German watchdog threatens legal challenge against EU-US Privacy Shield

Out-Law News | 23 Aug 2016 | 3:24 pm | 2 min. read

A data protection authority (DPA) in Germany is considering raising a legal challenge against the European Commission's endorsement of the Privacy Shield, a framework designed to facilitate the transfer of personal data between the EU and US, according to a report by The International Association of Privacy Professionals (IAPP).

Hamburg's data protection commissioner Johannes Caspar said he has "serious doubts" whether the Commission was justified in determining that the Privacy Shield provides for data protection standards essentially equivalent to those provided for under EU law, according to the IAPP.

Caspar said he wants the German government to pass new legislation to enable data protection authorities in the country to challenge the legitimacy of Commission decisions before the Court of Justice of the EU (CJEU), via a referral from the national courts in Germany, it said.

Last year the CJEU invalidated a previous decision by the Commission that a now-defunct data transfer scheme between the EU and US, the Safe Harbour framework, accorded with EU data protection law requirements.

"I have serious doubts whether this adequacy decision meets the legal requirements of the principle of proportionality and judicial redress in the [CJEU's] Safe Harbour judgement," Caspar said, according to the IAPP.

"It is expected that sooner or later the CJEU will assess whether the access by public US authorities to personal data transferred under the Privacy Shield is limited to what is strictly necessary and proportionate in a democratic society. If there is a legal way to seek reference to the CJEU – and we hope that the national lawmaker will enact a law for national DPAs soon – we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision," he said.

Since 1 August, US businesses have been able to self-certify their compliance with a set of privacy principles that make up part of the Privacy Shield. US technology giants Amazon and Microsoft are among the businesses that have signalled their intention to sign up to the Privacy Shield.

The European Commission has set out its view that businesses that transfer personal data from the EU to the US in line with the Privacy Shield principles and self-certify under the framework will adhere to EU data protection law requirements regarding the transfer of personal data outside the European Economic Area (EEA).

Earlier this summer the Article 29 Working Party, a committee representing national data protection authorities from across the EU, stated that it retains some concern about aspects of the Privacy Shield, including in respect of "mass and indiscriminate collection of personal data" by US authorities as well as on some "commercial aspects" of the framework. It said it "regrets … the lack of specific rules on automated decisions and of a general right to object" and said it "also remains unclear how the Privacy Shield Principles shall apply to processors".

Despite its concerns, however, the Working Party indicated that the watchdogs will not challenge the legitimacy of data transfer arrangements under the new EU-US Privacy Shield during the first year of its operation.

Instead it said that DPAs within the EU "commit themselves to proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints" during the first year.