Irish privacy group, Digital Rights Ireland (DRI), has entered a legal challenge to the EU-US Privacy Shield Framework – a legal agreement allowing businesses to export European personal data to the US.
The Safe Harbour agreement – predecessor to the Privacy Shield – was struck down by the Court of Justice of the European Union last year for not containing adequate safeguards against surveillance of data. Businesses operating internationally were then forced to either no longer send personal data to the US or implement an alternative legal basis to legitimise these data exports. The latter lacked legal certainty, leading to the European Commission and the US government developing the Privacy Shield, which came into effect in July. The Privacy Shield allows US companies seeking to receive personal data from the EU to apply for self-certification. Over 500 companies have so far been approved.
DRI is seeking annulment of the Privacy Shield arguing that – just like Safe Harbour – it does not ensure an adequate level of data protection. The case has been taken directly to the EU’s second highest court, the Court of Justice’s General Court, under Article 263 of the Lisbon Treaty, which allows third parties, including individuals or ‘legal persons’, to bring a case directly to the court if a legislative act directly affects them. The action could, therefore, yet be declared inadmissible by the General Court if it finds that DRI does not have standing.
It is likely the case will take up to a year to be considered, but all recent indications suggest that the courts are inclined to move faster than usual on privacy cases with potentially far-reaching implications.
DRI has also served proceedings challenging whether the office of the Irish Data Protection Commissioner (DPC) is an independent data protection authority under EU law. Having indicated its intention to mount the challenge in January, DRI is arguing that Ireland has failed to properly implement EU data protection law, or to follow the requirements of the Charter of Fundamental Rights, by failing to ensure the DPC is genuinely independent from the Government.
DRI has previously won cases dealing with privacy protection, including striking down the EU Data Retention Directive in 2014, and acting as amicus curiae to the case that ended Safe Harbour.
Click here for a summary of DRI’s action in the EU’s Official Journal.
Click here for a previous Bulletin article on the Safe Harbour judgement.
Click herefor a Case Summary of Digital Rights Ireland Ltd – v – Minister for Communication & Ors  IEHC 221which explored the standing of an NGO before the Irish courts.