The negotiations between the EU and the US for a new data transfer agreement to replace the struck-down Safe Harbor program continue as the clock ticks down to the enforcement deadline of January 31, 2016 (as declared by the EU’s national data protection authorities via the Article 29 Working Party).

While the CJEU’s decision striking down the current Safe Harbor arrangements is usually discussed in isolation as a purely US-EU matter, the decision in fact flows from an earlier intra-EU case, Digital Rights Ireland and Others (C293/12 and C594/12, EU:C:2014:238; decided April 8, 2014) that invalidated the 2006 Data Retention Directive and cast doubt on all mass data collection in the EU by EU and national authorities.  Today, in an feature commentary published by The Cipher Brief, we take a look at some of the key cases in Europe that frame the tension between mass surveillance-based security operations and individual privacy rights.  These cases provide a critical backdrop for understanding the challenges that the EU Commission and the US face in crafting a new Safe Harbor agreement that meets European legal standards.