemed acceptable. News outlets have reported that the EU is now planning to prioritize developing a system for the collection of digital evidence concerning possible terrorist attacks, and “the push for direct government access to telecommunications and other data appears to be a sea change in EU thinking on privacy and security.”185 These unfortunate events may have resulted in the EU better understanding the surveillance policies put forth by the United States, which could lead to acceptance of the provisions set forth in the Privacy Shield among the EU citizens and its branches of government.

C. Possible Actions for Companies

Companies face greater obligations under the Privacy Shield Framework than they previously did under the Safe Harbor Framework.186 Under the new program, businesses must now provide “greater transparency with respect to their data collection, use, and sharing practices through more robust and detailed privacy policies,” and they are also required to “notify individuals of the type of data collected, how the data is handled, and available opt-out mechanisms.”187 If companies transfer personal data to third-party service providers, they must monitor, and remain responsible for, the proper handling of that personal data.188 In addition, companies must now respond to complaints with respect to personal data handling within forty-five days.189 These requirements are all supplemented by the company providing an alternative dispute resolution mechanism to resolve the complaints at no cost to the individual (yet at cost to the business), and where the complaints are not resolved through that mechanism or other methods of enforcement, the company must now engage in binding arbitration from a panel designated by the U.S. Department of Commerce and the European Commission.190 These new obligations for U.S. companies to be able to engage in business with the EU through the Privacy Shield all create additional labor and expenses.191 Moreover, if individuals bring frivolous suits in an attempt to gain financial rewards because the recourse methods are of no cost to the individuals, companies may experience an unnecessary drain of resources by pursuing the activities required by the Privacy Shield.

While the decision to enter the Privacy Shield Framework is voluntary, a company’s determination not to expend its resources on the Framework’s new required practices may result in the company sacrificing the significant opportunity to engage in the transatlantic economy’s $260 billion digital services industry.192 However, companies can instead pursue their own policies for the privacy of their customers and still be able to conduct business with consumers in the EU. As a result, companies may no longer have any incentive to comply with optional policies from the U.S. government that could again result in mass collections of foreign data and thus create backlash from consumers and foreign governments.193 Rather than using its resources to pursue the Privacy Shield, as mentioned before, a company may instead attempt to achieve an “adequate” standard of privacy protection as required by the EU to engage in trade by encrypting its data.194 Moreover, this approach could be pursued without concern about potential challenges to, and effects from, the Privacy Shield. Whereas in the past encryption may have been considered “too costly or inconvenient to implement, under the post-Snowden calculus, [companies] are now adopting [it] as a matter of business necessity.”195 Additionally, rather than pursuing encryption, companies could instead “restructure their European data processing operations—such as building European data centers to process regional data.”196 However, these changes may require substantial alterations in the management of the flows of user data, resulting in a significant time and financial investment.197 For both encryption and data operations restructuring, companies must weigh the potential for U.S. government backlash198 and the financial costs of the changes against the benefits of not being beholden to the Privacy Shield Framework. This analysis is especially necessary because after companies make adjustments and financial provisions for the Framework, the EU could invalidate it and replace it with yet more new and costly requirements.

In addition, despite possible preparations being made for compliance with the Privacy Shield, some commentators say that “[o]rganisations shouldn’t be overly distracted by Privacy Shield, as there are far more significant changes on the horizon for organisations processing personal information,” such as implementing changes required for compliance with provisions of the GDPR by 2018.199 With obligations such as increased accountability for data processors outside of the EU that are subject to the GDPR and the potential for substantial financial penalties, which could be up to four percent of a company’s global annual turnover for violating a data subject’s privacy rights,200 companies in the United States subject to the GDPR have a lot for which to prepare. This makes it necessary for companies to keep the requirements of the GDPR in perspective when weighing whether to pursue the Privacy Shield.

V. CONCLUSION

The differing underlying perspectives on privacy for the EU and United States are difficult to reconcile with complete satisfaction for both parties. While the EU-U.S. Privacy Shield Framework is an attempt to do so, privacy advocates will likely challenge the protections as inadequate. Although privacy advocates and the EU may see the data collection by the United States for national security purposes as an invasion of the right to privacy, the United States would disagree and claim that the collection is crucial for the nation’s safety. This conflict of views may lead to companies resolving issues within transatlantic trade by exercising their own business judgment rather than pursuing the contentious Privacy Shield. However, this path may result in obstacles to safeguarding national security. Regardless, companies that choose to engage in digital commerce with the EU will have to make adjustments to meet its expectations of privacy, and businesses must conduct an analysis of whether it is prudent for them to pursue the Privacy Shield and its numerous requirements or if it would be more beneficial for them to seek other options.

134. [note begins on the preceding page] . . . judicial review of their issuance. Finally, it augments existing reporting requirements for greater transparency.”).
135. See Steven Nelson, Senate Passes Freedom Act, Ending Patriot Act Provision Lapse, U.S. NEWS (June 2, 2015), http://www.usnews.com/news/articles/2015/06/02/senate-passes-freedom-actending-patriot-act-provision-lapse (“Section 702 will expire without congressional reauthorization in 2017.”); see generally USA Freedom Act of 2015, Pub. L. No. 114-23, 129 Stat. 268 (2015).
136. Ellen Nakashima, Top E.U. Court Strikes Down Major Data-Sharing Pact Between U.S. and Europe, WASH. POST (Oct. 6, 2015), https://www.washingtonpost.com/world/national-security/eucourt-strikes-down-safe-harbor-data-transfer-deal-over-privacy-concerns/2015/10/06/2da2d9f6-6c2a-11e5-b31c-d80d62b53e28_story.html.
137. Id.
138. Id.; Max Schrems v Irish Data Protection Commissioner (Safe Harbor), ELECTRONIC PRIVACY INFO. CTR., https://epic.org/privacy/intl/schrems/ (last visited Apr. 14, 2016).
139. Max Schrems v Irish Data Protection Commissioner (Safe Harbor), supra note 138; Nakashima, supra note 136.
140. Case C-362/14, Schrems v. Data Prot. Comm’r, 2015 E.C.R. 117/1, ECLI:EU:C:2015:627, ¶ 97 (2015), http://curia.europa.eu/juris/document/document.jsf?text=&docid=168421&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=686127; Burton et al., supra note 43.
141. Burton et al., supra note 43.
142. See Rob Price, Everything You Need to Know About the Pivotal Max Schrems-Facebook Case, BUS. INSIDER (Oct. 6, 2015, 5:39 AM), http://www.businessinsider.com/ecj-safe-harbor-ruling-botsexpected-2015-10?r=UK&IR=T.
143. See European Commission Press Release IP/16/434, EU-U.S. Privacy Shield: Frequently Asked Questions (Feb. 29, 2016), http://europa.eu/rapid/press-release_MEMO-16-434_en.htm; Nakashima, supra note 136.
144. See European Commission Press Release IP/16/433, Restoring Trust in Transatlantic Data Flows Through Strong Safeguards: European Commission Presents EU-U.S. Privacy Shield (Feb. 29, 2016), http://europa.eu/rapid/press-release_IP-16-433_en.htm; Fact Sheet: Overview of the EU-U.S. Privacy Shield Framework, U.S. DEP’T OF COMMERCE (Feb. 29, 2016, 2:18 PM), https://www.commerce.gov/news/fact-sheets/2016/02/fact-sheet-overview-eu-us-privacy-shield-framework [hereinafter Fact Sheet: Privacy Shield]; see generally U.S. DEP’T OF COMMERCE, EU-U.S. PRIVACY SHIELD FRAMEWORK PRINCIPLES (2016), https://www.commerce.gov/sites/commerce.gov/files/media/files/2016/eu_us_privacy_shield_full_text.pdf.pdf [hereinafter EU-U.S. PRIVACY SHIELD].
145. Fact Sheet: Privacy Shield, supra note 144; see Taylor Wessing, EU-US Privacy Shield Adopted, LEXOLOGY (July 12, 2016), http://www.lexology.com/library/detail.aspx?g=77e5cbe9-ab14-4de1-8c76-7fd8f592e3a6.
146. Following the European Commission’s draft adequacy decision, on April 13, 2016, the Article 29 Working Party released its non-binding opinion stating that while the Privacy Shield presents “significant improvements” as compared to the Safe Harbor, the Working Party has “strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield.” European Commission Press Release, Statement of the Article 29 Working Party on the Opinion on the EU-U.S. Privacy Shield (Apr. 13, 2016), http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/press_release_shield_en.pdf. Despite the concerns of the Article 29 Working Party, the European Commission adopted the EU-U.S. Privacy Shield Framework on July 12, 2016. See Kate Brimsted, Privacy Shield Does Not Achieve Adequacy of Protection under Current Regime, Say EU Data Protection Authorities, JD SUPRA (Apr. 18, 2016), http://www.jdsupra.com/legalnews/privacyshield-does-not-achieve-92410/; Richard Dickinson et al., EU-US Privacy Shield Adopted: Where Do We Go From Here?, LEXOLOGY (July 18, 2016), http://www.lexology.com/library/detail.aspx?g=e9f77b78-e9c3-4026-b7b6-dabadd8de893; European Commission Press Release, European Commission Launches EU-U.S. Privacy Shield: Stronger Protection for Transatlantic Data Flows (July 12, 2016), http://europa.eu/rapid/press-release_IP-16-2461_en.htm; European Commission Press Release IP/16/433, supra note 144; Ulrich Wuermeling et al., Privacy Shield Is on Its Way, LEXOLOGY (Mar. 23, 2016), www.lexology.com/library/detail.aspx?g=7005fd57-4b9a-4f2f-b0e8-1ff5b47e9243.
147. See Wuermeling et al., supra note 146.
148. Id.
149. Id. If a company fails to comply with its privacy policy representations, that may be seen as an unfair and deceptive act, and legal action may be taken under Section 5 of the Federal Trade Commission Act. See 15 U.S.C. § 45(a) (2012); see also Peter Sayer, 5 Things You Need to Know About the EU-US Privacy Shield Agreement, PCWORLD (Feb. 29, 2016), http://www.pcworld.com/article/3038688/privacy/five-things-you-need-to-know-about-the-eu-us-privacy-shield-agreement.html.
150. See EU-U.S. PRIVACY SHIELD, supra note 144, at 4.
151. Id.; Wuermeling et al., supra note 146.
152. EU-U.S. PRIVACY SHIELD, supra note 144, at 8.
153. Id. at 6.
154. Id. at 22; see also European Commission Press Release IP/16/434, supra note 143; U.S. DEP’T OF COMMERCE, THE U.S.-EU SAFE HARBOR FRAMEWORK: GUIDE TO SELF-CERTIFICATION 46 (2009), http://trade.gov/media/publications/pdf/safeharbor-selfcert2009.pdf [hereinafter SAFE HARBOR GUIDE] (indicating no requirement to respond within 45 days for the Safe Harbor).
155. While under the Safe Harbor a company still had to provide a dispute resolution mechanism, sources do not indicate that it had to be free for the individual. See FAQ—Dispute Resolution and Enforcement, EXPORT.GOV, https://build.export.gov/main/safeharbor/eu/eg_main_018383 (last updated May 7, 2012, 4:25 PM); see also SAFE HARBOR GUIDE, supra note 154, at 49.
156. EU-U.S. PRIVACY SHIELD, supra note 144, at 4; see also European Commission Press Release IP/16/434, supra note 143; Fact Sheet: Privacy Shield, supra note 144.
157. See Fact Sheet: Privacy Shield, supra note 144; FAQ—Dispute Resolution and Enforcement, supra note 155 (indicating no panel arbitration mechanism); see also Chanley T. Howell et al., EU-U.S. Privacy Shield Agreement Released, LEXOLOGY (Mar. 1, 2016), http://www.lexology.com/library/detail.aspx?g=12d98cab-4654-44b8-a496-ecdc8afe577d; see generally EU-U.S. PRIVACY SHIELD, supra note 144, Annex I: Arbitral Model.
158. EU-U.S. PRIVACY SHIELD, supra note 144, at 4; see also Fact Sheet: Privacy Shield, supra note 144; Howell et al., supra note 157; Mark Scott, E.U. and U.S. Release Details on Trans-Atlantic Data Transfer Deal, N.Y. TIMES (Feb. 29, 2016), http://www.nytimes.com/2016/03/01/technology/euus-trans-atlantic-data-transfer-deal.html?_r=1.
159. European Commission Press Release IP/16/434, supra note 143 (“In January 2014, President Obama issued Presidential Policy Directive 28 (PPD-28), which imposes important limitations for intelligence operations. It specifies that data collection by the intelligence services should be targeted. Additionally, the PPD-28 limits the use of bulk collection of data to six national security purposes . . . to better protect privacy of all persons, including non-U.S[.] citizens.”); see also Press Release, White House, Office of the Press Sec’y, Presidential Policy Directive 28, Signals Intelligence Activities (Jan. 17, 2014), https://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities.
160. EU-U.S. PRIVACY SHIELD, supra note 144; European Commission Press Release IP/16/434, supra note 143; see also Howell et al., supra note 157.
161. European Commission Press Release IP/16/434, supra note 143 (“The Judicial Redress Act will extend the rights [U.S.] citizens and residents enjoy under the 1974 Privacy Act also to EU citizens. This is a long-standing demand of the EU.”); H.R. 1428, 114th Cong. (2016) (enacted); Howell et al., supra note 157.
162. European Commission Press Release IP/16/434, supra note 143.
163. Id.
164. Scott, supra note 158.
165. Id.; see also Natasha Lomas, Draft Text of EU-U.S. Privacy Shield Deal Fails to Impress the Man Who Slayed Safe Harbor, TECHCRUNCH (Feb. 29, 2016), http://techcrunch.com/2016/02/29/lipstickon-a-pig/ (reproducing Max Schrems (@maxschrems), Twitter (Feb. 29, 2016, 7:12 AM)) (at the time this Note was going to publication, Schrems’ original tweet had been removed, but a copy of Lomas’ article with the embedded original Tweet is on file with the Georgetown Journal of International Law).
166. See European Commission Press Release IP/16/434, supra note 143; Nakashima, supra note 136.
167. Edward Snowden (@Snowden), TWITTER (Feb. 2, 2016, 9:22 AM), https://twitter.com/Snowden/status/694571566990921728; see also Seung Lee, FBI’s Fight with Apple over Encryption May Erode European Trust in U.S., NEWSWEEK (Feb. 20, 2016, 2:24 PM), http://www.newsweek.com/fbifight-apple-over-encryption-may-erode-european-trust-privacy-shield-428804; David Meyer, Looks Like Data Will Keep Flowing From the EU to the U.S. After All, FORTUNE (Feb. 2, 2016, 10:19 AM), http://fortune.com/2016/02/02/looks-like-data-will-keep-flowing-from-the-eu-to-the-u-s-after-all/.
168. Sayer, supra note 149; White House, Office of the Press Sec’y, supra note 159; see also European Commission Press Release IP/16/434, supra note 143.
169. Case C-362/14, Schrems v. Data Prot. Comm’r, 2005 E.C.L.I. 627, ¶ 94 (2015).
170. See id.; see also Glyn Moody, “Privacy Shield” Proposed to Replace US-EU Safe Harbor, Faces Skepticism, ARS TECHNICA (Feb. 29, 2016, 9:04 AM), http://arstechnica.com/tech-policy/2016/02/privacy-shield-doomed-from-get-go-nsa-bulk-surveillance-waved-through/; The New Way US Tech Giants Are Going to Handle Your Data is Almost in Place, TheJournal.ie (Feb. 29, 2016, 3:21 PM), http://www.thejournal.ie/article.php?id=2633339 (quoting a Tweet by Max Schrems on February 27, 2016 that has since been removed, stating, “So they openly admit that #PrivacyShield will violate the #CJEU ruling on #SafeHarbor!?”).
171. EU-U.S. PRIVACY SHIELD, supra note 144, at 2.
172. See White House, Office of the Press Sec’y, supra note 159 (explaining PPD-28); Sayer, supra note 149.
173. See White House, Office of the Press Sec’y, supra note 159.
174. Fidler, supra note 128, at 308.
175. See Nigel Hawthorn, Safe Harbor “Invalid”—What’s the Impact to Companies Using US-Based Cloud Services?, SKYHIGH NETWORKS (Sept. 23, 2015), https://www.skyhighnetworks.com/cloudsecurity-blog/safe-harbor-invalid-whats-the-impact-to-companies-using-us-based-cloud-services/; Van Hoboken & Rubinstein, supra note 97, at 496, 508–09.
176. Shah, supra note 81, at 544, 553–54.
177. Id. at 554.
178. See Ewen MacAskill, The NSA’s Bulk Metadata Collection Authority Just Expired. What Now?, THE GUARDIAN (Nov. 28, 2015), http://www.theguardian.com/us-news/2015/nov/28/nsa-bulkmetadata-collection-expires-usa-freedom-act.
179. See Fred Kaplan, The NSA Debate We Should Be Having, SLATE (June 8, 2015), http://www.slate.com/articles/news_and_politics/war_stories/2015/06/the_national_security_agency_s_surveillance_and_the_usa_freedom_act_the.html (“The key difference [as compared to telephone metadata] is that PRISM has been a far more effective intelligence tool. Obama’s independent commission—the same body that refuted official claims about telephone metadata’s usefulness—concluded that PRISM had played an important role in stopping 53 terrorist plots.”).
180. See MacAskill, supra note 178.
181. See Zetter, supra note 129; see also USA Freedom Act of 2015, Pub. L. No. 114-23, 129 Stat. 268 (2015).
182. Kaplan, supra note 179 (“[V]ery little of the [NSA news] coverage draws a distinction—or know that there is a difference—between Section 215 metadata collection (which has had no effect on stopping terrorism) and Section 702 data-interception (which has been remarkably successful).”).
183. See MacAskill, supra note 178 (“Privacy campaigners have argued they are not opposed to targeted surveillance, in which suspects are monitored. Their complaint is with bulk data collection and its indiscriminate nature.”).
184. Hundreds of encrypted devices held by state and local law enforcement have data that is still inaccessible to investigators, indicating that the government’s ability to overcome encryption may progress at a slow pace. In addition, once a security breach allowing access to encrypted content is discovered by a company, the company will likely plug the hole, requiring new encryption methods. See Kevin Johnson, Comey: Hack Tool Used on San Bernardino Phone Won’t Work in New Models, USA TODAY (Apr. 8, 2016), http://www.usatoday.com/story/news/politics/2016/04/07/fbi-comey-apple-iphones-encryption-farook/82764724/; Joseph Menn, FBI Trick for Breaking into iPhone Likely to Leak, Limiting its Use, REUTERS (Apr. 2, 2016), http://www.reuters.com/article/us-apple-encryption-fbi-idUSKCN0WZ0U2; Van Hoboken & Rubinstein, supra note 97, at 492–93, 505–06.
185. See Jim Brunsden, EU Ministers Push for Data Access to Combat Terror, FIN. TIMES (Mar. 24, 2016), http://www.ft.com/cms/s/0/eab11fb8-f11c-11e5-aff5-19b4e253664a.html#axzz45S9y40FS; Alexander J. Martin, EU Ministers to Demand More Data Access after Brussels Attacks, REGISTER (Mar. 24, 2016, 2:48 PM), http://www.theregister.co.uk/2016/03/24/eu_ministers_to_demand_more_data_access_after_terrorism_hits_brussels.
186. See Mark Thompson & Ewan Donald, Privacy Shield: What to Expect and Why Businesses Must Act Now, COMPUTER BUS. REV. (Mar. 22, 2016), http://www.cbronline.com/blogs/cbr-rollingblog/privacy-shield-what-to-expect-and-why-businesses-must-act-now; see generally EU-U.S. PRIVACY SHIELD, supra note 144.
187. Howell et al., supra note 157; see generally EU-U.S. PRIVACY SHIELD, supra note 144.
188. EU-U.S. PRIVACY SHIELD, supra note 144, at 5–6; see Howell et al., supra note 157; Thomas Matzen, EU-U.S. Privacy Shield and the GDPR: The New Rules of Engagement for Transatlantic Data Transfers, METRO. CORP. COUNS. (Mar. 30, 2016), http://www.metrocorpcounsel.com/articles/33709/eu-us-privacy-shield-and-gdpr-new-rules-engagement-transatlantic-data-transfers (In discussing third-party vendors in an interview about the Privacy Shield and GDPR, an e-discovery expert said, “This is where some of the new expenses will arise . . . . Essentially, [companies] will have to become a clearinghouse, vouching for all of the vendors that venture into their world of data, which could be thousands.”); see also Safe Harbor Privacy Principles, supra note 104 (Under the Safe Harbor, “[i]f the organization [first ascertains that the third party provides at least the same level of privacy protection as is required by the relevant Principles], it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing.”).
189. EU-U.S. PRIVACY SHIELD, supra note 144, at 22; see also Howell et al., supra note 157.
190. See Howell et al., supra note 157; see generally EU-U.S. PRIVACY SHIELD, supra note 144, Annex I: Arbitral Model.
191. See Matzen, supra note 188.
192. See Statement from U.S. Secretary of Commerce, supra note 1.
193. See Van Hoboken & Rubinstein, supra note 97, at 494–96, 505 (“[T]he U.S. tech industry—and especially companies in the cloud computing industry—worried about potential spillover damage [from the Snowden revelations] based on foreign businesses and governments threatening not to use their services because of concerns over NSA spying.” The same concern about NSA spying may apply now given the provisions from the United States that are applicable to the Privacy Shield.); see also Shah, supra note 81, at 543 (“A defining feature of this new era [post-Snowden] is the increasingly contentious relationship between the U.S. government and major U.S. tech companies, such as Apple and Google.”).
194. See Hawthorn, supra note 175 (“If the organization encrypts personal data before it is sent to the cloud and keeps the keys on their own premises, then all of these issues [considered by the EU] disappear. There is no personal data in the cloud service as it has been encrypted or tokenized.”); Van Hoboken & Rubinstein, supra note 97, at 508–09 (“When properly implemented by cloud providers, encryption measures can help secure communications and stored data against third party intrusions, including those of government intelligence agencies.”).
195. Van Hoboken & Rubinstein, supra note 97, at 496; see also Nathan Eddy, Encryption a Top Priority, and Challenge, for Businesses, EWEEK (Aug. 14, 2015), http://www.eweek.com/small-business/encryption-a-top-priority-and-challenge-for-businesses.html (“[R]oadblocks include the cost of encryption technology . . . and worries about impact on performance.”).
196. See Natasha Lomas, Europe’s Top Court Strikes Down ‘Safe Harbor’ Data-Transfer Agreement with U.S., TECHCRUNCH (Oct. 6, 2015), http://techcrunch.com/2015/10/06/europes-top-courtstrikes-down-safe-harbor-data-transfer-agreement-with-u-s/.
197. Id.
198. See Dustin Volz & Mark Hosenball, Leak of Senate Encryption Bill Prompts Swift Backlash, REUTERS (Apr. 8, 2016), http://www.reuters.com/article/us-apple-encryption-legislation-idUSKCN0X52CG (explaining that a leaked draft of a bill by the top Republican and Democrat members of the Senate Intelligence Committee would require companies to decrypt data when faced with a court order “to hand over data in ‘an intelligible format’ or provide ‘technical assistance’ to access locked data”).
199. Thompson & Donald, supra note 186; European Commission Statement 16/1403, supra note 46; see also Felz, supra note 42; Olivi, supra note 48.
200. See Ashford, supra note 47; Matzen, supra note 188 (“General counsel should consider putting a team together to address the GDPR standards and help ease the transition to the Privacy Shield [P]rinciples.”); Olivi, supra note 48; Thompson & Donald, supra note 186.