Ever since the first draft of the EU-US Privacy Shield framework was published in early 2016, groups opposed to the idea have indicated their intent to challenge the legality of the framework under EU law. Recently, the privacy advocacy group Digital Rights Ireland (DRI) made good on that promise. Following the filing of a formal complaint on 15 September asking for an annulment of the framework by the Court of Justice of the European Union (CJEU), DRI has now made public the details of its complaint.
In the complaint, DRI asks the CJEU to declare that the European Commission’s Implementing Decision, which found that the Privacy Shield provides an adequate level of protection in the United States for personal data, is a “manifest error” and therefore null and void. DRI grounds its plea in ten legal arguments, largely couched in terms of violations of the EU Data Protection Directive, the Charter of Fundamental Rights of the EU, and the CJEU’s October 2015 decision in the Schrems case invalidating Privacy Shield’s predecessor, the EU-US Safe Harbor framework. The arguments are as follows:
- Privacy Shield does not comply with the Data Protection Directive, as interpreted in light of the Charter of Fundamental Rights of the EU.
- Privacy Shield does not comply with the Data Protection Directive, as interpreted in light of the Charter of Fundamental Rights of the EU and the CJEU’s decision in Schrems.
- The Principles listed in Privacy Shield and the US’ representations and commitments with respect to those Principles are not “international commitments”.
- The US’ Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 violates Article 7 of the Charter of Fundamental Rights of the European Union—addressing a respect for private and family life—by allowing public authorities to access the content of certain electronic communications.
- The US’ FISA Amendments Act of 2008 also violates Article 47 of the Charter of Fundamental Rights of the EU—on a right to an effective remedy and a fair trial—by allowing public authorities to secretly access the content of certain electronic communications.
- The failure to include the full protections in Article 28(3) of the Data Protection Directive—addressing the powers of supervisory authorities—means that the Privacy Shield does not fully protect the rights of EU citizens where their data is transferred to the US.
- Privacy Shield is incompatible with Articles 7, 8, and 52(1) of the Charter of Fundamental Rights of the EU (on a respect for private and family life, the protection of personal data, and the appropriate limitations on the exercise of rights and freedoms in the Charter).
- Privacy Shield is an invalid breach of the rights of privacy, data protection, freedom of expression, and freedom of assembly and association under the Charter of Fundamental Rights of the EU and general principles of EU law.
- Privacy Shield denies EU citizens the right to an effective remedy and good administration, as provided for under the Charter of Fundamental Rights of the EU and general principles of EU law.
- The failure to include the full protections in Articles 14 and 15 of the Data Protection Directive—addressing data subjects’ right to object to data processing and decisions based solely on automated data processing—means that the Privacy Shield does not fully protect the rights of EU citizens where their data is transferred to the US.
It is too early to say what the implications of this case will be, as there are many important variables—ranging from procedural issues to the potential impact of the forthcoming Trump administration on the current controls on government access to data—that will affect its possible outcome. While this challenge was expected, it seems nonetheless premature that, not even three months into operation, the Privacy Shield’s critics have taken the view that it is not good enough and merits a full-blown legal challenge in the CJEU. This is all the more rushed given that the data protection authorities themselves were prepared to wait one year and see what the Privacy Shield could deliver before taking any formal action.
In summary, the challenge is based on the assumption that the Privacy Shield has cut some corners, but given the level of scrutiny that has been given to this process, it is by no means obvious that the Privacy Shield does not meet the right standards. This also seems to disregard the considerable efforts made by the European Commission to agree a realistic but solid legal framework with the US government for the protection of European data. Unfortunately for EU and US companies alike, this challenge will contribute to perpetuating the uncertainty over how to ensure that transfers of data to the US are lawful.