Non-EU Use
Decision
Article 1
1. For the purposes of Article 25(2) of Directive 95/46/EC, the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.
2. The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July 2016 as set out in Annex II and the official representations and commitments contained in the documents listed in Annexes I, III to VII.
3. For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are transferred from the Union to organisations in the United States that are included in the ‘Privacy Shield List’, maintained and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the Principles set out in Annex II.
Article 2
This Decision does not affect the application of the provisions of Directive 95/46/EC other than Article 25(1) that pertain to the processing of personal data within the Member States, in particular Article 4 thereof.
Article 3
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to an organisation in the United States that is included in the Privacy Shield List in accordance with Sections I and III of the Principles set out in Annex II in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall inform the Commission without delay.
Article 4
1. The Commission will continuously monitor the functioning of the EU-U.S. Privacy Shield with a view to assessing whether the United States continues to ensure an adequate level of protection of personal data transferred thereunder from the Union to organisations in the United States.
2. The Member States and the Commission shall inform each other of cases where it appears that the government bodies in the United States with the statutory power to enforce compliance with the Principles set out in Annex II fail to provide effective detection and supervision mechanisms enabling infringements of the Principles to be identified and punished in practice.
3. The Member States and the Commission shall inform each other of any indications that the interferences by U.S. public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, and/or that there is no effective legal protection against such interferences.
4. Within one year from the date of the notification of this Decision to the Member States and on a yearly basis thereafter, the Commission will evaluate the finding in Article 1(1) on the basis of all available information, including the information received as part of the Annual Joint Review referred to in Annexes I, II and VI.
5. The Commission will report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC.
6. The Commission will present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to suspending, amending or repealing this Decision or limiting its scope, among others, where there are indications:
— that the U.S. public authorities do not comply with the representations and commitments contained in the documents annexed to this Decision, including as regards the conditions and limitations for access by U.S. public authorities for law enforcement, national security and other public interest purposes to personal data transferred under the EU-U.S. Privacy Shield,
— of a systematic failure to effectively address complaints by EU data subjects, or
— of a systematic failure by the Privacy Shield Ombudsperson to provide timely and appropriate responses to requests from EU data subjects as required by Section 4(e) of Annex III.
The Commission will also present such draft measures if the lack of cooperation of the bodies involved in ensuring the functioning of the EU-U.S. Privacy Shield in the United States prevents the Commission from determining whether the finding in Article 1(1) is affected.
Article 5
Member States shall take all the measures necessary to comply with this Decision.
Article 6
This Decision is addressed to the Member States.
Done at Brussels, 12 July 2016.
For the Commission
Věra JOUROVÁ
Member of the Commission
Footnotes
(1) OJ L 281, 23.11.1995, p. 31.
(2) See Opinion 4/2016 on the EU-U.S. Privacy Shield draft adequacy decision, published 30 May 2016.
(3) Case C-362/14, Maximillian Schrems v Data Protection Commissioner (‘Schrems’), EU:C:2015:650, paragraph 39.
(4) Case C-553/07, Rijkeboer, EU:C:2009:293, paragraph 47; Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Others, EU:C:2014:238, paragraph 53; Case C-131/12, Google Spain and Google, EU:C:2014:317, paragraphs 53, 66 and 74.
(5) Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the U.S. Department of Commerce (OJ L 215, 28.8.2000, p. 7).
(6) Communication from the Commission to the European Parliament and the Council Rebuilding Trust in EU-U.S. Data Flows, COM(2013) 846 final of 27 November 2013.
(7) Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies established in the EU, COM(2013) 847 final of 27 November 2013.
(8) See e.g. Council of the European Union, Final Report by EU-US High Level Contact Group on information sharing and privacy and personal data protection, Note 9831/08, 28 May 2008, available on the internet at: http://www.europarl.europa.eu/document/activities/cont/201010/20101019ATT88359/20101019ATT88359EN.pdf.
(9) Report on the Findings by the EU Co-chairs of the ad hoc EU-U.S. Working Group on Data Protection, 27 November 2013, available on the internet at: http://ec.europa.eu/justice/data-protection/files/report-findings-of-the-ad-hoc-eu-us-working-group-on-data-protection.pdf.
(10) See footnote 3.
(11) Schrems, paragraph 97.
(12) Schrems, paragraphs 73-74.
(13) Schrems, paragraphs 88-89.
(14) See Annex II, Sec. III.10.a. In line with the definition in Sec. I.8.c., the EU controller will determine the purpose and means of processing of the personal data. Moreover, the contract with the agent has to make clear whether onward transfers are allowed (see Sec. III.10.a.ii.2.).
(15) This applies also where human resources data transferred from the Union in the context of the employment relationship are concerned. While the Principles stress the ‘primary responsibility’ of the EU employer (see Annex II, Sec. III.9.d.i.), they at the same time make clear that its conduct will be covered by the rules applicable in the Union and/or respective Member State, not the Principles. See Annex II, Sec. III.9.a.i., b.ii., c.i., d.i.
(16) This applies also to processing that takes place through the use of equipment situated in the Union but used by an organisation established outside the Union (see Article 4(1)(c) of Directive 95/46/EC). As of 25 May 2018, the General Data Protection Regulation (GDPR) will apply to the processing of personal data (i) in the context of the activities of an establishment of a controller or processor in the Union (even where the processing takes place in the United States), or (ii) of data subjects who are in the Union by a controller or processor not established in the Union where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. See Article 3(1), (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(17) The present decision has EEA relevance. The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Directive 95/46/EC, is covered by the EEA Agreement and has been incorporated into Annex XI thereof. The EEA Joint Committee has to decide on the incorporation of the present decision into the EEA Agreement. Once the present decision applies to Iceland, Liechtenstein and Norway, the EU-U.S. Privacy Shield will also cover these three countries and references in the Privacy Shield package to the EU and its Member States shall be read as including Iceland, Liechtenstein and Norway.
(18) See Annex II, Sec. III.6.e.
(19) Special rules providing additional safeguards apply for human resources data collected in the employment context as laid down in the supplemental principle on ‘Human Resources Data’ of the Privacy Principles (See Annex II, Sec. III.9). For instance, employers should accommodate the privacy preferences of employees by restricting access to the personal data, anonymising certain data or assigning codes or pseudonyms. Most importantly, organisations are required to cooperate and comply with the advice of Union Data Protection Authorities when it comes to such data.
(20) This applies to all data transfers under the Privacy Shield, including where these concern data collected through the employment relationship. While a self-certified U.S. organisation may in principle use human resources data for different, non-employment-related purposes (e.g. certain marketing communications), it must respect the prohibition on incompatible processing and moreover may do so only in accordance with the Notice and Choice Principles. The prohibition on the U.S. organisation to take any punitive action against the employee for exercising such choice, including any restriction of employment opportunities, will ensure that, despite the relationship of subordination and inherent dependency, the employee will be free from pressure and thus can exercise a genuine free choice.
(21) See Annex II, Sec. III.12.
(22) See also the supplemental principle on ‘Access’ (Annex II, Sec. III.8).
(23) See e.g. the Equal Credit Opportunity Act (ECOA, 15 U.S.C. 1691 et seq.), Fair Credit Reporting Act (FCRA, 15 U.S.C. § 1681 et seq.), or the Fair Housing Act (FHA, 42 U.S.C. 3601 et seq.).
(24) In the context of a transfer of personal data that have been collected in the EU, the contractual relationship with the individual (customer) will in most cases be with — and therefore any decision based on automated processing will typically be taken by — the EU controller which has to abide by the EU data protection rules. This includes scenarios where the processing is carried out by a Privacy Shield organisation acting as an agent on behalf of the EU controller.
(25) See also supplemental principle ‘Dispute Resolution and Enforcement’ (Annex II, Sec. III.11).
(26) See also supplemental principle ‘Self-Certification’ (Annex II, Sec. III.6).
(27) See also supplemental principle ‘Verification’ (Annex II, Sec. III.7).
(28) See also supplemental principle ‘Obligatory contracts for Onward Transfers’ (Annex II, Sec. III.10).
(29) See supplemental principle ‘Obligatory contracts for Onward Transfers’ (Annex II, Sec. III.10.b). While this principle allows for transfers based also on non-contractual instruments (e.g. intra-group compliance and control programs), the text makes clear that these instruments must always ‘ensur[e] the continuity of protection of personal information under the Principles’. Moreover, given that the self-certified U.S. organisation will remain responsible for compliance with the Principles it will have a strong incentive to use instruments that are indeed effective in practice.
(30) See Annex II, Sec. I.5.
(31) Individuals will have no opt-out right where the personal data is transferred to a third party that is acting as an agent to perform tasks on behalf of and under the instructions of the U.S. organisation. However, this requires a contract with the agent and the U.S. organisation will bear the responsibility to guarantee the protections provided under the Principles by exercising its powers of instruction.
(32) The situation is different depending on whether the third party is a controller or a processor (agent). In the first scenario, the contract with the third party must provide that the latter ceases processing or takes other reasonable and appropriate steps to remedy the situation. In the second scenario, it is for the Privacy Shield organisation — as the one controlling the processing under whose instructions the agent operates — to take these measures.
(33) In such a case, the U.S. organisation must also take reasonable and appropriate steps (i) to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organisation’s obligations under the Principles and, (ii) to stop and remediate unauthorised processing, upon notice.
(34) Information about the management of the Privacy Shield List can be found in Annex I and Annex II (Sec. I.3, Sec. I.4, III.6.d, and Sec. III.11.g).
(35) See e.g. Annex II, Sec. I.3, Sec. III.6.f. and Sec. III.11.g.i.
(36) See Annex I, section on ‘Search for and Address False Claims of Participation’.
(37) See Annex II, Sec. III.6.h. and Sec. III.11.f.
(38) See Annex I.
(39) This is the handling authority designated by the panel of DPAs provided for in the supplemental principle on ‘The Role of the Data Protection Authorities’ (Annex II, Sec. III.5).
(40) The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed.
(41) See Annex II, Sec. III.11.e.
(42) See Annex II, Sec. III.11.g, in particular points (ii) and (iii).
(43) See Annex I, section on ‘Search for and Address False Claims of Participation’.
(44) The rules of procedure of the informal DPA panel should be established by the DPAs based on their competence to organise their work and cooperate among each other.
(45) See Annex I, sections on ‘Increase Cooperation with DPAs’ and ‘Facilitate Resolution of Complaints about Non-Compliance’ and Annex II, Sec. II.7.e.
(46) See Annex IV, p. 6.
(47) ibid.
(48) See Annex I, section on ‘Facilitate Resolution of Complaints about Non-Compliance’.
(49) A Privacy Shield organisation has to publicly declare its commitment to comply with the Principles, publicly disclose its privacy policies in line with these Principles and fully implement them. Failure to comply is enforceable under Section 5 of the FTC Act prohibiting unfair and deceptive acts in or affecting commerce.
(50) According to information from the FTC, it has no power to conduct on-site inspections in the area of privacy protection. However, it has the power to compel organisations to produce documents and provide witness statements (see Section 20 of the FTC Act), and may use the court system to enforce such orders in case of non-compliance.
(51) FTC or court orders may require companies to implement privacy programs and to regularly make compliance reports or independent third-party assessments of those programs available to the FTC.
(52) See Annex II, Sec. II.1.xi and III.7.c.
(53) The number of arbitrators on the panel will have to be agreed between the parties.
(54) However, the panel may find that, under the circumstances of the specific arbitration, coverage would lead to unjustified or disproportionate costs.
(55) Individuals may not claim damages in arbitration, but in turn invoking arbitration will not foreclose the option to seek damages in the ordinary U.S. courts.
(56) The Director of National Intelligence (DNI) serves as the head of the Intelligence Community and acts as the principal advisor to the President and the National Security Council. See the Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. 108-458 of 17.12.2004. Among others, the ODNI shall determine requirements for, and manage and direct the tasking, collection, analysis, production and dissemination of national intelligence by the Intelligence Community, including by developing guidelines for how information or intelligence is accessed, used and shared. See Sec. 1.3 (a), (b) of E.O. 12333.
(57) See Schrems, paragraph 91.
(58) U.S. Const., Article II. See also the introduction to PPD-28.
(59) E.O. 12333: United States Intelligence Activities, Federal Register Vol. 46, No 235 (8 December 1981). To the extent that the Executive Order is publicly accessible, it defines the goals, directions, duties and responsibilities of U.S. intelligence efforts (including the role of the various Intelligence Community elements) and sets out the general parameters for the conduct of intelligence activities (in particular the need to promulgate specific procedural rules). According to Sec. 3.2 of E.O. 12333, the President, supported by the National Security Council, and the DNI shall issue such appropriate directives, procedures and guidance as are necessary to implement the order.
(60) According to E.O. 12333, the Director of the National Security Agency (NSA) is the Functional Manager for signals intelligence and shall operate a unified organization for signals intelligence activities.
(61) For the definition of the term ‘Intelligence Community’, see Sec. 3.5 (h) of E.O. 12333 with n. 1 of PPD-28.
(62) See Memorandum by the Office of Legal Counsel, Department of Justice (DOJ), to President Clinton, 29 January 2000. According to this legal opinion, presidential directives have the ‘same substantive legal effect as an Executive Order’.
(63) ODNI Representations (Annex VI), p. 3.
(64) See Sec. 4(b),(c) of PPD-28. According to public information, the 2015 review confirmed the existing six purposes. See ODNI, Signals Intelligence Reform, 2016 Progress Report.
(65) ODNI Representations (Annex VI), p. 6 (with reference to Intelligence Community Directive 204). See also Sec. 3 of PPD-28.
(66) ODNI Representations (Annex VI), p. 6. See, for instance, NSA Civil Liberties and Privacy Office (NSA CLPO), NSA’s Civil Liberties and Privacy Protections for Targeted SIGINT Activities under Executive Order 12333, 7 October 2014. See also ODNI Status Report 2014. For access requests under Sec. 702 FISA, queries are governed by the FISC-approved minimization procedures. See NSA CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014.
(67) See Signals Intelligence Reform, 2015 Anniversary Report. See also ODNI Representations (Annex VI), pp. 6, 8-9, 11.
(68) See ODNI Representations (Annex VI), p. 3.
(69) It should also be noted that, according to Sec. 2.4 of E.O. 12333, elements of the IC ‘shall use the least intrusive collection techniques feasible within the United States’. As regards the limitations for substituting all bulk collection with targeted collections, see the results of an assessment by the National Research Council as reported by the European Union Agency for Fundamental Rights, Surveillance by intelligence services: fundamental rights, safeguards and remedies in the EU (2015), p. 18.
(70) ODNI Representations (Annex VI), p. 4.
(71) See also Sec. 5(d) of PPD-28 which directs the Director of National Intelligence, in coordination with the heads of relevant Intelligence Community elements and the Office of Science and Technology Policy, to provide the President with a ‘report assessing the feasibility of creating software that would allow the Intelligence Community more easily to conduct targeted information acquisition rather than bulk collection.’ According to public information, the result of this report was that ‘there is no software-based alternative which will provide a complete substitute for bulk collection in the detection of some national security threats.’ See Signals Intelligence Reform, 2015 Anniversary Report.
(72) See footnote 68.
(73) ODNI Representations (Annex VI). This specifically addresses the concern expressed by the national data protection authorities in their opinion on the draft adequacy decision. See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 38 with n. 47.
(74) See Sec. 2 of PPD-28.
(75) ODNI Representations (Annex VI), p. 4. See also Intelligence Community Directive 203.
(76) ODNI Representations (Annex VI), p. 2. Likewise, the limitations stipulated in E.O. 12333 (e.g. the need for collected information to respond to intelligence priorities set by the President) apply.
(77) See Schrems, paragraph 93.
(78) In addition, the collection of data by the FBI may also be based on law enforcement authorizations (see Section 3.2 of this decision).
(79) For further explanations on the use of NSL see ODNI Representations (Annex VI), pp. 13-14 with n. 38. As indicated therein, the FBI may resort to NSLs only to request non-content information relevant to an authorized national security investigation to protect against international terrorism or clandestine intelligence activities. As regards data transfers under the EU-U.S. Privacy Shield, the most relevant legal authorization appears to be the Electronic Communications Privacy Act (18 U.S.C. § 2709), which requires that any request for subscriber information or transactional records uses a ‘term that specifically identifies a person, entity, telephone number, or account’.
(80) 50 U.S.C. § 1804. While this legal authority requires a ‘statement of the facts and circumstances relied upon by the applicant to justify his belief that (A) the target of the electronic surveillance is a foreign power or an agent of a foreign power’, the latter may include non-U.S. persons that engage in international terrorism or the international proliferation of weapons of mass destruction (including preparatory acts) (50 U.S.C. § 1801 (b)(1)). Still, there is only a theoretical link to personal data transferred under the EU-U.S. Privacy Shield, given that the statement of facts also has to justify the belief that ‘each of the facilities or places at which the electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power’. In any event, the use of this authority requires application to the FISC which will assess, among others, whether on the basis of the submitted facts there is probable cause that this is indeed the case.
(81) 50 U.S.C. § 1842 with § 1841(2) and Sec. 3127 of Title 18. This authority does not concern the contents of communications, but rather aims at information about the customer or subscriber using a service (such as name, address, subscriber number, length/type of service received, source/mechanism of payment). It requires an application for an order by the FISC (or a U.S. Magistrate Judge) and the use of a specific selection term in the sense of § 1841(4), i.e. a term that specifically identifies a person, account, etc. and is used to limit, to the greatest extent reasonably possible, the scope of the information sought.
(82) While Sec. 501 FISA (ex-Sec. 215 U.S. PATRIOT ACT) authorizes the FBI to request a court order aiming at the production of ‘tangible things’ (in particular telephone metadata, but also business records) for foreign intelligence purposes, Sec. 702 FISA allows US Intelligence Community elements to seek access to information, including the content of internet communications, from within the United States, but targeting certain non-U.S. persons outside the United States.
(83) Based on this provision, the FBI may request ‘tangible things’ (e.g. records, papers, documents) based on a showing to the Foreign Intelligence Surveillance Court (FISC) that there are reasonable grounds to believe that they are relevant to a specific FBI investigation. In carrying out its search, the FBI must use FISC-approved selection terms for which there is a ‘reasonable, articulable suspicion’ that such term is associated with one or more foreign powers or their agents engaged in international terrorism or activities in preparation therefor. See PCLOB, Sec. 215 Report, p. 59; NSA CLPO, Transparency Report: The USA Freedom Act Business Records FISA Implementation, 15 January 2016, pp. 4-6.
(84) ODNI Representations (Annex VI), p. 13 (n. 38).
(85) See footnote 81.
(86) PCLOB, Sec. 702 Report, pp. 32-33 with further references. According to its privacy office, the NSA must verify that there is a connection between the target and the selector, must document the foreign intelligence information expected to be acquired, this information must be reviewed and approved by two senior NSA analysts, and the overall process will be tracked for subsequent compliance reviews by the ODNI and Department of Justice. See NSA CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014.
(87) PCLOB, Sec. 702 Report, p. 111. See also ODNI Representations (Annex VI), p. 9 (‘Collection under Section 702 of the [FISA] is not “mass and indiscriminate” but is narrowly focused on the collection of foreign intelligence from individually identified legitimate targets’) and p. 13, n. 36 (with reference to a 2014 FISC Opinion); NSA CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014. Even in the case of UPSTREAM, the NSA may only request the interception of electronic communications to, from, or about tasked selectors.
(88) ODNI Representations (Annex VI), p. 18. See also p. 6, according to which the applicable procedures ‘demonstrate a clear commitment to prevent arbitrary and indiscriminate collection of signals intelligence information, and to implement — from the highest levels of our Government — the principle of reasonableness.’
(89) See Statistical Transparency Report Regarding Use of National Security Authorities, 22 April 2015. For the overall flow of data on the internet, see for example Fundamental Rights Agency, Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU (2015), at pp. 15-16. As regards the UPSTREAM program, according to a declassified FISC opinion of 2011, over 90 % of the electronic communications acquired under Sec. 702 FISA came from the PRISM program, whereas less than 10 % came from UPSTREAM. See FISC, Memorandum Opinion, 2011 WL 10945618 (FISA Ct., 3.10.2011), n. 21 (available at: http://www.dni.gov/files/documents/0716/October-2011-Bates-Opinion-and%20Order-20140716.pdf).
(90) See Sec. 4(a)(ii) of PPD-28. See also ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, July 2014, p. 5, according to which ‘Intelligence Community element policies should reinforce existing analytic practices and standards whereby analysts must seek to structure queries or other search terms and techniques to identify intelligence information relevant to a valid intelligence or law enforcement task; focus queries about persons on the categories of intelligence information responsive to an intelligence or law enforcement requirement; and minimize the review of personal information not pertinent to intelligence or law enforcement requirements.’ See e.g. CIA, Signals Intelligence Activities, p. 5; FBI, Presidential Policy Directive 28 Policies and Procedures, p. 3. According to the 2016 Progress Report on the Signals Intelligence Reform, IC elements (including the FBI, CIA and NSA) have taken steps to sensitise their personnel to the requirements of PPD-28 by creating new or modifying existing training policies.
(91) According to the ODNI Representations, these restrictions apply regardless of whether the information was collected in bulk or through targeted collection, and of the individual’s nationality.
(92) See ODNI Representations (Annex VI).
(93) See Sec. 4(a)(i) of PPD-28 with Sec. 2.3 of E.O. 12333.
(94) Sec. 4(a)(i) of PPD-28; ODNI Representations (Annex VI), p. 7. For instance, for personal information collected under Sec. 702 FISA, the NSA’s FISC-approved minimization procedures foresee as a rule that the metadata and unevaluated content for PRISM is retained for no more than five years, whereas UPSTREAM data is retained for no more than two years. The NSA complies with these storage limits through an automated process that deletes collected data at the end of the respective retention period. See NSA Sec. 702 FISA Minimization Procedures, Sec. 7 with Sec. 6(a)(1); NSA CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014. Likewise, retention under Sec. 501 FISA (ex-Sec. 215 U.S. PATRIOT ACT) is limited to five years, unless the personal data form part of properly approved dissemination of foreign intelligence information or the DOJ advises the NSA in writing that the records are subject to a preservation obligation in pending or anticipated litigation. See NSA, CLPO, Transparency Report: The USA Freedom Act Business Records FISA Implementation, 15 January 2016.
(95) In particular, in case of Sec. 501 FISA (ex-Sec. 215 U.S. PATRIOT ACT), dissemination of personal information may take place only for counterterrorism purposes or as evidence of a crime; in case of Sec. 702 FISA only if there is a valid foreign intelligence or law enforcement purpose. Cf. NSA, CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014; Transparency Report: The USA Freedom Act Business Records FISA Implementation, 15 January 2016. See also NSA’s Civil Liberties and Privacy Protections for Targeted SIGINT Activities under Executive Order 12333, 7 October 2014.
(96) ODNI Representations (Annex VI), p. 7 (with reference to Intelligence Community Directive (ICD) 203).
(97) The Court of Justice has clarified that national security constitutes a legitimate policy objective. See Schrems, paragraph 88. See also Digital Rights Ireland and Others, paragraphs 42-44 and 51, in which the Court of Justice considered that the fight against serious crime, in particular organised crime and terrorism, may depend to a large extent on the use of modern investigation techniques. Moreover, unlike for criminal investigations that typically concern the retrospective determination of responsibility and guilt for past conduct, intelligence activities often focus on preventing threats to national security before harm has occurred. Therefore, such investigations may often have to cover a broader range of possible actors (‘targets’) and a wider geographic area. Cf. ECtHR, Weber and Saravia v Germany, Decision of 29 June 2006, Application no. 54934/00, paragraphs 105-118 (on so-called ‘strategic monitoring’).
(98) Schrems, paragraph 91, with further references.
(99) Schrems, paragraph 93.
(100) Cf. Schrems, paragraph 94.
(101) ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, p. 7. See e.g. CIA, Signals Intelligence Activities, p. 6 (Compliance); FBI, Presidential Policy Directive 28 Policies and Procedures, Sec. III (A)(4), (B)(4); NSA, PPD-28 Section 4 Procedures, 12 January 2015, Sec. 8.1, 8.6(c).
(102) For instance, the NSA employs more than 300 compliance staff in the Directorate for Compliance. See ODNI Representations (Annex VI), p. 7.
(103) See Ombudsperson Mechanism (Annex III), Sec. 6(b) (i) to (iii).
(104) See 42 U.S.C. § 2000ee-1. This includes for instance the Department of State, the Department of Justice (including the FBI), the Department of Homeland Security, the Department of Defense, the NSA, CIA and the ODNI.
(105) According to the U.S. government, if the ODNI Civil Liberties and Privacy Office receives a complaint, it will also coordinate with other Intelligence Community elements on how that complaint should be further processed within the IC. See Ombudsperson Mechanism (Annex III), Sec. 6(b)(ii).
(106) See 42 U.S.C. § 2000ee-1 (f)(1),(2).
(107) Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 41.
(108) ODNI Representations (Annex VI), p. 7. See e.g. NSA, PPD-28 Section 4 Procedures, 12 January 2015, Sec. 8.1; CIA, Signals Intelligence Activities, p. 7 (Responsibilities).
(109) This Inspector General (IG) (which was created in October 2010) is appointed by the President, with Senate confirmation, and can be removed only by the President, not the DNI.
(110) These IGs have secure tenure and may only be removed by the President who must communicate to Congress in writing the reasons for any such removal. This does not necessarily mean that they are completely free from instructions. In some cases, the head of the department may prohibit the Inspector General from initiating, carrying out, or completing an audit or investigation where this is considered necessary to preserve important national (security) interests. However, Congress must be informed of the exercise of this authority and on this basis could hold the respective director responsible. See, e.g. Inspector General Act of 1978, § 8 (IG of the Department of Defense); § 8E (IG of the DOJ), § 8G (d)(2)(A),(B) (IG of the NSA); 50 U.S.C. § 403q (b) (IG for the CIA); Intelligence Authorization Act For Fiscal Year 2010, Sec. 405(f) (IG for the Intelligence Community). According to the assessment by the national data protection authorities, the Inspector-Generals ‘are likely to meet the criterion for organisational independence as defined by the CJEU and the European Court of Human Rights (ECtHR), at least from the moment the new nomination process applies to all.’ See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 40.
(111) See ODNI Representations (Annex VI), p. 7. See also Inspector General Act of 1978, as amended, Pub. L. 113-126 of 7 July 2014.
(112) See Inspector General Act of 1978, § 6.
(113) See ODNI Representations (Annex VI), p. 7. See also Inspector General Act of 1978, §§ 4(5), 5. According to Sec. 405(b)(3),(4) of the Intelligence Authorization Act For Fiscal Year 2010, Pub. L. 111-259 of 7 October 2010, the IG for the Intelligence Community will keep the DNI as well as Congress informed of the necessity for, and the progress of, corrective actions.
(114) According to the assessment by the national data protection authorities, the PCLOB has in the past ‘demonstrated its independent powers’. See Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision (adopted 13 April 2016), p. 42.
(115) In addition, the PCLOB employs some 20 regular staff. See https://www.pclob.gov/about-us/staff.html.
(116) These include at least the Department of Justice, the Department of Defense, the Department of Homeland Security, the Director of National Intelligence and the Central Intelligence Agency, plus any other department, agency or element of the executive branch designated by the PCLOB to be appropriate for coverage.
(117) See 42 U.S.C. § 2000ee. See also Ombudsperson Mechanism (Annex III), Sec. 6(b) (iv). Among others, the PCLOB is required to report when an Executive Branch agency declines to follow its advice.
(118) ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, pp. 7-8.
(119) Id. at p. 8. See also ODNI Representations (Annex VI), p. 9.
(120) ODNI, Safeguarding the Personal Information of all People: A Status Report on the Development and Implementation of Procedures under Presidential Policy Directive 28, p. 7. See, e.g. NSA, PPD-28 Section 4 Procedures, 12 January 2015, Sec. 7.3, 8.7(c),(d); FBI, Presidential Policy Directive 28 Policies and Procedures, Sec. III.(A)(4), (B)(4); CIA, Signals Intelligence Activities, p. 6 (Compliance) and p. 8 (Responsibilities).
(121) See E.O. 12333, Sec. 1.6(c).
(122) PPD-28, Sec. 4(a)(iv).
(123) See Sec. 501(a)(1) (50 U.S.C. § 413(a)(1)). This provision contains the general requirements as regards Congressional oversight in the area of national security.
(124) See Sec. 501(b) (50 U.S.C. § 413(b)).
(125) Cf. Sec. 501(d) (50 U.S.C. § 413(d)).
(126) See 50 U.S.C. §§ 1808, 1846, 1862, 1871, 1881f.
(127) See 50 U.S.C. § 1881f.
(128) See 50 U.S.C. § 1881a(l)(1).
(129) See USA FREEDOM Act of 2015, Pub. L. No 114-23, Sec. 602(a). In addition, according to Sec. 402, ‘the Director of National Intelligence, in consultation with the Attorney General, shall conduct a declassification review of each decision, order, or opinion issued by the Foreign Intelligence Surveillance Court or the Foreign Intelligence Surveillance Court of Review (as defined in section 601(e)) that includes a significant construction or interpretation of any provision of law, including any novel or significant construction or interpretation of the term “specific selection term”, and, consistent with that review, make publicly available to the greatest extent practicable each such decision, order, or opinion.’
(130) USA FREEDOM Act, Sec. 602(a), 603(a).
(131) For certain types of surveillance, alternatively a U.S. Magistrate Judge publicly designated by the Chief Justice of the United States may have the power to hear applications and grant orders.
(132) The FISC is comprised of eleven judges appointed by the Chief Justice of the United States from among sitting U.S. district court judges, who previously have been appointed by the President and confirmed by the Senate. The judges, who have life tenure and can only be removed for good cause, serve on the FISC for staggered seven-year terms. FISA requires that the judges be drawn from at least seven different U.S. judicial circuits. See Sec. 103 FISA (50 U.S.C. § 1803 (a)); PCLOB, Sec. 215 Report, pp. 174-187. The judges are supported by experienced judicial law clerks that constitute the court’s legal staff and prepare legal analysis on collection requests. See PCLOB, Sec. 215 Report, p. 178; Letter from the Honourable Reggie B. Walton, Presiding Judge, U.S. Foreign Intelligence Surveillance Court, to the Honourable Patrick J. Leahy, Chairman, Committee on the Judiciary, U.S. Senate (July 29, 2013) (‘Walton Letter’), pp. 2-3.
(133) The FISCR is composed of three judges appointed by the Chief Justice of the United States and drawn from U.S. district courts or courts of appeals, serving for a staggered seven year term. See Sec. 103 FISA (50 U.S.C. § 1803 (b)).
(134) See 50 U.S.C. §§ 1803 (b), 1861a (f), 1881a (h), 1881a (i)(4).
(135) For instance, additional factual details about the target of the surveillance, technical information about the surveillance methodology, or assurances about how the information acquired will be used and disseminated. See PCLOB, Sec. 215 Report, p. 177.
(136) 50 U.S.C. §§ 1804 (a), 1801 (g).
(137) The FISC may approve the application, request further information, determine the necessity of a hearing or indicate a possible denial of the application. On the basis of this preliminary determination, the government will make its final application. The latter may include substantial changes to the original application on the basis of the judge’s preliminary comments. Although a large percentage of final applications are approved by the FISC, a substantial part of these contain substantive changes to the original application, e.g. 24 % of applications approved for the period from July to September 2013. See PCLOB, Sec. 215 Report, p. 179; Walton Letter, p. 3.
(138) PCLOB, Sec. 215 Report, p. 179, n. 619.
(139) 50 U.S.C. § 1803 (i)(1),(3)(A). This new legislation implemented recommendations by the PCLOB to establish a pool of privacy and civil liberties experts that can serve as amicus curiae, in order to provide the court with legal arguments to the advancement of privacy and civil liberties. See PCLOB, Sec. 215 Report, pp. 183-187.
(140) 50 U.S.C. § 1803 (i)(2)(A). According to information by the ODNI, such appointments have already taken place. See Signals Intelligence Reform, 2016 Progress Report.
(141) 50 U.S.C. § 1803 (i)(2)(B).
(142) 50 U.S.C. § 1861.
(143) 50 U.S.C. § 1861 (b).
(144) 50 U.S.C. § 1881.
(145) 50 U.S.C. § 1881a (a).
(146) PCLOB, Sec. 702 Report, p. 46.
(147) 50 U.S.C. § 1881a (h).
(148) 50 U.S.C. § 1881a (g). According to the PCLOB, these categories have so far mainly concerned international terrorism and topics such as the acquisition of weapons of mass destruction. See PCLOB, Sec. 702 Report, p. 25.
(149) PCLOB, Sec. 702 Report, p. 27.
(150) 50 U.S.C. § 1881a.
(151) ‘Liberty and Security in a Changing World’, Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies, 12 December 2013, p. 152.
(152) 50 U.S.C. § 1881a (i).
(153) Rule 13(b) of the FISC Rules of Procedure requires the government to file a written notice with the Court immediately upon discovering that any authority or approval granted by the Court has been implemented in a manner that does not comply with the Court’s authorization or approval, or with applicable law. It also requires the government to notify the Court in writing of the facts and circumstances relevant to such non-compliance. Typically, the government will file a final Rule 13(a) notice once the relevant facts are known and any unauthorized collection has been destroyed. See Walton Letter, p. 10.
(154) 50 U.S.C. § 1881 (l). See also PCLOB, Sec. 702 Report, pp. 66-76; NSA CLPO, NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702, 16 April 2014. The collection of personal data for intelligence purposes under Sec 702 FISA is subject to both internal and external oversight within the executive branch. Among others, the internal oversight includes internal compliance programs to evaluate and oversee compliance with targeting and minimization procedures; reporting of non-compliance incidents, both internally and externally to the ODNI, Department of Justice, Congress and the FISC; and annual reviews sent to the same bodies. As for external oversight, it mainly consists in targeting and minimization reviews conducted by the ODNI, DOJ and Inspectors General, which in turn report to Congress and the FISC, including on non-compliance incidents. Significant compliance incidents must be reported to the FISC immediately, others in a quarterly report. See PCLOB, Sec. 702 Report, pp. 66-77.
(155) PCLOB, Recommendations Assessment Report, 29 January 2015, p. 20.
(156) PCLOB, Recommendations Assessment Report, 29 January 2015, p. 16.
(157) In addition, Sec. 10 of the Classified Information Procedures Act provides that, in any prosecution in which the United States must establish that material constitutes classified information (e.g. because it requires protection against unauthorized disclosure for reasons of national security), the United States shall notify the defendant of the portions of the material that it reasonably expects to rely upon to establish the classified information element of the offense.
(158) See for the following ODNI Representations (Annex VI), p. 16.
(159) 18 U.S.C. § 2712.
(160) 50 U.S.C. § 1810.
(161) 50 U.S.C. § 1806.
(162) 18 U.S.C. § 1030.
(163) 18 U.S.C. §§ 2701-2712.
(164) 12 U.S.C. § 3417.
(165) ODNI Representations (Annex VI), p. 17.
(166) 5 U.S.C. § 706(2)(A).
(167) 5 U.S.C. § 552. Similar laws exist at State level.
(168) If this is the case, the individual will normally only receive a standard reply by which the agency declines either to confirm or deny the existence of any records. See ACLU v CIA, 710 F.3d 422 (D.C. Cir. 2014).
(169) See ODNI Representations (Annex VI), p. 16. According to the explanations provided, the available causes of action either require the existence of damage (18 U.S.C. § 2712; 50 U.S.C. § 1810) or a showing that the government intends to use or disclose information obtained or derived from electronic surveillance of the person concerned against that person in judicial or administrative proceedings in the United States (50 U.S.C. § 1806). However, as the Court of Justice has repeatedly stressed, to establish the existence of an interference with the fundamental right to privacy, it does not matter whether the person concerned has suffered any adverse consequences on account of that interference. See Schrems, paragraph 89 with further references.
(170) This admissibility criterion stems from the ‘case or controversy’ requirement of the U.S. Const., Article III.
(171) See Clapper v Amnesty Int’l USA, 133 S.Ct. 1138, 1144 (2013). As regards the use of NSLs, the USA FREEDOM Act (Sec. 502(f)-503) provides that non-disclosure requirements must be periodically reviewed, and that recipients of NSL be notified when the facts no longer support a non-disclosure requirement (see ODNI Representations (Annex VI), p. 13). However, this does not ensure that the EU data subject would be informed that (s)he has been the target of an investigation.
(172) In case the complainant seeks access to documents held by U.S. public authorities, the rules and procedures set out in the Freedom of Information Act apply. This includes the possibility to seek judicial redress (rather than independent oversight) in case the request is rejected, under the conditions set out in the FOIA.
(173) According to the Ombudsperson Mechanism (Annex III), Sec. 4(f), the Privacy Shield Ombudsperson will communicate directly with the EU individual complaint handling body, who will in turn be responsible for communicating with the individual submitting the request. If direct communications are part of the ‘underlying processes’ that may provide the requested relief (e.g. a FOIA access request, see Sec. 5), those communications will take place in accordance with the applicable procedures.
(174) See Ombudsperson Mechanism (Annex III), Sec. 2(a). See also recitals 0-0.
(175) See Ombudsperson Mechanism (Annex III), Sec. 2(c). According to the explanations provided by the U.S. government, the PCLOB shall continually review the policies and procedures, as well as their implementation, of those U.S. authorities responsible for counterterrorism to determine whether their actions ‘appropriately protect privacy and civil liberties and are consistent with governing laws, regulations, and policies regarding privacy and civil liberties.’ It also shall ‘receive and review reports and other information from privacy officers and civil liberties officers and, when appropriate, make recommendations to them regarding their activities.’
(176) See Roman Zakharov v Russia, Judgment of 4 December 2015 (Grand Chamber), Application No 47143/06, paragraph 275 (‘although it is in principle desirable to entrust supervisory control to a judge, supervision by non-judicial bodies may be considered compatible with the Convention, provided that the supervisory body is independent of the authorities carrying out the surveillance and is vested with sufficient and effective oversight powers’).
(177) See Kennedy v the United Kingdom, Judgment of 18 May 2010, Application No 26839/05, paragraph 167.
(178) Schrems, paragraph 95. As is clear from paragraphs 91, 96 of the judgment, paragraph 95 concerns the level of protection guaranteed in the Union legal order, to which the level of protection in the third country must be ‘essentially equivalent’. According to paragraphs 73 and 74 of the judgment, this does not require that the level of protection or the means to which the third country has recourse must be identical, even though the means to be employed have to prove, in practice, effective.
(179) According to the Fourth Amendment, ‘[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.’ Only (magistrate) judges may issue search warrants. Federal warrants for the copying of electronically stored information are further governed by Rule 41 of the Federal Rules of Criminal Procedure.
(180) Repeatedly, the Supreme Court has referred to searches without warrants as ‘exceptional’. See e.g. Johnson v United States, 333 U.S. 10, 14 (1948); McDonald v United States, 335 U.S. 451, 453 (1948); Camara v Municipal Court, 387 U.S. 523, 528-29 (1967); G.M. Leasing Corp. v United States, 429 U.S. 338, 352-53, 355 (1977). Likewise, the Supreme Court regularly stresses that ‘the most basic constitutional rule in this area is that searches conducted outside the judicial process, without prior approval by judge or magistrate, are per se unreasonable under the Fourth Amendment — subject only to a few specifically established and well-delineated exceptions.’ See e.g. Coolidge v New Hampshire, 403 U.S. 443, 454-55 (1971); G.M. Leasing Corp. v United States, 429 U.S. 338, 352-53, 358 (1977).
(181) City of Ontario, Cal. v Quon, 130 S. Ct. 2619, 2630 (2010).
(182) PCLOB, Sec. 215 Report, p. 107, referring to Maryland v King, 133 S. Ct. 1958, 1970 (2013).
(183) PCLOB, Sec. 215 Report, p. 107, referring to Samson v California, 547 U.S. 843, 848 (2006).
(184) City of Ontario, Cal. v Quon, 130 S. Ct. 2619, 2630 (2010), 2627.
(185) See e.g. United States v Wilson, 540 F.2d 1100 (D.C. Cir. 1976).
(186) Cf. Roman Zakharov v Russia, Judgment of 4.12.2015 (Grand Chamber), Application No 47143/06, paragraph 269, according to which ‘the requirement to show an interception authorisation to the communications service provider before obtaining access to a person’s communications is one of the important safeguards against abuse by the law-enforcement authorities, ensuring that proper authorisation is obtained in all cases of interception.’
(187) DOJ Representations (Annex VII), p. 4 with further references.
(188) DOJ Representations (Annex VII), n. 2.
(189) According to the information the Commission has received, and leaving aside specific areas likely not relevant for data transfers under the EU-U.S. Privacy Shield (e.g. investigations into health care fraud, child abuse or controlled substances cases), this concerns mainly certain authorities under the Electronic Communications Privacy Act (ECPA), namely requests for basic subscriber, session and billing information (18 U.S.C. § 2703(c)(1), (2), e.g. address, type/length of service) and for the content of emails more than 180 days old (18 U.S.C. § 2703(a), (b)). In the latter case, however, the individual concerned has to be notified and thus has the opportunity to challenge the request in court. See also the overview in DOJ, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Ch. 3: The Stored Communications Act, pp. 115-138.
(190) According to the representations by the U.S. government, recipients of administrative subpoenas may challenge them in court on the grounds that they are unreasonable, i.e. overbroad, oppressive or burdensome. See DOJ Representations (Annex VII), p. 2.
(191) 5 U.S.C. § 702.
(192) Generally, only ‘final’ agency action — rather than ‘preliminary, procedural, or intermediate’ agency action — is subject to judicial review. See 5 U.S.C. § 704.
(193) 5 U.S.C. § 706(2)(A).
(194) 18 U.S.C. §§ 2701-2712.
(195) The ECPA protects communications held by two defined classes of network service providers, namely providers of: (i) electronic communication services, for instance telephony or e-mail; (ii) remote computing services like computer storage or processing services.
(196) These exclusions are, however, framed. For example, according to 5 U.S.C. § 552 (b)(7), FOIA rights are ruled out for ‘records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information (A) could reasonably be expected to interfere with enforcement proceedings, (B) would deprive a person of a right to a fair trial or an impartial adjudication, (C) could reasonably be expected to constitute an unwarranted invasion of personal privacy, (D) could reasonably be expected to disclose the identity of a confidential source, including a State, local, or foreign agency or authority or any private institution which furnished information on a confidential basis, and, in the case of a record or information compiled by criminal law enforcement authority in the course of a criminal investigation or by an agency conducting a lawful national security intelligence investigation, information furnished by a confidential source, (E) would disclose techniques and procedures for law enforcement investigations or prosecutions, or would disclose guidelines for law enforcement investigations or prosecutions, if such disclosure could reasonably be expected to risk circumvention of the law, or (F) could reasonably be expected to endanger the life or physical safety of any individual.’ Also, ‘[w]henever a request is made which involves access to records [the production of which could reasonably be expected to interfere with enforcement proceedings] and– (A) the investigation or proceeding involves a possible violation of criminal law; and (B) there is reason to believe that (i) the subject of the investigation or proceeding is not aware of its pendency, and (ii) disclosure of the existence of the records could reasonably be expected to interfere with enforcement proceedings, the agency may, during only such time as that circumstance continues, treat the records as not subject to the requirements of this section.’ (5 U.S.C. § 552 (c)(1)).
(197) 18 U.S.C. §§ 2510 et seq. Under the Wiretap Act (18 U.S.C. § 2520), a person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used may bring a civil action for violation of the Wiretap Act, including under certain circumstances against an individual government official or the United States. For the collection of addressing and other non-content information (e.g. IP address, e-mail to/from address), see also the Pen Registers and Trap and Trace Devices chapter of Title 18 (18 U.S.C. §§ 3121-3127 and, for civil action, § 2707).
(198) 18 U.S.C. § 1030. Under the Computer Fraud and Abuse Act, a person may bring suit against any person with respect to intentional unauthorised access (or exceeding authorised access) to obtain information from a financial institution, a U.S. government computer system or other specified computer, including under certain circumstances against an individual government official.
(199) 28 U.S.C. §§ 2671 et seq. Under the Federal Tort Claims Act, a person may bring suit, under certain circumstances, against the United States with respect to ‘the negligent or wrongful act or omission of any employee of the Government while acting within the scope of his office or employment.’
(200) 12 U.S.C. §§ 3401 et seq. Under the Right to Financial Privacy Act, a person may bring suit, under certain circumstances, against the United States with respect to the obtaining or disclosing of protected financial records in violation of the statute. Government access to protected financial records is generally prohibited unless the government makes the request subject to a lawful subpoena or search warrant or, subject to limitations, a formal written request and the individual whose information is sought receives notice of such a request.
(201) 15 U.S.C. §§ 1681-1681x. Under the Fair Credit Reporting Act, a person may bring suit against any person who fails to comply with requirements (in particular the need for lawful authorisation) regarding the collection, dissemination and use of consumer credit reports, or, under certain circumstances, against a government agency.
(202) The Court of Justice has recognised that law enforcement constitutes a legitimate policy objective. See Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Others, EU:C:2014:238, paragraph 42. See also Article 8(2) ECHR and the judgment by the European Court of Human Rights in Weber and Saravia v Germany, Application no. 54934/00, paragraph 104.
(203) Schrems, paragraphs 40 et seq., 101-103.
(204) Schrems, paragraphs 51, 52 and 62.
(205) Schrems, paragraph 65.
(206) Schrems, paragraph 76.
(207) As of the date of application of the General Data Protection Regulation, the Commission will make use of its powers to adopt, on duly justified imperative grounds of urgency, an implementing act suspending the present decision which shall apply immediately without its prior submission to the relevant comitology committee and shall remain in force for a period not exceeding six months.
(208) Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision, adopted on 13 April 2016.
(209) European Parliament resolution of 26 May 2016 on transatlantic data flows (2016/2727(RSP)).