
We have prepared this guide primarily to help people locate legal resources relevant to understanding the issues raised by the Schrems II case. It will also be helpful to those interested in other cross-border issues at the intersection of technology, privacy, and security.
This is a living guide; we will endeavor to keep it up to date, and welcome suggestions for additions or other changes.
EU-US Data Privacy Framework (2022)
Official Statements
- European Commission, Adequacy decision for the EU-US Data Privacy Framework, July 10, 2023
- United States Department of Justice, Memorandum in Support of Designation of the European Union and Iceland, Liechtenstein, July 3, 2023
- Office of Director of National Intelligence, ODNI Releases IC Procedures Implementing New Safeguards in Executive Order 14086, July 3, 2023
- European Data Protection Board, Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework, February 28, 2023
- European Parliament, European Parliament resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework, February 14, 2023
- European Commission, Adequacy decision for the EU-US Data Privacy Framework, December 13, 2022
- The White House, National Security Memorandum on Partial Revocation of Presidential Policy Directive 28, October 7, 2022
- The White House, FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework, October 7, 2022
- European Commission, Questions & Answers: EU-U.S. Data Privacy Framework, October 7, 2022
- EDPB, Statement 01/2022 on the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework, April 6, 2022
- The White House, Remarks by President Biden and European Commission President Ursula von der Leyen in Joint Press Statement, March 25, 2022. United States President Joe Biden announces plans to enhance the Privacy Shield Framework.
- The White House, United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework, March 25, 2022. Joint statement by United States and European Commission discussing the new Trans-Atlantic Data Privacy Framework.
- The White House, FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework, March 25, 2022. Description of what the new Trans-Atlantic Data Privacy Framework will entail.
- European Commission, Statement by President von der Leyen with US President Biden, March 25, 2022. European Commission President Ursula von der Leyen announces new data privacy framework between the European Union and United States.
- European Commission, European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework, March 25, 2022. Joint statement by European Commission and United States discussing the new Trans-Atlantic Data Privacy Framework.
- European Commission, Trans-Atlantic Data Privacy Framework, March 25, 2022. Overview of the agreement in principle for the new Trans-Atlantic Data Privacy Framework.
Specific U.S. Legal Authorities
- Office of The Director of National Intelligence, Implementation Procedures for the Signals Intelligence Redress Mechanism under Executive Order 14086, December 6, 2022
- The White House, Executive Order 14086 On Enhancing Safeguards For United States Signals Intelligence Activities, October 7, 2022
- The White House, Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (Reformatted), October 7, 2022
- Department of Justice, Redress in the Data Protection Review Court, October 7, 2022
European Union
The Schrems Cases
- Schrems I (2015)
On October 6, 2015, the European Court of Justice issued a judgment declaring as “invalid” the European Commission’s Decision 2000/520/EC of 26 July 2000 “on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce.” As a result of that decision, the U.S.-EU Safe Harbor Framework is not a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This is a link to the Safe Harbor agreement that was invalidated by Schrems I.
- Schrems II (2020)
The adequacy decision on the EU-US Privacy Shield was adopted on 12 July 2016 and allowed the free transfer of data to companies certified in the US under the Privacy Shield. In its judgment of 16 July 2020 (Case C-311/18), the Court of Justice of the European Union invalidated the adequacy decision. The EU-US Privacy Shield is therefore no longer a valid mechanism to transfer personal data from the European Union to the United States.
Other Relevant CJEU Cases
The Court of Justice of the European Union (CJEU) has issued several judgements on whether EU Law prohibits measures requiring providers of electronic communications services to share or retain communications data for national security or law enforcement purposes:
Relevant EU Legal Instruments
- General Data Protection Regulation (“GDPR”). Schrems II involved the application of the cross-border transfer provisions of GDPR.
- An excellent online version of GDPR can be found here: https://gdpr-info.eu/.
- GDPR’s predecessor was the Data Protection Directive.
- EU Charter of Fundamental Rights. The Schrems II court based its decision in large part on the EU Charter of Fundamental Rights. In particular, the Schrems II court highlighted the following articles of the Charter:
- Article 7. Respect for Private and Family Life
- Article 8. Protection of Personal Data
- Article 47. Right to an effective remedy and to a fair trial
- Treaty on European Union. The Schrems II court referred to Article 4(2) of the Treaty on European Union, which states: “The Union shall respect the equality of Member States before the Treaties as well as their national identities, inherent in their fundamental structures, political and constitutional, inclusive of regional and local self-government. It shall respect their essential State functions, including ensuring the territorial integrity of the State, maintaining law and order and safeguarding national security. In particular, national security remains the sole responsibility of each Member State.” The consolidated version of the treaty is available here.
Relevant EU Entities
- Court of Justice of the European Union (CJEU). The CJEU interprets EU law to make sure it is applied in the same way in all EU countries, and settles legal disputes between national governments and EU institutions.
- European Data Protection Board (EDPB). The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The EDPB is established by the General Data Protection Regulation (GDPR), and is based in Brussels.
- National Supervisory/Data Protection Authorities. The EDPB is composed of representatives of the EU national data protection authorities, and the European Data Protection Supervisor (EDPS). The supervisory authorities of the EFTA EEA States (IS, LI, NO) are also members with regard to GDPR-related matters, without the right to vote or to be elected as chair or deputy chair.
- European Commission. The Commission helps to shape the EU’s overall strategy, proposes new EU laws and policies, monitors their implementation and manages the EU budget. It also plays a significant role in supporting international development and delivering aid.
- International Data Flows and Protection Unit of the Directorate-General for Justice and Consumers. The International Data Flows and Protection Unit of the Directorate-General for Justice and Consumers is the organization that leads the adequacy process under GDPR. This is the organization chart for the Directorate-General for Justice and Consumers.
Official EU Statements and Reports
- EDPB
- Recommendations 01/2020 on Measures that Supplement Transfer Tools to Ensure Compliance with the EU Level of Protection of Personal Data (Nov. 10, 2020)
- Comments on Proposed EDPB Recommendations 01/2020 (Dec. 21, 2020)
- Recommendations 02/2020 on the European Essential Guarantees for Surveillance Measures (Nov. 10, 2020)
- Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 – Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (July 23, 2020)
- Article 29 Data Protection Working Party, Opinion 01/2016 on the EU – U.S. Privacy Shield Draft Adequacy Decision (Apr. 13, 2016)
- European Commission
- Implementing Decision on standard contractual clauses for the transfer of personal data to third countries (June 4, 2021)
- Annex to the Implementing Decision
- European Parliament
- Press Release, European Parliament, European Parliament Resolution of 6 October 2021 on the Future of EU-US Relations (Oct. 6, 2021)
EU Adequacy Decisions (Listed in reverse chronological order)
- Adequacy Decision for Privacy Shield (invalidated by Schrems II)
- The European Commission has so far recognized as providing adequate protection:
- United Kingdom
- GDPR (2021)
- Law Enforcement Directive (2021)
- EDPB Opinion (2021)
- South Korea (2021)
- Japan (2019)
- New Zealand (2012)
- Uruguay (2012)
- Israel (2011)
- Faroe Islands (2010)
- Andorra (2010)
- Jersey (2008)
- Isle of Man (2004)
- Guernsey (2003)
- Argentina (2003)
- Canada (2001)
- Switzerland (2000)
European Court of Human Rights
- Legal Instruments
- European Convention on Human Rights. The Convention for the Protection of Human Rights and Fundamental Freedoms, better known as the European Convention on Human Rights, was opened for signature in Rome on 4 November 1950 and came into force on 3 September 1953. It was the first instrument to give effect to certain of the rights stated in the Universal Declaration of Human Rights and make them binding. Among other things, it established the European Court of Human Rights (ECtHR), which has issued rulings governing the applicability of the Convention’s privacy right to national security activities.
- European Court of Human Rights Cases
- Case of Klass and Others v. Germany (1978). In this case, the applicants, five German lawyers, complained in particular about legislation in Germany empowering the authorities to monitor their correspondence and telephone communications without obliging the authorities to inform them subsequently of the measures taken against them. The European Court of Human Rights held that there had been no violation of Article 8 of the European Convention on Human Rights, finding that the German legislature was justified to consider the interference resulting from the contested legislation with the exercise of the right guaranteed by Article 8 as being necessary in a democratic society in the interests of national security and for the prevention of disorder or crime.
- Case of Kennedy v. The United Kingdom (2010). The Court stated that based on the principle of effective protection by the Convention’s system, an individual might – under certain conditions to be determined in each case – claim to be the victim of a violation as a result of the mere existence of secret measures, even if they were not applied to him.
- Roman Zakharov v. Russia (2015). The Court found the domestic legal provisions governing the interception of communications did not provide adequate and effective guarantees against arbitrariness and the risk of abuse. The domestic law did not meet the “quality of law” requirement and was incapable of keeping the “interference” to what was “necessary in a democratic society”.
- Szabó and Vissy v. Hungary (2016). The case concerned Hungarian legislation on secret anti-terrorist surveillance introduced in 2011.
- Big Brother Watch and Others v. the United Kingdom (2021). The case concerned complaints by journalists and human-rights organisations in regard to three different surveillance regimes: (1) the bulk interception of communications; (2) the receipt of intercept material from foreign governments and intelligence agencies; (3) the obtaining of communications data from communication service providers.
- Centrum För Rättvisa v. Sweden (2021). The case concerned the alleged risk that the applicant foundation’s communications had been or would be intercepted and examined by way of signals intelligence, as it communicated on a daily basis with individuals, organisations and companies in Sweden and abroad by email, telephone and fax, often on sensitive matters.
- Ekimdzhiev and Others v. Bulgaria (2022). The case concerned secret surveillance and the system of retention and subsequent accessing of communications data in Bulgaria.
- Official Statements and Reports
- Research Division, National Security and European Case-Law, European Court of Human Rights (2013)
- European Court of Human Rights, Press Unit, Mass Surveillance (2021)
Enforcement Decisions
- DPC publishes statistical report on handling of cross-border complaints under GDPR’s One-Stop-Shop (OSS). The Irish Data Protection Commission (DPC) has today published a statistical report on the DPC’s handling of cross-border complaints under the GDPR’s One-Stop-Shop (OSS) mechanism.
- Austrian DPA’s Google Analytics Decision Could Have “Far-Reaching Implications”, IAPP (Jan. 20, 2022). The recent decision by the Austrian Data Protection Authority that the use of Google Analytics violates the EU General Data Protection Regulation could have “far-reaching implications.” The decision, published Jan. 13, is the first of 101 complaints filed across EU countries by advocacy group NOYB alleging companies using Google Analytics were not complying with the July 2020 Court of Justice of the European Union’s “Schrems II” decision on data transfers.
- EDPS Issues Decision on EU Parliament’s Cookie Violations, Hunton Andrews Kurth LLP (Jan. 19, 2022). On January 5, 2022, the European Data Protection Supervisor (“EDPS”) issued a decision against the European Parliament (“EP”). The case resulted from a complaint submitted by certain Members of the European Parliament (“MEPs”) who alleged that the Parliament’s use of cookies violated data protection law, including requirements regarding the transfer of personal data outside of the EU.
- EDPS orders Europol to erase data concerning individuals with no established link to a criminal activity, EDPS (Jan. 10, 2022). On 3 January 2022, the EDPS notified Europol of an order to delete data concerning individuals with no established link to a criminal activity (Data Subject Categorisation). This Decision concludes the EDPS’ inquiry launched in 2019.
- Belgian Council of State Considers Encryption a Sufficient Measure for U.S. Data Transfers, Hunton Andrews Kurth LLP (Sept. 9, 2021). In its decision of August 19, 2021, the Belgian Council of State took the position that the use of U.S. cloud services in and of itself does not violate the GDPR. In reaching its decision, the Council of State took into account the Guidelines issued by the European Data Protection Board on supplementary measures and an opinion issued by the Flemish Supervisory Commission, and concluded that encryption is a valid supplementary measure to transfer data to the U.S. in certain circumstances, including where the encryption keys are kept under the full control of the data controller.
- Hamburg DPA warns regional Senate to discontinue video service use over data transfers, IAPP (Aug. 16, 2021). The Hamburg Commissioner for Data Protection and Freedom of Information warned the regional Senate Chancellery to stop using Zoom, citing “insufficient protection” of data transmitted to the U.S.
- The EDPS opens two investigations following the “Schrems II” Judgement, EDPS (May 27, 2021). The EDPS launched two investigations today, one regarding the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies (EUIs) and one regarding the use of Microsoft Office 365 by the European Commission.
- High Court hands Irish DPC victory in Facebook data transfers case, IAPP (May 14, 2021). The Irish High Court dismissed all of Facebook’s procedural complaints in a preliminary decision from Ireland’s Data Protection Commission regarding data transfers from the EU to the U.S. A win for the Irish DPC, the court decision opens up the possibility that Facebook would eventually have to halt personal data transfers from the EU to the U.S.
- Census 2021: Portuguese DPA (CNPD) suspended data flows to the USA, European Data Protection Board (Apr. 28, 2021). The Portuguese Data Protection Authority (CNPD) ordered INE (National Institute for Statistics) to suspend the sending of personal data from the Census 2021 to the United States.
- Bavarian DPA (BayLDA) calls for German company to cease the use of ‘Mailchimp’ tool, European Data Protection Board (Mar. 30, 2021). In this decision, the Bavarian DPA requested that a German company refrain from using Mailchimp to send its newsletter because Mailchimp could be subject to US surveillance laws.
- Why this French court decision has far-reaching consequences for many businesses, IAPP (Mar. 15, 2021). The Conseil d’Etat — France’s highest administrative court — ruled that personal data on a platform used to book COVID-19 vaccinations, managed by Doctolib and hosted by Amazon Web Services, was sufficiently protected under the EU General Data Protection Regulation because sufficient safeguards, both legal and technical, were put in place in case of an access request from U.S. authorities.
United States
Official Descriptions
The U.S. legal framework governing national security activities is extensive and complicated. It is a system of many layers with many players. A good starting point for understanding the relevant aspects of that framework is U.S. government submissions.
- The European Commission included U.S. government descriptions of the U.S. legal framework in annexes to the Privacy Shield adequacy decision. Annexes VI and VII describe the national security legal framework:
- The U.S. government recently issued a white paper in response to the Schrems II ruling: Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II
- U.S. Government submission in Schrems I case.
General Reference Guides
- Guide to Posted Documents (intel.gov). This is a comprehensive guide to key legal documents that comprise the national security legal framework, with a particular focus on FISA Section 702, Executive Order 12333, United States Intelligence Activities, and Presidential Policy Directive-28, Signals Intelligence Activities. It includes links to the latest documents released by the U.S. Government relating to those authorities, such as Section 702 targeting, minimization, and querying procedures, compliance assessments, statistical transparency reports, and policies implementing protections under PPD-28.
- IC on the Record. The ODNI established IC on the Record as the platform for releasing documents relating to the IC’s surveillance authorities.
- IC on the Record Database Query Tool. This tool allows users to conduct full text searches of documents posted on IC on the Record.
- Intelligence Community Legal Reference Book. This is a comprehensive compilation of relevant statutes, executive orders, and related legal instruments that are relevant to the U.S. national security legal framework, including FISA, the National Security Act of 1947, and the Freedom of Information Act. It is current as of 2020.
- Georgetown University Foreign Intelligence Law Collection. The collection includes foreign intelligence-related statutory and regulatory instruments; the legislative histories for statutory changes to the Foreign Intelligence Surveillance Act (FISA); publicly available and declassified opinions and orders issued by the Foreign Intelligence Surveillance Court (FISC) and Foreign Intelligence Surveillance Court of Review (FISCR); FISA-related cases in non-specialized Article III courts; statutorily-required reports on the operation of FISA and formal correspondence between FISC and Congress; FISC/FISCR Rules of Procedure; and an annotated bibliography of secondary sources related to FISA, FISC/FISCR, and foreign intelligence law.
Specific U.S. Legal Authorities
The Schrems II decision focused in particular on Section 702 of the Foreign Intelligence Surveillance Act (FISA), Executive Order 12333, and PPD-28. A helpful source for the latest official releases of documents that relate to those authorities is the Guide to Posted Documents. For ease of reference, we have included below some relevant highlights:
- FISA Section 702
- A copy of FISA Section 702 can be found starting on page 472 of the IC Legal Reference Book, current as of 2020.
- The Guide to Posted Documents includes links to relevant summaries and descriptions, including:
- Section 702 Overview – In late December 2017, the IC prepared an infographic summarizing key elements of Section 702. This overview is posted here.
- FISA Amendments Act: Q&A – The IC prepared a detailed Q&A document describing Section 702 and other FISA provisions. This document includes a discussion of the intelligence value of Section 702, with examples. The Q&A document was prepared before the FISA Amendments Reauthorization Act of 2017 (the Reauthorization Act). For changes made by the Reauthorization Act, see the IC summary of relevant changes.
- The FISC must approve the procedures which govern how Section 702 is implemented. The collection must be conducted in accordance with “targeting procedures.” The collected data must be retained and shared in accordance with “minimization procedures.” The data may only be queried in accordance with “querying procedures.” The government redacts and releases these procedures:
- FBI Section 702 Targeting Procedures, October 19, 2020
- NSA Section 702 Targeting Procedures, October 19, 2020
- CIA’s Section 702 Minimization Procedures, October 19, 2020
- FBI’s Section 702 Minimization Procedures, October 19, 2020
- NCTC’s Section 702 Minimization Procedures, October 19, 2020
- NSA’s Section 702 Minimization Procedures, October 19, 2020
- FBI’s Section 702 Querying Procedures, October 19, 2020
- CIA’s Section 702 Querying Procedures, October 19, 2020
- NCTC’s Section 702 Querying Procedures, October 19, 2020
- NSA’s Section 702 Querying Procedures, October 19, 2020
- Official reports on Section 702 provide helpful descriptions and other information:
- The Privacy and Civil Liberties Oversight Board (PCLOB) wrote a landmark report on Section 702, with an extensive declassified description of how the U.S. Government implements this authority. It made a series of recommendations, and then issued updates tracking the implementation of those recommendations.
- PCLOB Report on the Surveillance Program Operated Pursuant to Section 702 of FISA (July 2, 2014).
- PCLOB update on the government’s implementation of the PCLOB Recommendations on Section 215 and Section 702 (January 29, 2015 Update).
- PCLOB update on the government’s implementation of the PCLOB Recommendations on Section 215 and Section 702 (February 5, 2016 Update).
- Annual Statistical Transparency Reports: These are annual reports that provide important statistics on the use of FISA authorities as well as national security letters. These reports also describe these complex authorities in a readily understandable manner. Read more about the report here.
- Semiannual Compliance Assessments: By law, the Director of National Intelligence and the Attorney General must assess compliance with Section 702 on a semiannual basis. These joint assessments result in comprehensive, detailed reports which are provided to the FISC as well as to Congress. They are then redacted and publicly released. Here is the latest release.
- Executive Order 12333
- Executive Order 12333 organizes and directs the intelligence activities of the U.S. government in securing the nation from foreign threats. It lays out important boundaries for intelligence agencies, requiring them to take action consistent with applicable law, and imposing restrictions to protect civil liberties and privacy. A copy of Executive Order 12333 can be found starting on page 693 of the IC Legal Reference Book, current as of 2020.
- IC elements have issued procedures implementing Executive Order 12333, which have been approved by the Attorney General in consultation with the Director of National Intelligence – Chart_of_EO_12333_AG_approved_Guidelines_March_2021.pdf (intel.gov).
- The PCLOB issued reports and statements relating to Executive Order 12333:
- Executive Order 12333 Public Report (pclob.gov)
- Felton and LeBlanc Statement on EO 12333 Public Report (pclob.gov)
- Member LeBlanc’s 12333 Unclassified Statement.pdf (pclob.gov).
- PCLOB Report on CIA Activities (“Deep Dive 1”) (pclob.gov)
- PCLOB Report on CIA Activities (“Deep Dive 2”) (pclob.gov)
- Member Travis LeBlanc’s Statement on the Board’s Report and Recommendations (pclob.gov)
- Presidential Policy Directive-28
- Presidential Policy Directive-28 (PPD-28) articulates privacy protections in signals intelligence activities that apply to people regardless of nationality.
- Intelligence Community agencies have issued binding policies implementing PPD-28. Chart-of-PPD-28-Procedures_May-2017.pdf (dni.gov). For example, NSA issued NSA Procedures Implementing Section 4 of PPD-28 (also titled “Supplemental Procedures for the Collection, Processing, Retention, and Dissemination of Signals Intelligence Information and Data Containing Personal Information of Non-United States Persons”), available at link.
- The PCLOB issued a report on PPD-28: PPD-28 Report (for FOIA Release).pdf (pclob.gov). The IC presented a responsive report to the PCLOB: Status_of_PPD_28_Implementation_Response_to_PCLOB_Report_10_16_18.pdf (dni.gov).
- Section 309 of the Intelligence Authorization Act of 2015
- This authority establishes a five-year retention period for “covered communications.”
- Executive Order 14086
- The White House, Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities, October 7, 2022
- Department of Justice, Redress in the Data Protection Review Court, October 7, 2022
Relevant U.S. Entities
- Civil Liberties Protection Officer. The position of Civil Liberties Protection Officer was established by the Intelligence Reform and Terrorism Prevention Act of 2004, and is now codified at 50 U.S.C. Section 3029 (see page 65 of the IC Legal Reference Book). The Civil Liberties Protection Officer reports directly to the Director of National Intelligence (DNI). The Officer’s statutory duties include, among other things, ensuring that privacy and civil liberties protections are appropriately addressed in the policies and procedures of intelligence agencies; overseeing compliance; and reviewing, assessing and investigating complaints and other information indicating possible abuses of civil liberties and privacy. The Civil Liberties Protection Officer also serves as the ODNI’s Chief Transparency Officer, and leads the ODNI’s Office of Civil Liberties, Privacy and Transparency. The Officer’s responsibilities are further laid out in Intelligence Community Directive 107, Civil Liberties, Privacy and Transparency.
- Privacy and Civil Liberties Officers. The positions of Privacy and Civil Liberties Officers are outlined in 42 U.S.C. Section 2000ee-1 (see page 228 of the IC Legal Reference Book). By law, their duties include ensuring that their department, agency, or element has adequate procedures to receive, investigate, respond to, and redress complaints from individuals who allege violations of their privacy or civil liberties. These officers are established at the Departments of Justice, State, Treasury, Health and Human Services, and Homeland Security, as well as at the Office of the Director of National Intelligence, Central Intelligence Agency, National Security Agency, Federal Bureau of Investigation, and at any other department, agency, or element of the executive branch designated by the Privacy and Civil Liberties Oversight Board. If a department, agency, or element already has a statutory privacy and civil liberties officer (e.g., the ODNI’s Civil Liberties Protection Officer), that officer will in addition have the responsibilities listed in this statute. Here are links to some of these offices’ websites:
- ODNI Office of Civil Liberties, Privacy, and Transparency
- CIA Privacy and Civil Liberties Office
- NSA Civil Liberties and Privacy Office
- Department of Justice Office of Privacy and Civil Liberties
- Department of Defense Privacy and Civil Liberties Office
- Department of Homeland Security Privacy Office
- Department of Homeland Security Office of Civil Rights and Civil Liberties
- Privacy and Civil Liberties Oversight Board. The PCLOB is an independent agency within the Executive Branch. Its mission is to ensure that the federal government’s efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties. Its governing statute is codified at 42 U.S.C. Section 2000ee (see page 221 of the IC Legal Reference Book). It conducts a range of advisory and oversight activities, including oversight over the Foreign Intelligence Surveillance Act, Executive Order 12333, and Presidential Policy Directive-28.
- Inspectors General. Under the Inspector General Act of 1978, the role of inspectors general is to prevent and detect waste, fraud, and abuse relating to their agency’s programs and operations, and to promote economy, efficiency, and effectiveness in the agency’s operations and programs. Offices of Inspector General are located within their agencies but must conduct their audits, investigations, evaluations, and special reviews independently from their agencies. The Intelligence Community Inspector General has a public website, which includes its public semiannual reports.
Cross-Border Privacy Rules
Official Statements
- U.S. Department of Commerce, Global Cross-Border Privacy Rules Declaration, April 21, 2022
- U.S. Department of Commerce, Statement by Commerce Secretary Raimondo on Establishment of the Global Cross-Border Privacy Rules (CBPR) Forum, April 21, 2022
- U.S. Department of Commerce, Global Cross-Border Privacy Rules Declaration FAQ, April 21, 2022
- Asia-Pacific Economic Cooperation, APEC Privacy Framework, 2015
- U.S. Department of Commerce, Cross Border Privacy Rules System, 2011
Data Free Flow with Trust
Global Efforts
- OECD Declaration on Government Access to Personal Data Held by Private Sector Entities
- The Declaration on Government Access to Personal Data Held by Private Sector Entities was adopted by Ministers and high-level representatives of OECD Members and the European Union on 14 December 2022, on the occasion of the Ministerial meeting of the Committee on Digital Economy Policy (CDEP) held on the island of Gran Canaria, Spain.
- As the first intergovernmental agreement on common approaches to safeguard privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes, it seeks to promote trust in cross-border data flows, a critical enabler of the global economy. Read more here.
- G7 Digital and Technology Ministerial Declaration
- In April 2021, the UK, Canada, France, Italy, Japan, the US and the EU agreed to the G7 Digital and Technology Ministerial Declaration, which endorsed the Roadmap for Cooperation on Data Free Flow with Trust, which in turn declared support for the aims and objectives of the OECD’s drafting group working on trusted government access to personal data held by the private sector.
- G7 Data Protection and Privacy Authorities’ Action Plan, June 22, 2023
- G7 Hiroshima Leaders’ Communiqué, May 20, 2023
- Ministerial Declaration: The G7 Digital and Tech Ministers’ Meeting, April 30, 2023
- Annex on G7 Vision for Operationalising DFFT and Its Priorities, April 30, 2023
- Statement from OECD’s Committee on Digital Economy Policy
- In December 2020, the OECD’s Committee on Digital Economy Policy issued a statement announcing the convening of a drafting group of government representatives and experts, including from law enforcement and national security agencies, to examine the possibility of developing an instrument setting out high-level principles or policy guidance for trusted government access to personal data held by the private sector. Such work would bring together and elaborate a set of common and coherent good practices and legal guarantees from across OECD countries for best reconciling law enforcement and national security needs for data with protection of individual rights.
- G20 Osaka Leaders Declaration
- In June 2019, the leaders of the G20 met in Osaka, Japan and issued a declaration committing to facilitating the free flow of data and strengthening consumer and business trust.
- On June 30, 2019, the OECD issued a statement supporting the G20 policy priorities at the Osaka Summit.
Articles and Papers
Listed in Reverse Chronological Order
- Paul Rosenzweig, The Jurisdiction of the New Data Protection Review Court, Lawfare (February 27, 2023)
- Congressional Research Service, The EU-U.S. Data Privacy Framework: Background, Implementation, and Next Steps (October 24, 2022)
- Alex Joel, Gabriela Zanfir-Fortuna, Caitlin Fennessy, Peter Swire, The EU-U.S. Data Privacy Framework & Next Steps for Data Transfers, LinkedIn Live (October 7, 2022)
- Caitlin Fennessy, The EU-US Data Privacy Framework: A new era for data transfers?, IAPP (October 7, 2022)
- Jim Sullivan, President Biden orders surveillance reforms two years after Schrems II, DLA Piper (October 7, 2022)
- Raffaela Wakeman, Privacy Shield 2.0—Third Time’s the Charm?, Lawfare (May 19, 2022)
- Theodore Christakis, Kenneth Propp and Peter Swire, EU/US Adequacy Negotiations and the Redress Challenge: How to Create an Independent Authority with Effective Remedy Powers, European Law Blog (Feb. 16, 2022)
- Theodore Christakis, Kenneth Propp and Peter Swire, EU/US Adequacy Negotiations and the Redress Challenge: Whether a New U.S. Statute is Necessary to Produce an “Essentially Equivalent” Solution, European Law Blog (Jan. 31, 2022)
- Gabriela Zanfir-Fortuna, Understanding Why the First Pieces Fell in the Transatlantic Transfers Domino, Future of Privacy Forum (Jan. 27, 2022)
- Thorsten Wetzling, Lauren Sarkesian, Charlotte Dietrich, Solving the Transatlantic Data Dilemma, Stiftung Neue Verantwortung (Dec. 15, 2021)
- Professor Stephen I. Vladeck, Expert Opinion on the Current State of U.S. Surveillance Law and Authorities, Data Protection Conference (Nov. 15, 2021)
- Alex Joel, Francesca Oliveira, Redress: What is the Problem?, European Law Blog (Sept. 28, 2021)
- Congressional Research Service (CRS) Report: U.S.-EU Privacy Shield and Transatlantic Data Flows (Sept. 22, 2021)
- Sharon Bradford Franklin, Lauren Sarkesian, Ross Schulman, Strengthening Surveillance Safeguards After Schrems II, New America (Apr. 7, 2021)
- Alex Joel, Protect Privacy. That’s an Order., Lawfare (Apr. 6, 2021)
- Congressional Research Service (CRS) Report: EU Data Transfer Requirements and U.S. Intelligence Laws: Understanding Schrems II and Its Impact on the EU-U.S. Privacy Shield (Mar. 17, 2021)
- Peter Margulies, Ira Rubinstein, EU Privacy Law and U.S. Surveillance: Solving the Problem of Transatlantic Data Transfers, Lawfare (Mar. 10, 2021)
- Theodore Christakis, Kenneth Propp, How Europe’s Intelligence Services Aim to Avoid the EU’s Highest Court—and What It Means for the United States, Lawfare (Mar. 8, 2021)
- Center for Democracy and Technology, Schrems II and the Need for Intelligence Surveillance Reform (Jan. 13, 2021)
- Cameron F. Kerry, The Oracle at Luxembourg: The EU Court of Justice Judges the World on Surveillance and Privacy, The Brookings Institution (Jan. 11, 2021)
- Peter Swire, Testimony by Peter Swire: U.S. Senate Commerce Committee Hearing “The Invalidation of the EU-U.S. Privacy Shield and the Future of Transatlantic Data Flows” (Dec. 9, 2020)
- Peter Swire, Appendix 1 to U.S. Senate Commerce Committee Testimony on “The Invalidation of the E.U.-U.S. Privacy Shield and the Future of Transatlantic Data Flows” (Dec. 9, 2020)
- Peter Swire, Appendix 2 to U.S. Senate Commerce Committee Testimony on “The Invalidation of the E.U.-U.S. Privacy Shield and the Future of Transatlantic Data Flows” (Dec. 9, 2020)
- Joshua P. Meltzer, Why Schrems II Requires US-EU Agreement on Surveillance and Privacy, The Brookings Institution (Dec. 8, 2020)
- Hunton Andrews Kurth, CJEU Restricts Indiscriminate Access to Electronic Communications for National Security Purposes (Oct. 12, 2020)
- Christopher Docksey, Schrems II and Individual Redress—Where There’s a Will, There’s a Way, Lawfare (Oct. 12, 2020)
- Kenneth Propp, Peter Swire, After Schrems II: A Proposal to Meet the Individual Redress Challenge, Lawfare (Aug. 13, 2020)
- Caitlin Fennessy, The ‘Schrems II’ decision: EU-US Data Transfers in Question, IAPP (July 16, 2020)
- Gary Weingarden, Privacy Across Borders: Enforcement and Prescriptive Jurisdiction, IAPP (Apr. 23, 2019)
- European Union Agency for Fundamental Rights, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU Volume II: Field Perspectives and Legal Update (2017)
- European Union Agency for Fundamental Rights, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU Volume I: Member States’ Legal Frameworks (2017)
- Data Matters, Essentially Equivalent, Sidley Austin LLP (Jan. 2016)
- Steven Greer, The Exceptions to Articles 8 to 11 of the European Convention on Human Rights, Council of Europe Publishing (1997)
Tools
Listed in Reverse Chronological Order
Due to the Schrems II decision, companies have had to change their data management practices to comply with the judgment. The following is a list of information on compliance tools that may help countries in their data transfers:
- International Association of Privacy Professionals, Transfer Impact Assessment Templates (2021)
- United Kingdom’s Information Commissioner’s Office, Draft International Transfer Risk Assessment and Tool (2021)
- My Privacy Is None of Your Business, GDPRhub (2021)
- The Software Alliance, Principles: Additional Safeguards for SCC Transfers (2020)
- European Data Protection Supervisor, International Transfers (2020)