[Digest Note] The Court of Justice of the European Union Finds the Harbor No Longer Safe
By Ann Kristin Glenster - Edited by David Nathaniel Tan
Introduction
On October 6, 2015, the Court of Justice of the European Union (“CJEU”) delivered another landmark ruling concerning the handling of personal data by U.S. companies in Europe.[1] Responding to a request from the Irish High Court,[2] the CJEU held that the Safe Harbor Agreement (the “Agreement”), under which companies like Facebook were able to legally transmit personal data from their European subscribers to the U.S., was invalid. This article gives a brief overview of the Agreement and the case, and explores some of the salient issues at which the European Court took umbrage. Finally, it attempts to sketch out some possible consequences of the ruling, and the options that now face E.U. and U.S. legislators.
According to the CJEU, the Safe Harbor Principles did not provide adequate safeguards as required by the Data Protection Directive (95/46/EC) (the “Directive”). The decision has led to a flurry of activity on both shores of the Atlantic. On November 3, barely a month after the judgment was announced, it was the hot topic of debate at a joint hearing of the House Subcommittees on Communications and Technology and on Commerce, Manufacturing and Trade. Microsoft, Apple and Oracle, among others, urged U.S. legislators to take swift action as “trillions of dollars in global GDP were at stake.”[3]
The CJEU decision has left U.S. companies in a quandary as to how they may demonstrate their compliance with European law in handling foreign customer data, as they wait for rescue by Safe Harbor 2.0.[4] But so far, signals are weak that a new Safe Harbor Agreement can provide the much sought-after shelter for personal data making the journey across the Atlantic.
The Safe Harbor Agreement
The Safe Harbor Agreement was issued as a Commission Decision by the European Commission in order to facilitate the cross-border flow of personal data from the European Union to the United States. In the words of the European Commission: “transfers of personal data are an important and necessary element of the transatlantic relationship. They form an integral part of commercial exchanges across the Atlantic including for new growing digital businesses, such as social media or cloud computing, with large amounts of data going from the European Union to the United States.”[5] In order to benefit from the scheme, a U.S. company planning to transfer personal data from the E.U. to the U.S. had to self-certify with the U.S. Department of Commerce that it would protect that data in accordance with the standards of the Agreement. This mattered because the Directive (Recital 57 and Article 25) prohibits the transfer of personal data to a third country, i.e. a non-E.U. jurisdiction, unless that country ensures an adequate level of protection or the transfer falls within one of the derogations in Article 26. The Safe Harbor Agreement was designed to enable the cross-border transfer of personal data by meeting the adequacy requirement of Article 25.
The Case
Greatly simplified, the constitutional architecture of the European Union is founded on the E.U. Treaties,[6] followed by regulations and directives; the latter must be transposed into national law, usually by a domestic statute, in order to take effect in the Member States. National courts decide actual cases, but may refer questions pertaining to the interpretation of E.U. law in a specific instance to the CJEU. The CJEU issues judgments on how the law should be applied, although it is for the national court to decide the individual case.
The locus of European data protection is the Directive,[7] effectuated through separate domestic laws enacted by the Member States, and overseen by national Data Protection Authorities. In June 2013, the Austrian national Max Schrems submitted a complaint to the Irish Data Protection Commissioner against Facebook, alleging that the social media platform illegally passed European personal data to U.S. intelligence authorities as part of the PRISM program.[8] Schrems’ case was filed with the Irish Data Protection Commissioner because Facebook’s European presence is established in Ireland.[9] As CNN has reported, several U.S. companies have chosen to incorporate in Ireland because of its business-friendly tax regime.[10] Ireland is also known for its comparatively relaxed implementation of the Directive, imposing less stringent conditions on U.S. companies such as Facebook.[11] Schrems and his activist group Europe v. Facebook have previously launched campaigns against the Irish Data Protection Commissioner for his failure to exercise robust oversight of Facebook’s transatlantic operations.[12] However, the Commissioner held that he was under no duty to investigate Facebook Ireland, as the company had voluntarily self-certified as compliant with European law under the Safe Harbor Agreement.
Schrems filed for judicial review of the Data Protection Commissioner’s decision with the Irish High Court.[13] It should be emphasized that although the Irish High Court found it likely that Facebook was making European personal data available to the U.S. authorities,[14] the social media platform was not a defendant in the case. Instead, the issue for the High Court was whether the Irish Data Protection Commissioner could decline to investigate an alleged violation of the Safe Harbor Agreement. In order to make that determination, the High Court requested a preliminary ruling under Article 267 TFEU on the interpretation of the Safe Harbor Principles in light of Articles 25(6) and 28 of the Data Protection Directive and Articles 7, 8, and 47 of the Charter of Fundamental Rights of the European Union (the “E.U. Charter”). However, the CJEU chose to take the request one step further: although Schrems had not explicitly questioned the validity of the Safe Harbor Agreement,[15] the Court found that his claim justified its examination of the legality of the Principles in their entirety.
In short, the CJEU held that the Safe Harbor Principles had to provide protection “essentially equivalent” to that in the Directive and the E.U. Charter.[16] This is a very high threshold, as data protection in the E.U. is far more encompassing than U.S. privacy law. With that in mind, the CJEU focused on two aspects. First, it found that the Safe Harbor Principles did not meet the standard of adequate safeguards for the protection of personal data in Article 25 of the Directive, because the derogation in Annex I of the Commission Decision based on “national security, public interest, or law enforcement requirements” was too broad.[17] Instead, the CJEU held that derogations and limitations had to be “strictly necessary,”[18] and emphasized that “in particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the [E.U.] Charter”.[19]
Second, despite the redress mechanism offered by the U.S. Federal Trade Commission (“FTC”) backed by federal law, the CJEU noted that European citizens still did not have sufficient access to remedies, partly because the FTC’s remit is limited to commercial disputes and does not reach government access to data, and partly because some constitutional privacy protections, such as the Fourth Amendment, are not available to non-citizens.[20] In addition, the CJEU quoted the European Commission’s finding that: “moreover, there are no opportunities for either E.U. or U.S. data subjects to obtain access, rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the US surveillance programmes.”[21]
Having declared the Safe Harbor Agreement invalid, the CJEU referred the case back to the Irish High Court, which ordered the Irish Data Protection Commissioner to undertake the investigation of Facebook that Schrems had initially petitioned for. The outcome of this investigation has yet to be released. That noted, if there is one immediate outcome of the case, it is that time is of the essence for a new scheme or legislation to take the Agreement’s place. The Article 29 Data Protection Working Party, constituted by the Directive to provide advice on its interpretation, has warned that without a new appropriate scheme or agreement for the cross-border transfer of personal data by the end of January 2016, the national data protection authorities across the E.U. will take “all necessary and appropriate action, including coordinated enforcement action.”[22] In other words, “transfers that are still taking place under the Safe Harbor decision after the CJEU judgment are unlawful.”[23]
The Core Issue: Spying?
At its core, however, this decision may not be about the Safe Harbor Agreement. For years, criticisms of the Agreement’s inefficient enforcement and other structural weaknesses[24] have been largely overlooked as courts and legislators on both continents implicitly recognized the importance of the free flow of personal data across the ‘pond’. But in the wake of the Edward Snowden revelations, which seriously undermined trust between the transatlantic partners, the tide may be turning.[25] Indeed, the CJEU specifically took issue with the possibility that U.S. authorities could employ U.S. laws to compel U.S. companies to surrender European customer data in breach of the E.U. Charter.[26]
Secrecy was also an issue, as Advocate General Bot elucidated: “While the Foreign Intelligence Surveillance Court which operates under the Foreign Intelligence Surveillance Act of 1978, exercises supervisory jurisdiction, proceedings before that court take place in secret and ex parte.”[27] He continued that, as is “apparent from the fact that decisions relating to access to personal data are taken on the basis of United States law, citizens of the [European] Union have no effective right to be heard on the question of the surveillance and interception of their data.”[28] In his view, this amounted to a breach of the right to an effective remedy guaranteed by Article 47 of the E.U. Charter.[29] The CJEU concurred.[30] It is not clear, and not mentioned in the judgment, whether the USA FREEDOM Act of 2015 and the Judicial Redress Act of 2015, the latter currently being considered by the U.S. Senate, will adequately address these issues.
The CJEU quoted the European Commission’s observation that all the transatlantic companies that participated in the U.S. PRISM ‘spy’ program were also Safe Harbor certified, and that “[t]his has made the Safe Harbor scheme one of the conduits through which access is given to U.S. intelligence authorities to collecting personal data initially processed in the [European Union].”[31] From this analysis, it appears that the Safe Harbor Agreement has failed to achieve its objective of extending personal data protection for European citizens to processing performed on large corporate servers firmly planted on American soil.
Two Different Legal Regimes
Part of the fundamental underlying challenge for reaching the Safe Harbor Agreement in the first place can be traced to the difference in European and U.S. understanding of privacy law. Both the European Commission and its American counterpart, the U.S. Department of Commerce, recognized that: “While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the European Union. The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation.”[32]
Yet, the difference may be deeper than a simple divergence in implementation strategy. The U.S. notion of privacy rights can be traced to Samuel Warren and Louis Brandeis’ seminal 1890 Harvard Law Review article and “the right to be let alone”.[33] The concept evolved with William L. Prosser’s four privacy torts from 1960[34] and in various constitutional amendments, primarily as protection from illegal intrusion into or invasion of the private sphere. Indeed, a similar conceptual interpretation of privacy is found in the European Court of Human Rights’ jurisprudence on Article 8 of the European Convention on Human Rights and Fundamental Freedoms.[35]
Yet, since the Convention was signed in 1950, the initially narrow view of privacy in European jurisprudence has spread across a wider field of rights that encompasses the right to informational self-determination, dignity and autonomy.[36] For example, in Perry v. United Kingdom, the European Court of Human Rights held that: “Private life is a broad term not susceptible to exhaustive definition. Aspects such as gender identification, name, sexual orientation and sexual life are important elements of the personal sphere protected by Article 8. Article 8 also protects a right to identity and personal development, and the right to establish and develop relationships with other human beings and the outside world and it may include activities of a professional or business nature.”[37]
This broad approach has resulted in an independent legal concept of personal data protection found in the Directive and Article 8 of the E.U. Charter. The underpinning logic of personal data protection is not whether privacy has been breached, but whether the processing of the personal data adheres to the Data Protection Processing Principles (the “Principles”). The Principles first appeared in the Organisation for Economic Co-operation and Development (“OECD”)’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980 and the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”) in 1981.[38] These two international documents served as a template for the drafters of the Directive in 1995.
The main Principles in the Directive are data quality and lawfulness of data processing (Articles 6 and 7), access (Article 12), information regarding processing (Article 10), and confidentiality and security (Articles 16 and 17). It should also be taken into account that the Directive covers all gathering, collection, use, storage, and dissemination of personal data (with a narrow household exemption), and similarly employs a definition of personal data that is considerably wider than most definitions of Personally Identifiable Information (“PII”) used in the United States. Thus, the Principles are considerably broader than the idea of “notice and consent” that is sometimes present in U.S. law.[39] Yet common ground had to be found for the practical implementation of a cross-border agreement. The result in terms of Safe Harbor is that the European principles have been distilled into notice, choice, onward transfer (transfer to third parties), access, security, data integrity, and enforcement.[40]
A question remains, however, as to whether a new agreement can come into legal effect, as the CJEU’s ruling was not so much an objection to the commercial practices of U.S. internet companies as a critique of the wide scope of U.S. federal laws that allow for, in the eyes of the CJEU, unwarranted “mass surveillance.”[41] Among the commentators on the case, the U.S. Mission to the E.U. has attempted to refute Snowden’s allegations of American ‘spying’.[42] The website Politico has quoted U.S. Ambassador Daniel Sepulveda as claiming that the Court decision was “fundamentally and demonstrably incorrect” and that the U.S. will provide evidence regarding its (in its own account, non-existent) spying activities to prove so.[43] Yet, these protests have been contested by, for example, the Electronic Privacy Information Center (“EPIC”), which has stated that: “The United States continues to engage in the routine of mass surveillance of persons outside of the United States, including ordinary European citizens.”[44]
The European Commission has released thirteen recommendations concerning transparency, redress, enforcement, and access by U.S. authorities in an attempt to salvage the Safe Harbor Agreement. According to the Commission:
“Privacy policies of self-certified companies should include information on the extent to which US laws allow public authorities to collect and process data transferred under Safe Harbour. In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.”[45]
And further, “[i]t is important that the national security exception foreseen by the Safe Harbor decision is used only to an extent that is strictly necessary or proportionate.” [46]
However, these proposed measures seem somewhat misguided or incomplete, given that the CJEU was not particularly interested in whether spying was actually going on; the Court based its decision on the fact that U.S. law could potentially force a company to breach its own certified Safe Harbor privacy policy.[47] The mere potential of such a breach was sufficient for the Court to find that the requisite adequate protection standard had not been met. This may be a pragmatic recognition by the Court that proving actual spying would be difficult for an ordinary consumer, and would therefore preclude any meaningful enforcement of his or her data protection rights.
More fundamentally, the CJEU’s approach places a strong emphasis on privacy and data protection; these human rights have a higher value than regular law.[48] By contrast, the U.S. courts and lawmakers seem to take the view that albeit important, privacy is a right that can be legislated in law on par with any other interest. This dilemma is well expressed by Representative Joe Barton (R) of Texas: “If I put my pro-business hat on, I want to renegotiate this Safe Harbour agreement as soon as possible. But if I put my privacy caucus co-chairman hat on, I think the European Union has highlighted a substantial issue, that US privacy laws aren’t as strong as they could be.”[49]
Possible Consequences
The CJEU ruling poses a dilemma for the more than four thousand U.S. companies who have availed themselves of the Safe Harbor Agreement by registering and self-certifying through an official U.S. website.[50] On one hand, E.U. law as read by the CJEU does not permit the personal data they transfer from Europe to be made available to U.S. authorities on a generalized basis; on the other hand, U.S. federal law can obligate them to do just that. One solution may be for the U.S. companies to close their European offices, thereby avoiding the jurisdiction of the European Court. This may also be seen as a gain to the U.S. taxpayer, as these companies would then be liable for taxes at home. However, that may be easier said than done.[51] The decision may also go the other way, as there have been some indications that companies are moving all their data to Europe “for safekeeping.”[52]
Some commentators have suggested that the impact of the decision may not be as deep as first anticipated, due to the other options for transferring personal data that already exist under Article 26 of the Directive. Under Article 26(1), companies are still able to transfer personal data outside the E.U. provided that the data subject has consented; yet not only must consent be freely given, it must also be specific, informed and unambiguous. It may therefore be more likely that one of the other derogation grounds will be used, such as a transfer being deemed necessary for (1) the performance of a contract (which would most likely be used by companies such as Facebook), (2) public interest reasons, (3) the protection of the data subject’s vital interests, or (4) legal compliance. Alternatively, Article 26(2) permits transfers where the controller adduces adequate safeguards; in practical terms, these take the form of standard contractual clauses and binding corporate rules that have been pre-approved by the national data protection authorities.[53] Yet, these solutions have been criticised for being costly to put in place, and prohibitive for small businesses.[54]
In any case, it is in the interest of the E.U. and the U.S. to agree to a replacement scheme sooner rather than later. One compelling argument for a prompt solution is the burden that case-by-case oversight of individual transfers places on national data protection authorities. In an age of austerity and an unfolding migrant crisis, few European governments have the means to allocate adequate resources to this task. Individual case oversight may also widen the gap in data protection practices across the European Union. However, commentators are still skeptical of the potential of a Safe Harbor 2.0, fearing that it will suffer from similar ills as the initial agreement.[55] Some have also suggested that the recently negotiated Umbrella Agreement between E.U. and U.S. law enforcement agencies in regard to the protection of personal data can provide a suitable framework.[56] Yet, this seems highly unlikely, as the Umbrella Agreement is limited to the prevention, detection, investigation, and prosecution of criminal offenses, which remains within the competence of the individual Member States, and does not cover day-to-day business activities.[57]
Conclusion
The CJEU found that the Safe Harbor Agreement was invalid, and subsequently the Irish High Court ordered the Irish Data Protection Commissioner to investigate Schrems’ complaints against the social media platform. The outcome of that investigation has yet to be released, but in any event, Maximillian Schrems v. Data Protection Commissioner has already prompted a swift reply from the European Commission, which issued thirteen recommendations to ameliorate the Principles within three months of the CJEU’s decision. However, the case has not led to an immediate suspension of cross-border data transfers from the E.U. to the U.S., as Article 26 of the Directive provides alternative legal mechanisms for the cross-border transfer of personal data. Further, the case has strengthened the long-overdue calls for reform of the Safe Harbor Agreement, which had previously been criticised for its weak enforcement mechanism and voluntary nature.
Some U.S. commentators, and the U.S. Mission to the E.U., seem to be caught by the arguably misguided notion that the case was about actual spying, and have therefore attempted to refute the allegations of illegal surveillance activities that were accepted by the Irish High Court. Yet this criticism seems to miss the point that the CJEU was not necessarily concerned with actual “spying”, but with the potential that exists as long as 50 U.S.C. § 1881a (Section 702 of FISA), the Patriot Act, and Executive Order 12333 are in effect. Thus, until U.S. legislators amend federal and possibly state laws to bridge this gap, Politico finds it difficult to see “[e]xactly how is the Obama administration going to reverse the perception that the U.S. has poor privacy protections?”[58] Yet it should be recognised that significant progress has been made with the recent USA FREEDOM Act of 2015 and the proposed Judicial Redress Act of 2015, the latter aimed specifically at filling this void.
Still, the question remains as to whether these efforts will be enough to satisfy the European Court as long as Section 702 of the Foreign Intelligence Surveillance Act (FISA) remains in force. It will also be worth following Representative Schakowsky’s privacy bill as it makes its legislative journey.[59] Perhaps these efforts, along with international pressures, may compel federal legislators to introduce stronger privacy laws across the United States.
Ann Kristin Glenster is a doctoral exchange student from the University of Cambridge Faculty of Law.