1. The document discusses the evolution of data privacy regulations between the EU and US from the EU Data Privacy Directive in 1995 to the Safe Harbor Framework in 2000.
2. The EU Data Privacy Directive established regulations around the collection and processing of personal data within the EU. It also sought to limit the transfer of personal data to non-EU countries unless they ensured an "adequate level of protection".
3. In response, the Safe Harbor Framework was adopted in 2000 and established 7 principles (notice, choice, onward transfer, security, data integrity, access, and enforcement) that US companies could follow to be deemed as providing an "adequate level of protection" and be allowed to receive personal data from the
Transatlantic Data Privacy – From Safe Harbor to Privacy Shield
By Daniel Parziale
Introduction:
As a society we are increasingly living out our lives digitally. In 2006, only 17.6% of the global population had accessed the Internet within the past twelve months; however, by 2014 that number had more than doubled to 40.7%.[1] Unsurprisingly, countries that are post-industrial are among those with the highest percentage of Internet users.[2] During the same period, 2006 – 2014, the percentage of Internet users in the United States increased from 68.9% to 87.4%.[3] Similarly, across the Atlantic, the percentage of Internet users in the European Union (“EU”) increased from 54.5% to 78.1%.[4] In order to accommodate this increasingly insatiable demand for Internet access, there are currently 285 cables spanning the Atlantic and connecting the United States and the EU.[5] The information and data that crosses these cables has brought western culture closer together by allowing instantaneous communication and a large trans-national dialogue. On the other hand, this same instantaneous communication creates a liability for companies who must submit to various legal and regulatory compliance measures when processing personal data.
The European Union’s Data Privacy Directive:
Near the turn of the millennium, many member states of the EU became aware of the increasing amount of user-generated data being transferred over the Internet. This data was eventually stored on commercial servers. While several member nation states had their own national frameworks for protecting personal data, the growing economic relationship of the European Union necessitated that a Union-wide regulatory framework be used.[6] Therefore, in an effort to protect the privacy of its citizens, the EU adopted the "European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data" (“Directive”) in 1995.[7] Becoming effective in 1998, this regulation sought to “protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data”.[8]
While the overall objective of the Directive appears facially clear and appealing to most, further definitions are necessary to ultimately determine what the EU set out to achieve with the Directive. To this end, the Directive set forth some definitions to establish the scope of the regulatory framework. First, the Directive defines personal data as “any information relating to an identified or identifiable natural person”.[9] Next, it broadly defines personal data processing as “any operation or set of operations which is performed upon personal data”.[10] Lastly, the Directive defines the “controllers”, otherwise known as Data Protection Authorities (“DPA”), as a “public authority, agency or any other body which… determines the purposes and means of the processing of personal data”.[11] Thereafter, the Directive focuses on certain cases when personal data may and may not be processed for legitimate purposes under Article 7.
Article 7 of the Directive establishes a series of six principles enumerating where and how the processing of personal data may be legitimized.[12] First, personal data may be legitimately processed if the “data subject has unambiguously given [their] consent”.[13] Second, personal data may be legitimately processed if it is in connection with a contract the data subject is a party to.[14] Third, the personal data may be legitimately processed if “processing is necessary for compliance with a legal obligation to which the controller is subject”.[15] Fourth, personal data may be legitimately processed if “processing is necessary in order to protect the vital interests of the data subject”.[16] Fifth, personal data may be legitimately processed if processing is necessary to carry out a task in the public interest or in an “exercise of official authority vested in the controller”.[17] Lastly, personal data may be legitimately processed where “processing is necessary for the purposes of the legitimate interests pursued by the controller” but only “where such interests are overridden by the interests for fundamental rights and freedoms of the data subject”.[18] While there are principles in place to provide for when personal data may be legitimately processed, the framers of the Directive were also concerned with prohibiting certain types of personal data from ever being collected and processed.
Article 8 of the Directive establishes limits on what types of personal data may be collected.[19] For seemingly obvious reasons, the Directive prohibits the collection of personal data where such data is related to the individual’s “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life” as this data could be used for discriminatory purposes.[20] This personal data is known as “sensitive” personal data.[21] In contrast, the Directive does provide that collection and processing of these aforementioned specific types of personal data may be legitimized if certain criteria are met.[22] For example, if the data subject gives their consent or if the processing is done for the purpose of medical or criminal records.[23]
With copious amounts of personal data being collected and processed, the EU desired to provide access to personal data stored and processed by the organization to the data subject. Article 12 of the Directive, further broken down into three provisions, provides data subjects access to their processed personal data.[24] First, Article 12 provides that a data subject has the right to confirmation, in an intelligible form, of what personal data is being processed and for what purpose.[25] Second, Article 12 provides the data subject with the ability to have certain personal data removed, or corrected, for processing.[26] More specifically, Article 12 provides a data subject the ability to ensure “erasure or blocking of data the processing of which does not comply with the provisions of the Directive”.[27] Third, and closely related, Article 12 provides a data subject with the right to notify third parties “of any rectification, erasure or blocking carried out in compliance with” the second provision.[28] The second and third provisions collectively came to be known as the European Union’s “Right to be Forgotten”.[29] The importance of Article 12 of the Directive cannot be overstated as it highlights the EU’s strong commitment to an individual’s right to protect the use of their personal data by enabling a data subject a way to remove, or correct, their data being processed.[30]
The EU’s Data Protection Directive was enacted to protect individual freedoms by limiting the collection and processing of personal data. The Directive established what data may be collected and what data was prohibited. Furthermore, the Directive established how collected personal data may be legitimately used. Lastly, the Directive provided individual data subjects the right to change their personal data being processed or to remove it from processing entirely. Nevertheless, one major regulatory issue remains. What happens to personal data that is processed outside of the jurisdiction of the European Union?
Personal Data Processing Across Borders:
The Internet, like corporations, is not limited by national borders. Instead it facilitates trade and communication across nations and continents. As a result, some of the personal data of citizens in the EU may be processed by some organizations outside of the EU. Although the Internet had not yet made the world as readily accessible, the framers of the Directive planned for this eventuality in Chapter IV of the Directive, Articles 25 and 26.[31]
Article 25 of the Directive outlines the principles for transferring personal data to third countries.[32] For the purposes of the Directive, the term “third country” refers to a country that is not a member of the E.U. and in which the data subject is not located.[33] Under Article 25, the Directive states that personal data must not be transferred to third countries for processing unless the third country can ensure “an adequate level of protection”.[34] While “an adequate level of protection” is already a somewhat nebulous term, the Directive expounds upon the concept, noting that the level of protection “shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations”.[35] Considerations for assessing the level of protection include: the nature of the data, its purpose, the duration it is being processed in the third country, and the strength of the data protection regulations in the third country.[36] Overcoming the adequacy requirement of Article 25 is paramount to any organization seeking to transfer and process personal data outside of the E.U.
Article 26 provides the opportunity to have data processed without the protections set forth in Article 25 so long as seven other criteria are met.[37] First, free flow of personal data to a third country is justified if “the unambiguous consent of the data subject to the export of the data is given”.[38] Second, the free flow of personal data to a third country may be justified if the data subject “enters – or prepares to enter – into a contractual relationship which clearly requires that the data be transferred to a recipient abroad”.[39] Third, free flow of personal data to a third country may be justified if a contract between the data controller and a third party was made with consideration for the data subject’s interests.[40] Fourth, free flow of personal data to a third country may be justified if the “transfer is necessary in order to protect the vital interests of the data subject”.[41] Finally, free flow of personal data to a third country may be justified if the transfer of personal data is from governmental public registers.[42] These criteria allow for the transmission of personal data to a third country where not provided for by domestic law, i.e. law of an individual EU member state, and where the third country does not “ensure an adequate level of protection” within the meaning of Article 25.
European Union – United States Safe Harbor Framework:
The regulatory regime established in Articles 25 and 26 of the Directive provides for the limited transmission of personal data. However, the inherent limitations ultimately proved overly burdensome when attempting to facilitate trade and commerce between the European Union and the United States (“U.S.”). The regulatory regime in the U.S. is comparatively a “sector[ial] approach that relies on a mix of legislation, regulation, and self-regulation”.[43] This contrast in regulatory regimes ultimately caused many organizations in the U.S. to express concern over the indeterminate impact of the Directive’s “adequacy standard”.[44] Therefore, on July 26, 2000 the European Commission adopted the “Safe Harbor Decision”.[45] The Safe Harbor decision recognized seven Safe Harbor Principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.[46] Compliance with these seven Principles, in conjunction with adherence to regulations set forth in the U.S. Department of Commerce’s answers to some frequently asked questions, enables an organization within the U.S. to self-certify and establish an “adequate level of protection” sufficient to be compliant under Article 25 of the Directive.[47] Only certain types of organizations in the U.S. may file for self-certification; namely, those under the jurisdiction of the Federal Trade Commission or airlines under the jurisdiction of the Department of Transportation.[48]
The first Principle of the Safe Harbor framework is notice.[49] Organizations in the U.S. are required to provide notice to data subjects about the organization’s purpose for collecting and processing their personal data.[50] Furthermore, organizations are required to provide contact information where a data subject may lodge inquiries or complaints regarding how their personal data is being processed.[51] Moreover, organizations are required to provide which third parties received any of the data subject’s personal information.[52] Lastly, organizations in the U.S. are required to provide choices and means for data subjects to limit the use and disclosure of their personal data.[53] All of these notice requirements must be provided in clear, unambiguous, and conspicuous language easily accessible to the data subject.
The second Principle of the Safe Harbor framework is choice.[54] Organizations seeking to self-certify to Safe Harbor must provide a choice to data subjects enabling them to opt out of the sharing of their personal data, of its transfer to a third party, or of its processing for a purpose other than its originally stated purpose.[55] Correspondingly, organizations must provide an affirmative opt-in method for transmitting or processing “sensitive” personal data to a third party for purposes other than originally stated.[56] Simply stated, if organizations in the U.S. wish to avail themselves of the “adequate level of protection” standard provided for under the Safe Harbor framework, they must provide a choice to the data subject regarding which parts of their personal data can be processed and which third parties should have access.
The third Principle of the Safe Harbor framework is onward
transfer.57
Organizations in the U.S. seeking to self-certify to
Safe Harbor must commit to investigate the third parties with
whom they share the data subject’s personal data.58
As part of
this investigation, organizations are first required to
determine whether the third party itself has self-certified and
is protected under Safe Harbor.59
In addition, the organization
should investigate whether the third party has been found to
have an “adequate level of protection” under the Directive in
an adequacy finding provided for in Articles 25 and 26.60
Finally,
if neither of the aforementioned provides protection, the
organization may enter an agreement with the third party
requiring them to “provide at least the same level of privacy
protection as is required by the relevant [p]rinciples”
effectively encouraging them to simply follow the established
Safe Harbor framework.61
If an organization complies with all of
the aforementioned regulation regarding onward transfer of
personal data, they limit their liability with respect to
subsequent infractions of the third party.62
The fourth Principle of the Safe Harbor framework is security.63
Simply stated, in order to be in compliance with Safe Harbor an
organization seeking self-certification must “take reasonable
precautions to protect” the data subject’s personal data from
“loss, misuse, unauthorized access, disclosure, alteration, or
destruction”.64
Effectively, the organization has a duty to
protect the personal data of the data subject. Falling below the
standard of care of that duty can create liabilities.
The fifth Principle of the Safe Harbor framework is data
integrity.65
Organizations seeking to self-certify under Safe
Harbor must ensure that the personal data being processed is
“relevant for the purposes for which it is to be used”.66
Organizations are prohibited from processing personal data for a
purpose other than originally stated or subsequently authorized
by the data subject.67
Moreover, the organization should make an
effort to “ensure that data is reliable for its intended use,
accurate, complete, and current”.68
This data integrity Principle
clearly mirrors the second provision outlined in Article 12 of
the Directive that ensures the accuracy and completeness of
personal data being processed by organizations within the E.U.
The sixth Principle of the Safe Harbor framework is access.69
Under the Principle of access, and closely related to the
Principle of data integrity, organizations seeking to self-
certify to Safe Harbor are required to provide access to the
personal data of a given data subject so that the data subject
may remove and correct inaccurate data.70
This requirement can be
helpful in situations that would be overly burdensome for the
organization especially when compared with the risk to the data
subject’s personal data and the personal data of other
individuals.71
Therefore, it is apparent that the Principle of
data integrity clearly resembles and mirrors Article 12 of the
Directive in providing for a mechanism for data subjects to
remove or correct inaccurate data.
The seventh, and perhaps most important, Principle of the Safe
Harbor framework is enforcement.72
Any regulation is only as
strong as it is enforced. The Safe Harbor framework dictates
that “protection must include mechanisms for assuring compliance
with the [p]rinciples” and that there will be “consequences for
the organization when the [p]rinciples are not followed”.73
The
first mechanism for assuring compliance requires a readily
available independent method providing recourse to each
individual complaint and dispute so that it is truly
investigated.74
The second mechanism for assuring compliance
requires verification of the assertions organizations make about their privacy
practices and compliance with the Safe Harbor Principles.75
The
third mechanism for assuring compliance is the requirement of
imposed fines and sanctions for those that violate Safe Harbor.76
These enforcement mechanisms heavily rely on the Federal Trade
Commission and the Department of Commerce for enforcement to
collect and investigate any assertions that an organization is
failing to meet the requirements outlined in the Safe Harbor
Principles.77
If it is determined by the Department of Commerce
that an organization is not living up to the requirements
outlined under the Safe Harbor Principles they no longer receive
the benefit of being protected from Article 25 liability of the
Directive and may additionally be liable under the False
Statements Act.78
The Safe Harbor Principles were developed in 2000 by both the
European Commission and the U.S. Department of Commerce to
ensure an easy path to compliance with Article 25 of the
Directive’s “adequate level of protection” standard. Safe Harbor
required organizations in the U.S. to comply with seven outlined
Principles: notice, choice, onward transfer, security, data
integrity, access, and enforcement. These seven Principles were
designed to provide an adequate level of protection and ensure
that violators would be punished. However, the efficacy of the
program remains elusive and unclear.
Max Schrems v Irish Data Protection Commissioner:
Currently the famed social network, Facebook, has nearly one and
a half billion monthly active users. Nearly one fifth of the
entire global population uses the social network in a given
month.79
An inherent operation of a social network is collecting
and processing the personal data of users.80
This data is used
for a variety of purposes from connecting one with his or her
friends online to providing a custom and tailored advertisement.
Ultimately this process of collecting and using personal data
has led Facebook to record profits - a total of $3.69 billion
for fiscal year 2015.81
In 2011, a then twenty-four-year-old Austrian law student Max
Schrems became intently curious about how much of his personal
data was being stored and processed by Facebook.82
He followed the
regulations regarding access to personal data outlined in the
Directive under Article 12. Over the course of six weeks and
twenty-three emails with a subsidiary of Facebook located in
Ireland, the company sent Schrems a 1222 page document of all of
the personal data it had collected and processed on him.83
This personal data included every post he had made to the social
network, some of which he thought were deleted, a very personal
conversation with a friend in a troubled state of mind, and
geolocation data that Schrems did not remember submitting to the
site.84
Schrems then became panicked by the overwhelming amount
of personal data Facebook had collected on him.
Over time Schrems’ sense of panic turned to anger and he began
to think about what recourse he had. In August 2011, he brought
22 complaints against the Irish Data Protection Commissioner,
the local Data Protection Authority (“DPA”) in Ireland, whose
responsibility it was under the Directive to protect his data.85
In separating these problems into 22 smaller issues, Schrems
believed he would have a better opportunity at effecting real
change in this area.86
In 2013, in response to issues raised by
the actions of Edward Snowden and respective surveillance
actions of the U.S., Schrems filed a twenty-third complaint with
the Irish Data Protection Commission alleging the laws and
practices of the U.S. did not meet the privacy requirements
outlined in the Directive.87
Schrems asserted that the Commission
failed to meet their duty in assessing whether Facebook met an
“adequate level of protection” under Article 25.88
The Commission
rejected this complaint, maintaining the already established
Safe Harbor framework agreed to by the E.U. meant that a smaller
member state Data Protection Authority did not have the
responsibility of investigating the level of protection if the
organization met with the requirements of Safe Harbor.89
Schrems
appealed the ruling to the Court of Justice of the E.U.90
The Court of Justice of the European Union, (“CJEU”), sought to
determine whether a member state’s DPA could conduct their own
investigation into Article 25’s “adequate level of protection”
requirement in a third country or whether they are bound by the
pre-existing decision of the European Commission.91
Principally, the question was
whether the Irish Data Protection Commission could investigate
the level of protection offered by Facebook even though they had
previously self-certified and were thus compliant under the Safe
Harbor Principles.92
Ultimately, the CJEU held that “the
[European] Commission did not have competence to restrict the
national supervisory authorities’ powers”93
and therefore the
Irish Data Protection Commission was not limited by Safe Harbor
and did have the power to investigate whether Facebook complied
with the “adequate level of protection” outlined in Article 25.
Furthermore, the CJEU held the Safe Harbor Scheme invalid as it did
not provide an adequate level of protection required under the
Directive.94
Privacy Shield:
In the wake of the CJEU’s decision there were many questions
about how collecting data on European data subjects and
processing that information in the U.S. would continue. Many
feared this would mean every organization in the U.S. that
collected and processed data of Europeans would need to be in
full compliance with the requirements outlined in the Directive,
or otherwise provided for under Article 26. However, soon a new
framework developed to fill the gap left by Safe Harbor.
The Privacy Shield framework was developed in February 2016 to
fill the gap and again provide an easy method for organizations
in the U.S. to meet the adequacy requirement outlined under
Article 25.95
The purpose of the Privacy Shield framework was to
provide for “strong[er] obligations on companies” and more
“robust enforcement” than previously provided for under Safe
Harbor.96
That being said, the Privacy Shield framework is eerily
similar to the Safe Harbor framework. For example, the Privacy
Shield framework consists of seven Principles. Furthermore,
these Principles: notice, choice, accountability for onward
transfer, security, data integrity and purpose limitation,
access, and recourse and enforcement, clearly mirror or are
exactly the same as the seven Principles provided for under the
Safe Harbor framework.97
Nevertheless, there are still some
differences where the new regulation may ultimately prove to be
more protective.
Some of the first evidence for a stronger and more robust
enforcement under Privacy Shield appears as changes made to the
Principle of data integrity.98
Namely, organizations are now
required to adhere to the Principles outlined in the
framework not only while they claim self-certification but for as long
as they hold the personal data of the data subject.99
While minor
changes such as these promote a sense of security, ultimately
any compliance regime is only powerful if it is enforced and
adhered to. The new recourse and enforcement Principles outlined
in Privacy Shield seek to promote adherence to a regulatory
regime. For example, organizations will be removed from the
program for failing to renew. Furthermore, organizations who
violate the Privacy Shield, and their violations, will be
publicly posted on the Department of Commerce’s website.100
Likewise, the Department of Commerce has agreed to conduct
periodic audits to ascertain the level of compliance of
organizations after they self-certify.101
Finally, organizations
are now required to provide a “cost-free” method, expected to
be arbitration, to the data subject for resolving disputes.102
Outside of the changes made to the Principles, there appears to
be a more concerted effort made to increase a transnational
dialogue between the Department of Commerce and the European
Data Protection Authorities. For example, the new Privacy Shield
framework calls for annual joint reviews of the policies and to
address national security concerns.103
Moreover, as one of the
major fears mentioned in the Schrems case was the collecting of
personal data by the U.S. government for nefarious purposes, the
new Privacy Shield provides for clear limitations for the U.S.
government.104
Additionally, the U.S. government asserts they “do
not engage in indiscriminate mass surveillance of anyone,
including ordinary European citizens.”105
However, the effect that these changes will have remains to be
seen. While the new Privacy Shield has been announced, it is
still a living, changing, and adapting document as it still must
travel through committees before being fully adopted by the
European Commission. Therefore, the regulations stated above are
subject to change.
Privacy Shield – Criticisms:
The primary purpose of the Privacy Shield is to provide for a
stronger and more enforceable regulatory regime. However, at
this time, the actual effect the framework will have remains to
be seen. Although all of the exact details have not been
finalized, as the European Commission has yet to approve the new
framework, there already are some voicing their criticisms. One
major criticism asserts the new framework is too similar to the
older ineffective framework outlined under Safe Harbor.106
Another major criticism asserts the Privacy Shield, although
providing for increased mechanisms for enforcement, still does
not do enough to ensure a higher rate of compliance.107
Additionally, some assert the policy still provides avenues for
the U.S. government to collect and process the data of Europeans
as Max Schrems feared.108
Privacy Shield superficially appears to be eerily similar to the
old ineffective Safe Harbor framework. Both frameworks contain
seven Principles that either use the exact same terminology or
are extremely similar. Both frameworks attempt overly optimistic
provisions for what “should” happen but rarely spell out the
details of how it will actually happen in practice. As such,
both frameworks are too broad to practically be enforced. The
purpose of both Safe Harbor and the Privacy Shield is to provide
organizations with a simplified means to ensure compliance with
Article 25 of the Directive; however, in creating a simplified
method, the regulatory framework has virtually nullified the
stringent requirements of the Directive and replaced them with
optimistic puffery. Therefore, it is clear that more particular
and practical guidance on what exactly is required by Privacy
Shield is needed to ensure organizations are aware of what is
required of them. More particular and clear guidance would
ultimately result in higher rates of compliance as organizations
have difficulty complying with broad regulations they do not
understand.
This vagueness has allowed many organizations in the U.S. to
claim and operate under the protection of Safe Harbor without
meeting its requirements. For example, one study conducted found
only three hundred and forty-eight of the one thousand five
hundred and ninety-seven, or 21.8%, of organizations claiming
adherence to Safe Harbor actually complied with all of its
required provisions.109
Nearly 31% of organizations claiming
adherence failed to even properly renew their certification.110
Furthermore, the study found that 206 organizations claimed, for
several years on their websites, to be members of Safe Harbor
despite never even self-certifying with the Department of
Commerce.111
Moreover, 209 organizations, or 13%, of
organizations who would have otherwise been compliant failed to
identify an independent dispute resolution affordable to their
data subjects.112
Therefore, despite clear indication that non-
compliance was rampant, the Department of Commerce took no
actions to enforce compliance. As previously stated, without an
actual demonstration of enforcing punishment for non-compliance,
organizations have no incentive to comply.
Under the new regulatory regime, the Department of Commerce
assures the European Union it will enforce seven Principles and
impose harsher ramifications for those who fail to comply.113
Nevertheless, the Department of Commerce is not itself bound
to enforce Privacy Shield. The Department itself will suffer
no ramifications for failing to enforce the Privacy Shield.
Ultimately, if the Department of Commerce fails to enforce
Privacy Shield, it is likely the CJEU will find it invalid for
the same reasons as Safe Harbor. This will only affect
organizations seeking to more easily comply with the Directive
and not the Department itself. Without the threat of
ramifications placed upon the Department of Commerce, there is
little motivation for them to enforce the Principles of the
Privacy Shield and it will likely lead to the same dismal level
of enforcement as under Safe Harbor.
Lastly, Max Schrems feared that his personal data was being
transferred to the U.S. through processing by Facebook and that
the U.S. government might have access to it. To address this
fear, under Privacy Shield, the U.S. government merely states
that they “do not engage in indiscriminate mass surveillance of
anyone, including ordinary European citizens”.114
Simply stating
that the U.S. government does not actively surveil ordinary
Europeans does not mean that the government has not investigated
the data of Europeans. This largely depends on the ambiguous
definition of “ordinary”. By not providing a distinct
operational definition, the U.S. government could still collect
and process the data of Europeans they consider “non-ordinary”.
Therefore, the new Privacy Shield represents little change from
the older Safe Harbor framework and will likely suffer the same
problems.
The regulatory requirements outlined under the Safe Harbor
framework were overly broad, ambiguous, and ultimately rarely
enforced by the U.S. Department of Commerce. The new Privacy
Shield framework eerily mirrors the older ineffective Safe
Harbor framework, save for a few differences regarding
enforcement. While these changes are welcome and may ultimately
help make Privacy Shield a more enforceable regulation, they are
too little and still too broad to likely make the sort of change
the CJEU had in mind when they invalidated the Safe Harbor
framework.
Conclusion:
Around the turn of the last century, a technological revolution
was occurring that would forever change the way humans connect
with one another. The Internet is used by nearly one fifth of
the world’s population.115
Personal data generated by Internet
use is not limited by national boundaries but travels across
nations and continents. The European Union sought to protect its
citizens’ “right to privacy with respect to the processing of
personal data” and to this end created the Data Protection
Directive.116
The Directive created limits on who could collect
and process data.117
These limits were cumbersome and imposed a
heavy burden on organizations outside of the European Union who
collected personal data on Europeans. In an effort to
simplify regulations, and promote trans-continental commerce,
the European Union and the United States developed the Safe
Harbor framework.118
The framework comprised seven principles: notice,
choice, onward transfer, security, data integrity, access, and
enforcement.119
Nevertheless, only 21.8% of organizations
claiming Safe Harbor Protection were fully compliant with the
framework.120
Max Schrems, an Austrian law student, followed guidance under
the Directive and brought complaints against the Irish Data
Protection Authority for failing to investigate whether Facebook
offered an “adequate level of security” under the Directive.121
The Irish DPA claimed that, because the organization self-certified
to Safe Harbor, it was not required to investigate.122
Ultimately, the Court of Justice of the European Union held that
the Irish DPA, despite Safe Harbor, was required to investigate
the level of security as provided under the Directive.123
Furthermore, the CJEU held Safe Harbor invalid as it failed to
provide an adequate level of security.124
A new regulatory regime, Privacy Shield, was developed to replace
Safe Harbor.125
However, while this new regulation provides
for more enforcement mechanisms it fails to make the necessary
changes that are needed to ensure a higher rate of compliance.126
In order to ensure a higher rate of compliance, the United
States Department of Commerce must be more willing to carry out
enforcement of the regulation. Lastly, new terms further binding
and ensuring ramifications for failure on both the Department of
Commerce and organizations seeking compliance may be necessary
in order to ensure a higher rate of compliance.
1
Internet Users (per 100 people), WORLD BANK,
http://data.worldbank.org/indicator/IT.NET.USER.P2/countries?dip
play=graph (last visited Apr. 4, 2016).
2
Internet Users (per 100 people) - Income, WORLD BANK,
http://data.worldbank.org/indicator/IT.NET.USER.P2/countries/XT-
XD-XM?display=graph (last visited Apr. 4, 2016).
3
Internet Users (per 100 people) – United States, WORLD BANK,
http://data.worldbank.org/indicator/IT.NET.USER.P2/countries/US?
display=graph (last visited Apr. 4, 2016).
4
Internet Users (per 100 people) – European Union, WORLD BANK,
http://data.worldbank.org/indicator/IT.NET.USER.P2/countries/EU?
display=graph (last visited Apr. 4, 2016).
5
David Brown, 10 Facts About the Internet’s Undersea Cables,
MENTALFLOSS.COM, http://mentalfloss.com/article/60150/10-facts-
about-internets-undersea-cables (last visited Apr. 4, 2016).
6
Council Directive 95/46, 1995 O.J. (L 281) 31 (EC).
7
Id.
8
Id.
9
Council Directive 95/46, art. 1, 1995 O.J. (L 281) 31 (EC).
10
Council Directive 95/46, art. 2, 1995 O.J. (L 281) 31 (EC).
11
Id.
12
Council Directive 95/46, art. 7, 1995 O.J. (L 281) 31 (EC).
13
Id.
14
Id.
15
Id.
16
Id.
17
Id.
18
Council Directive 95/46, art. 7, 1995 O.J. (L 281) 31 (EC).
19
Council Directive 95/46, art. 8, 1995 O.J. (L 281) 31 (EC).
20
Id.
21
Id.
22
Id.
23
Id.
24
Council Directive 95/46, art. 12, 1995 O.J. (L 281) 31 (EC).
25
Id.
26
Id.
27
Id.
28
Id.
29
Factsheet on the “Right to be Forgotten” Ruling, EUROPA.EU,
http://ec.europa.eu/justice/data-
protection/files/factsheets/factsheet_data_protection_en.pdf
(last visited Apr. 4, 2016).
30
Id.
31
Council Directive 95/46, 1995 O.J. (L 281) 31 (EC).
32
Council Directive 95/46, art. 25, 1995 O.J. (L 281) 31 (EC).
33
Id.
34
Id.
35
Id.
36
Id.
37
Council Directive 95/46, art. 26, 1995 O.J. (L 281) 31 (EC).
38
Id.
39
Id.
40
Id.
41
Id.
42
Id.
43
U.S. DEPARTMENT OF COMMERCE, THE U.S.-EU SAFE HARBOR GUIDE TO SELF-
CERTIFICATION (2013),
http://www.export.gov/build/groups/public/@eg_main/@safeharbor/d
ocuments/webcontent/eg_main_061613.pdf (last visited Apr. 4,
2016).
44
Id.
45
Issuance of Safe Harbor Principles and Transmission to
European Commission, 65 Fed. Reg. 45,666 (July 24, 2003).
[hereafter Safe Harbor]
46
Id. at 45,667-45,668.
47
Commission Decision 2000/520, art. 1, 2000 O.J. (L 215) (EC).
48
Safe Harbor, supra note 45 at 45,668.
49
Safe Harbor, supra note 45 at 45,667.
50
Id.
51
Id.
52
Id.
53
Id.
54
Safe Harbor, supra note 45 at 45,667.
55
Id.
56
Safe Harbor, supra note 45 at 45,668.
57
Id.
58
Id.
59
Id.
60
Id.
61
Id.
62
Safe Harbor, supra note 45 at 45,668.
63
Id.
64
Id.
65
Id.
66
Id.
67
Id.
68
Safe Harbor, supra note 45 at 45,668.
69
Id.
70
Id.
71
Id.
72
Id.
73
Id.
74
Safe Harbor, supra note 45 at 45,668.
75
Id.
76
Id.
77
Safe Harbor, supra note 45 at 45,673.
78
Id.; see also 18 U.S.C. § 1001.
79
In Facebook’s Third Quarter 2015 Earnings they announced they
had 1.55 billion Monthly Active Users, or MAUs. See Facebook
Reports Third Quarter 2015 Results, FACEBOOK.COM,
http://investor.fb.com/releasedetail.cfm?ReleaseID=940609 (last
visited Apr. 4, 2016). The global population at the time was
roughly 7.3 billion. See Population, WORLD BANK,
http://data.worldbank.org/indicator/SP.POP.TOTL/countries?displa
y=graph (last visited Apr. 4, 2016). 1.55 divided by 7.3 is 0.21
or roughly 1/5.
80
See generally DICTIONARY.COM,
http://www.dictionary.com/browse/social-network (last visited
Apr. 4, 2016).
81
Facebook Reports Fourth Quarter and Full Year 2015 Results,
FACEBOOK.COM,
http://investor.fb.com/releasedetail.cfm?ReleaseID=952040 (last
visited Apr. 4, 2016).
82
Suddeutsche Zeitung, Max Schrems, the Man Who De-Friended
Facebook, VOXEUROPE.COM,
http://www.voxeurop.eu/en/content/article/1884271-max-schrems-
man-who-de-friended-facebook (last visited Apr. 4, 2016).
83
Id.
84
Id.
85
Legal Procedure against “Facebook Ireland Limited”, EUROPE-V-
FACEBOOK.COM, http://www.europe-v-
facebook.org/EN/Complaints/complaints.html (last visited Apr. 4,
2016).
86
Id.
87
Max Schrems v Irish Data Protection Commissioner (Safe
Harbor), EPIC.ORG https://epic.org/privacy/intl/schrems/ (last
visited Apr. 4, 2016).
88
Id.
89
Id.
90
Id.
91
Maximillian Schrems v. Data Protection Commissioner, Case C-
362/14 [2015] E.C.R. I ____ (delivered October 6, 2015)
92
Id.
93
Id.
94
Id.
95
European Union – United States Privacy Shield, U.S. DEPT. OF
COMM.,
https://www.commerce.gov/sites/commerce.gov/files/media/files/20
16/eu_us_privacy_shield_full_text.pdf.pdf (last visited Apr. 4,
2016). [hereafter Privacy Shield]
96
Id.
97
Id.
98
Id.
99
Id.
100
Id.
101
European Union – United States Privacy Shield, U.S. DEPT. OF
COMM.,
https://www.commerce.gov/sites/commerce.gov/files/media/files/20
16/eu_us_privacy_shield_full_text.pdf.pdf (last visited Apr. 4,
2016).
102
Id.
103
Id.
104
Id.
105
Id.
106
Gabriel Maldoff, We Read Privacy Shield So You Don’t Have To,
IAPP.ORG, https://iapp.org/news/a/we-read-privacy-shield-so-you-
dont-have-to/ (last visited Apr. 4, 2016).
107
Id.
108
Damon Beres, New Privacy Deal May Not Actually Stop U.S.
Snooping, HUFFINGTONPOST.COM,
http://www.huffingtonpost.com/entry/privacy-shield-
agreement_us_56b0ffd6e4b0a1b96203edd8
109
The US Safe Harbor – Fact or Fiction?, GALEXIA,
http://www.galexia.com/public/research/assets/safe_harbor_fact_o
r_fiction_2008/safe_harbor_fact_or_fiction.pdf (last visited
Apr. 4, 2016).
110
Id.
111
Id.
112
Id.
113
Privacy Shield, supra note 95.
114
US defends Safe Harbor, says it never uses “indiscriminate
surveillance”, ARSTECHNICA.COM, http://arstechnica.com/tech-
policy/2015/09/us-desperately-defends-safe-harbour-scheme-says-
it-never-uses-indiscriminate-surveillance-on-eu/ (last visited
Apr. 4, 2016).
115
Supra note 79.
116
Supra note 9.
117
Id.
118
Safe Harbor, supra note 45.
119
Id.
120
Supra note 109.
121
Max Schrems v. Irish Data Protection Commission, supra note
87.
122
Maximillian Schrems v. Data Protection Commissioner, supra
note 91.
123
Id.
124
Id.