The EU-U.S. Privacy Shield: ensuring the continuation of data flows instead of rebuilding trust? Europe tangled up in its own data protection requirements?

Primary Sources

European Union legal sources

Primary legislation

• Consolidated version of the Treaty on the Functioning of the European Union [2007] OJ C326/47
• Charter of Fundamental Rights of the European Union [2007] OJ C 326/391

Secondary legislation

• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31
• Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector [1997] OJ L024/1
• Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce [2000] OJ L215/7
• Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC [2001] OJ L181/19
• Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [2001] OJ L8/1
• Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) [2002] OJ L201/37
• Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries [2004] OJ L385/74
• Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006] OJ L 105/54
• Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters [2008] OJ L350/60
• Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council [2010] OJ L39/5
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1
• Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [2016] OJ L119/89
• Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime [2016] OJ L119/132
• Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council of the adequacy of the protection provided by the EU-U.S. Privacy Shield [2016] OJ L207/1

Agreements

• Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program [2010] OJ L195/5
• Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record (PNR) data by air carriers to Australian Customs and Border Protection Service [2012] OJ L186/4
• Agreement between the United States of America and the European Union on the use and transfer of passenger name records to the United States Department of Homeland Security [2012] OJ L215/5
• Draft agreement between Canada and the European Union on the transfer and processing of Passenger Name Record [2013] <http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2012657%202013%20…;

Court of Justice of the European Union

• Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform, The Commissioner of the Garda Síochána, Ireland and the Attorney General, and Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and Others [2014] ECLI:EU:C:2014:238
• Case C-362/14 Maximilian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650
• Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others [2016] ECLI:EU:C:2016:970

• Opinion 1/15 Request for an Opinion pursuant to article 218(11) TFEU (CJEU), Opinion of AG Mengozzi

Council of Europe legal sources

Treaties

• Convention for the Protection of Human Rights and Fundamental Freedoms [1950] ETS No. 5
• Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data [1981] ETS No.108
• Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows [2001] ETS No. 181

Judgments of the European Court of Human Rights

• Klass and others v Germany (1978) Series A no 28
• Zakharov v. Russia ECHR 2015
• Szabó and Vissy v. Hungary ECHR App no 37138/14 (ECtHR, 12 January 2016)

Belgian legal sources

• Wet 8 december 1992 tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens (BS 18 March 1993, consolidated version BS 28 December 2015)

United States legal sources

• "The Constitution of the United States"
• Privacy Act 1974
• Foreign Intelligence Serivce Act 1978
• Ronald Reagan, "Executive Order 12333—United States Intelligence Activities," US Federal Register, Dec. 4, 1981
• The White House, Presidential Policy Directive 28: Signals Intelligence Activities (PPD-28) (Jan. 17, 2014)

Secondary Sources

Doctrine

• De Busser E, Data Protection in EU and US Criminal Cooperation – A Substantive Law Approach to the EU Internal and Transatlantic Cooperation in Criminal Matters between Judicial and Law Enforcement Authorities (Maklu 2009)
• Granger M-P and Irion K, ‘The Court of Justice and the Data Retention Directive in Digital Rights Ireland: Telling off the EU legislator and Teaching a Lesson in Privacy and Data Protection’ (2014) 20 European Law Review
• Haeck Y and Burbano Herrera C, Procederen voor het Europees Hof voor de Rechten van de Mens (Tweede editie, Intersentia, 2011)
• Hustinx P, ‘EU Data Protection Law: The Review of Directive 95/46/EC and Proposed General Data Protection Regulation’ [2014] <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documen…; accessed March 2017
• Ripoll Servent A, Institutional and Policy Change in the European Parliament: Deciding on Freedom, Security and Justice (Springer 2015)
• Schneier B, Data and Goliath – The Hidden Battles to Collect Your Data and Control Your World (W. W. Norton & Company Ltd, first edition 2015)
• Severson D, ‘American Surveillance of Non-U.S. Persons: Why New Privacy Protections Offer Only Cosmetic Change’ (2015) 56 Harvard International Law Journal
• Terra P, ‘SWIFT en het ‘Terrorist Finance Tracking Program’: triomf voor de burger of voor het Europees Parlement?’ (2010) 64 Internationale Spectator 577
• Tracol X, ‘Legislative genesis and judicial death of a directive: The European Court of Justice invalidated the data retention directive (2006/24/EC) thereby creating a sustained period of legal uncertainty about the validity of national laws which enacted it’ (2014) 30 Computer Law & Security Review
• Tracol X, ‘“Invalidator” strikes back: The harbour has never been safe’ (2016) 32 Computer Law & Security Review
• Vermeulen G, ‘The Paper Shield: On the degree of protection of the EU-US privacy shield against unnecessary or disproportionate data collection by the US intelligence and law enforcement services’ in Svantesson, Dan J.B. and Dariusz Kloza (eds), Transatlantic Data Privacy Relationships as a Challenge for Democracy; European Integration and Democracy Series, vol 4 (Intersentia 2017)

European Commission documents

Communications

• Commission, ‘Communication from the Commission on the global approach to transfers of Passenger Name Record (PNR) data to third countries’ COM(2010) 492 final
• Commission, ‘Communication from the Commission to the European Parliament and the Council on Rebuilding Trust in EU-US Data Flows’ COM(2013) 846 final
• Commission, ‘Communication from the Commission to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the EU’ COM(2013) 847 final
• Commission, ‘Communication from the Commission to the European Parliament and the Council on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems)’ COM(2015) 566 final
• Commission, ‘Report from the Commission to the European Parliament and the Council on the joint review of the implementation of the Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for the purposes of the Terrorist Finance Tracking Program’ COM (2017) 31 final

Other documents

• Commission, ‘Frequently Asked Questions relating to transfers of personal data from the EU to third countries’ [2009], 23 <http://ec.europa.eu/justice/data-protection/international-transfers/fil…;  accessed 18 March 2017
• Directorate-General for Justice and Consumers (Commission), 2014 report on the application of the EU Charter of Fundamental Rights (Publications Office of the European Union 2015

• Directorate-General for Justice and Consumers (Commission), Guide to the EU-U.S. Privacy Shield (Publications Office of the European Union 2016)

European Parliament documents

Resolutions

• European Parliament Resolution 2013/2831(RSP), ‘Suspension of the SWIFT agreement as a result of NSA surveillance’ (2013) <http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+…; accessed 10 May 2017
• European Parliament Resolution 2014/2966(RSP), ‘Seeking an opinion from the Court of Justice on the compatibility with the Treaties of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data’ (2014) <http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2F%2FEP%2F%2FNON…;  accessed 8 May 2017
• European Parliament Resolution 2016/2727(RSP), ‘Transatlantic data flows’ (2016) <http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+TA+…; accessed 25 April 2017
• European Parliament Resolution 2016/3018(RSP), ‘Adequacy of the protection afforded by the EU-US privacy Shield’ (2016) <http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2F%2FEP%2F%2FNON…; accessed 25 April 2017

Other documents

• LIBE (European Parliament), ‘Questions relating to the judgment of the Court of Justice of 8 April 2014 in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and others – Directive 2006/24/EC on data retention – Consequences of the judgment’(legal opinion) SJ-0890/14
• Directorate-General for Internal Policies – Policy Department C: Citizens’s Rights and Constitutional Rights (European Parliament), ‘The US legal system on data protection in the field of law enforcement – Safeguards, rights and remedies for EU citizens’ [2015] Study, 17 <http://www.europarl.europa.eu/RegData/etudes/STUD/2015/519215/IPOL_STU%…; accessed 4 May 2016

Working Party on the Protection of Individuals with regard to the Processing of Personal Data (Article 29 Working Party) documents

• Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘First orientations on Transfers of Personal Data to Third Countries – Possible Ways Forward in Assessing Adequacy’ [1997] Discussion Document WP4 <http://ec.europa.eu/justice/data-protection/article-29/documentation/op…; accessed 28 March 2017
• Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive’ [1998] Working Document WP12 <http://ec.europa.eu/justice/data-protection/article-29/documentation/op…; accessed 18 March 2017
• Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers’ [2003] Working document WP74 <http://ec.europa.eu/justice/data-protection/article-29/documentation/op…; accessed 18 March 2017
• Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From “Binding Corporate Rules”’ [2005] Working document WP107 <http://ec.europa.eu/justice/data-protection/article-29/documentation/op…; accessed 18 March 2017
• Working Party of on the Protection of Individuals with regard to the Processing of Personal Data, ‘A common interpretation of Article 26 (1) of Directive 95/46/EC of 24 October 1995’ [2005] Working Document WP114 <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2005/wp114_en…; accessed 18 March 2017
• Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Opinion 1/2010 on the concepts of “controller” and “processor” [2010] Opinion WP169 <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en…; accessed 26 April 2017
• Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Opinion 7/2010 on European Commission’s Communication on the global approach to transfers of Passenger Name Record (PNR) data to third parties’ [2010] Opinion WP178 <http://ec.europa.eu/justice/data-protection/article-29/documentation/op…; accessed 8 May 2017
• Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Opinion 03/2013 on purpose limitation’ [2013] Opinion WP203 <http://ec.europa.eu/justice/data-protection/article-29/documentation/op…; accessed 29 March 2017
• Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)’ [2016] Working Document WP237 <http://ec.europa.eu/justice/data-protection/article-29/documentation/op…; accessed 18 April 2017
• Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision’ [2016] Opinion WP238 <http://ec.europa.eu/justice/data-protection/article-29/documentation/op…; accessed 25 April 2017

European Data Protection Supervisor (EDPS) documents

• European Data Protection Supervisor, ‘Opinion on the Proposals for Council Decisions on the conclusion and signature of the Agreement between Canada and the European Union on the transfer and processing of Passenger Name Record data’ [2013] Opinion <https://edps.europa.eu/sites/edp/files/publication/13-09-30_canada_en.p…; accessed 8 May 2017
• European Data Protection Supervisor, ‘The transfer of personal data to third countries and international organisations by EU institutions and bodies’ [2014] Position paper <https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documen…; accessed 18 March 2017
• European Data Protection Supervisor, ‘Guidance: Security Measures for Personal Data Processing, article 22 of Regulation 45/2001’ [2016] Guidance document <https://edps.europa.eu/sites/edp/files/publication/16-03-21_guidance_is…; accessed 30 March 2017
• European Data Protection Supervisor, ‘Opinion on the EU-U.S. Privacy Shield draft adequacy decision’ [2016] Opinion 4/2016 <https://edps.europa.eu/sites/edp/files/publication/16-05-30_privacy_shi…; accessed 25 April 2017

European Union Agency for Fundamental Rights (FRA)

• European Union Agency for Fundamental Rights (FRA), Council of Europe and Registry of the European Court of Human Rights, Handbook on European data protection law (Publications Office of the European Union 2014)
• European Union Agency for Fundamental Rights, Surveillance by intelligence services: fundamental rights safeguards and remedies in the EU – Mapping Member States’ legal frameworks (Publications Office of the European Union 2015)

Websites

• ‘EU Charter of Fundamental Rights’ (Website Commission) <http://ec.europa.eu/justice/fundamental-rights/charter/index_en.htm&gt; accessed 5 May 2017
• ‘Information society, privacy and data protection’ (Website European Union Agency for Fundamental Rights, (FRA)) <http://fra.europa.eu/en/theme/information-society-privacy-and-data-prot…; accessed 5 May 2017
• <https://edwardsnowden.com/&gt; (Website Edward Snowden) accessed 6 May 2017
• <https://edwardsnowden.com/2014/01/17/presidential-policy-directive-ppd-…; (Website Edward Snowden) accessed 26 April 2017
• Data transfers outside of the EU’ (Website Commission) <http://ec.europa.eu/justice/data-protection/international-transfers/ind…; accessed 18 March 2017
• ‘Model Contracts for the transfer of  personal data to third countries’ (Website Commission) <http://ec.europa.eu/justice/data-protection/international-transfers/tra…; accessed 18 March 2017
• ‘Binding Corporate Rules’ (Website Commission)  <http://ec.europa.eu/justice/data-protection/article-29/bcr/index_en.htm…; accessed 18 March 2017
• ‘BCR Procedure’ (Website Commission) <http://ec.europa.eu/justice/data-protection/international-transfers/bin…; accessed 18 March 2017
• <https://www.digitalrights.ie/&gt; (Website Digital Rights Ireland) accessed 4 April 2017
• ‘Accession of the European Union’ (Website ECHR) <http://www.echr.coe.int/Pages/home.aspx?p=basictexts/accessionEU&c&gt; accessed 8 April 2017
• Press Unit of the European Court of Human Rights, ‘Factsheet – Mass surveillance’, 3 (Website ECHR, December 2016) <http://www.echr.coe.int/Documents/FS_Mass_surveillance_ENG.pdf > accessed 6 April 2017
• European Court of Human Rights, ‘Legal summary – Szabó and Vissy v. Hungary’ (Hudoc, January 2016) <http://hudoc.echr.coe.int/eng#{"itemid":["002-10821"]}> accessed 6 April 2017
• Office of the Press Secretary of the White House, ‘FACT SHEET: Review of U.S. Signals Intelligence’ (The White House – President Barack Obama, 17 January 2014) <https://obamawhitehouse.archives.gov/the-press-office/2014/01/17/fact-s…; accessed 1 May 2017
• ‘About the Board’ (Website Privacy and Civil Liberties Oversight Board)<https://www.pclob.gov/about-us.html&gt; accessed 3 May 2017
• ‘Transfer of Air Passenger Name Record (PNR) Data and Terrorist Finance Tracking Programme (TFTP)’ (Website Commission) <http://ec.europa.eu/justice/data-protection/international-transfers/pnr…; accessed 7 May 2017
• ‘Terrorist Finance Tracking Program (TFTP) (Website U.S. Department of the Treasury) <https://www.treasury.gov/resource-center/terrorist-illicit-finance/Terr…; accessed 9 May 2017
• ‘Privacy Shield List’ (Website Privacy Shield Framework (United States)),  <https://www.privacyshield.gov/participant_search&gt; accessed 10 May 2017
• ‘Terrorist Finance Tracking Programme’ (Website Commission) <https://ec.europa.eu/home-affairs/what-we-do/policies/crisis-and-terror…; accessed 10 May 2017

Blogs

• ‘A simple explanation of how money moves around the banking system’ (Richard Gendal Brown) <https://gendal.me/2013/11/24/a-simple-explanation-of-how-money-moves-ar…; accessed 9 May 2017
• ‘European Court Opinion: Canada PNR deal cannot be signed’ (European Digital Rights (EDRi), 8 September 2016) <https://edri.org/european-court-opinion-canada-pnr-deal-cannot-be-signe…; accessed 8 May 2017
• ‘EU-US Privacy Shield review now promised for September’ (Privacy Laws & Business, 5 May 2017) <http://www.privacylaws.com/int_enews_5_4_17&gt; accessed 26 April 2017
• ‘The Article 29 Data Protection Working Party (“WP29”) remain concerned about the recently adopted Privacy Shield as follows from their recent statement dated 1 July 2016” (Stibbe, 13 October 2016) <https://www.stibbe.com/en/news/2016/october/privacy-authorities-remain-…; accessed 3 May 2017
• De Hert P and Cristobal Bocos P, ‘Case of Roman Zakharov v. Russia: The Strasbourg follow up to the Luxembourg Court’s Schrems judgment’ (Strasbourg Observers, 23 December 2015) <https://strasbourgobservers.com/2015/12/23/case-of-roman-zakharov-v-rus…; accessed 6 April 2017
• Hale W, ‘United States: Comparison of Requirements Under The Privacy Shield/Safe Harbor Principles’ (Mondaq, 26 July 2016) <http://www.mondaq.com/unitedstates/x/513810/Data+Protection+Privacy/Com…; accessed 29 April 2017
• Johnson T, ‘Watchdog board that keeps eye on U.S. intelligence agencies barely functions’ (McClatchy DC BUREAU, 7 March 2017) <http://www.mcclatchydc.com/news/nation-world/national/national-security…; accessed 3 May 2017
• Kadial S, ‘Surveillance After the USA Freedom Act: How Much Has Changed?’ (The Center for Constitutional Rights, 17 December 2015) <http://www.huffingtonpost.com/the-center-for-constitutional-rights/surv…; accessed 2 May 2017
• Lynskey O, ‘Tele2 Sverige AB and Watson et al: continuity and radical change’ (European Law Blog, 12 January 2017) <http://europeanlawblog.eu/2017/01/12/tele2-sverige-ab-and-watson-et-al-…; accessed 4 March 2017
• McLaughlin J, ‘The U.S. Government’s Privacy Watchdog Is Basically Dead, Emails Reveal’ (The Intercept, 3 March 2017) <https://theintercept.com/2017/03/03/the-governments-privacy-watchdog-is…; accessed 3 May 2017
• Petrovas S and Rich CJ, ‘Privacy Shield vs. Safe Harbor: A Different Name for an Improved Agreement?’ (Morrison Foerster, 3 March 2016) <https://www.mofo.com/resources/publications/privacy-shield-vs-safe-harb…; accessed 29 April 2017
• Rouse M, ‘Definition COMINT (communications intelligence)’ <http://whatis.techtarget.com/definition/COMINT-communications-intellige…; accessed 1 May 2017
• Stanley J, ‘What Powers Does the Civil Liberties Oversight Board Have?’ (American Civil Liberties Union, 4 November 2013) <https://www.aclu.org/blog/what-powers-does-civil-liberties-oversight-bo…; accessed 3 May 2017
• Seth S, ‘How The SWIFT System Works’ (Investopedia, 5 May 2015) <http://www.investopedia.com/articles/personal-finance/050515/how-swift-…; accessed 9 May 2017
• St.Vincent S, ‘Did the European Court of Human Rights Just Outlaw “Massive Monitoring of Communications” in Europe?’ (Center for Democracy & Technology (CDT), 13 January 2016) <https://cdt.org/blog/did-the-european-court-of-human-rights-just-outlaw…; accessed 9 April 2017
• Vavoula N, ‘I Travel, therefore I am a Supsect’: an overview of the EU PNR Directive’ (FREE Group, 27 October 2016) <https://free-group.eu/2016/10/27/i-travel-therefore-i-am-a-suspect-an-o…; accessed 9 May 2017

Press releases

• Court of Justice of the European Union, ‘The Court of Justice declares the Data Retention Directive to be invalid’ (Press release, 8 April 2014) <http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp14005…; accessed 3 April 2017
• Commission, ‘Frequently Asked Questions: The Data Retention Directive’ (Memo, 8 April 2014) <http://europa.eu/rapid/press-release_MEMO-14-269_en.htm&gt; accessed 7 April 2017
• Council of the European Union, ‘Signature of the EU-Canada agreement on Passenger Name Records (PNR) (Press release, 25 June 2014) <http://www.consilium.europa.eu/en/press/press-releases/2014/06/pdf/sign…; accessed 7 May 2017
• European Parliament, ‘MEPs refer EU-Canada air passenger data deal to the EU Court of Justice’ (Press release, 25 November 2014) <http://www.europarl.europa.eu/news/en/news-room/20141121IPR79818/meps-r…; accessed 8 May 2017
• European Parliament, ‘Parliament back EU directive on use of Passenger Name Records (PNR)’ (Press release, 14 April 2016) <http://www.europarl.europa.eu/news/en/news-room/20160407IPR21775/parlia…; accessed 8 May 2017
• Commission, ‘European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows’ (Press release, 12 July 2016) <http://europa.eu/rapid/press-release_IP-16-2461_en.htm&gt; accessed 25 April 2017
• Court of Justice of the European Union, ‘Advocate General’s Opinion in the Request for an Opinion 1/15’ (Press release, 8 Septemeber 2016) <https://curia.europa.eu/jcms/upload/docs/application/pdf/2016-09/cp1600…; accessed 8 May 2017
• Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (LIBE), ‘EU-Canada PNR: legal opinion affirms Parliament’s privacy concerns’ (Press release, 8 September 2016) <http://www.europarl.europa.eu/news/en/news-room/20160908IPR41656/eu-can…; accessed 8 May 2017

Newspaper articles

The Guardian

• Glenn Greenwald, ‘NSA collecting phone records of millions of Verizon customers daily’ The Guardian (6 June 2013)  <https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon…; accessed May 2017
• Glenn Greenwald and Ewen MacAskill, ‘NSA Prism program taps in to user data of Apple, Google and others’ The Guardian (6 June 2013) <https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data&gt; accessed  May 2017
• James Ball, ‘NSA’s Prism surveillance program: how it works and what it can do’ The Guardian (8 June 2013) <https://www.theguardian.com/world/2013/jun/08/nsa-prism-server-collecti…; accessed 1 May 2017
• James Ball, ‘Edward Snowden NSA files: secret surveillance and our revelations so far’ The Guardian (21 August 2013) <https://www.theguardian.com/world/2013/aug/21/edward-snowden-nsa-files-…; accessed 1 May 2017
• Ian Traynor, ‘EU threatens to suspend deal with US on tracking terrorists’ funding’ The Guardian 24 September 2013) <https://www.theguardian.com/world/2013/sep/24/eu-threat-us-data-sharing…; accessed 9 May 2017

The Washington Post

• Ellen Nakashima, ‘NSA’s bulk collection of Americans’ phone records ends Sunday’ The Washington Post (27 November 2015) <https://www.washingtonpost.com/world/national-security/nsas-bulk-collec…; accessed 13 May 2017 

The New York Times

• Eric Lichtblau and James Risen, ‘Bank Data is Sifted by U.S. in Secret to Block Terror’ The New York Times (23 June 2013) <http://www.nytimes.com/2006/06/23/washington/23intel.html&gt; accessed 9 May 2017

Spiegel Online

• Laura Poitras, Marcel Rosenbach and Holger Stark, ‘NSA Monitors Financial World’ Spiegel Online (16 September 2013) <http://www.spiegel.de/international/world/how-the-nsa-spies-on-internat…; accessed 10 May 2017

Other sources

• EU Co-Chairs of the Ad Hoc EU-US Working Group on Data Protection, ‘Report on the Findings of the EU Co-Chairs of the Ad Hoc EU-U.S. Working Group on Data Protection’ [2013] point 5 <http://ec.europa.eu/justice/data-protection/files/report-findings-of-th…; accessed 1 May 2015
• National Research Council, Division on Engineering and Physical Sciences, Computer Science and Telecommunications Board, Committee on Responding to Section 5(d) of Presidential Policy Directive 28: The Feasibility of Software to Provide Alternatives to Bulk Signals Intelligence Collection, Bulk Collection of Signals Intelligence: Technical Options
• European Ombudsman (Emily O’Reilly), ‘Use of the title ‘ombudsman’ in the ‘EU-US Privacy Shield’ agreement’ (European Ombudsman, Letter to Ms Vĕra Jourová, 22 February 2016) <https://www.ombudsman.europa.eu/resources/otherdocument.faces/en/64157/…; accessed 3 May 2017
• Charles Doyle, ‘Administrative Subpoenas in Criminal Investigations: A Brief Legal Analysis’ (CRS Report for Congress, 17 March 2006), summary <https://fas.org/sgp/crs/intel/RL33321.pdf&gt; accessed 4 May 2017
• European Union Committee, The EU/US Passenger Name Record (PNR) Agreement (HL 2006-07, 108)
• U.S. Customs and Border Protection (CBP) (U.S. Department of Homeland Security (DHS)), ‘U.S. Customs and Border Protection Passenger Name Record (PNR) Privacy Policy’ (2013) 1<https://www.cbp.gov/sites/default/files/documents/pnr_privacy.pdf&gt; accessed 7 May 2017
• Commissie voor de bescherming van de persoonlijke levenssfeer, ‘Advies betreffende de doorgifte van persoonsgegevens door de CVBA SWIFT ingevolge de dwangbevelen van de UST (OFAC)’ (2006) Advies Nr 37/2006 <https://www.privacycommission.be/sites/privacycommission/files/document…; accessed 9 May 2017
• Terrorist Finance Tracking Program – Representations of the United States Department of the Treasury [2007] OJ C166/18
• General Secretariat of the Council of the EU, ‘EU-US agreement on the processing and transfer of financial messaging data for purposes of the US Terrorist Finance Tracking Programme (TFTP) – Questions and Answers’ (Information note, November 2009) <https://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/1…;  accessed 10 May 2017