Privacy Shield Background
In August 2016, the EU-U.S. Privacy Shield replaced the Safe Harbor Program, which was invalidated on October 6, 2015 by the Court of Justice of the European Union (CJEU) in the Schrems decision, C-362/14. The EU-U.S. Privacy Shield provides companies with a mechanism to comply with international data transfer requirements under European data protection law when personal data is transferred from the EU to the U.S. The EU-U.S. Privacy Shield is based on a decision by the European Commission, which provides that companies in the U.S. that self-certify under the EU-U.S. Privacy Shield are considered to provide an adequate level of data protection (the so-called Adequacy Decision). In light of the requirements specified by the CJEU in the Schrems decision for an Adequacy Decision, data protection authorities and privacy groups have criticized the EU-U.S. Privacy Shield, even before it was enacted.
Actions Questioning the Adequacy Decision
Digital Rights Ireland – an attorneys’ data privacy initiative – brought an action against the Adequacy Decision in the CJEU.[1] Digital Rights Ireland claims that the Adequacy Decision of the European Commission regarding the EU-U.S. Privacy Shield is null and void as it does not provide a level of data protection equivalent to the level of data protection established by European data protection law. Therefore, the CJEU has been asked to annul the Adequacy Decision. Among other things, Digital Rights Ireland argues that the Adequacy Decision does not comply with the European Data Protection Directive (95/46/EC), the Charter of Fundamental Rights of the European Union and the judgment of the CJEU in the Schrems decision. Currently, the arguments of Digital Rights Ireland have not been published in full, and it remains to be seen whether the CJEU will even accept the action, as it is uncertain whether Digital Rights Ireland has the necessary standing for this type of action. Furthermore, at the end of October, a French privacy advocacy group also challenged the Adequacy Decision in a legal action before the CJEU, allegedly claiming that the U.S. Ombudsman redress mechanism is not sufficiently independent and effective and that the Adequacy Decision must therefore be annulled.[2]
Moreover, there is a pending proceeding in the Irish High Court initiated by the Irish Data Protection Authority challenging the Adequacy Decision relating to the Standard Contractual Clauses (another mechanism to transfer personal data out of the EU). The Irish High Court fixed a date for a hearing to determine the question as to whether it should make a referral to the CJEU in order to have the CJEU decide on the validity of the Adequacy Decision and thereby on the question of whether or not the Standard Contractual Clauses as approved by the European Commission can be used to transfer personal data outside of the EU. The hearing before the Irish High Court is due to commence in February 2017.[3]
On the part of the Data Protection Authorities of the European Member States, no challenges to the EU-U.S. Privacy Shield are expected for the time being. A Press Release of July 1, 2016[4] by the Art. 29 Working Party indicated that the Data Protection Authorities of the European Member States will refrain from challenging the EU-U.S. Privacy Shield during its first year and will await the first joint annual review in the Summer of 2017 to further assess the robustness and efficiency of the Privacy Shield. Still, the German Data Protection Authorities are currently lobbying[5] to obtain a direct right under German law to challenge Adequacy Decisions by the European Commission without having to wait for an appropriate legal action in the course of which the case can be referred to the CJEU. But such an amendment of German law will take several months.
The ongoing discussions and challenges surrounding the EU-U.S. Privacy Shield and the Standard Contractual Clauses show that there is still uncertainty for international data transfers and that companies need to pay attention to any new developments in this respect.
[1] http://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=uriserv:OJ.C_.2016.410.01.0026.01.ENG&toc=OJ:C:2016:410:TOC; (Case T-670/16)
[2] Details of that case have not yet been published by the CJEU (http://curia.europa.eu/juris/fiche.jsf?id=T%3B738%3B16%3BRD%3B1%3BP%3B1%3BT2016%2F0738%2FP) (Case T-738/16)
[3] https://www.dataprotection.ie/docs/28-9-2016-Explanatory-memo-on-litigation-involving-Facebook-and-Maximilian-Schrems/1598.htm
[4] http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf
[5] https://www.datenschutz-mv.de/datenschutz/themen/beschlue/ent_klagerecht.html (German only)