Privacy advocacy group Digital Rights Ireland is challenging the EU-US “Privacy Shield” (allowing for EU-US data transfers based on self-certification by US companies) before the EU’s General Court, accusing it of failing to provide sufficient guarantees to ensure adequate data protection.

1 Background – invalidation of the EU-US “Safe Harbour”

On 6 October 2015, in the “Schrems” case (C-362/14), the EU Court of Justice (the “CJEU”) ruled that the EU Commission’s “Safe Harbour” decision was no longer valid. This regime allowed transfers of European citizens’ personal data to the United States based on self-certification of the US ‘data receiver’, committing itself to adhere to a number of ‘data protection principles’.

The CJEU ruled that the Safe Harbour regime did not contain adequate safeguards, in that US legislation allows the NSA and other US security agencies to access personal data transferred to the US in the course of mass and indiscriminate surveillance and interception of such data. Furthermore, US law did not provide for any effective judicial redress mechanisms for European citizens in case of an infringement of their rights.


2 Adoption of the “Privacy Shield”

As the “Safe Harbour” adequacy finding could no longer serve as a legal basis to legitimise data exports from the EU to the US, companies operating internationally were forced to either stop sending personal data to the US, or to implement an alternative legal basis to legitimise these data exports (consent, Binding Corporate Rules, Data Transfer Agreements). However, these alternatives often appeared to be inadequate as well and failed to provide the desired legal certainty.

On 2 February 2016, the European Commission announced its initial agreement with the US government to replace the “Safe Harbour” regime with the so-called “Privacy Shield”. Even though the Commission was convinced that the “Privacy Shield” would live up to the requirements set out by the CJEU, it was quickly criticised by several stakeholders, including members of the European Parliament and data protection ‘activist’ Maximilian Schrems (who filed the complaint that led to the invalidation of the “Safe Harbour”).

On 12 July 2016, the European Commission ultimately adopted the final version of the EU-US Privacy Shield. As of 1 August 2016, US companies wishing to receive personal data from the EU were able to apply for self-certification under these new rules. Today, more than 500 companies have been approved by the US government under this new regime, including Microsoft, Facebook and Google.

Nevertheless, there were lingering uncertainties about this decision, and several actors very quickly expressed their intention to challenge the “Privacy Shield”.

3 Annulment sought by Digital Rights Ireland

On 16 September 2016, the (expected) challenge of the “Privacy Shield” was filed with the EU General Court by Digital Rights Ireland, a digital rights advocacy group (case number T-670/16). It is seeking the annulment of the “Privacy Shield”, arguing that – just like the “Safe Harbour” – it does not ensure an adequate level of data protection.

There is still a possibility that the General Court will declare the action inadmissible if it finds that the “Privacy Shield” is not of ‘direct concern’ to Digital Rights Ireland. Individuals or companies may challenge EU acts only if they are directly concerned, and must do so within two months of the act coming into force. Digital Rights Ireland has previously won cases dealing with privacy protection (including the case against the EU Data Retention Directive, which was struck down by the CJEU in 2014), but the General Court’s finding on the admissibility of this particular claim is still awaited.

A spokesman for the European Commission has already commented that they are convinced that the “Privacy Shield” will live up to the requirements set by the CJEU. In the meantime, and until the General Court decides otherwise, the Privacy Shield remains fully operational.

4 Periodic review of adequacy decisions – “GDPR”

The “Privacy Shield” already obliges the European Commission to periodically check whether the adequacy finding relating to the level of protection ensured by the United States under the “Privacy Shield” is still factually and legally justified. The “Privacy Shield” adequacy decision is subject to “Annual Joint Review”, covering all aspects of the functioning of the “Privacy Shield”.

Since the adequacy finding may also be influenced by other legal developments in EU law, the Commission should also assess the level of protection provided by the “Privacy Shield” following the entry into force of the EU General Data Protection Regulation (the “GDPR”) on 25 May 2018. Taking into account the number of significant changes and additional data privacy safeguards the GDPR introduces, the “Privacy Shield” is indeed likely to be adjusted in the light thereof, even if it survives the Digital Rights Ireland challenge.

Stay tuned…We will of course keep you posted on further developments!