Built on sand? Actions for annulment against the EU-U.S. Privacy Shield

The successor of the Safe Harbor Agreement – annulled by Court of Justice of the European Union (CJEU) - the EU-U.S. Privacy Shield was introduced on February 2, 2016 by the European Commission.

Since then, a lot has happened: with Implementing Decision EU 2016/1250 from July 12, 2016 the Commission made an adequacy decision, stating that EU-U.S. Privacy Shield ensures adequate protection when transmitting personal data to a third country. It is now possible to register for Privacy Shield via Self-Certification-Process: global players, such as Google, Facebook, Amazon and Microsoft already did.

Once again: claim from Ireland – and from France

On September 16, 2016 the Irish data protection organization Digital Rights Ireland brought an action for annulment according to Article 263 TFEU against the adequacy decision at the General Court of the European Union (T-670/16) The Claimant aims to ascertain the invalidity of the EU-U.S. Privacy Shield adequacy decision by the Commission. The argument: the decision contains a manifest error of assessment by the Commission – and is therefore null and void. But already the admissibility requirements of the action for annulment are problematic: the Commission decision is primarily addressed to the Member States. Digital Rights Ireland – as a legal entity -would have to be ‘directly’ and ‘individually’ concerned (cf. Article 263 para. 4 TFEU). If this specific interest in bringing proceedings is unable to be proven, the admissibility requirements are already not fulfilled.

Following this example, the French civil rights organization La Quadrature du Net and the French non-profit organization French Data Network have also filed an action for annulment at the General Court (T-738/16). Especially the US-Ombudsman – provided for Privacy Shield as an independent institute for complaints and enquiries by individuals – is no effective mechanism for handling complaints. Following the French Claimants, the US-Ombudsman is no ‘independent judicial entity’.

Germany fighting for Privacy Shield 

Currently, Germany is intervening in the proceedings before the General Court: according to information of the Internet blog netzpolitik.org, the German and Czech governments have requested to be admitted as interveners in support of the applicant. These information was confirmed by the German Ministry of Economics. As an intervener, Germany requests no direct legal protection, but supports the EU Commission to safeguard its own interests. In this context it is allowed to submit applications or pleadings and by doing so, to represent its own legal opinions and interests in the proceedings (Article 142 of the rules of procedure of the General Court).

Fact is, that the Federal German Government adheres to the Privacy-Shield-agreement – and will actively defend it. Further details, such as the motivation of the Federal German Government were not provided, with reference to the ongoing proceedings.

Data protection authority initiates investigation 

The Bavarian Data Protection Authority initiated an audit at the beginning of November 2016. The authority wants to illustrate the dimensions of cross-border transmissions of personal data in the private sector – and how many small, medium-sized and large companies are potentially affected by Privacy Shield. In total around 500 companies shall be contacted in writing and must answer a questionnaire. The audit asks for the current basis of data transmissions to the United States and, if these are based on Privacy Shield, how it is ensured, that the data receiver has a valid Privacy Shield certification. In case of transferring personal data to other third countries, companies shall communicate on what basis the transfer occurs and whether the Commission approved an adequate level of data protection for the target country.

Privacy Shield – legal basis on demand?

It is not clear, if the EU-U.S. Privacy Shield will suffer a similar fate as Safe Harbor. Anyways: legal proceedings harbor the risk of legal uncertainty. What can companies refer to? Shall they better rely on well-known procedures such as EU standard contractual clauses, binding corporate rules or consent under data protection law?

According to a study of the digital association bitkom, 78% of the companies surveyed still count on EU standard contractual clauses as a transmission basis for personal data to the United States. But also here problems can arise in the future: once again it is Ireland, more precisely the Irish Data Protection Commissioner, who seeks a review of the standard contractual clauses by the Irish High Court and the ECJ. Further details are not known yet, but also standard contractual clauses stand on a shaky foundation.

If the European data protection shield is built on sand, or if the European courts make it to the foundation of transfers of personal data and thus defend the Commission’s adequacy decision, remains entirely open.

Save as PDF

Tags: #EU-U.S. Privacy Shield, #Internationaler Datenschutz, #International Data Privacy, #Safe Harbor


Den Kontakt zu Ihrem Ansprechpartner finden Sie auf: buse.de/anwaelte
Vielen Dank für Ihr Interesse an diesem Artikel.



Artikel versenden