Newsflash: EU-US Privacy Shield challenged before the European court

2nd November 2016

Digital Rights Ireland (DRI), an Irish privacy campaign group, is seeking to have the EU-US Privacy Shield annulled by the European Courts.

The Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes, with the aim both of protecting the fundamental rights of EU individuals whose personal data is transferred to the US and ensuring legal certainty for businesses relying on such data transfers. For more information on the background to the Privacy Shield, see our earlier briefings Putting the EU-US Privacy Shield into motion – what next? and Details of the EU-US Privacy Shield published – what do organisations on both sides of the Atlantic need to know?

DRI has declined to comment on the application for annulment which it has lodged with the EU General Court, one of the three courts of the Court of Justice of the European Union (CJEU) on 16 September 2016 and there is currently no information publicly available on the court file.

However, according to The Irish Times, the application is being made under Article 263 of the Lisbon Treaty for an annulment of the European Commission’s ‘finding of adequacy’ that US organisations signing up to the Privacy Shield provide an equivalent level of protection for EU personal data transferred to the US. The Irish Times also states that the proceedings will claim that the Commission’s decision is void on the basis that:

• the principles and representations in the Privacy Shield are not US law
• US law does not provide an adequate level of protection for personal data consistent with the CJEU’s ruling in the Schrems decision in which the Privacy Shield’s predecessor “Safe Harbor” was ruled invalid, see our briefing Safe Harbor out, Privacy Shield in for more details
• the provisions of the US Foreign Intelligence Surveillance Act permit public authorities to have secret access on a generalised basis to electronic communications
• the Privacy Shield is in breach of rights to privacy and data protection as provided for under the Charter of Fundamental Rights and by the general principles of EU law.

Further details of DRI’s claim will not be available until they are published in the EU’s Official Journal which is expected to happen in the next few days.

The Commission has two months from being sent DRI’s application in which to file a defence. The Commission does not comment on ongoing court cases but Commission spokesman Christian Wigand has been reported as saying “The Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations”.

The challenge does not come as a surprise in view of the outstanding concerns over the Privacy Shield’s safeguards for protecting European personal data. What is surprising, however, is both the timing, in light of the Article 29 Working Party’s comments that the first joint annual review (which is not due to take place until Summer 2017) would be a key moment for the Privacy Shield, and the fact that DRI has applied directly to the General Court rather than complaining through the Irish Data Protection Commissioner.

In the three months since the Privacy Shield was launched, over 500 companies have already self-certified under the Privacy Shield, including many of the major names such as Facebook, Google and Amazon.

Given the general consensus that the Privacy Shield was almost certainly going to face a legal challenge at some point in the not too distant future, this is a significant number, especially considering that only approximately 4,500 companies registered with its predecessor Safe Harbor during the 15 years it was in force.

There is no immediate impact on data transfers to the US and it is likely to be quite some time before the outcome of the challenge is known.

In the meantime, the European Commission has released its proposed amendments to the Model Clauses which are also being referred to the CJEU.

US organisations should carry out a cost-benefit analysis of the various available transfer mechanisms and decide in accordance with their risk appetite whether they register under the Privacy Shield, adopt the model contract clauses, incorporate both into their compliance programme or use alternative mechanisms.

Given the uncertainty over the future validity of the model contract clauses and the potential legal challenges to the Privacy Shield, it may be prudent for US organisations to hedge their bets and employ both mechanisms. However, this will need to be weighed carefully against the costs and administrative burden of complying with two mechanisms.

Walker Morris will continue to monitor and report on developments in this area. In the meantime, if you have any queries arising from this or any of our earlier briefings, please contact Jeanette Burgess, Andrew Northage or any other member of the Regulatory and Compliance Team.