The General Court of the European Union has dismissed as inadmissible an action by Digital Rights Ireland (DRI) to annul the EU-U.S. Privacy Shield (Privacy Shield), meaning that Privacy Shield remains valid and in force. As we previously reported, Privacy Shield is the successor to the Safe Harbor framework following the latter's invalidation by the Court of Justice of the European Union (CJEU) in October 2015. Since July 2016, Privacy Shield has facilitated the free-flow of cross-border transfers of personal data between Europe and the US and has already been subscribed to by over 2400 companies. Privacy Shield has also just passed its first annual review, something which has provided much-needed certainty to participating organisations.
DRI based its action against Privacy Shield on Article 263 of the Treaty on the Functioning of the European Union (TFEU) which provides that: “[a]ny natural or legal person may […] institute proceedings against an [EU] act addressed to that person or which is of direct and individual concern to them” or “against [an EU] regulatory act which is of direct concern to them and does not entail implementing measures.” However, the Court found that DRI did not have standing under Article 263 TFEU to challenge Privacy Shield either in its own name (including because legal persons do not possess personal data rights) or in the name of its members or the general public. While Article 80 of the General Data Protection Regulation (GDPR) will introduce the possibility for consumers to permit a "not-for-profit body, organisation or association" to assert their privacy rights before EU courts, the GDPR only applies from 25 May 2018 and so DRI could not claim its protection.
DRI may decide to appeal the General Court's ruling to the CJEU and we will be closely monitoring any future developments. There is also a challenge to Privacy Shield by a French digital rights group and it will be interesting to see if the same rational will be applied by the General Court as in the DRI decision. The DRI judgment, combined with the fact that Privacy Shield has passed its first annual review, is positive news for organisations using the transfer mechanism, especially in light of the ongoing judicial challenges that the standard contractual clauses are currently facing.