In October of last year, the Court of Justice of the European Union (CJEU), the highest court of the EU, decided following a request for a preliminary ruling from the High Court in Ireland that the Commission’s decision regarding the adequacy of the Safe Harbour scheme was invalid. The Safe Harbour scheme was challenged on the premise that public authorities in the U.S. had access to content of electronic communications originating in the EU.
Initial complaints were lodged with the Irish Supervisory Authority by Austrian citizen Maximillian Schrems on the basis that some or all data provided by Mr Schrems to Facebook was transferred from Facebook’s Irish subsidiary to the U.S. where such information was processed. Mr Schrem’s complaint was grounded on the argument that following the 2013 Edward Snowden scandal, it was made clear that the law and practice of the U.S. did not offer sufficient protection against the surveillance by public authorities of the data transferred to that country. The Irish Authority rejected the complaint citing a decision of the European Commission given in July of 2000, where it considered that the U.S. ensures an adequate level of protection of personal data transferred under the Safe Harbour Scheme. When the case was brought before the High Court of Ireland, a request was brought to the CJEU to ascertain whether the Commission’s decision of 2000 prevented the authority from investigating the complaint.
In making its decision, the CJEU considered that the scheme could not be deemed adequate when such a regime compromises the right to respect for private life, and neglects to give individuals methods of redress and access to their own personal data, and therefore invalidated the decision taken by the European Commission which deemed the scheme adequate.
Following this decision, the EU and the U.S. agreed on a new framework for the exchange of personal data for commercial purposes which was to replace the Safe Harbour scheme, and was to be called the Privacy Shield Framework. In July of 2016, the Commission decided that this new framework was adequate, meaning that the standard of protection in the U.S. was deemed “essentially equivalent” to the rights and freedoms guaranteed by the EU regime on data protection.
In its recently published opinion on the EU-U.S. Privacy Shield, however, ‘EU Article 29 Working Party’ said that notwithstanding the fact that Privacy Shield improved on the Safe Harbour scheme, the new framework still failed to sufficiently address the “massive and indiscriminate surveillance of individuals” by U.S. national security authorities carried out under the guise of counter-terrorism. This, according to the Working Party, could never be considered proportionate and strictly necessary in a democratic society, as required by applicable fundamental rights.
It has recently come to light that in September of 2016, privacy advocacy group ‘Digital Rights Ireland’ filed a legal challenge in Europe’s General Court for the annulment of the Commission’s approval of the adequacy decision on the Privacy Shield Framework. The challenge will presumably take into consideration the fact that the provisions of the Framework are not actually crystallised in U.S. law. Furthermore, Digital Rights Ireland could also argue that the U.S. Foreign Intelligence Surveillance Act will still allow public authorities to have “secret access” to content of electronic communications.
The challenge presents uncertainty for the future of the Framework, which could be extremely valuable for digital business relationships depending heavily on the transfer of personal data. Moreover, the Ireland Data Protection Authority is also challenging the legality of Model Clauses, which could potentially serve as an alternative mechanism for the transfer of personal data between the EU and the US. If either or both mechanisms are considered invalid, business relationships between the EU and the U.S. could take a dangerous toll which may affect the global economy.
It is uncertain how long it will take for the CJEU to decide on the matter, although it is estimated that such lawsuit may take over a year to resolve. In the interim, the Privacy Shield Framework will remain in effect. With more than 500 companies signing up to the Privacy Shield, businesses are left uncertain on how, and if, the situation will be resolved.