Just four months after its adoption by the European Commission,
the EU-U.S. Privacy Shield is facing its first formal legal
The challenge comes from the Irish advocacy group Digital Rights
Ireland, who is joined by French privacy advocacy group La
Quadrature du Net and non-profit internet service provider French
The Privacy Shield, which was agreed earlier this year following
the ECJ's invalidation of the EU-US Safe Harbor regime in
October 2015, has faced considerable criticism from privacy groups
that claim the new regime does not adequately address concerns
about intrusive US surveillance practices.
Since 1 August of this year, the US Department of Commerce has
been accepting registrations from US companies seeking to become
Privacy Shield certified. According to the Privacy Shield list,
over 500 registrations have already been issued to companies and
over 1000 applications are being processed.
While most businesses have welcomed the Privacy Shield and the
return to an accepted regime for the safeguarding transatlantic
personal data transfers, many privacy advocacy groups remain
unconvinced, echoing concerns raised by the Article 29 Working
EU law allows individuals and/or companies to challenge EU acts
within two months of their coming into force. Not surprisingly,
given the range of criticisms directed at the new regime, a
challenge has been brought by three groups that claim to be
directly concerned and, therefore eligible, to bring the action
before the court.
The case, which appears on the General Court's website as
Digital Rights Ireland v Commission (Case T-670/16), shows only a
filing date of 16 September and that it is an action for annulment.
No further details have been made public.
It is unclear whether the case will be admitted to the courts,
which depends on a finding that the Privacy Shield is a direct
concern of Digital Rights Ireland. If admitted, it will still be
another year or more before the court rules on the substance of the
Data transfers conducted under the Privacy Shield framework
meanwhile remain valid.
However, this challenge serves as a reminder to the
controversial nature of this transatlantic adequacy regime and the
uncertainty surrounding other mechanisms currently in use for
international transfers of personal data.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).