A legal challenge to the EU-US Privacy Shield, a mechanism used by thousands of companies to authorize data transfers from the European Union to the US, will be heard by Europe’s top court this summer.
The General Court of the EU has set a date of July 1 and 2 to hear the complaint brought by French digital rights group, La Quadrature du Net, against the European Commission’s renegotiated data transfer agreement which argues the arrangement is still incompatible with EU law on account of US government mass surveillance practices.
Privacy Shield was only adopted three years ago after its forerunner, Safe Harbor, was struck down by the European Court of Justice in 2015 following the 2013 exposé of US intelligence agencies’ access to personal data, revealed by NSA whistleblower Edward Snowden.
The renegotiated arrangement tightened some elements, and made the mechanism subject to annual reviews by the Commission to ensure it functions as intended. But even before it was adopted it faced fierce criticism — with data protection and privacy experts couching it as an attempt to put lipstick on the same old EU-law breaching pig.
The Shield’s continued survival has also been placed under added pressure as a consequence of the Trump administration — which has entrenched rather than rolled back privacy-hostile US laws, as well as dragging its feet on key appointments that the Commission said the arrangement’s survival depends on.
Ahead of last year’s annual Privacy Shield review the EU parliament called for the mechanism to be suspended until the US came into compliance. (The Commission ignored the calls.)
In one particularly embarrassing moment for the mechanism it emerged that disgraced political data company, Cambridge Analytica, had been signed up to self-certify its ‘compliance’ with EU privacy law…
Pressure mounts on EU-US Privacy Shield after Facebook-Cambridge Analytica data scandal
La Quadrature du Net is a long time critic of Privacy Shield, filing its complaint back in October 2016 — immediately after Privacy Shield got up and running. It argues the mechanism breaches fundamental EU rights and does not provide adequate protection for EU citizens’ data.
It subsequently made a joint petition with a French NGO for its complaint to be heard before the General Court of the EU, in November 2016. Much back and forth followed, with exchanges of writing between the two sides laying out the arguments and counter arguments.
The Commission has been supported in this process by countries including the US, France and the UK and companies including Microsoft and tech industry association, Digitaleurope, whose members include Amazon, Apple, Dropbox, Facebook, Google, Huawei, Oracle and Qualcomm (to name a few).
While La Quadrature du Net getting support from local consumer protection organisation UFC Que Choisir and the American Civil Liberties Union — which it says provided “a detailed description of the US surveillance regime”.
“The General Court of the EU has deemed our complaint serious and grave enough to open proceedings,” La Quadrature du Net says now.
It will be up to the court in Luxembourg to hear and judge the complain.
A decision on the legality of Privacy Shield will follow some time after July — perhaps in just a handful of months, as the CJEU has been known to move quickly in cases involving the defence of fundamental EU rights. Though it may also take the court longer to issue a judgement.
All companies signed up to the Privacy Shield should be aware of the risk and have contingencies in place in case the arrangement is struck down.
Nor is this complaint the only legal questions facing Privacy Shield. A challenge filed to a separate data transfer mechanism in Ireland by privacy campaigner Max Schrems — whose original challenge brought down Safe Harbor — has also now been referred by Irish courts to the CJEU, in what’s being referred to as ‘Schrems II’.
Privacy Shield now facing questions via legal challenge to Facebook data flows
In that case Facebook has attempted to block the court’s referral of questions to the CJEU — by seeking to appeal to Ireland’s Supreme Court, even though there is not normally a right to appeal a referral to the CJEU.
Facebook was granted leave to appeal — and Ireland’s Supreme Court is expected to rule on that appeal early next month. The appeals process has not stayed the referral, though. Nor does it impinge upon La Quadrature du Net’s complaint against Privacy Shield being heard later this summer.
