Out-Law News
28 Oct 2016, 3:18 pm
Digital Rights Ireland has asked the EU's General Court to annul the 'adequacy decision' adopted by the European Commission which stated that businesses transferring personal data from the EU to the US in line with the Privacy Shield principles will accord with EU data protection law standards.
It is not clear from the information published on the court's website what the grounds of the legal challenge are, beyond that the case concerns issues of freedom, security and justice.
The European Commission and US Department of Commerce, who together negotiated the Privacy Shield, have expressed their backing for the data transfer framework in light of the legal challenge, according to Reuters.
EU data protection authorities have previously expressed some concern with the Privacy Shield framework, but suggested earlier this year that they were prepared to give it a year to operate before they would consider any challenge to organisations' data transfers undertaken in line with the Privacy Shield regime.
In the summer the Article 29 Working Party said the Commission had not obtained "concrete assurances" from the US that it will not undertake "mass and indiscriminate collection of personal data", and said it "would have expected stricter guarantees concerning the independence and the powers of the ombudsperson mechanism", who is tasked with handling complaints relating to the accessing of EU citizens' personal data by US intelligence agencies.
The Working Party also highlighted remaining concerns with some "commercial aspects" of the framework. It said it "regrets … the lack of specific rules on automated decisions and of a general right to object" and said it "also remains unclear how the Privacy Shield Principles shall apply to processors".
Hundreds of businesses have already self-certified their compliance with the privacy principles that underpin the Privacy Shield, which was established as a replacement for the previous 'Safe Harbour' framework for EU-US data transfers.
The Safe Harbour regime was invalidated by the EU's highest court, the Court of Justice of the EU (CJEU), last year. The CJEU ruled that the Commission was wrong to determine that the Safe Harbour scheme offered protections essentially equivalent to EU data protection law standards for personal data transferred to the US from the EU.
Data protection law expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, recently called for the scope of the Privacy Shield to be extended so that banks, insurers and telecoms providers could sign up.
Richard highlighted the legal challenge to EU model clauses, a popular existing mechanism used by businesses to facilitate the transfer of personal data outside of the European Economic Area (EEA), as a reason to expand the Privacy Shield's scope.