Just four months after its adoption by the European Commission,
the EU-U.S. Privacy Shield is facing its first formal legal
The challenge comes from the Irish advocacy group Digital Rights
Ireland, who is joined by French privacy advocacy group La
Quadrature du Net and non-profit internet service provider French
The Privacy Shield, which was agreed earlier this year following
the ECJ's invalidation of the EU-US Safe Harbor regime in
October 2015, has faced considerable criticism from privacy groups
that claim the new regime does not adequately address concerns
about intrusive US surveillance practices.
Since 1 August of this year, the US Department of Commerce has
been accepting registrations from US companies seeking to become
Privacy Shield certified. According to the Privacy Shield list,
over 500 registrations have already been issued to companies and
over 1000 applications are being processed.
While most businesses have welcomed the Privacy Shield and the
return to an accepted regime for the safeguarding transatlantic
personal data transfers, many privacy advocacy groups remain
unconvinced, echoing concerns raised by the Article 29 Working
EU law allows individuals and/or companies to challenge EU acts
within two months of their coming into force. Not surprisingly,
given the range of criticisms directed at the new regime, a
challenge has been brought by three groups that claim to be
directly concerned and, therefore eligible, to bring the action
before the court.
The case, which appears on the General Court's website as
Digital Rights Ireland v Commission (Case T-670/16), shows only a
filing date of 16 September and that it is an action for annulment.
No further details have been made public.
It is unclear whether the case will be admitted to the courts,
which depends on a finding that the Privacy Shield is a direct
concern of Digital Rights Ireland. If admitted, it will still be
another year or more before the court rules on the substance of the
Data transfers conducted under the Privacy Shield framework
meanwhile remain valid.
However, this challenge serves as a reminder to the
controversial nature of this transatlantic adequacy regime and the
uncertainty surrounding other mechanisms currently in use for
international transfers of personal data.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
A fundamental aspect of all fair and lawful processing of personal data under the current data protection rules is the requirement for the party who is the data controller to meet one or more conditions ("the conditions for processing").
The second in our mini-series on the ICO guidance on Consent, published on 2 March 2017, focuses on how the changes to be introduced by the GDPR (General Data Protection Regulation) will impact upon your business and what you can do to pre-empt the changes before their introduction in May 2018.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).