Timeline of laws that have shaped data protection in the EU and the US

A summary of the events that led up to the GDPR and the CLOUD Act, which today are two of the applicable laws governing, among other things, personal data protection and disclosure of data.

Why a timeline?

Over the past twenty years, the Internet and the digital society have affected individuals, public authorities, and companies alike. EU and U.S. legislation on personal data protection has moved in two different directions, with attempts to meet at certain points along the way. Below is a summary of the events leading up to the GDPR and the CLOUD Act, which today are two of the governing pieces of legislation.

1995

1995-10-24 The European Parliament and the Council of the EU adopt the Data Protection Directive1. This leads to the introduction of the Swedish Personal Data Act (PUL)2 three years later.

1998

1998-10-24 Exactly three years after the Data Protection Directive was adopted3, PUL enters into force in Sweden, and the previous Data Act ceases to apply.

2000

2000-07-26 The European Commission adopts its “Safe Harbor” adequacy decision (Decision 2000/520/EC), negotiated with the U.S. Department of Commerce. U.S. organizations that self-certify with the Department of Commerce that they adhere to the Safe Harbor Privacy Principles are, provided the required documentation is in place, deemed to meet the EU’s adequacy requirement for personal data transferred from the EU4.

2001

2001-10-26 The “USA PATRIOT Act” is signed into law in the U.S. It expands the powers of U.S. authorities to obtain information from IT companies, including cloud providers, during investigations, e.g., via FISA court orders and National Security Letters6. (The Act was reauthorized in 2006, but these disclosure powers date from 2001.)

2002

2002-02-13 The European Commission reviews the compliance of the now self-certified organizations and finds it rather poor5.

2008

2008-12-02 An external review is carried out of the then 1,597 self-certified organizations under Safe Harbor, of which 488 are outright incorrect registrations, leaving 1,109 correct registrations. Of these 1,109, only 348 appear on paper to meet the stated requirements. A recommendation is made to the EU to renegotiate Safe Harbor7.

2010

2010-02-05 The European Commission adopts an updated set of Standard Contractual Clauses (SCCs) for transfers from EU controllers to processors in third countries (Decision 2010/87/EU), replacing the earlier processor clauses; SCCs are one of the alternative legal bases for transfers when no adequacy decision applies8.

2011

2011-06-28 Microsoft UK explains that, since the Patriot Act takes precedence over Safe Harbor and Microsoft as a company is subject to U.S. law, Microsoft cannot guarantee that data stored outside the U.S. is kept from the U.S. government. At the same time, the “Stored Communications Act” governs the conditions under which a provider may disclose stored communications to the government at all, and whether its warrants reach data stored outside the U.S. becomes the central question in the later, much-discussed case “US v. Microsoft”9.

2011-08-18 Austrian Max Schrems files 16 different complaints about Facebook’s privacy violations with the Irish Data Protection Commissioner, since Facebook in Europe is represented by an Irish subsidiary10.

2013

2013-06-05 Edward Snowden leaks a large trove of documents from the NSA to journalists. It becomes known that the NSA, both through secret backdoor access and interception, has access to a large quantity of information on the Internet containing personal data, where non-U.S. citizens are given no special protection at all. Many had suspected this, but now a large set of documents is released confirming the scope of several major access programs11.

2013-06-26 Max Schrems submits his 23rd complaint regarding Facebook to the Irish Data Protection Commissioner (DPC). The complaint concerns Facebook’s transfer of personal data from its Irish subsidiary to the U.S., which in light of the Snowden revelations means that the data is accessible to the NSA, so that the U.S. can hardly offer a level of personal data protection equivalent to what EU law requires.

Perhaps the most important core argument is a fundamental definitional difference between U.S. and European law as to when an intrusion into a person’s privacy is deemed to occur in the context of surveillance.

Under U.S. law, the intrusion is considered to occur only when a human has read the content in question; under European law, the intrusion occurs as soon as the electronic data representing the personal information is processed, regardless of whether a human ever reads it.

The DPC declines to investigate, citing the Safe Harbor decision: since the Commission has found the U.S. to be an approved third country, the DPC considers itself bound by that finding and unable to examine the matter, and unless Schrems can prove that he himself has been surveilled by the NSA there is, in its view, nothing to investigate. Schrems seeks judicial review in the Irish High Court, which refers the case to the Court of Justice of the EU (CJEU) for a preliminary ruling, not least because the EU Charter of Fundamental Rights (CFR) became legally binding, with the Lisbon Treaty in 2009, only after Safe Harbor was adopted.

2013-12-04 A magistrate judge in the Southern District of New York issues a warrant to Microsoft for e-mail data that turns out to be stored on servers in Ireland. Microsoft argues that a U.S. warrant does not reach data stored abroad and asks law enforcement instead to use the existing bilateral cooperation treaty (MLAT, Mutual Legal Assistance Treaty) between the U.S. and Ireland and request the data from the Irish authorities. The U.S. government does not consider this necessary, Microsoft moves to quash the warrant, and the dispute goes to court12.

2015

2015-10-06 The CJEU, in its answer to the Irish High Court (the “Schrems I” judgment), declares the Safe Harbor decision invalid, so it ceases to apply in its entirety. Organizations that relied on Safe Harbor for their data transfers are given a roughly three-month reprieve (until the end of January 2016) by the Article 29 Working Party before European data protection authorities begin enforcement, and the Court confirms that DPAs may investigate complaints such as Schrems’ even where a Commission adequacy decision exists13 14 15.

2015-12-01 In December, Schrems raises the matter with the Irish DPC again, arguing that the CJEU’s reasoning applies to Facebook’s transfers as a whole, i.e., also to transfers made under SCCs, since the SCCs contain the same carve-outs for national-security surveillance that Safe Harbor had16 (the same argument is later extended to Privacy Shield). The Irish DPC initially states that Schrems’ concerns about EU citizens’ ability to seek redress in U.S. courts in cases of mass surveillance are well-founded.

2016

2016-02-02 On February 2, the European Commission and the U.S. announce political agreement on the “EU-US Privacy Shield,” a replacement for the invalidated Safe Harbor; the Commission adopts the corresponding adequacy decision on 2016-07-12.

Privacy Shield addresses some of the shortcomings of Safe Harbor, but not all17. For example, nothing has changed regarding the discrepancy between U.S. and EU law as to when the actual intrusion into a person’s privacy occurs during surveillance.

2018

2018-03-23 The CLOUD Act is signed into law. Among other things, it amends the U.S. “Stored Communications Act” so that a U.S. provider must preserve and disclose data within its possession, custody or control regardless of whether the data is stored inside or outside the U.S. A provider may move to quash such an order on the ground that disclosure would violate another country’s law only where that country is a “qualifying foreign government” under the Act, and even then the court weighs the competing interests (a comity analysis) rather than deferring to the foreign law.

The law also allows the executive branch to enter into bilateral executive agreements with other countries, giving their authorities the ability to request data directly from U.S. providers, subject to the requirements and review provisions laid down in the Act.

2018-04-12 The Irish High Court moves forward with Schrems 2.0 and refers its questions to the CJEU after Facebook’s attempt to block the referral is denied. Schrems comments:

“The question in this case does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook’s EU-US data transfers.”

He added that, in the long term, “the only reasonable solution is to cut back on mass surveillance laws”. If such a solution isn’t available between the EU and US, he said,

“Facebook would have to split global and US services in two systems and keep European data outside of reach for US authorities, or face billions in penalties under the upcoming EU data protection regulation”18.

2018-04-17 The U.S. Supreme Court vacates the judgment in US v. Microsoft and remands the case with instructions to dismiss it as moot, since the CLOUD Act has resolved the question at issue. The U.S. government has obtained a new warrant under the new legislation, and no live dispute remains between Microsoft and the U.S.


Sources