¹ Anton Chekhov, Gooseberries, in Selected Stories of Anton Chekov 5793, 5793–94 (Richard Pevear & Larissa Volokhonsky trans., Kindle ed. 2009) (paraphrasing Alexander Pushkin).Google Scholar

² Directive 95/46, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31 (EC).Google Scholar

³ Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC [hereinafter GDPR], 2016 O.J. (L 119) 1 (Chapter V of the GDPR deals with international data transfers) (EU).Google Scholar

⁴ ECJ, Case C-362/14, Schrems v. Data Prot. Comm'r, ECLI:EU:C:2015:6506, Judgment of 6 October 2015.Google Scholar

⁵ Commission Decision 2000/520 of 26 July 2000 Pursuant to Directive 95/46 of the European Parliament and of the Council on the Adequacy of the Protection Provided by the Safe Harbour Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce, 2000 O.J. (L 215) 7. The European spelling “Safe Harbour” is used throughout because that is used by the Court; the American spelling “Safe Harbor” is used when it appears as such in original sources.Google Scholar

⁶ Opinion of Advocate General Bot, Case 362/14, Schrems v. Data Prot. Comm'r (Sept. 23, 2015), http://curia.europa.eu/juris/document/document.jsf?text=&docid=168421&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=297564.Google Scholar

⁷ See, e.g., Robinson, Duncan, Richard Waters & Murad Ahmed, US Tech Companies Overhaul Operations After EU Data Ruling, Fin. Times (Oct. 6, 2015), http://www.ft.com/intl/cms/s/0/5d75e65a-6bf8-11e5-aca9-d87542bf8673.html#axzz3vvmkIE7x; Mark Scott, Data Transfer Pact Between U.S. and Europe is Ruled Invalid, N.Y. Times (Oct. 6, 2015), http://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html?_r=0>..>Google Scholar

⁸ See European Commission Press Release, First Vice-President Timmermans and Commissioner Jourová's Press Conference on Safe Harbour Following the Court Ruling in Case C-362/14 (Schrems), (Oct. 6, 2015), http://europa.eu/rapid/press-release_STATEMENT-15-5782_en.htm.Google Scholar

⁹ See Brill, Julie, Former Comm'r, US FTC, Keynote Address Before the Amsterdam Privacy Conference, Transatlantic Privacy After Schrems: Time for an Honest Conversation (Oct. 23, 2015), https://www.ftc.gov/system/files/documents/public_statements/836443/151023amsterdamprivacy1.pdf; United States Mission to the EU, Safe Harbor Protects Privacy and Provides Trust in Data Flows that Underpin Transatlantic Trade, (Sept. 28, 2015), http://useu.usmission.gov/st-09282015.html.Google Scholar

¹⁰ See, e.g., Debate: The Schrems Case, Verfassungsblog, http://verfassungsblog.de/category/schwerpunkte/the-schrems-case/; Peter Swire, US Surveillance Law, Safe Harbor, and Reforms Since 2013 (Dec. 18, 2015), http://peterswire.net/wp-content/uploads/Schrems-White-Paper-12-18-2015.pdf.Google Scholar

¹¹ See Sidley Austin LLP, Essentially Equivalent: A Comparison of the Legal Orders for Privacy and Data Protection in the European Union and United States (2016), http://www.sidley.com/~/media/publications/essentially-equivalent—final.pdf.Google Scholar

¹² See Popp, Valentina, ECJ President on EU Integration, Public Opinion, Safe Harbor, Antitrust, Wall St. J. Blog, (Oct. 14, 2015, 4:05 AM), http://blogs.wsj.com/brussels/2015/10/14/ecj-president-on-eu-integration-public-opinion-safe-harbor-antitrust/tab/print/.Google Scholar

¹³ See Commission Implementing Decision 2016/1250 of 12 July 2016 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield, 2016 O.J. (L 207) 1, para. 137 (EU). The Privacy Shield has also been published in the US Federal Register. See Framework, Privacy Shield, 81 Fed. Reg. 51,042 (Aug. 2, 2016).Google Scholar

¹⁴ The list of companies that have joined the Privacy Shield can be consulted at https://www.privacyshield.gov/list.Google Scholar

¹⁵ See Agreement on the Protection of Personal Information Relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses, U.S.-EU, Feb 1, 2017 O.J. (L 336) 3. The Umbrella Agreement entered into force on February 1, 2017.Google Scholar

¹⁶ Council Decision 2016/2220 of 2 December 2016 on the Conclusion, on Behalf of the European Union, of the Agreement Between the United States of America and the European Union on the Protection of Personal Information Relating to the Prevention, Investigation, Detection, and Prosecution of Criminal Offences, 2016 O.J. (L 336) 1 (EU).Google Scholar

¹⁷ See Judicial Redress Act of 2015, H.R. 1428, 114th Cong. (2016).Google Scholar

¹⁸ See Opinion of Advocate General Mengozzi, Opinion 1/15, (Sept. 8, 2016), ECLI:EU:C:2016:656, http://curia.europa.eu/juris/document/document.jsf?docid=183140&doclang=EN&mode=req&occ=first. The judgment in the case had not yet been issued when this article was published.Google Scholar

¹⁹ Treaty on the Functioning of the European Union art. 15, Oct. 12, 2012, 2012 O.J. (C 326) 47.Google Scholar

²⁰ Charter of Fundamental Rights of the European Union art. 8, Dec. 18, 2000, 2000 O.J. (C 364/1) 389.Google Scholar

²¹ See Data Prot. Comm'r v. Facebook Ir. Ltd. & Anor 2016/4809 P [hereinafter “Schrems II”].Google Scholar

²² See Case T-670/16, Dig. Rights Ir. v. Comm'n, Sept. 16, 2016, O.J. (C 410) 26; Case T-738/16, La Quadrature du Net v. Comm'n, Oct. 25, 2016, O.J. (C 6) 39.Google Scholar

²³ See Schrems, Maximilian, Europe Versus Facebook, “Legal Procedure against ‘Facebook Ireland Limited‘”, http://europe-v-facebook.org/EN/Complaints/complaints.html, containing copies of the complaints against Facebook and other relevant documents in the case.Google Scholar

²⁴ See Schrems v. Data Prot. Comm'r [2014] 2 ILRM 441 (H. Ct.) (Ir.), [2014] I.E.H.C. 310; Schrems v Data Prot. Comm'r II [2014] 2 ILRM 506; [2014] I.E.H.C. 351.Google Scholar

²⁵ Commission Decision 2000/520, supra note 5.Google Scholar

²⁶ Article 25(6) of the Directive, supra note 2, provides as follows: The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals. Member States shall take the measures necessary to comply with the Commission's decision.Google Scholar

²⁷ Reference for a Preliminary Ruling from High Court of Ireland (Ireland), Case C-362/14, Schrems v. Data Prot. Comm'r (July 25, 2014), http://curia.europa.eu/juris/document/document.jsf?docid=157862&doclang=EN.Google Scholar

²⁸ Opinion of Advocate General Bot, supra note 6, at para. 237.Google Scholar

²⁹ See Popp, supra note 12, for a statement of CJEU President, Koen Lenaerts, noting that “[w]e are not judging the U.S. system here, we are judging the requirements of EU law in terms of the conditions to transfer data to third countries, whatever they be.”Google Scholar

³⁰ See, e.g., Schrems, supra note 4, at para. 93 (implying that data transferred to the US are subject to undifferentiated storage, access, and use, such as it criticized in ECJ, Joined Cases C-293/12 and C-594/12, Digital Rights Ireland & Seitlinger, ECLI:EU:C:2014:238, Judgment of 8 April 2014) and para. 96–97 (finding that the Commission had not stated that the US law ensures an adequate level of data protection).Google Scholar

³¹ See id. at para. 90.Google Scholar

³² See Digital Rights Ireland & Seitlinger, supra note 30.Google Scholar

³³ ECJ, Case C-131/12, Google Spain v. AEPD and Mario Costeja Gonzalez, ECLI:EU:C:2014:317, Judgment of 13 May 2014.Google Scholar

³⁴ Opinion of Advocate General Mengozzi, Opinion 1/15, supra note 18.Google Scholar

³⁵ See Lynskey, Orla, The Foundations of EU Data Protection Law 270–272 (2015); Christopher Docksey, Four Fundamental Rights: Finding the Balance, 6 Int'l Data Privacy L. 195, 198 (2016).Google Scholar

³⁶ See Schrems, supra note4, at para. 45.Google Scholar

³⁷ See Kuner, Christopher, Transborder Data Flows and Data Privacy Law 125–129 (2013).Google Scholar

³⁸ Case C-101/01, Bodil Lindqvist, 2003 E.C.R. I-12971.Google Scholar

³⁹ See Schrems, supra note 4, at para. 73.Google Scholar

⁴⁰ See Bradford, Anu, The Brussels Effect, 107 Nw. U. L. Rev. 1 (2013).Google Scholar

⁴¹ See Bygrave, Lee, Data Privacy Law: An International Perspective 6215–16 (Kindle ed. 2014); Paul De Hert & Vagelis Papakonstantinou, Three Scenarios for International Governance of Data Privacy: Towards an International Data Privacy Organization, Preferably a UN Agency?, 9 J. L. & Pol'y for Info. Soc'y 271, 287–88 (2013); Graham Greenleaf, The Influence of European Data Privacy Standards Outside Europe: Implications for Globalization of Convention 108, 2 Int'l Data Privacy L. 68 (2012).Google Scholar

⁴² See Popp, supra note 12 (including a statement by CJEU President, Koen Lenaerts, “[i]f this is also affecting some dealings internationally, why would Europe not be proud to contribute its requiring standards of respect of fundamental rights to the world in general?”).Google Scholar

⁴³ See Bamberger, Kenneth & Mulligan, Deirdre, Privacy on the Ground 65 (2015) (noting with regard to a survey of company privacy officers in the US that “respondents explained that European law plays a large role in shaping such company-wide privacy policies,” and that “the influence of US law was evidenced by specific activities such as Safe Harbor certification”).Google Scholar

⁴⁴ See Schrems, supra note 4, at para. 78.Google Scholar

⁴⁵ European Union Agency for Fundamental Rights, Data Protection in the European Union: The Role of National Data Protection Authorities, (2010), http://fra.europa.eu/sites/default/files/fra_uploads/815-Data-protection_en.pdf.Google Scholar

⁴⁶ See Simitis, Spiros & Dammann, Ulrich, EG-Datenschutzrichtlinie 275 (1997).Google Scholar

⁴⁷ Schrems, supra note4, at para. 43.Google Scholar

⁴⁸ See GDPR, supra note 3, art. 58(2)(j)Google Scholar

⁴⁹ See ECJ, Case C-399/11, Melloni v Ministerio Fiscal, ECLI:EU:C:2013:107, Judgment of 26 February 2013 (finding that when the EU legislator has harmonized fundamental rights protection in an exhaustive way, Member States are not allowed to “top up” fundamental rights protection).Google Scholar

⁵⁰ See GDPR, supra note 3, art. 60–76.Google Scholar

⁵¹ See, e.g., Schrems, supra note 4 at para. 38 (stating that “It should be recalled first of all that the provisions of Directive 95/46, inasmuch as they govern the processing of personal data liable to infringe fundamental freedoms, in particular the right to respect for private life, must necessarily be interpreted in the light of the fundamental rights guaranteed by the Charter”). Id. at para. 67 (stating that “It should be examined whether that decision complies with the requirements stemming from Directive 95/46 read in the light of the Charter”).Google Scholar

⁵² Id. at para. 39, 72, and 73.Google Scholar

⁵³ Id. at para. 78.Google Scholar

⁵⁴ Clara Rauchegger, The Interplay Between the Charter and National Constitutions after Åkerberg Fransson and Melloni, in The EU Charter of Fundamental Rights as a Binding Instrument 93, 122 (Sybe de Vries, Ulf Bernitz & Stephen Weatherill eds., 2015).Google Scholar

⁵⁵ Treaty on the Functioning of the European Union, supra note 19, at Article 4(2).Google Scholar

⁵⁶ Directive, supra note 2, art. 3(2)); GDPR, supra note 3, Recital 16.Google Scholar

⁵⁷ Rauchegger, supra note 54, at 97.Google Scholar

⁵⁸ Charter, supra note 20, art. 51(1). See Rauchegger, supra note 54, at 97.Google Scholar

⁵⁹ European Union Agency for Fundamental Rights, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU 11 (2015), http://fra.europa.eu/sites/default/files/fra_uploads/fra-2015-surveillance-intelligence-services_en.pdf.Google Scholar

⁶⁰ Art. 13(1)(a) provides that “Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard: (a) national security ….” Art. 23 of the GDPR, supra note 3, also allows restrictions to be put on data protection rights for national security reasons under strict conditions.Google Scholar

⁶¹ Art. 28(4) provides in part that, “Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply.”Google Scholar

⁶² See Violeta Moreno-Lax & Cathryn Costello, The Extraterritorial Application of the EU Charter of Fundamental Rights: From Territoriality to Facticity, the Effectiveness Model, in The EU Charter of Fundamental Rights, A Commentary 1657 (Steve Peers, Tamara Harvey, Jeff Kenner, & Angela Ward eds., 2014).Google Scholar

⁶³ See Bruno de Witte, Article 53—Level of Protection, in The EU Charter of Fundamental Rights, A Commentary, supra note 62, at 1527Google Scholar

When a legal situation is outside the scope of EU law and within the scope of domestic law, there is no problem: Article 53 of the Charter simply confirms the evident rule that national constitutional rights will fully apply to such cases, notwithstanding any divergent formulation of those rights in the Charter.Google Scholar

⁶⁴ See Cate, Fred H., Dempsey, James X., & Rubenstein, Ira S., Systematic Government Access to Private-Sector Data, 2 Int'L Data Privacy L. 195 (2012).Google Scholar

⁶⁵ See ECJ, Opinion 2/13, ECLI:EU:C:2014:2454, Opinion of 18 December 2014.Google Scholar

⁶⁶ See Koen Lenaerts & Jose Antonio Gutierrez-Fons, The Place of the Charter in the EU Constitutional Edifice, in The EU Charter of Fundamental Rights, A Commentary, supra note 62, at 1581 (stating that “if the ECtHR ever decides to lower the level of protection below that guaranteed by EU law, by virtue of Article 53 of the Charter, the CJEU will be precluded from interpreting the provisions of the Charter in a regressive fashion”).Google Scholar

⁶⁷ See Explanations Relating to the Charter of Fundamental Rights, 2007 O.J. (C 303) 17, 34.Google Scholar

⁶⁸ Rauchegger, supra note 54, at 125.Google Scholar

⁶⁹ See ECJ, Case C-300/11, ZZ v. Sec'y of State for the Home Dep't, ECLI:EU:C:2013:363, Judgment of 4 June 2014, para. 38 (holding that “the mere fact that a decision concerns State security cannot result in European Union law being inapplicable”). With regard to the related concepts of public policy and public security, see ECJ, Case C-348/09, P.I. v. Oberbürgermeisterin der Stadt Remscheid, EU:C:2012:300, Judgment of 22 May 2012, stating at paragraph 23 that: While Member States essentially retain the freedom to determine the requirements of public policy and public security in accordance with their national needs, which can vary from one Member State to another and from one era to another, particularly as justification for a derogation from the fundamental principle of free movement of persons, those requirements must nevertheless be interpreted strictly, so that their scope cannot be determined unilaterally by each Member State without any control by the institutions of the European Union.Google Scholar

See also Hijmans, Hielke, The European Union as Guardian of Internet Privacy 138–145 (2016).Google Scholar

⁷⁰ See European Union Agency for Fundamental Rights, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU, supra note 59, at 11.Google Scholar

⁷¹ See, e.g., Robertson, Geoffrey, Opinion of Geoffrey Robertson QC for Facebook, Fin. Times (Jan. 14, 2016), http://blogs.ft.com/brusselsblog/files/2016/01/Geoffrey-Robertson-QC.docx; Sidley Austin LLP, supra note 11; see also European Union Agency for Fundamental Rights, Surveillance by Intelligence Services, supra note 59; Stefan Heumann & Ben Scott, Law and Policy in Internet Surveillance Programs: United States, Great Britain and Germany, Stiftung Neue Verantwortung (Sep. 30 2013), http://www.stiftung-nv.de/publikation/law-and-policy-internet-surveillance-programs-united-states-great-britain-and-germany (regarding oversight of intelligence surveillance in the Member States).Google Scholar

⁷² See Greenwald, Glenn, No Place to Hide 1581, 1854–1900 (Kindle ed. 2014) (regarding the Five Eyes alliance).Google Scholar

⁷³ See Root, Vidya, French Intelligence Involved in NSA Spying in France, Bloomberg News, (Nov. 29, 2013), http://www.bloomberg.com/news/articles/2013-11-29/french-intelligence-involved-in-nsa-spying-in-france-monde-says.Google Scholar

⁷⁴ See Geheimdienst-Kooperation: BND leitet seit 2007 Daten an die NSA weiter, Online, Spiegel, (Aug. 8, 2013), http://www.spiegel.de/netzwelt/netzpolitik/geheimdienste-bnd-leitet-seit-2007-daten-an-die-nsa-weiter-a-915589.html.Google Scholar

⁷⁵ See Schrems, supra note4, at para. 73.Google Scholar

⁷⁶ Simitis & Dammann, supra note 46, at 273.Google Scholar

⁷⁷ Manuel José Cepeda Espinosa, Privacy, in The Oxford Handbook of Comparative Constitutional Law 967 (Michel Rosenfeld & András Sajó, eds., Kindle ed. 2012). This is true even between the different EU Member States. See Cartabia, Marta, Europe and Rights: Taking Dialogue Seriously, 5 Eur. Const. L. Rev. 5, 20 (2009).Google Scholar

⁷⁸ Jackson, Vicki C., Comparative Constitutional Law: Methodologies, in The Oxford Handbook of Comparative Constitutional Law, supra note 77, at 54 (mentioning classificatory, historical, normative, functional, and contextual approaches).Google Scholar

⁷⁹ See Greenleaf, Graham, Asian Data Privacy Laws 53 (2014).Google Scholar

⁸⁰ See Lenaerts, Koen, Ignace Maselis, & Kathleen Gutman, EU Procedural Law 15562 (Kindle ed. 2014) (noting that “under settled case-law, in the context of preliminary ruling proceedings, the Court of Justice is not entitled to rule on facts or points of national law, or to verify whether they are correct”).Google Scholar

⁸¹ See Schrems v. Data Prot. Comm'r, [2014] 2 I.L.R.M. 441 (H. Ct.) (Ir.), [2014] I.E.H.C. 310.Google Scholar

⁸² See M. Jänterä-Jareborg, Foreign Law in National Courts: A Comparative Perspective, 304 Recueil des Cours/Collected Courses of the Hague Acad. of Int'l L. 181, 233 (2003).Google Scholar

⁸³ See Lenaerts, Maselis, & Gutman, supra note 80, at 23573.Google Scholar

⁸⁴ See id. In Schrems II 2016/4809 P, the Irish High Court has allowed interventions by the US government and other external stakeholders. See Court, Irish High, Judgment of Mr. Justice McGovern, 19 July 2016, https://regmedia.co.uk/2016/07/19/facebook_eff_schrems.pdf.Google Scholar

⁸⁵ See Lenaerts, Maselis, and Gutman, supra note 80, at 19002–015 (noting that “it would be perfectly possible for measures of inquiry to be ordered pursuant to art. 64(2) of the ECJ Rules of Procedure”). Art 64(2) foresees such measures as “the commissioning of an expert's report”.Google Scholar

⁸⁶ The complete documentation of the Privacy Shield can be found at http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacyshield/index_en.htm and https://www.privacyshield.gov/EU-US-Framework.Google Scholar

⁸⁷ The principles include Notice, Choice, Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse Enforcement and Liability.Google Scholar

⁸⁸ These include Sensitive Data; Journalistic Exceptions; Secondary Liability; Performing Due Diligence and Conducting Audits; The Role of the Data Protection Authorities; Self-Certification; Verification; Access; Human Resources Data; Obligatory Contract for Onward Transfers; Dispute Resolution and Enforcement; Choice—Timing of Opt Out; Travel Information; Pharmaceutical and Medical Products; Public Record and Publicly Available Information; and Access Requests by Public Authorities.Google Scholar

⁸⁹ See, e.g., Sheftalovich, Zoya, 5 Takeaways from the Privacy Shield, Politico, Feb. 29, 2016, http://www.politico.eu/article/privacyshield-agreement-takeaways-text-released/ (stating that “the Council's biggest concern is how quickly the new arrangement can be up and running”).Google Scholar

⁹⁰ Article 29 Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield Draft Adequacy Decision, WP 238 (Apr. 13, 2016); European Data Protection Supervisor, Opinion on the EU-U.S. Privacy Shield Draft Adequacy Decision, Opinion 4/2016, (May 30, 2016).Google Scholar

⁹¹ See Trump, Donald J., Remarks at a Rally at the Greenville Convention Center in Greenville, North Carolina (Sept 6, 2016), http://www.presidency.ucsb.edu/ws/?pid=119197, (including Trump's statement that “we are going to eliminate every unconstitutional executive order and restore the rule of law to our land”).Google Scholar

⁹² See Commission Implementing Decision 2016/1250, supra note 13 (emphasizing in Recitals 68–69 the importance of US Presidential Policy Directive 28 of 17 January 2014 for the Privacy Shield).Google Scholar

⁹³ See GDPR, supra note 3, art. 45(2).Google Scholar

⁹⁴ For example, concerning the use of data protection impact assessments (art. 35 GDPR); data portability (art. 20 GDPR); and data protection by design and by default (art. 25 GDPR).Google Scholar

⁹⁵ See Commission Implementing Decision (EU) 2016/1250, supra note 13, note 208 (stating: As of the date of application of the General Data Protection Regulation, the Commission will make use of its powers to adopt, on duly justified imperative grounds of urgency, an implementing act suspending the present decision which shall apply immediately without its prior submission to the relevant comitology committee and shall remain in force for a period not exceeding six months.Google Scholar

(emphasis added)).Google Scholar

⁹⁶ See id. Recital 146.Google Scholar

⁹⁷ See Beck, Gunnar, The Legal Reasoning of the Court of Justice of the EU 234 (Kindle ed. 2012).Google Scholar

⁹⁸ See Lenaerts, Koen, How the ECJ Thinks: A Study on Judicial Legitimacy, 36 Fordham Int'l L. J. 1302, 1306 (2013).Google Scholar

⁹⁹ See Schrems II, supra note 21.Google Scholar

¹⁰⁰ See GDPR, supra note 3, art. 46.Google Scholar

¹⁰¹ See Directive 95/46, supra note 2, art. 26(1) (providing that the derogations provide a legal basis for data transfers to a third country “which does not ensure an adequate level of protection within the meaning of Article 25(2)”).Google Scholar

¹⁰² There are currently thirteen European Commission adequacy decisions in force, covering Andorra; Argentina; the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); Switzerland; the Faroe Islands; Guernsey; Israel; the Isle of Man; Jersey; New Zealand; the EU-US Privacy Shield; Uruguay; and transfers of passenger name records of air passengers transferred to the Canada Border Services Agency. In January 2017, the Commission announced that it will “actively engage with key trading partners in East and South-East Asia, starting from Japan and Korea in 2017, and, depending on progress towards the modernisation of its data protection laws, with India, but also with countries in Latin America, in particular Mercosur, and the European neighbourhood which have expressed an interest in obtaining an ‘adequacy finding.‘” See Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal Data in a Globalised World, at 8, COM (2017) 7 final, (Jan. 10, 2017).Google Scholar

¹⁰³ See, e.g., Schrems, supra note4, at para. 78 (stating that “review of the requirements stemming from Article 25 of Directive 95/46, read in the light of the Charter, should be strict”).Google Scholar

¹⁰⁴ See Commission Decision 2002/2 of 20 December 2001 Pursuant to Directive (EC) 95/46 of the European Parliament and of the Council on the Adequate Protection of Personal Data Provided by the Canadian Personal Information Protection and Electronic Documents Act, 2002 O.J. (L 2) 13 (EC); Commission Decision of 6 September 2005 on the Adequate Protection of Personal Data Contained in the Passenger Name Record of Air Passengers Transferred to the Canada Border Services Agency, 2005 O.J. (L 91) 49.Google Scholar

¹⁰⁵ See Commission Implementing Decision of 19 December 2012 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data by New Zealand, 2013 O.J. (L 28) 12.Google Scholar

¹⁰⁶ See Schrems, supra note 4, at para. 11.Google Scholar

¹⁰⁷ Id. at para. 30.Google Scholar

¹⁰⁸ Id. at para. 31.Google Scholar

¹⁰⁹ Commission Decision 2011/61 of 31 January 2011 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data by the State of Israel with Regard to Automated Processing of Personal Data, 2011 O.J. (L 27) 39 (EU). See Greenwald, supra note 72, at 1904 (stating that “the NSA has a surveillance relationship with israel that often entails cooperation as close as the Five Eyes partnership, if not sometimes even closer”).Google Scholar

¹¹⁰ See GDPR, supra note 3, art. 46–47.Google Scholar

¹¹¹ See Commission, European, Model Contracts for the Transfer of Personal Data to Third Countries, http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.Google Scholar

¹¹² See Kuner, Christopher, European Data Protection Law: Corporate Compliance and Regulation 191–208 (2d ed. 2007) (regarding the use of contractual clauses to transfer data). The GDPR deals with contractual clauses in art. 46.Google Scholar

¹¹³ See Moerel, Lokke, Binding Corporate Rules: Corporate Self-Regulation of Global Data Transfers (2012) (regarding BCRs).Google Scholar

¹¹⁴ See Model Contracts for the Transfer of Personal Data to Third Countries, supra note 111.Google Scholar

¹¹⁵ See Commission, European, opinions and Recommendations, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.Google Scholar

¹¹⁶ See Communication from the Commission to the European Parliament and the Council on the Transfer of Personal Data from the EU to the United States of America Under Directive 95/46/EC Following the Judgment by the Court of Justice in Case C-362/14 (Schrems), COM (2015) 566 final, (Nov. 6, 2015).Google Scholar

¹¹⁷ See schrems II, supra note 21.Google Scholar

¹¹⁸ See, e.g., Commission Decision 2010/87 of 5 February 2010 on Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries Under Directive 95/46/EC of the European Parliament and of the Council, 2010 O.J. (L 39) 5, art. 4(1)(a) (EC); Article 29 Working Party, Explanatory Document on Processor Binding Corporate Rules, WP 204 rev.01, (May 22, 2015) at 13.Google Scholar

¹¹⁹ See Schrems v. Data Prot. Comm'r, Written Submissions of Applicant, Europe Versus Facebook 24 http://www.europe-v-facebook.org/CJEU_subs.pdf.Google Scholar

¹²⁰ See Article 29 Working Party, Working Document Setting Forth a CoOperation Procedure for Issuing Common Opinions on “Contractual Clauses” Considered as Compliant with the EC Model Clauses, WP 226, (Nov. 24, 2014), at 2, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp226_en.pdf.Google Scholar

¹²¹ See GDPR, supra note 3, art. 46(2).Google Scholar

¹²² See EU Data Protection Directive, supra note 2, art. 28(6). See also ECJ, Case C-230/14, Weltimmo, ECLI:EU:C:2015:639, Judgment of 1 October 2015, para. 60.Google Scholar

¹²³ See, e.g., Commission Decision 2010/87 of 5 February 2010 on Standard Contractual Clauses for the Transfer of Personal Data to Processors, supra note 118, Clause 8, (EC) (giving DPAs the right to conduct an audit of the data importer).Google Scholar

¹²⁴ Article 29 Working Party, Working Document: Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive, WP 12, (July 24, 1998) at 24.Google Scholar

¹²⁵ See id. Google Scholar

¹²⁶ Article 29 Working Party, Working Document on a Common Interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995, WP 114, (Nov 25, 2005) at 11 (regarding consent).Google Scholar

¹²⁷ See GDPR, supra note 3, art. 49(1).Google Scholar

¹²⁸ See, e.g., Digital Rights Ireland & Seitlinger, supra note 30, para. 52; see also Paul Craig & Gràinne de Búrca, EU Law 532, 670 (4th ed. 2008); Takis Tridimas, The General Principles of EU Law 209 (2d ed. 2009).Google Scholar

¹²⁹ See, e.g., Fioretti, Julia, German Privacy Regulator Fines Three Firms over U.S. Data Transfers, Reuters (June 6, 2016), http://www.reuters.com/article/us-germany-dataprotection-usa-idUSKCN0YS23H (describing how the DPA of the German state of Hamburg fined three US companies for continuing to rely on the Safe Harbour after the Schrems judgment was issued); see also ULD Position Paper on the Judgment of the Court of Justice of the European Union of 6 October 2015, C-362/14, (Oct. 14, 2015), 4 https://www.datenschutzzentrum.de/uploads/internationales/20151014_ULD-PositionPapier-on-CJEU_EN.pdf (showing the data protection authority of the German federal state of Schleswig-Holstein's statement that, “In consistent application of the requirements explicated by the CJEU in its judgment, a data transfer on the basis of Standard Contractual Clauses to the US is no longer permitted”).Google Scholar

¹³⁰ See Reed, Chris, Making Laws for Cyberspace 49 (2012).Google Scholar

¹³¹ See Article 29 Working Party, The Future of Privacy WP 168 (Dec. 1, 2009), at 10–11 (regarding problems with the EU system for reaching adequacy determinations and stating that the process for reaching adequacy decisions should be “redesigned”).Google Scholar

¹³² See Kuner, supra note 37, at 48.Google Scholar

¹³³ For example, in July 2010 the government of Ireland delayed an EU adequacy decision for Israel based on alleged Israeli government involvement in the forging of Irish passports. See Ihle, John, Ireland Blocks EU Data Sharing with Israel, JTA (July 8, 2010), http://www.jta.org/2010/07/08/news-opinion/world/ireland-blocks-eu-data-sharing-with-israel. Israel later received an adequacy decision from the European Commission. See Commission Decision 2011/61 of 31 January 2011, supra note 109. See also Stoddart, Jennifer, Benny Chan, & Yann Joly, The European Union's Adequacy Approach to Privacy and International Data Sharing in Health Research, 44 J. L. Med. & Ethics 143 (2016) (criticizing the consistency of European Commission adequacy decisions).Google Scholar

¹³⁴ For the current status of Commission decisions concerning equivalence of foreign frameworks in the area of banking and finance, see http://ec.europa.eu/finance/general-policy/global/equivalence/index_en.htm. See Tzung-bor Wei, The Equivalence Approach to Securities Regulation, 27 Nw. J. Int'l L. & Bus. 255 (2006) (regarding the concept of “equivalence” in securities regulation).Google Scholar

¹³⁵ See Schrems, supra note 4, at para. 74; id. at para. 39 (referring to the need for “effective and complete” protection); id. at para. 41 (referring to the importance of ensuring the “effectiveness” of monitoring of compliance with the law by DPAs); id. at para. 81, 89, 91, 95 (stressing the need for protection of the fundamental right to data protection to be “effective”).Google Scholar

¹³⁶ See, e.g., Rotaru v. Romania 2000 Eur. Ct. H.R. 191, para. 67.Google Scholar

¹³⁷ See Art. 29 Working Party, Working Document: Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive WP 12 (July 24, 1998), at 5 (stating that “data protection rules only contribute to the protection of individuals if they are followed in practice”).Google Scholar

¹³⁸ See Directorate-General for Communication, Special Eurobarometer 431: Data Protection, 25 (June 2015), http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_sum_en.pdf.Google Scholar

¹³⁹ See Schrems, supra note 4, at para. 84–86.Google Scholar

¹⁴⁰ Id. at para. 88.Google Scholar

¹⁴¹ Id. at para. 89.Google Scholar

¹⁴² See Self-Certification, Export.gov, Privacy Shield Program (July 6, 2016) https://www.export.gov/article?id=6-Self-Certification.Google Scholar

¹⁴³ See How to Join Privacy Shield (Part 1), Export.gov, Privacy Shield Program (Apr. 13, 2017), https://www.export.gov/article?id=How-to-Join-Privacy-Shield-part-1.Google Scholar

¹⁴⁴ See How to Join Privacy Shield (Part 2), Export.gov, Privacy Shield Program (Apr. 13, 2017) https://www.export.gov/article?id=How-to-Join-Privacy-Shield-part-2.Google Scholar

¹⁴⁵ See Commission Implementing Decision 2016/1250 of 12 July 2016, supra note 13, Recitals 147–48.Google Scholar

¹⁴⁶ Id. Recital 65.Google Scholar

¹⁴⁷ See Agreement on the Protection of Personal information, supra note 15.Google Scholar

¹⁴⁸ See Judicial Redress Act of 2015, supra note 17.Google Scholar

¹⁴⁹ See Anupam Chander & Uyê P. Lê, Data Nationalism, 64 Emory L. J. 677 (2015) (regarding data localization); Christopher Kuner, Data Nationalism and its Discontents, 64 Emory L.J. Online 2089 (2015), http://law.emory.edu/elj/_documents/volumes/64/online/kuner.pdf.Google Scholar

¹⁵⁰ See Atos CEO Calls for ‘Schengen for Data,‘ Thierry Breton's Blog, http://www.thierry-breton.com/lire-lactualite-media-41/items/atos-ceo-calls-for-schengen-for-data.html; Ein Internet nur für Deutschland, Frankfurter Allgemeine Zeitung, (Nov. 10, 2013), http://www.faz.net/aktuell/wirtschaft/netzwirtschaft/plaene-der-telekom-ein-internet-nur-fuer-deutschland-12657090.html.Google Scholar

¹⁵¹ See Communication from the Commission to the European Parliament and the Council on the Transfer of Personal Data from the EU to the United States of America, supra note 116, at 12; see also Murad Ahmed & Richard waters, Microsoft Unveils German Data Plan to Tackle US Internet Spying, Fin. Times, (Nov. 11, 2015) http://www.ft.com/intl/cms/s/0/540a296e-87ff-11e5-9f8c-a8d619fa707c.html#axzz3vvmkIE7x; Karlin Lillington, Oracle Keeps European Data Within Its EU-Based Data Centres, Ir. Times, (Oct. 28, 2015), http://www.irishtimes.com/business/technology/oracle-keeps-european-data-within-its-eu-based-data-centres-1.2408505?mode=print&ot=example.AjaxPageLayout.ot; Schwartz, Paul M. & Karl-Nikolaus Peifer, Datentreuhändermodelle – Sicherheit vor Herausgabeverlangen US-amerikanischer Behörden und Gerichte?, 3 Computer und Recht 165 (2017).Google Scholar

¹⁵² See ECJ, Joined Cases C-203/15 and C-698/15, Tele2 Sverige AB & Sec'y of State for the Home Dep't, ECLI:EU:C:2016:970, Judgment of 21 December 2016, at para. 114.Google Scholar

¹⁵³ For example, as of June 2015, 57% of Europeans use an online social network at least once a week, and 53% use instant messaging or chat websites. See Directorate-General for Communication, Special Eurobarometer 431: Data Protection, 24 (June 2015), http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_sum_en.pdf.Google Scholar

¹⁵⁴ See Universal Declaration of Human Rights, G.A. Res. 217 (III) A, U.N. Doc. A/RES/217(III), Dec. 10, 1948, art. 19; International Covenant on Civil and Political Rights, Dec. 16, 1966, S. Exec. Rep. 102–23, 999 U.N.T.S. 171, Article 19(2); European Convention for the Protection of Human Rights and Fundamental Freedoms, Sept. 3, 1953, E.T.S. 5, 213 U.N.T.S. 221, Article 10(1).Google Scholar

¹⁵⁵ In each of the three human rights conventions referred to above in note 154, the phrase “regardless of frontiers” is mentioned in the article dealing with freedom of opinion and of expression (for example, in the articles cited therein).Google Scholar

¹⁵⁶ See, e.g., Brownlie, Ian, Principles of Public International Law 309 (7th ed. 2008).Google Scholar

¹⁵⁷ See, e.g., EU Data Protection Directive, supra note 2, art. 28(6) (obliging EU DPAs to cooperate with each other); Council Regulation 44/2001 of 22 December 2000 on Jurisdiction and the Recognition and Enforcement of Judgments in Civil and Commercial Matters, 2001 O.J. (L 12) 1 (EC).Google Scholar

¹⁵⁸ See, e.g., Greenwald, supra note 72, at 1852–1926 (stating that there is a wide-ranging intelligence sharing network between US intelligence agencies such as the National Security Agency (NSA) and those of other countries, including both the Five Eyes countries and others such as Israel); Maik Baumgärtner et al., Spying Close to Home: German Intelligence under Fire for NSA Cooperation, Spiegel Online (Apr. 24, 2015), http://www.spiegel.de/international/germany/german-intelligence-agency-bnd-under-fire-for-nsa-cooperation-a-1030593.html (criticizing cooperation between the German intelligence services and those of the US); Julian Border, GCHQ and European Spy Agencies Worked Together on Mass Surveillance, The Guardian (Nov. 1, 2013), http://www.theguardian.com/uk-news/2013/nov/01/gchq-europe-spy-agencies-mass-surveillance-snowden, (alleging close cooperation between the British, French, German, Spanish, and Swedish intelligence agencies).Google Scholar

¹⁵⁹ See Greenwald, supra note 72, at 1857 (stating that the GCHQ is the “closest NSA ally”); Marko Milanovic, Human Rights Treaties and Foreign Surveillance: Privacy in the Digital Age, 56 Harv. Int'l L. Rev. 81, 126 (2015).Google Scholar

¹⁶⁰ See, e.g., Release, Press, Transatlantic Consumer Dialogue (TACD), Transatlantic Consumer Dialogue (TACD) Organization Calls on US to Enact Privacy Legislation to Ensure Fundamental Rights, http://tacd.org/wp-content/uploads/2015/10/TACD-Statement-in-response-to-the-European-Court-of-Justice-ruling-on-Safe-Harbor-agreement-.pdf (stating that “It is also more than high time for the United States to enact a comprehensive set of data protection rules, to bring it in line with 100 plus other countries round the world”). The TACD includes numerous consumer organizations in both the EU and the US, with the majority being European.Google Scholar

¹⁶¹ See, e.g., Atkinson, Robert D., Don't Just Fix Safe Harbour, Fix the Data Protection Regulation, EURACTIV (Dec. 18, 2015), http://www.euractiv.com/sections/digital/dont-just-fix-safe-harbour-fix-data-protection-regulation-320567 (containing a statement in which the president of a Washington-based think-tank urges reform of EU data protection law in order to facilitate data flows).Google Scholar

¹⁶² See, e.g., Baker, Stewart, Time to Get Serious About Europe's Sabotage of US Terror Intelligence Programs, Wash. Post (Jan. 5, 2016), https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/01/05/time-to-get-serious-about-europes-sabotage-of-us-terror-intelligence-programs/.Google Scholar

¹⁶³ See, e.g., April Dembosky & James Fontanella-Khan, US Tech Groups Criticized for EU Lobbying, Fin. Times (Feb. 4, 2013), http://www.ft.com/intl/cms/s/0/e29a717e-6df0-11e2-983d-00144feab49a.html#axzz40hMUmieK; Francesco Guarascio, US Lobbying Waters Down EU Data Protection Reform, EURACTIV (Feb. 21, 2012), http://www.euractiv.com/section/digital/news/us-lobbying-waters-down-eu-data-protection-reform/.Google Scholar

¹⁶⁴ See, e.g., Williams, Katie Bo, Last-Minute Change to Privacy Bill Adds Tension to US-EU Talks, The Hill (Jan. 28, 2016), http://thehill.com/policy/cybersecurity/267401-last-minute-change-to-privacy-bill-adds-tension-to-us-eu-negotiations (quoting US Senator John Cornyn as stating with regard to adoption by the US of the Judicial Redress Act, which gives rights under the US Privacy Act to Europeans, when he stated that “U.S. companies should not have to endure regulatory threats in an attempt to change our policy or laws.”). The Act was signed into law by President Obama on 24 February 2016. See Judicial Redress Act of 2015, supra note 17.Google Scholar

¹⁶⁵ Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal Data in a Globalised World, supra note 102, at 8.Google Scholar

¹⁶⁶ Martti Koskenniemi, The Politics of International Law 4421 (Kindle ed. 2011). See also Weiler, J.H.H., Fundamental Rights and Fundamental Boundaries: On the Conflict of Standards and Values in the Protection of Human Rights in the European Legal Space, in The Constitution of Europe: “Do the New Clothes Have an Emperor?” And Other Essays on European Integration 106 (1999) (stating that “Human rights are almost invariably the expression of a compromise between competing social goods in the polity”).Google Scholar

¹⁶⁷ See James Q Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151, 1219–1221 (2004).Google Scholar

¹⁶⁸ Peter Schlosser, Der Justizkonflikt zwischen den USA und Europa 42 (Peter Schlosser trans., 1985).Google Scholar

¹⁶⁹ Peter Hustinx, EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation, Eur. Data Prot. Supervisor 43 (Sept. 15, 2014), https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2014/14-09-15_Article_EUI_EN.pdf.Google Scholar

¹⁷⁰ Andreas Fischer-Lescano & Gunther Teubner, Regime-Collisions: The Vain Search for Legal Unity in the Fragmentation of Global Law, 25 Mich. J. Int'l L. 999, 1045 (2003).Google Scholar