Digital Rights Ireland, an Irish privacy advocacy group, has filed the first legal challenge to the EU-U.S. Privacy Shield, the Trans-Atlantic agreement reached earlier this year to permit the lawful transfer of personal data from the European Union to the United States. The Privacy Shield was formally adopted on July 12, 2016, by the European Commission, which released an Adequacy Decision concluding that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States.” Digital Rights Ireland’s application to the EU General Court seeks annulment of the Commission’s Adequacy Decision. A spokesman for the European Commission stated that it was aware of the application and “is convinced that the Privacy Shield will live up to the requirements set out by the European Court of Justice.”
Very limited information regarding the case is publicly available at this time; the CJEU’s website shows that the application for annulment (concerning an “area of freedom, security and justice”) was filed on September 16, 2016. The U.S. Department of Commerce began accepting applications for self-certification to the Privacy Shield on Aug. 1, 2016.
Although the Article 29 Working Party issued a statement in late July indicating that EU data protection authorities themselves would not challenge the validity of the Privacy Shield for at least a year, many expected some form of legal challenge in the interim. Digital Rights Ireland’s application for annulment is permitted under an EU treaty allowing individuals or companies to seek an annulment of an EU act before the EU Court of Justice or General Court if they can prove direct or individual concern with the act.
Currently more than 600 companies are included on the Department of Commerce’s Privacy Shield List of self-certified entities, with more being added each week.