Court challenge to Privacy Shield will have wide reverberations

Last week, news broke that Irish privacy advocacy group Digital Rights Ireland will challenge the validity of the recently agreed EU-US digital data transfer agreement Privacy Shield, raising the prospect of transatlantic trade chaos.

Privacy Shield is the replacement for the old Safe Harbour principles thrown out by the European Court of Justice in its October 2015 Schrems/Facebook decision. Safe Harbour, the court said, offered wholly insufficient protections for the data of European citizens.

Digital Rights Ireland will question this rushed-through compromise, which really was always destined to end up before the court. In recent cases, Europe’s highest court has repeatedly indicated it sees the issues at stake as central to the core, defining rights of European citizens.

A story by my colleague Elaine Edwards in the newspaper noted last week that it was understood the challenge would question Privacy Shield's adequacy, given that its provisions are not actually fixed in US law. It will also argue that the agreement neither adequately addresses the court's specific objections to Safe Harbour, nor protects citizens' rights provided for under the EU Charter of Fundamental Rights and by the general principles of EU law.

Secret access

In addition, the US Foreign Intelligence Surveillance Act continues to permit public authorities to have secret access on a generalised basis to the content of electronic communications, the case will argue.

Unusually, the advocacy group has appealed the validity of Privacy Shield directly to the Court of Justice’s General Court.

In the past, under the European treaties of the previous three decades, a case would typically be referred over to the justice courts by a judge hearing a case in a member state. European case law is currently structured around those older treaties. But the advocacy group is taking the case under article 263 of the more recent Lisbon treaty, which allows third parties, including individuals or “legal persons”, to bring a case directly to the court if a legislative act affects them.

Digital Rights Ireland can argue it has the right to act as an affected third party here, given that the data of individuals with whom it communicates, and the organisation’s own data, falls under the provisions of Privacy Shield.

Also, the group already has been recognised by the Irish courts as an entity entitled to represent the Irish population – as an actio popularis, in legal terms – to challenge the Irish Government's data retention legislation. It has also been recognised formally as an amicus to the court – an interested party able to provide guidance – for cases such as the Schrems challenge when it was before the court.

Incidentally, the European Court of Justice has already thrown out the European data retention directive on which current Irish legislation is based (after Digital Rights Ireland's Irish case was referred by the High Court here to the European court).

That was two years ago. And the Government has still failed to do anything in response, which doesn’t exactly provide comfort that the Government or its agencies are overly concerned about data privacy where Irish citizens are involved.

But onwards.

Interesting angle

Another interesting angle to the case is that the Digital Rights Ireland action may also be among the first to explore just how effective – or not – the new EU General

Data Protection Regulation

is. Article 80 of the regulation grants individuals “the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a member state, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data” to lodge a complaint related to data and privacy protection.

So theoretically, an non-government organisation like Digital Rights Ireland should be able to bring a case.

The case will be considered first – either in writing, or orally – by a panel of EU General Court justices. This normally takes about a year, but all recent indications are that the justice courts are inclined to move faster than usual on privacy cases with potentially far-reaching implications.

There’s some time pressure here, too as, by August 2017, the European Commission is required to decide if it, personally, feels Privacy Shield is adequate. The court might feel it best to give an independent view before then.

Depending on how the General Court justices rule, the case will surely be appealed upward to the European Court of Justice from the advocacy group or via the commission, either to determine whether Digital Rights Ireland has the standing to take the case (thus, also a challenge to the strength of the General Data Protection Regulation) or for the top court’s view on the adequacy of Privacy Shield.

All of this makes this particular case a fascinating one to watch. How it is handled, and the ultimate decision, will reverberate across many levels, affecting new European legislation, establishing fresh case law, and testing the boundaries of EU-US trade and political relations.