¹ Privacy Shield Agreement, EU-U.S., Feb. 2, 2016, at https://www.commerce.gov/sites/commerce.gov/files/media/files/2016/eu_us_privacy_shield_full_text.pdf.pdf [hereinafter Privacy Shield]; Fact Sheet: Overview of the EU-U.S. Privacy Shield Framework, Dep’t of Commerce (Feb. 29, 2016), at https://www.commerce.gov/news/fact-sheets/2016/02/fact-sheet-overview-eu-us-privacy-shield-framework [hereinafter Dep’t of Commerce Fact Sheet]. See also European Commission Unveils EU-U.S. Privacy Shield, European Commission (Feb. 29, 2016), at http://ec.europa.eu/justice/newsroom/data-protection/news/160229_en.htm; European Commission Press Release, EU Commission and United States Agree on New Framework for Transatlantic Data Flows: EU-U.S. Privacy Shield (Feb. 2, 2016), at http://europa.eu/rapid/press-release_IP-16-216_en.htm [hereinafter EC Feb. 2 Press Release] (describing the Privacy Shield as a political agreement).

² Scott, Mark, European Privacy Regulators Want Details on “Safe Harbor” Data Deal N.Y. Times, Feb. 3, 2016, at B3 Google Scholar.

³ Andrea Peterson, The Massive New Privacy Deal Between U.S. and Europe, Explained, Wash. Post (Feb. 2, 2016), at https://www.washingtonpost.com/news/the-switch/wp/2016/02/02/the-massive-new-privacy-deal-be-tween-u-s-and-europe-explained/.

⁴ Safe Harbor Privacy Principles, U.S. Dep’t of Commerce (July 21, 2000), at http://web.archive.org/web/20150908060809/http://export.gov/safeharbor/eu/eg_main_018475.asp. See also Dep’t of Commerce, U.S.-EU Safe Harbor Framework: A Guide to Self-Certification (2009) [hereinafter Safe Harbor Framework], available at http://trade.gov/media/publications/pdf/safeharbor-selfcert2009.pdf

⁵ European Commission Press Release, European Commission Calls on the U.S. to Restore Trust in EU-U.S. Data Flows (Nov. 27, 2013), at http://europa.eu/rapid/press-release_IP-13-1166_en.htm.

⁶ Case C-362/14, Maximillian Schrems v. Data Protection Comm’r (June 25, 2013), at http://curia.europa.eu/juris/celex.jsf?celex=62001CJ0286&lang1=en&type=TXT&ancre=[hereinafter Schrems]. See also Megan Graham, Adding Some Nuance to the European Court’s Safe Harbor Decision, Just Security (Oct. 7, 2015), at https://www.justsecurity.org/26651/adding-nuance-ecj-safe-harbor-decision/.

⁷ See Article 29 Working Party, Statement of the Article 29 Working Party (Oct. 16, 2015), at http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf [hereinafter Article 29 Working Party Statement]. See also Zoya Sheftalovich, The Phone Call that Saved Safe Harbor, Politico (Feb. 5, 2016), at http://www.politico.eu/article/the-phone-call-that-saved-safe-harbor-john-kerry-frans-timmermans/.

⁸ European Commission Press Release, EU-U.S. Privacy Shield: Frequently Asked Questions (Feb. 29, 2016), at http://europa.eu/rapid/press-release_MEMO-16-434_en.htm; Privacy Shield, supra note 1, at 5 (Letter from Under Secretary for Trade Stefan Stelig to EU Commissioner Vera Jourova (Feb. 23, 2016)).

⁹ See infra notes 48–50.

¹⁰ See infra notes 60–61.

¹¹ See infra notes 66–68.

¹² See infra note 43.

¹³ Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L. 281) [hereinafter Data Protection Directive]. The Directive will be replaced by the General Data Protection Regulation, which will create a “single set of rules” regarding the transfer of personal data while increasing mechanisms for individuals’ access to information on how their data is processed. European Commission Press Release, Agreement on Commission’s EU Data Protection Reform will Boost Digital Single Market (Dec. 15, 2015), at http://europa.eu/rapid/press-release_IP-15-6321_en.htm.

¹⁴ Data Protection Directive, supra note 13, Art. 25(1).

¹⁵ Id. Art. 25(2). This provision continues: “[P]articular consideration shall be given to the nature of the data, the purposes and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rule of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.” Id.

¹⁶ Id. Art. 25(6).

¹⁷ Safe Harbor Framework, supra note 4, at 10.

¹⁸ Id. at 4–6.

¹⁹ Id. at 4 (“The decision by U.S. organizations to enter the Safe Harbor is entirely voluntary. Organizations that decide to participate in the Safe Harbor must comply with the Safe Harbor’s requirements and publicly declare that they do so. To be assured of Safe Harbor benefits, an organization needs to self-certify annually in writing to the Department of Commerce that it agrees to adhere to the Safe Harbor’s requirements, which include elements such as notice, choice, access, and enforcement. It must also state in its published privacy policy statement complies with the U.S.-EU Safe Harbor Framework and that it has certified its adherence to the Safe Harbor Privacy Principles.”). See also Scott, Mark, U.S. and Europe in “ Safe Harbor” Data Deal, but Legal Fight May Await, N.Y. Times, Feb. 2, 2016, at B1 Google Scholar.

²⁰ For example, as an alternative, parties might use Standard Contractual Clauses. See European Union Agency for Fundamental Rights & Council of Europe, Handbook on European Data Protection Law 137 (2014), available at http://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf. Both the data-exporting controller and third-party recipient (the American company) would sign the clause, which had been developed by the European Commission. This, in turn, would “provide the supervisory authority with sufficient proof that adequate safeguards are in place.” Id. at 137. See also Model Contracts for the Transfer of Personal Data to Third Countries, European Commission (Feb. 12, 2015), at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm.

²¹ Commission Decision 2000/520/EC, 2000 O.J. (L 215) 8.

²² Schrems, supra note 6, para 28. See also Barton Gellman, Julie Tate & Ashkan Soltani, In NSA-Intercepted Data, Those not Targeted far Outnumber the Foreigners Who Are, Wash. Post (July 5, 2014), at https://www.washingtonpost.com/world/national-security/in-nsa-intercepted-data-those-not-targeted-far-outnumber-the-foreigners-who-are/2014/07/05/8139adf8-045a-11e4-8572-4b1b969b6322_story.html;Barton Gellman & Laura Poitras, U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program, Wash. Post ( June 7, 2013), at https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html. See also Daugirdas, Kristina & Mortenson, Julian Davis, Contemporary Practice of the United States, 108 AJIL 783, 816 (2014)Google Scholar.

²³ Schrems, supra note 6, para. 28.

²⁴ Id., para. 29.

²⁵ Id., para. 30.

²⁶ Id., para. 36.

²⁷ Id., paras. 98, 104 – 05. See also European Commission, Communication from the Commission to the European Parliament and Council on the Transfer of Personal Data from the EU to the United State of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems), COM(2015) 566 final (Nov. 6, 2015).

²⁸ Schrems, supra note 6, para. 73.

²⁹ Id., para. 75.See also Case C-362/14, Maximillian Schrems v. Data Protection Comm’r, Opinion of Advocate General Bot, para. 82 (Sept. 23, 2015), at http://curia.europa.eu/juris/document/document.jsf?docid=168421&doclang=EN (“It is undisputed, as set out in Article 25(2) of Directive 95/46, that the adequacy of the level of protection afforded by a third country is to be assessed in the light of a range of circumstances, both factual and legal. If one of those circumstances changes and appears to be such as to call into question the adequacy of the level of protection afforded by a third country, the national supervisory authority to which a complaint has been submitted must be able to draw the appropriate conclusions in relation to the contested transfer.”).

³⁰ Schrems, supra note 6, para. 8.

³¹ Id., para. 86.

³² Id., para. 87.

³³ Id., paras. 90–96.

³⁴ Id., para. 98.

³⁵ CJEU Press Release, The Court of Justice Declares that the Commission’s U.S. Safe Harbour Decision is Invalid (Oct. 6, 2015), at http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf.

³⁶ Schrems, supra note 6, para. 94.

³⁷ Christopher Kuner, Reality and Illusion in EU Data Transfer Regulation Post Schrems, University of Cambridge Legal Studies Research 14/2016, March 2016, at 29; Martin Scheinin, Mass Surveillance and the Right to Privacy: Adding Nuance to the Schrems Case, Just Security (Oct. 13, 2015), at https://www.justsecurity.org/26781/adding-nuance-context-max-schrems-case-safe-harbor; Scott, Mark, Data Transfer Pact Between U.S. and Europe is Ruled Invalid, N.Y. Times, Oct. 6, 2015, at B1 Google Scholar.

³⁸ Scott, supra note 20. Article 29 Working Party Statement, supra note 7 (noting that unless an agreement is reached by the end of January 2016, “EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”).

³⁹ Sheftalovich, supra note 7.

⁴⁰ See supra note 1.

⁴¹ Dep’t of Commerce Fact Sheet, supra note 1.

⁴² Privacy Shield, supra note 1, at 19.

⁴³ European Commission Press Release, Restoring Trust in Transatlantic Data Flows through Strong Safeguards: European Commission Presents EU-U.S. Privacy Shield (Feb. 29, 2016), at http://europa.eu/rapid/press-release_IP-16-433_en.htm. See also Fact Sheet, EU-U.S. Privacy Shield, European Commission (Feb. 2016), at http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_eu-us_privacy_shield_en.pdf.

⁴⁴ Privacy Shield, supra note 1, at 18 (EU-U.S. Privacy Shield Principles) (citing 15 U.S.C. § 1512, which provides: “It shall be the province and duty of said Department to foster, promote, and develop the foreign and domestic commerce, the mining, manufacturing, and fishery industries of the United States; and to this end it shall be vested with jurisdiction and control of the departments, bureaus, offices, and branches of the public service hereinafter specified, and with such other powers and duties as may be prescribed by law”).

⁴⁵ Privacy Shield, supra note 1, at 18 (EU-U.S. Privacy Shield Principles); id. at 4 (Letter from Under Secretary for Trade Stefan Stelig to EU Commissioner Vera Jourova).

⁴⁶ Id. at 19 (EU-U.S. Privacy Shield Principles).

⁴⁷ Id. at 21 (including “the type or identity of third parties to which it discloses personal information”). See also Id. at 5 (Letter from Under Secretary for Trade Stefan Stelig to EU Commissioner Vera Jourova).

⁴⁸ Id. at 22 (EU-U.S. Privacy Shield Principles).

⁴⁹ Id. at 20.

⁵⁰ Id. at 6–9 (Letter from Under Secretary for Trade Stefan Stelig to EU Commissioner Vera Jourova).

⁵¹ Id. at 9.

⁵² Id. at 68–73 (Letter from FTC Chairwoman Edith Ramirez to EU Commissioner Vera Jourova (Feb. 23, 2016)). The FTC has cited its authority under the Federal Trade Commission Act “to protect consumers worldwide from practices taking place in the United States” as the basis for its authority to undertake enforcement actions outlined in the Privacy Shield. Privacy Shield, supra note 1, at 75–76 (The EU-U.S. Privacy Shield Framework in Context).See also 15 U.S.C.§45(a)(4); Federal Trade Commission Press Release, Statement of FTC Chairwoman Edith Ramirez on EU-U.S. Privacy Shield Framework (Feb. 29, 2016), at https://www.ftc.gov/news-events/press-releas-es/2016/02/statement-ftc-chairwoman-edith-ramirez-eu-us-privacy-shield-0.

⁵³ Privacy Shield, supra note 1, at 28 (EU-U.S. Privacy Shield Principles).

⁵⁴ Id. at 72–73 (Letter from FTC Chairwoman Edith Ramirez to EU Commissioner Vera Jourova). See also EC Feb. 2 Press Release, supra note 1.

⁵⁵ Privacy Shield, supra note 1, at 71 (Letter from FTC Chairwoman Edith Ramirez to EU Commissioner Vera Jourova). See also Dep’t of Commerce Fact Sheet, supra note 1.

⁵⁶ Privacy Shield, supra note 1, at 39 (EU-U.S. Privacy Shield Principles).

⁵⁷ Id. at 24.

⁵⁸ Id. at 41.

⁵⁹ Id. at 40. See also id. (Annex I: Arbitral Model).

⁶⁰ Id. at 49 (Annex I: Arbitral Model).

⁶¹ Id.

⁶² Id. at 105 (Letter from Director of National Intelligence General Counsel Robert Litt to U.S. Dep’t of Commerce Counselor Justin Antonipillai and Int’l Trade Adm’n Deputy Assistant Sec’y Ted Dean).

⁶³ Id. at 124–28 (Letter from Deputy Assistant Attorney General Bruce Swartz to U.S. Dep’t of Commerce Counselor Justin Antonipillai and Int’l Trade Adm’n Deputy Assistant Sec’y Ted Dean).

⁶⁴ Id. at 57 (EU-U.S. Privacy Shield Framework Mechanism Regarding Signals Intelligence). See also Department of Commerce Fact Sheet, supra note 1; EC Feb. 2 Press Release, supra note 1. The Department of State has cited Section 4(d) of Presidential Policy Directive 28—directing the Secretary of State to designate a senior official to “serve as point of contact for foreign governments who wish to raise concerns regarding signals intelligence activities conducted by the United States”—as the basis for the creation of the Ombudsperson. Privacy Shield, supra note 1, at 55 (EU-US Privacy Shield Framework Mechanism Regarding Signals Intelligence).

⁶⁵ Id. at 54 (Letter from Sec’y of State John Kerry to EU Commissioner Vera Jourova (Feb. 22, 2016)).

⁶⁶ Ellen Nakashima & Andrea Peterson, European and US Negotiators Agree on New “ Safe Harbor” Data Deal, Wash. Post (Feb. 2, 2016), at https://www.washingtonpost.com/world/national-security/european-and-us-negotiators-agree-on-new-safe-harbor-data-deal/2016/02/02/f576e706-c9e5-11e5-a7b2-5a2f824b02c9_story.html. See also Department of Commerce Press Release, Statement from U.S. Sec’y of Commerce Penny Pritzker on EU-U.S. Privacy Shield (Feb. 2, 2016), at https://www.commerce.gov/news/press-releases/2016/02/state-ment-us-secretary-commerce-penny-pritzker-eu-us-privacy-shield.

⁶⁷ Nakashima & Peterson, supra note 66. Scott, supra note 19.

⁶⁸ Scott, supra note 19.