Just four months after its adoption by the European Commission, the EU-U.S. Privacy Shield is facing its first formal legal challenge.
The challenge comes from the Irish advocacy group Digital Rights Ireland, who is joined by French privacy advocacy group La Quadrature du Net and non-profit internet service provider French Data Network.
The Privacy Shield, which was agreed earlier this year following the ECJ’s invalidation of the EU-US Safe Harbor regime in October 2015, has faced considerable criticism from privacy groups that claim the new regime does not adequately address concerns about intrusive US surveillance practices.
Since 1 August of this year, the US Department of Commerce has been accepting registrations from US companies seeking to become Privacy Shield certified. According to the Privacy Shield list, over 500 registrations have already been issued to companies and over 1000 applications are being processed.
While most businesses have welcomed the Privacy Shield and the return to an accepted regime for the safeguarding transatlantic personal data transfers, many privacy advocacy groups remain unconvinced, echoing concerns raised by the Article 29 Working Party.
EU law allows individuals and/or companies to challenge EU acts within two months of their coming into force. Not surprisingly, given the range of criticisms directed at the new regime, a challenge has been brought by three groups that claim to be directly concerned and, therefore eligible, to bring the action before the court.
The case, which appears on the General Court’s website as Digital Rights Ireland v Commission (Case T-670/16), shows only a filing date of 16 September and that it is an action for annulment. No further details have been made public.
It is unclear whether the case will be admitted to the courts, which depends on a finding that the Privacy Shield is a direct concern of Digital Rights Ireland. If admitted, it will still be another year or more before the court rules on the substance of the case.
Data transfers conducted under the Privacy Shield framework meanwhile remain valid.
However, this challenge serves as a reminder to the controversial nature of this transatlantic adequacy regime and the uncertainty surrounding other mechanisms currently in use for international transfers of personal data.