Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
Privacy Shield challenged in EU courts
Privacy advocacy groups in Ireland and France have filed legal challenges calling for the Privacy Shield agreement to be annulled, shortly after it was introduced.
Since Privacy Shield was adopted in July 2016, hundreds of companies have signed up to the data transfer scheme. Privacy Shield was created to replace the former Safe Harbor programme which allowed organisations in the EEA to send personal data to US organisations if they agreed to treat it in accordance with EU data protection requirements. Safe Harbor was invalidated in the Schrems case in October 2015 after the Court of Justice of the European Union declared it did not adequately protect personal data.
The first challenge is brought by Digital Rights Ireland (DRI), an Irish privacy advocacy group which previously successfully challenged the EU’s Data Retention Directive that was invalidated as a result in 2014. The second challenge is brought by three French parties including the privacy advocacy group La Quadrature du Net, along with non-profit Internet service provider French Data Network and its Federation FDN industry association.
The groups have made use of a mechanism available under Article 263 of the Lisbon Treaty, which permits a third party to bring a case to the European General Court in Luxembourg within two months of an EU law being published. This two-month timeframe allows challenges to be brought before the EU’s second highest court, rather than having to exhaust national courts first. However, in order to take advantage of the mechanism, parties must prove that the legislation is of direct concern to them. Something which may be difficult for these parties.
The parties calling for the annulment of Privacy Shield argue that the US inadequately protects personal data and that Privacy Shield is incompatible with the EU Charter of Fundamental Rights. The US Foreign Intelligence Surveillance Act has also raised concerned for allowing US authorities access to EU personal data. The Article 29 Working Party has previously criticised Privacy Shield for not providing “stricter guarantees” as to the protection of personal data transferred out of the EEA.
Privacy Shield has faced continued criticism for failing to address the concerns that led to the invalidation of Safe Harbour. In this regard, it may come as no surprise that it is now being challenged by a number of privacy advocacy groups for many of the same reasons.
If the court invalidates Privacy Shield, organisations would be back to a similar position as they were in after the Schrems decision; having to rely on other mechanisms to transfer personal data from the EEA to the US. Model clauses have been the most favoured alternative to Safe Harbour, but they too are now being challenged by Schrems in the Irish High Court, highlighting many of the same complaints regarding excess access to personal data by US authorities.
The courts will no doubt have in mind that if Privacy Shield and model clauses were both held to be ineffective, organisations would find themselves with very few remaining legal bases to transfer personal data outside of the EEA. Binding corporate rules are seen as a very costly option, although expected to be simplified and therefore made cheaper under the incoming GDPR and having to obtain consent from data subjects would be unsuitable for many organisations.
This blog post was written by Amelia Day, Trainee Solicitor at White & Black.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.