EU-US Privacy Shield Faces Legal Challenge
The Irish privacy advocacy group, Digital Rights Ireland, is challenging the validity of the recently agreed EU-U.S. data transfer agreement, the Privacy Shield. The Privacy Shield is the replacement for the old Safe Harbor Principles, which were deemed insufficient protection in October 2015 by the Court Justice of the European Union (CJEU).
The Safe Harbor Principles were challenged by Austrian citizen Maximilian Schrems on the basis that some or all of his data provided to Facebook was transferred from Ireland to the U.S. and as a result was not sufficiently protected.
Following the CJEU decision, the EU and U.S. agreed on a new framework to safely transfer personal information from the EU to the U.S. The European Commission determined that the framework set in place by the Privacy Shield was adequate, providing a level of protection “essentially equivalent” to the rights guaranteed by the EU.
A recent publication by the EU Article 29 Working Party claimed that the new framework still fails to address the “massive and indiscriminate surveillance of individuals” by U.S. national security authorities.
In September 2016, Digital Rights Ireland appealed the validity of the Privacy Shield directly to the CJEU. Digital Rights Ireland can argue that it has standing as an affected third party, given that the data of individuals with whom it communicates, and the organizations own data, falls under the provisions of the Privacy Shield. The group has already been recognized by the Irish courts as an entity entitled to represent the Irish population. It is also formally recognized as an amicus to the court.
The case will likely challenge the fact that the provisions of the Privacy Shield are not actually stated in U.S. law. It will also likely argue that the agreement does not sufficiently address the issues presented by the Safe Harbor or adequately protect citizens’ rights. Digital Rights Ireland is also challenging the legality of the Model Clauses, which potentially serve as an alternate mechanism for transferring data.
It is estimated that the case will take about a year to resolve. However, the European Commission is required to decide if the Privacy Shield is in fact adequate by August 2017. In the meantime, the Privacy Shield will remain intact. The effects of the pending decision, however, will be felt around the globe.