In an arguably predictable data development, the Irish privacy advocacy group, Digital Rights Ireland, has issued proceedings to challenge the EU-US Privacy Shield regime in the European Courts.
The group filed an action to annul the European Commission's "adequacy decision" that approved and adopted the transfer of personal data from the EU to the US in accordance with the principles of the EU-US Privacy Shield (the "Privacy Shield"). The challenge includes an argument that the Privacy Shield does not, on the face of it, provide an adequate level of protection for EU citizens' rights under EU law where their data is transferred to the US.
The Privacy Shield was developed earlier this year following the decision of the Court of Justice of the European Union (the "CJEU") in October 2015 finding the previous transatlantic compliance mechanism, the US Safe Harbor, invalid. Since the Digital Rights Ireland challenge, another challenge to the Privacy Shield has also been filed in the General Court by the French civil society groups La Quadrature du Net, the French Data Network and Fédération FDN.
According to the United States Department of Commerce, 1,500 companies have submitted Privacy Shield self-certifications for review since its adoption in July 2016, with further certifications being processed every day. However, commentators have long speculated that the Privacy Shield would be challenged in the courts.
Indeed, the combination of Privacy Shield challenges, together with unresolved Article 29 Working Party concerns regarding the Privacy Shield, the referral of the so-called Model Clauses to the CJEU, and the recent announcement by the German data protection authorities that they would be conducting an audit of 500 companies with regard to their international transfers of data, means that the issue of cross-border data transfers is likely to remain uncertain for the foreseeable future.
To view a copy of the Digital Rights Ireland pleading, please click here.