Is the Privacy Shield Bulletproof?
18 November 2016
Less than 3 months after the commencement of the EU-US Privacy Shield, two challenges have been lodged with the EU courts. One of the challenges has been submitted by the Irish privacy advocacy group, Digital Rights Ireland. Separately, a French trio, comprising privacy advocacy group, La Quadrature du Net; non-profit ISP, French Data Network; and its Federation FDN industry association, has also collectively submitted a challenge. The groups claim that the Privacy Shield doesn't go far enough to protect the personal data of EU data subjects when it is transferred to the US.
Both groups have made their challenges on the basis of a specific process which is available for two months after an EU law is introduced. These challenges, however, must be made by individuals or organisations who are “directly concerned” with the EU law. We examine these challenges and what they mean for the Privacy Shield.
The Privacy Shield regime
The EU-US Privacy Shield was agreed in the wake of the Schrems case, in which the EU’s highest court (the “CJEU”) found the Safe Harbor regime invalid. The Privacy Shield was aimed at remedying the deficiencies of Safe Harbor, as identified by the CJEU. These changes included requiring US companies to comply with stronger privacy obligations, imposing clearer limits on US surveillance in the context of EU-based individuals, and providing redress mechanisms for those individuals. The Privacy Shield was approved by EU Member States and adopted in July 2016.
Since 1 August 2016, over 500 companies have signed up to the framework including the likes of Google, Microsoft and Salesforce.
Digital Rights Ireland (“DRI”) lodged its challenge with the General Court, the EU’s second most senior court. DRI has sought an annulment of the Privacy Shield Decision, via a specific process available under Article 263 of the Lisbon Treaty. In essence, this process permits third parties to bring a case directly to the General Court, rather than via national courts, if an EU law affects them.
DRI’s challenge to the Privacy Shield focuses on the inadequacy of US protections for personal data. In particular, it focuses on the incompatibility of the Privacy Shield with the privacy and data protection provisions of the EU Charter of Fundamental Rights. DRI also claims that the US Foreign Intelligence Surveillance Act continues to permit public authorities to have secret “access on a generalised basis to the content of electronic communications”.
DRI has a degree of experience in front of the EU courts, having previously been at the forefront of the CJEU’s invalidation of the Data Retention Directive in 2014. The judgment in that case was one of the first privacy cases to draw from the EU Charter of Fundamental Rights. However, DRI’s challenge to the Privacy Shield might not result in the same degree of success. While it could be at least one year before the General Court rules on this challenge, EU law requires that such challenges are made by individuals or companies who are “directly concerned” with the EU law. This may pose a challenge for DRI.
In addition to DRI’s challenge, a French trio, comprising privacy advocacy group, La Quadrature du Net; non-profit ISP, French Data Network; and its Federation FDN industry association, has also sought an annulment of the Privacy Shield. Similar to the challenge mounted by DRI, however, it remains to be determined whether the French trio is “directly concerned” with the Privacy Shield.
The French challenge is reported to be focusing on the ‘privacy ombudsman’ within the US State Department, who is tasked with handling European complaints about US surveillance. The French groups claim that this ombudsman is not an effective mechanism for dealing with concerns about intrusive US surveillance.
What might the future hold for the Privacy Shield?
Both the Irish and French challenges face the risk of being declared inadmissible if the General Court finds the groups do not meet the required standard. Past cases show that the threshold is particularly difficult to meet. Each challenge will first be considered by a panel of General Court Justices. We are then likely to see an appeal to the CJEU. Such an appeal may be made to determine whether a group is “directly concerned” or in order to challenge the annulment of the Privacy Shield.
As well as possible challenges in the courts, the European Commission, FTC and US Department of Commerce are likely to have their sights set on the review of the Privacy Shield, scheduled for mid-2017. The Article 29 Working Party (“WP29”) has also indicated that the first annual review will be a critical time for the Privacy Shield. Although WP29 somewhat accepted revisions to the Privacy Shield before its launch, it made clear that it may raise concerns when it comes up for review. In addition, EU Commissioner Jourová has said that the Privacy Shield would need to be reviewed prior to the GDPR coming into force.