{ "id": "R44257", "type": "CRS Report", "typeId": "REPORTS", "number": "R44257", "active": true, "source": "EveryCRSReport.com, University of North Texas Libraries Government Documents Department", "versions": [ { "source": "EveryCRSReport.com", "id": 452757, "date": "2016-05-19", "retrieved": "2016-05-24T19:02:53.779941", "title": "U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield", "summary": "Both the United States and the European Union (EU) maintain that they are committed to upholding individual privacy rights and ensuring the protection of personal data. Nevertheless, data privacy and protection issues have long been sticking points in U.S.-EU economic and security relations, in part because of differences in U.S. and EU data privacy approaches and legal regimes. In the late 1990s, the United States and the EU negotiated the Safe Harbor Agreement of 2000 to allow U.S. companies and organizations to meet EU data protection requirements and permit the legal transfer of personal data between EU member countries and the United States.\nThe unauthorized disclosures in June 2013 of U.S. National Security Agency (NSA) surveillance programs and subsequent allegations of other U.S. intelligence activities in Europe renewed and exacerbated European concerns about U.S. data privacy and protection standards. The alleged involvement of some U.S. Internet and telecommunications companies in the NSA programs also elevated European worries about how U.S. technology firms use personal data and the extent of U.S. government access to such data. As a result, a number of U.S.-EU data-sharing accords in both the commercial and law enforcement sectors have come under intense scrutiny in Europe.\nIn October 2015, the Court of Justice of the European Union (CJEU, which is also known as the European Court of Justice, or ECJ) invalidated the Safe Harbor Agreement. The CJEU essentially found that Safe Harbor failed to meet EU data protection standards, in large part because of the U.S. surveillance programs. Given that some 4,500 U.S. companies were using Safe Harbor to legitimize transatlantic data transfers, U.S. officials and business leaders were deeply dismayed by the CJEU\u2019s ruling. Companies that had been using Safe Harbor as the legal basis for U.S.-EU data transfers were required to immediately implement alternative measures. Experts claimed that the CJEU decision created legal uncertainty for many U.S. companies and feared that it could negatively impact U.S.-EU trade and investment ties.\nOn February 2, 2016, U.S. and EU officials announced an agreement, \u201cin principle,\u201d on a revised Safe Harbor accord, to be known as Privacy Shield; the full text of the agreement was released on February 29, 2016. U.S. and EU officials assert that the new accord will address the CJEU\u2019s concerns. In particular, they stress that it contains significantly stronger privacy protections as well as safeguards related to U.S. government access to personal data. \nSome analysts question, however, whether Privacy Shield will sufficiently address the broader issues about the U.S. data protection framework raised by the CJEU decision, and thus be able to withstand future legal challenges. Many U.S. policymakers and trade groups hope that the recently concluded U.S.-EU \u201cumbrella\u201d Data Privacy and Protection Agreement (DPPA)\u2014which seeks to better protect personal information exchanged in a law enforcement context\u2014and the newly enacted U.S. Judicial Redress Act (H.R. 1428 / S. 1600, P.L. 114-126)\u2014which extends the core of the judicial redress provisions in the U.S. Privacy Act of 1974 to EU citizens\u2014could help ease at least some concerns about U.S. data protection standards and boost confidence in Privacy Shield.\nThis report provides background on U.S. and EU data protection policies and the Safe Harbor Agreement, discusses the CJEU ruling, and reviews the key elements of the newly-proposed Privacy Shield. It also explores various issues for Congress, including implications for U.S. firms of Safe Harbor\u2019s invalidation and the role of the Judicial Redress Act in helping to ameliorate U.S.-EU tensions on data privacy and protection issues.", "type": "CRS Report", "typeId": "REPORTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "http://www.crs.gov/Reports/R44257", "sha1": "593aff597c6dc62176aed10a440d4b3b0189127c", "filename": "files/20160519_R44257_593aff597c6dc62176aed10a440d4b3b0189127c.html", "images": null }, { "format": "PDF", "encoding": null, "url": "http://www.crs.gov/Reports/pdf/R44257", "sha1": "6db1c699d85afac946c44acc0020ca32a49f4559", "filename": "files/20160519_R44257_6db1c699d85afac946c44acc0020ca32a49f4559.pdf", "images": null } ], "topics": [ { "source": "IBCList", "id": 522, "name": "European Union" } ] }, { "source": "EveryCRSReport.com", "id": 449634, "date": "2016-02-12", "retrieved": "2016-04-06T17:11:22.477102", "title": "U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield", "summary": "Both the United States and the European Union (EU) maintain that they are committed to upholding individual privacy rights and ensuring the protection of personal data. Nevertheless, data privacy and protection issues have long been sticking points in U.S.-EU economic and security relations, in part because of differences in U.S. and EU data privacy approaches and legal regimes. In the late 1990s, the United States and the EU negotiated the Safe Harbor Agreement of 2000 to allow U.S. companies and organizations to meet EU data protection requirements and permit the legal transfer of personal data between EU member countries and the United States.\nThe unauthorized disclosures in June 2013 of U.S. National Security Agency (NSA) surveillance programs and subsequent allegations of other U.S. intelligence activities in Europe renewed and exacerbated European concerns about U.S. data privacy and protection standards. The alleged involvement of some U.S. Internet and telecommunications companies in the NSA programs also elevated European worries about how U.S. technology firms use personal data and the extent of U.S. government access to such data. As a result, a number of U.S.-EU data-sharing accords in both the commercial and law enforcement sectors have come under intense scrutiny in Europe.\nIn October 2015, the Court of Justice of the European Union (CJEU, which is also known as the European Court of Justice, or ECJ) invalidated the Safe Harbor Agreement. The CJEU essentially found that Safe Harbor failed to meet EU data protection standards, in large part because of the U.S. surveillance programs. Given that some 4,500 U.S. companies were using Safe Harbor to legitimize transatlantic data transfers, U.S. officials and business leaders were deeply dismayed by the CJEU\u2019s ruling. Companies that had been using Safe Harbor as the legal basis for U.S.-EU data transfers were required to immediately implement alternative measures. Experts claimed that the CJEU decision created legal uncertainty for many U.S. companies and feared that it could negatively impact U.S.-EU trade and investment ties.\nOn February 2, 2016, U.S. and EU officials announced an agreement, \u201cin principle,\u201d on a revised Safe Harbor accord, to be known as Privacy Shield. Although the text of the new agreement is still being finalized and has not yet been released, U.S. and EU officials assert that it will address the CJEU\u2019s concerns. In particular, they stress that it will contain significantly stronger privacy protections as well as safeguards related to U.S. government access to personal data. \nSome analysts question, however, whether Privacy Shield will sufficiently address the broader issues about the U.S. data protection framework raised by the CJEU decision, and thus be able to withstand future legal challenges. Many U.S. policymakers and trade groups hope that the recently concluded U.S.-EU \u201cumbrella\u201d Data Privacy and Protection Agreement (DPPA)\u2014which seeks to better protect personal information exchanged in a law enforcement context\u2014and the proposed U.S. Judicial Redress Act (H.R. 1428 and S. 1600)\u2014which would extend the core of the judicial redress provisions in the U.S. Privacy Act of 1974 to EU citizens\u2014could help ease at least some concerns about U.S. data protection standards and boost confidence in Privacy Shield. H.R. 1428 passed the House on October 20, 2015, and was passed by the Senate on February 9, 2016. Since the bill was amended by the Senate Judiciary Committee, essentially making special reference to the need for continued sharing of U.S.-EU commercial data, it went back to the House which approved the amended bill on February 10. H.R. 1428 now goes to the President.\nThis report provides background on U.S. and EU data protection policies and the Safe Harbor Agreement, discusses the CJEU ruling, and reviews the key elements of the newly-proposed Privacy Shield. It also explores various issues for Congress, including implications for U.S. firms of Safe Harbor\u2019s invalidation and the role of the proposed Judicial Redress Act in helping to ameliorate U.S.-EU tensions on data privacy and protection issues.", "type": "CRS Report", "typeId": "REPORTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "http://www.crs.gov/Reports/R44257", "sha1": "5d4e9f79e56b25d3b03b69730a72155114893f27", "filename": "files/20160212_R44257_5d4e9f79e56b25d3b03b69730a72155114893f27.html", "images": null }, { "format": "PDF", "encoding": null, "url": "http://www.crs.gov/Reports/pdf/R44257", "sha1": "071b0d31f96bf3f5ad1770f87018395260e78cc6", "filename": "files/20160212_R44257_071b0d31f96bf3f5ad1770f87018395260e78cc6.pdf", "images": null } ], "topics": [ { "source": "IBCList", "id": 522, "name": "European Union" } ] }, { "source": "University of North Texas Libraries Government Documents Department", "sourceLink": "https://digital.library.unt.edu/ark:/67531/metadc795682/", "id": "R44257_2015Oct29", "date": "2015-10-29", "retrieved": "2016-01-13T14:26:20", "title": "The EU-U.S. Safe Harbor Agreement on Personal Data Privacy: In Brief", "summary": "This report discusses a recent judgement by the Court of Justice of the European Union (CJEU) that invalidates the Safe Harbor Agreement between the United States and the 28-member European Union (EU). Safe Harbor is a 15-year-old accord, under which personal data could legally be transferred between EU member countries and the United States.", "type": "CRS Report", "typeId": "REPORT", "active": false, "formats": [ { "format": "PDF", "filename": "files/20151029_R44257_35c829bb2fee9d0ef3aa897dd15f69a573f1ab68.pdf" }, { "format": "HTML", "filename": "files/20151029_R44257_35c829bb2fee9d0ef3aa897dd15f69a573f1ab68.html", "source": "pymupdf" } ], "topics": [ { "source": "LIV", "id": "Technology", "name": "Technology" }, { "source": "LIV", "id": "Information services", "name": "Information services" }, { "source": "LIV", "id": "Internet", "name": "Internet" }, { "source": "LIV", "id": "Electronic data interchange", "name": "Electronic data interchange" }, { "source": "LIV", "id": "Electronic commerce", "name": "Electronic commerce" } ] } ], "topics": [ "European Affairs", "Foreign Affairs", "Industry and Trade", "Intelligence and National Security" ] }