Transatlantic Data Privacy Regulations from Safe Harbor to Privacy Shield
Transatlantic Data Privacy – From Safe Harbor to Privacy Shield
By Daniel Parziale
Introduction:
As a society we are increasingly living out our lives digitally. In 2006, only 17.6% of the global population had accessed the Internet within the past twelve months; however, by 2014 that number had more than doubled to 40.7%.[1] Unsurprisingly, countries that are post-industrial are among those with the highest percentage of Internet users.[2] During the same period, 2006 – 2014, the percentage of Internet users in the United States increased from 68.9% to 87.4%.[3] Similarly, across the Atlantic, the percentage of Internet users in the European Union (“EU”) increased from 54.5% to 78.1%.[4] In order to accommodate this increasingly insatiable demand for Internet access, there are currently 285 cables spanning the Atlantic and connecting the United States and the EU.[5] The information and data that crosses these cables has brought western culture closer together by allowing instantaneous communication and a large trans-national dialogue. On the other hand, this same instantaneous communication creates a liability for companies, who must submit to various legal and regulatory compliance measures when processing personal data.
The European Union’s Data Privacy Directive:
Near the turn of the millennium many member states of the EU became aware of the increasing amount of user-generated data being transferred over the Internet. This data was eventually stored on commercial servers. While several member nation states had their own national frameworks for protecting personal data, the growing economic relationship of the European Union necessitated that a Union-wide regulatory framework be used.[6] Therefore, in an effort to protect the privacy of its citizens, the EU adopted the “European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data” (“Directive”) in 1995.[7] Becoming effective in 1998, this regulation sought to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”.[8]
While the overall objective of the Directive appears facially clear and appealing to most, further definitions are necessary to ultimately determine what the EU set out to achieve with the Directive. To this end, the Directive set forth some definitions to establish the scope of the regulatory framework. First, the Directive defines personal data as “any information relating to an identified or identifiable natural person”.[9] Next, it broadly defines personal data processing as “any operation or set of operations which is performed upon personal data”.[10] Lastly, the Directive defines who the “controllers” - otherwise known as Data Protection Authorities (“DPA”) - are as a “public authority, agency or any other body which… determines the purposes and means of the processing of personal data”.[11] Thereafter, the Directive focuses on certain cases in which personal data may and may not be processed for legitimate purposes under Article 7.
Article 7 of the Directive establishes a series of six principles enumerating where and how the processing of personal data may be legitimized.[12] First, personal data may be legitimately processed if the “data subject has unambiguously given [their] consent”.[13] Second, personal data may be legitimately processed if it is in connection with a contract to which the data subject is a party.[14] Third, personal data may be legitimately processed if “processing is necessary for compliance with a legal obligation to which the controller is subject”.[15] Fourth, personal data may be legitimately processed if “processing is necessary in order to protect the vital interests of the data subject”.[16] Fifth, personal data may be legitimately processed if processing is necessary to carry out a task in the public interest or in an “exercise of official authority vested in the controller”.[17] Lastly, personal data may be legitimately processed where “processing is necessary for the purposes of the legitimate interests pursued by the controller” but only “where such interests are overridden by the interests for fundamental rights and freedoms of the data subject”.[18] While there are principles in place to provide for when personal data may be legitimately processed, the framers of the Directive were also concerned with prohibiting certain types of personal data from ever being collected and processed.
Article 8 of the Directive establishes limits on what types of personal data may be collected.[19] For seemingly obvious reasons, the Directive prohibits the collection of personal data where such data is related to the individual’s “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”, as this data could be used for discriminatory purposes.[20] This personal data is known as “sensitive” personal data.[21] In contrast, the Directive does provide that collection and processing of these aforementioned specific types of personal data may be legitimized if certain criteria are met,[22] for example, if the data subject gives their consent or if the processing is done for the purpose of medical or criminal records.[23]
With copious amounts of personal data being collected and processed, the EU desired to provide the data subject access to the personal data stored and processed by the organization. Article 12 of the Directive, further broken down into three provisions, provides data subjects access to their processed personal data.[24] First, Article 12 provides that a data subject has the right to confirmation, in an intelligible form, of what personal data is being processed and for what purpose.[25] Second, Article 12 provides the data subject with the ability to have certain personal data removed, or corrected, for processing.[26] More specifically, Article 12 provides a data subject the ability to ensure “erasure or blocking of data the processing of which does not comply with the provisions of the Directive”.[27] Third, and closely related, Article 12 provides a data subject with the right to notify third parties “of any rectification, erasure or blocking carried out in compliance with” the second provision.[28] The second and third provisions collectively came to be known as the European Union’s “Right to be Forgotten”.[29] The importance of Article 12 of the Directive cannot be overstated, as it highlights the EU’s strong commitment to an individual’s right to control the use of their personal data by giving a data subject a way to remove, or correct, their data being processed.[30]
The EU’s Data Protection Directive was enacted to protect individual freedoms by limiting the collection and processing of personal data. The Directive established what data may be collected and what data was prohibited. Furthermore, the Directive established how collected personal data may be legitimately used. Lastly, the Directive provided individual data subjects the right to change their personal data being processed or to remove it from processing entirely. Nevertheless, one major regulatory issue remains. What happens to personal data that is processed outside of the jurisdiction of the European Union?
Personal Data Processing Across Borders:
The Internet, like corporations, is not limited by national borders. Instead it facilitates trade and communication across nations and continents. As a result, some of the personal data of citizens in the EU may be processed by organizations outside of the EU. Although the Internet had not yet made the world as readily accessible, the framers of the Directive planned for this eventuality in Chapter IV of the Directive, Articles 25 and 26.[31]
Article 25 of the Directive outlines the principles for transferring personal data to third countries.[32] For the purposes of the Directive, the term “third country” refers to a country that is neither where the data subject is located nor a member of the E.U.[33] Under Article 25, the Directive states that personal data must not be transferred to third countries for processing unless the third country can ensure “an adequate level of protection”.[34] While “an adequate level of protection” is already a somewhat nebulous term, the Directive expounds upon the concept, noting that the level of protection “shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations”.[35] Considerations for assessing the level of protection include the nature of the data, its purpose, the duration for which it is being processed in the third country, and the strength of the data protection regulations in the third country.[36] Overcoming the adequacy requirement of Article 25 is paramount to any organization seeking to transfer and process personal data outside of the E.U.
Article 26 provides the opportunity to have data processed without the protections set forth in Article 25 so long as seven other criteria are met.[37] First, the free flow of personal data to a third country is justified if “the unambiguous consent of the data subject to the export of the data is given”.[38] Second, the free flow of personal data to a third country may be justified if the data subject “enters – or prepares to enter – into a contractual relationship which clearly requires that the data be transferred to a recipient abroad”.[39] Third, the free flow of personal data to a third country may be justified if a contract between the data controller and a third party was made with consideration for the data subject’s interests.[40] Fourth, the free flow of personal data to a third country may be justified if the “transfer is necessary in order to protect the vital interests of the data subject”.[41] Finally, the free flow of personal data to a third country may be justified if the transfer of personal data is from governmental public registers.[42] These criteria allow for the transmission of personal data to a third country where not provided for by domestic law, i.e. the law of an individual EU member state, and where the third country does not “ensure an adequate level of protection” within the meaning of Article 25.
European Union – United States Safe Harbor Framework:
The regulatory regime established in Articles 25 and 26 of the Directive provides for the limited transmission of personal data. However, the inherent limitations ultimately proved overly burdensome when attempting to facilitate trade and commerce between the European Union and the United States (“U.S.”). The regulatory regime in the U.S. is comparatively a “sector[ial] approach that relies on a mix of legislation, regulation, and self-regulation”.[43] This contrast in regulatory regimes ultimately caused many organizations in the U.S. to express concern over the indeterminate impact of the Directive’s “adequacy standard”.[44] Therefore, on July 26, 2000 the European Commission adopted the “Safe Harbor Decision”.[45] The Safe Harbor decision recognized seven Safe Harbor Principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.[46] Compliance with these seven Principles, in conjunction with adherence to the regulations set forth in the U.S. Department of Commerce’s answers to frequently asked questions, enables an organization within the U.S. to self-certify and establish an “adequate level of protection” sufficient to be compliant under Article 25 of the Directive.[47] Only certain types of organizations in the U.S. may file for self-certification; namely, those under the jurisdiction of the Federal Trade Commission or airlines under the jurisdiction of the Department of Transportation.[48]
The first Principle of the Safe Harbor framework is notice.[49] Organizations in the U.S. are required to provide notice to data subjects about the organization’s purpose for collecting and processing their personal data.[50] Furthermore, organizations are required to provide contact information where a data subject may lodge inquiries or complaints regarding how their personal data is being processed.[51] Moreover, organizations are required to disclose which third parties received any of the data subject’s personal information.[52] Lastly, organizations in the U.S. are required to provide choices and means for data subjects to limit the use and disclosure of their personal data.[53] All of these notice requirements must be provided in clear, unambiguous, and conspicuous language easily accessible to the data subject.
The second Principle of the Safe Harbor framework is choice.[54] Organizations seeking to self-certify to Safe Harbor must provide a choice to data subjects enabling them to opt out of the sharing of their personal data, allowing it to be transferred to a third party, or processed for a purpose other than its originally stated purpose.[55] Correspondingly, organizations must provide an affirmative opt-in method for transmitting or processing “sensitive” personal data to a third party for purposes other than originally stated.[56] Simply stated, if organizations in the U.S. wish to avail themselves of the “adequate level of protection” standard provided for under the Safe Harbor framework, they must provide a choice to the data subject regarding which parts of their personal data can be processed and which third parties should have access.
The third Principle of the Safe Harbor framework is onward transfer.[57] Organizations in the U.S. seeking to self-certify to Safe Harbor must commit to investigate the third parties with whom they share the data subject’s personal data.[58] As part of this investigation, organizations are first required to determine whether the third party itself has self-certified and is protected under Safe Harbor.[59] In addition, the organization should investigate whether the third party has been found to have an “adequate level of protection” under the Directive in an adequacy finding provided for in Articles 25 and 26.[60] Finally, if neither of the aforementioned provides protection, the organization may enter an agreement with the third party requiring them to “provide at least the same level of privacy protection as is required by the relevant [p]rinciples”, effectively encouraging them to simply follow the established Safe Harbor framework.[61] If an organization complies with all of the aforementioned regulation regarding onward transfer of personal data, it limits its liability with respect to subsequent infractions by the third party.[62]
The fourth Principle of the Safe Harbor framework is security.[63] Simply stated, in order to be in compliance with Safe Harbor an organization seeking self-certification must “take reasonable precautions to protect” the data subject’s personal data from “loss, misuse, unauthorized access, disclosure, alteration, or destruction”.[64] Effectively, the organization has a duty to protect the personal data of the data subject. Falling below the standard of care of that duty can create liabilities.
The fifth Principle of the Safe Harbor framework is data integrity.[65] Organizations seeking to self-certify under Safe Harbor must ensure that the personal data being processed is “relevant for the purposes for which it is to be used”.[66] Organizations are prohibited from processing personal data for a purpose other than originally stated or subsequently authorized by the data subject.[67] Moreover, the organization should make an effort to “ensure that data is reliable for its intended use, accurate, complete, and current”.[68] This data integrity Principle clearly mirrors the second provision outlined in Article 12 of the Directive, which ensures the accuracy and completeness of personal data being processed by organizations within the E.U.
The sixth Principle of the Safe Harbor framework is access.[69] Under the Principle of access, and closely related to the Principle of data integrity, organizations seeking to self-certify to Safe Harbor are required to provide access to the personal data of a given data subject so that the data subject may remove and correct inaccurate data.[70] This requirement is subject to limits in situations that would be overly burdensome for the organization, especially when compared with the risk to the data subject’s personal data and the personal data of other individuals.[71] Therefore, it is apparent that the Principle of data integrity clearly resembles and mirrors Article 12 of the Directive in providing a mechanism for data subjects to remove or correct inaccurate data.
The seventh, and perhaps most important, Principle of the Safe Harbor framework is enforcement.[72] Any regulation is only as strong as its enforcement. The Safe Harbor framework dictates that “protection must include mechanisms for assuring compliance with the [p]rinciples” and that there will be “consequences for the organization when the [p]rinciples are not followed”.[73] The first mechanism for assuring compliance requires a readily available independent method providing recourse for each individual complaint and dispute so that it is truly investigated.[74] The second mechanism for assuring compliance requires verification of the claims organizations make about their privacy practices and compliance with the Safe Harbor Principles.[75] The third mechanism for assuring compliance is the requirement of fines and sanctions imposed on those that violate Safe Harbor.[76]
These enforcement mechanisms rely heavily on the Federal Trade Commission and the Department of Commerce to collect and investigate any assertions that an organization is failing to meet the requirements outlined in the Safe Harbor Principles.[77] If it is determined by the Department of Commerce that an organization is not living up to the requirements outlined under the Safe Harbor Principles, it no longer receives the benefit of being protected from Article 25 liability under the Directive and may additionally be liable under the False Statements Act.[78]
The Safe Harbor Principles were developed in 2000 by both the European Commission and the U.S. Department of Commerce to ensure an easy path to compliance with the “adequate level of protection” standard of Article 25 of the Directive. Safe Harbor required organizations in the U.S. to comply with seven outlined Principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. These seven Principles were designed to provide an adequate level of protection and ensure that violators would be punished. However, the efficacy of the program remains elusive and unclear.
Max Schrems v Irish Data Protection Commissioner:
Currently the famed social network, Facebook, has nearly one and a half billion monthly active users. Nearly one fifth of the entire global population uses the social network in a given month.[79] An inherent operation of a social network is collecting and processing the personal data of users.[80] This data is used for a variety of purposes, from connecting one with his or her friends online to providing custom and tailored advertisements. Ultimately this process of collecting and using personal data has led Facebook to record profits - a total of $3.69 billion for fiscal year 2015.[81]
In 2011, a then twenty-four-year-old Austrian law student, Max Schrems, became intently curious about how much of his personal data was being stored and processed by Facebook.[82] Following the regulations regarding access to personal data outlined in Article 12 of the Directive, and over the course of six weeks and twenty-three emails with a subsidiary of Facebook located in Ireland, he obtained from the company a 1222-page document of all of the personal data it had collected and processed on him.[83] This personal data included every post he had made to the social network, some of which he thought were deleted, a very personal conversation with a friend in a troubled state of mind, and geolocation data that Schrems did not remember submitting to the site.[84] Schrems then became panicked by the overwhelming amount of personal data Facebook had collected on him.
Over time Schrems’ sense of panic turned to anger and he began to think about what recourse he had. In August 2011, he brought 22 complaints against the Irish Data Protection Commissioner, the local Data Protection Authority (“DPA”) in Ireland, whose responsibility it was under the Directive to protect his data.[85] In separating these problems into 22 smaller issues, Schrems believed he would have a better opportunity at effecting real change in this area.[86] In 2013, in response to issues raised by the actions of Edward Snowden and the respective surveillance actions of the U.S., Schrems filed a twenty-third complaint with the Irish Data Protection Commission alleging the laws and practices of the U.S. did not meet the privacy requirements outlined in the Directive.[87] Schrems asserted that the Commission failed to meet its duty in assessing whether Facebook met an “adequate level of protection” under Article 25.[88] The Commission rejected this complaint, maintaining that the already established Safe Harbor framework agreed to by the E.U. meant that a smaller member state Data Protection Authority did not have the responsibility of investigating the level of protection if the organization met the requirements of Safe Harbor.[89] Schrems appealed the ruling to the Court of Justice of the E.U.[90]
The Court of Justice of the European Union (“CJEU”) sought to determine whether a member state’s DPA could conduct its own investigation into Article 25’s “adequate level of protection” requirement in a third country or whether it was bound by the pre-existing decision of the European Commission.[91] Principally, the question was whether the Irish Data Protection Commission could investigate the level of protection offered by Facebook even though Facebook had previously self-certified and was thus compliant under the Safe Harbor Principles.[92] Ultimately, the CJEU held that “the [European] Commission did not have competence to restrict the national supervisory authorities’ powers”,[93] and therefore the Irish Data Protection Commission was not limited by Safe Harbor and did have the power to investigate whether Facebook complied with the “adequate level of protection” outlined in Article 25. Furthermore, the CJEU held the Safe Harbor Scheme invalid as it did not provide the adequate level of protection required under the Directive.[94]
Privacy Shield:
In the wake of the CJEU’s decision there were many questions about how collecting data on European data subjects and processing that information in the U.S. would continue. Many feared this would mean every organization in the U.S. that collected and processed data of Europeans would need to be in full compliance with the requirements outlined in the Directive, or otherwise provided for under Article 26. However, a new framework soon developed to fill the gap left by Safe Harbor.
The Privacy Shield framework was developed in February 2016 to fill the gap and again provide an easy method for organizations in the U.S. to meet the adequacy requirement outlined under Article 25.[95] The purpose of the Privacy Shield framework was to provide for “strong[er] obligations on companies” and more “robust enforcement” than previously provided for under Safe Harbor.[96] That being said, the Privacy Shield framework is eerily similar to the Safe Harbor framework. For example, the Privacy Shield framework consists of seven Principles. Furthermore, these Principles - notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse and enforcement - clearly mirror or are exactly the same as the seven Principles provided for under the Safe Harbor framework.[97] Nevertheless, there are still some differences where the new regulation may ultimately prove to be more protective.
Some of the first evidence for stronger and more robust enforcement under Privacy Shield appears as changes made to the Principle of data integrity.[98] Namely, organizations are now required to adhere to the Principles outlined in the framework not only while they claim self-certification but for as long as they hold the personal data of the data subject.[99] While minor changes such as these promote a sense of security, ultimately any compliance regime is only powerful if it is enforced and adhered to. The new recourse and enforcement Principles outlined in Privacy Shield seek to promote adherence to a regulatory regime. For example, organizations will be removed from the program for failing to renew. Furthermore, organizations who violate the Privacy Shield, and their violations, will be publicly posted on the Department of Commerce’s website.[100] Likewise, the Department of Commerce has agreed to conduct periodic audits to ascertain the level of compliance of organizations after they self-certify.[101] Finally, organizations are now required to provide a “cost-free” method, expected to be arbitration, for the data subject to resolve disputes.[102]
Outside of the changes made to the Principles, there appears to be a more concerted effort to increase the transnational dialogue between the Department of Commerce and the European Data Protection Authorities. For example, the new Privacy Shield framework calls for annual joint reviews of the policies and to address national security concerns.[103] Moreover, as one of the major fears mentioned in the Schrems case was the collecting of personal data by the U.S. government for nefarious purposes, the new Privacy Shield provides for clear limitations on the U.S. government.[104] Additionally, the U.S. government asserts they “do not engage in indiscriminate mass surveillance of anyone, including ordinary European citizens.”[105]
However, the effect that these changes will have remains to be seen. While the new Privacy Shield has been announced, it is still a living, changing, and adapting document, as it still must travel through committees before being fully adopted by the European Commission. Therefore, the regulations stated above are subject to change.
Privacy Shield – Criticisms:
The primary purpose of the Privacy Shield is to provide for a stronger and more enforceable regulatory regime. However, at this time, the actual effect the framework will have remains to be seen. Although all of the exact details have not been finalized, as the European Commission has yet to approve the new framework, there already are some voicing their criticisms. One major criticism asserts the new framework is too similar to the older ineffective framework outlined under Safe Harbor.[106] Another major criticism asserts the Privacy Shield, although providing increased mechanisms for enforcement, still does not do enough to ensure a higher rate of compliance.[107] Additionally, some assert the policy still provides avenues for the U.S. government to collect and process the data of Europeans, as Max Schrems feared.[108]
Privacy Shield superficially appears to be eerily similar to the old ineffective Safe Harbor framework. Both frameworks contain seven Principles that either use the exact same terminology or are extremely similar. Both frameworks attempt overly optimistic provisions for what “should” happen but rarely spell out the details of how it will actually happen in practice. As such, both frameworks are too broad to practically be enforced. The purpose of both Safe Harbor and the Privacy Shield is to provide organizations with a simplified means to ensure compliance with Article 25 of the Directive; however, in creating a simplified method, the regulatory framework has virtually nullified the stringent requirements of the Directive and replaced them with optimistic puffery. Therefore, it is clear that more particular and practical guidance on what exactly is required by Privacy Shield is needed to ensure organizations are aware of what is required of them. More particular and clear guidance would ultimately result in higher rates of compliance, as organizations have difficulty complying with broad regulations they do not understand.
This vagueness has allowed many organizations in the U.S. to claim and operate under the protection of Safe Harbor without meeting its requirements. For example, one study found that only three hundred and forty-eight of the one thousand five hundred and ninety-seven, or 21.8%, of organizations claiming adherence to Safe Harbor actually complied with all of its required provisions.[109] Nearly 31% of organizations claiming adherence failed to even properly renew their certification.[110] Furthermore, the study found that 206 organizations claimed, for several years on their websites, to be members of Safe Harbor despite never even self-certifying with the Department of Commerce.[111] Moreover, 209 organizations, or 13%, of organizations who would have otherwise been compliant failed to identify an independent dispute resolution mechanism affordable to their data subjects.[112] Yet, despite clear indication that non-compliance was rampant, the Department of Commerce took no action to enforce compliance. As previously stated, without an actual demonstration of punishment for non-compliance, organizations have no incentive to comply.
Under the new regulatory regime, the Department of Commerce assures the European Union it will enforce the seven Principles and impose harsher ramifications for those who fail to comply.[113] Nevertheless, the Department of Commerce is not itself bound to enforce Privacy Shield. The Department itself will suffer no ramifications for failing to enforce the Privacy Shield. Ultimately, if the Department of Commerce fails to enforce Privacy Shield, it is likely the CJEU will find it invalid for the same reasons as Safe Harbor. This will only affect organizations seeking to more easily comply with the Directive and not the Department itself. Without the threat of ramifications placed upon the Department of Commerce, there is little motivation for it to enforce the Principles of the Privacy Shield, and this will likely lead to the same dismal level of enforcement as under Safe Harbor.
Lastly, Max Schrems feared that his personal data was being transferred to the U.S. through processing by Facebook and that the U.S. government might have access to it. To address this fear, under Privacy Shield, the U.S. government merely states that they “do not engage in indiscriminate mass surveillance of anyone, including ordinary European citizens”.[114] Simply stating that the U.S. government does not actively surveil ordinary Europeans does not mean that the government has not investigated the data of Europeans. This largely depends on the ambiguous definition of “ordinary”. By not providing a distinct operational definition, the U.S. government could still collect and process the data of Europeans they consider “non-ordinary”. Therefore, the new Privacy Shield represents little change from the older Safe Harbor framework and will likely suffer the same problems.
The regulatory requirements outlined under the Safe Harbor
framework were overly broad, ambiguous, and ultimately rarely
enforced by the U.S. Department of Commerce. The new Privacy
Shield framework eerily mirrors the older, ineffective Safe
Harbor framework, save for a few differences regarding
enforcement. While these changes are welcome and may ultimately
help make Privacy Shield a more enforceable regulation, they are
too few and still too broad to bring about the sort of change
the CJEU had in mind when it invalidated the Safe Harbor
framework.
Conclusion:
Around the turn of the twenty-first century, a technological
revolution occurred that would forever change the way humans
connect with one another. Facebook alone is now used by roughly
one fifth of the world’s population.115 Personal data generated
by Internet use is not limited by national boundaries but
travels across nations and continents. The European Union
sought to protect its citizens’ “right to privacy with respect
to the processing of personal data” and to this end created the
Data Protection Directive.116 The Directive created limits on
who could collect and process data.117 These limits were
cumbersome and imposed a heavy burden on organizations outside
of the European Union that collected the personal data of
Europeans. In an effort to simplify regulations and promote
trans-continental commerce, the European Union and the United
States developed the Safe Harbor framework,118 comprised of
seven principles: notice, choice, onward transfer, security,
data integrity, access, and enforcement.119 Nevertheless, only
21.8% of organizations claiming Safe Harbor protection were
fully compliant with the framework.120
Max Schrems, an Austrian law student, followed the guidance of
the Directive and brought complaints against the Irish Data
Protection Authority for failing to investigate whether
Facebook offered an “adequate level of protection” under the
Directive.121 The Irish DPA claimed that, because the
organization had self-certified to Safe Harbor, it was not
required to investigate.122 Ultimately, the Court of Justice of
the European Union held that the Irish DPA, despite Safe
Harbor, was required to investigate the level of protection
actually provided, as the Directive requires.123 Furthermore,
the CJEU held Safe Harbor invalid because it failed to ensure
an adequate level of protection.124
Privacy Shield, a new regulatory regime, was developed to
replace Safe Harbor.125 However, while this new regulation
provides more enforcement mechanisms, it fails to make the
changes needed to ensure a higher rate of compliance.126 To
ensure a higher rate of compliance, the United States
Department of Commerce must be more willing to carry out
enforcement of the regulation. Lastly, new terms that bind the
Department of Commerce as well as the organizations seeking
compliance, and that ensure ramifications for failure on both
sides, may be necessary to achieve a higher rate of compliance.
1. Internet Users (per 100 people), WORLD BANK, http://data.worldbank.org/indicator/IT.NET.USER.P2/countries?display=graph (last visited Apr. 4, 2016).
2. Internet Users (per 100 people) – Income, WORLD BANK, http://data.worldbank.org/indicator/IT.NET.USER.P2/countries/XT-XD-XM?display=graph (last visited Apr. 4, 2016).
3. Internet Users (per 100 people) – United States, WORLD BANK, http://data.worldbank.org/indicator/IT.NET.USER.P2/countries/US?display=graph (last visited Apr. 4, 2016).
4. Internet Users (per 100 people) – European Union, WORLD BANK, http://data.worldbank.org/indicator/IT.NET.USER.P2/countries/EU?display=graph (last visited Apr. 4, 2016).
5. David Brown, 10 Facts About the Internet’s Undersea Cables, MENTALFLOSS.COM, http://mentalfloss.com/article/60150/10-facts-about-internets-undersea-cables (last visited Apr. 4, 2016).
6. Council Directive 95/46, 1995 O.J. (L 281) 31 (EC).
7. Id.
8. Id.
9. Council Directive 95/46, art. 1, 1995 O.J. (L 281) 31 (EC).
10. Council Directive 95/46, art. 2, 1995 O.J. (L 281) 31 (EC).
11. Id.
12. Council Directive 95/46, art. 7, 1995 O.J. (L 281) 31 (EC).
13. Id.
14. Id.
15. Id.
16. Id.
17. Id.
18. Council Directive 95/46, art. 7, 1995 O.J. (L 281) 31 (EC).
19. Council Directive 95/46, art. 8, 1995 O.J. (L 281) 31 (EC).
20. Id.
21. Id.
22. Id.
23. Id.
24. Council Directive 95/46, art. 12, 1995 O.J. (L 281) 31 (EC).
25. Id.
26. Id.
27. Id.
28. Id.
29. Factsheet on the “Right to be Forgotten” Ruling, EUROPA.EU, http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf (last visited Apr. 4, 2016).
30. Id.
31. Council Directive 95/46, 1995 O.J. (L 281) 31 (EC).
32. Council Directive 95/46, art. 25, 1995 O.J. (L 281) 31 (EC).
33. Id.
34. Id.
35. Id.
36. Id.
37. Council Directive 95/46, art. 26, 1995 O.J. (L 281) 31 (EC).
38. Id.
39. Id.
40. Id.
41. Id.
42. Id.
43. U.S. DEPARTMENT OF COMMERCE, THE U.S.-EU SAFE HARBOR GUIDE TO SELF-CERTIFICATION (2013), http://www.export.gov/build/groups/public/@eg_main/@safeharbor/documents/webcontent/eg_main_061613.pdf (last visited Apr. 4, 2016).
44. Id.
45. Issuance of Safe Harbor Principles and Transmission to European Commission, 65 Fed. Reg. 45,666 (July 24, 2000) [hereinafter Safe Harbor].
46. Id. at 45,667-45,668.
47. Commission Decision 2000/520, art. 1, 2000 O.J. (L 215) (EC).
48. Safe Harbor, supra note 45, at 45,668.
49. Safe Harbor, supra note 45, at 45,667.
50. Id.
51. Id.
52. Id.
53. Id.
54. Safe Harbor, supra note 45, at 45,667.
55. Id.
56. Safe Harbor, supra note 45, at 45,668.
57. Id.
58. Id.
59. Id.
60. Id.
61. Id.
62. Safe Harbor, supra note 45, at 45,668.
63. Id.
64. Id.
65. Id.
66. Id.
67. Id.
68. Safe Harbor, supra note 45, at 45,668.
69. Id.
70. Id.
71. Id.
72. Id.
73. Id.
74. Safe Harbor, supra note 45, at 45,668.
75. Id.
76. Id.
77. Safe Harbor, supra note 45, at 45,673.
78. Id.; see also 18 U.S.C. § 1001.
79. In Facebook’s Third Quarter 2015 Earnings they announced they had 1.55 billion Monthly Active Users, or MAUs. See Facebook Reports Third Quarter 2015 Results, FACEBOOK.COM, http://investor.fb.com/releasedetail.cfm?ReleaseID=940609 (last visited Apr. 4, 2016). The global population at the time was roughly 7.3 billion. See Population, WORLD BANK, http://data.worldbank.org/indicator/SP.POP.TOTL/countries?display=graph (last visited Apr. 4, 2016). 1.55 divided by 7.3 is 0.21, or roughly 1/5.
80. See generally DICTIONARY.COM, http://www.dictionary.com/browse/social-network (last visited Apr. 4, 2016).
81. Facebook Reports Fourth Quarter and Full Year 2015 Results, FACEBOOK.COM, http://investor.fb.com/releasedetail.cfm?ReleaseID=952040 (last visited Apr. 4, 2016).
82. Süddeutsche Zeitung, Max Schrems, the Man Who De-Friended Facebook, VOXEUROPE.COM, http://www.voxeurop.eu/en/content/article/1884271-max-schrems-man-who-de-friended-facebook (last visited Apr. 4, 2016).
83. Id.
84. Id.
85. Legal Procedure against “Facebook Ireland Limited”, EUROPE-V-FACEBOOK.COM, http://www.europe-v-facebook.org/EN/Complaints/complaints.html (last visited Apr. 4, 2016).
86. Id.
87. Max Schrems v Irish Data Protection Commissioner (Safe Harbor), EPIC.ORG, https://epic.org/privacy/intl/schrems/ (last visited Apr. 4, 2016).
88. Id.
89. Id.
90. Id.
91. Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 [2015] E.C.R. I ____ (delivered October 6, 2015).
92. Id.
93. Id.
94. Id.
95. European Union – United States Privacy Shield, U.S. DEPT. OF COMM., https://www.commerce.gov/sites/commerce.gov/files/media/files/2016/eu_us_privacy_shield_full_text.pdf.pdf (last visited Apr. 4, 2016) [hereinafter Privacy Shield].
96. Id.
97. Id.
98. Id.
99. Id.
100. Id.
101. Privacy Shield, supra note 95.
102. Id.
103. Id.
104. Id.
105. Id.
106. Gabriel Maldoff, We Read Privacy Shield So You Don’t Have To, IAPP.ORG, https://iapp.org/news/a/we-read-privacy-shield-so-you-dont-have-to/ (last visited Apr. 4, 2016).
107. Id.
108. Damon Beres, New Privacy Deal May Not Actually Stop U.S. Snooping, HUFFINGTONPOST.COM, http://www.huffingtonpost.com/entry/privacy-shield-agreement_us_56b0ffd6e4b0a1b96203edd8.
109. The US Safe Harbor – Fact or Fiction?, GALEXIA, http://www.galexia.com/public/research/assets/safe_harbor_fact_or_fiction_2008/safe_harbor_fact_or_fiction.pdf (last visited Apr. 4, 2016).
110. Id.
111. Id.
112. Id.
113. Privacy Shield, supra note 95.
114. US defends Safe Harbor, says it never uses “indiscriminate surveillance”, ARSTECHNICA.COM, http://arstechnica.com/tech-policy/2015/09/us-desperately-defends-safe-harbour-scheme-says-it-never-uses-indiscriminate-surveillance-on-eu/ (last visited Apr. 4, 2016).
115. Supra note 79.
116. Supra note 9.
117. Id.
118. Safe Harbor, supra note 45.
119. Id.
120. Supra note 109.
121. Max Schrems v. Irish Data Protection Commissioner, supra note 87.
122. Maximillian Schrems v. Data Protection Commissioner, supra note 91.
123. Id.
124. Id.