Two legal challenges have been filed at the Court of Justice of the European Union (“CJEU”) against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield. Privacy Shield was adopted on July 12, 2016 after the CJEU struck down the earlier Safe Harbour agreement in October 2015 over concerns about U.S. surveillance techniques.
First, Digital Rights Ireland, an Irish privacy advocacy group, brought the action in the lower, General Court of the CJEU on September 16, 2016. The case has been allocated the number T-670/16. This followed on November 2, 2016 with a challenge by the French advocacy group La Quadrature du Net (not yet assigned a case number).
Individuals and or companies may challenge EU legislation before the CJEU if they are directly concerned, within two months of the act coming into force. Whether Privacy Shield is of direct concern to either Digital Rights Ireland or La Quadrature du Net is open to question, but if the CJEU finds this not to be the case then the relevant action will be declared inadmissible. If deemed admissible, then it will still be over a year before the CJEU rules on the case.
Officials from both the European Commission and the U.S. Department of Commerce reacted to news of the challenge by expressing their confidence in Privacy Shield and the protections it contains. The Commission has until December to respond to the Digital Rights Ireland pleading.
The Privacy Shield is designed to strengthen the protection of Europeans whose data is moved to the U.S. Companies preparing to self-certify their adherence to the Privacy Shield Principles should carefully review the associated documentation to understand the new requirements and consider carrying out a gap analysis against their existing privacy program. This is particularly important given the potential for increased enforcement action from the US Federal Trade Commission against participating companies that fail to comply with the Principles.