Challenge claims Privacy Shield does not properly protect EU citizens

Digital Rights Ireland take case on data transfer between EU and US to EU court

The Privacy Shield data transfer framework agreed between the EU and the US earlier this year does not sufficiently protect the personal data of EU citizens, court proceedings lodged by advocacy group Digital Rights Ireland will claim.

DRI has filed a legal challenge to the framework, which underpins billions of dollars of transatlantic trade in digital services.

The EU-US Privacy Shield was agreed in July, following the striking down of its predecessor, Safe Harbour, by the Court of Justice of the European Union in its judgment in the Schrems case in October 2015.

It claims to impose strong obligations on companies and to provide clear safeguards and transparency obligations in relation to access to data by US government authorities. About 500 companies have so far self-certified with the scheme, including Facebook, Microsoft and Google.

The European Commission made a so-called "finding of adequacy" in relation to Privacy Shield, effectively certifying that firms signing up to it provide an equivalent level of protection for personal data to that provided in the EU.

DRI’s proceedings lodged with the General Court of the European Union – the lower court of the Court of Justice – are an application under Article 263 of the Lisbon Treaty for an annulment of that decision, it is understood.

The proceedings will claim that the commission’s decision is void as the principles and representations in Privacy Shield are not US law.

US law

They will also allege that the commission’s adequacy finding is invalid as US law does not furnish an adequate level of protection for personal data consistent with the Schrems judgment.

DRI’s case will also allege that the provisions of the US Foreign Intelligence Surveillance Act permit public authorities to have secret access on a generalised basis to the content of electronic communications.

The proceedings will also claim the framework is in breach of rights to privacy and data protection, as provided for under the Charter of Fundamental Rights and by the general principles of EU law.

Announcing the Privacy Shield pact in July, EU Commissioner for Justice Vera Jourová said the US had given the EU assurance that access to data by public authorities for law enforcement and national security would be subject to clear limitations, safeguards and oversight mechanisms.

Any citizen who considers their data has been misused under the Privacy Shield scheme is offered “accessible and affordable” dispute resolution mechanisms.

They may also go to their national data protection authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved.

Daragh O'Brien, managing director of Irish data protection consultancy firm Castlebridge Associates, said the proceedings appeared to mark "the start of open season on Privacy Shield".

‘Huge holes’

Mr O’Brien said there were “huge holes” in the framework, including the fact that the Federal Trade Commission’s remit did not cover a number of areas of trade, including healthcare and some areas of financial services.

The commission has six weeks to enter a defence once the proceedings are published. It confirmed this week that it was aware of the application to have the Privacy Shield decision annulled, but said it did not comment on ongoing court cases.

Digital Rights Ireland declined to comment.