The EU-US Privacy Shield, introduced earlier this year to provide a lawful means of transferring personal data from the EU to the US, is facing a second legal challenge, this time from several French privacy rights groups. Alongside this, a number of German regulators are investigating hundreds of randomly-chosen companies in relation to exports of personal data from Germany out of the EU.
The EU-US Privacy Shield scheme ("Privacy Shield") was approved on July 12, 2016, when the European Commission ("Commission") issued its Adequacy Decision, formally launching the scheme (see our previous alert). The Privacy Shield provides a mechanism for transferring personal data from the EU to the US. Up to that point, businesses had been facing uncertainty over transfers of personal data to the US, following the decision of the Court of Justice of the European Union ("CJEU") in Schrems in which the CJEU invalidated the Commission's Safe Harbor Adequacy Decision. However, less than three months after the formal launch, the Privacy Shield is already under fire. As previously reported, in September 2016, Digital Rights Ireland ("DRI"), a digital rights lobbying and advocacy group, filed a challenge to the Privacy Shield (Case T-670/16) with the EU's second highest court, the Luxembourg-based General Court (the lower court of the CJEU). DRI is seeking an annulment of the Commission's Adequacy Decision which approved and adopted the Privacy Shield. Now the Privacy Shield faces a second legal challenge, after a number of French privacy rights groups followed suit.
The French not-for-profit Internet service provider French Data Network, its Federation FDN industry association, and the French privacy advocacy group La Quadrature du Net have collectively challenged the Commission's decision in the General Court (Case T-738/16 – the documents are not published as at the date of writing), claiming that the Privacy Shield does not provide sufficient protection for personal data that is transferred from the EU to the US. The French groups argue two things: First, they claim that the US ombudsperson, who is responsible for handling EU complaints about surveillance in the US, is not an effective mechanism for dealing with complaints. Second, they claim that the ombudsperson lacks sufficient independence.
A company (or an individual) may only challenge EU legislation (e.g., the Commission's Adequacy Decision) before the European courts within two months of the relevant legislation coming into force, and only if the company (or individual) is directly concerned. If the General Court finds that the French groups (or indeed the DRI) are not directly concerned, the relevant applications might be declared inadmissible. If they are directly concerned, however, it is likely to take more than a year for the General Court to rule on the applications.
These developments in relation to the Privacy Shield run alongside other challenges to transfers of personal data out of the EU. Another recent development comes in the form of investigations by a number of Data Protection Authorities ("DPAs") in Germany of 500 companies (chosen at random) relating to exports of personal data from Germany out of the EU. Although the DPAs have stated that the investigations are only intended to increase awareness of the issue, this illustrates that the risk of enforcement is becoming increasingly serious. The German DPAs highlighted that a growing number of companies are not even aware that they transfer personal data to countries outside the EU – for example, by using cloud-computing services.
Impact on businesses
The Privacy Shield was intended to create greater certainty for businesses that need to send personal data from the EU to the US. However, in less than three months, it has attracted two legal challenges, raising concern among the hundreds of companies that have already signed up to the new scheme, as well as those that are currently going through the application process. If either of the legal challenges succeeds, the Privacy Shield is likely to be entirely undermined. In the meantime, the status of the Privacy Shield, and confidence in the scheme, remains uncertain.
For the time being, businesses having to deal with this uncertainty should keep their cross-border data transfer mechanisms under review.