The Privacy Shield agreement, which regulates cross-border data transfer flows between the European Union and the United States and which recently replaced the previous Safe Harbor agreement, is once again under discussion.
Only a few months after the text came into force, the European Court of Justice has been called upon to decide on the adequacy of the level of protection guaranteed by the Privacy Shield agreement.
A number of companies working in the digital sector and transferring personal data abroad (among them the by now well-known Digital Rights Ireland Ltd.) argue that the Privacy Shield agreement does not offer an adequate level of protection, contrary to the view of the European Commission, which on 12 July 2016 implemented the adequacy decision, legitimizing the transfer of data to the United States and to those American organizations endorsing the new agreement.
In particular, the claimants maintain that the EU-US Privacy Shield does not fully implement the principles and rights regarding personal data protection included in directive 96/46/EC (which will be repealed from 2018 by the recent EU Regulation 679/2016) and consequently does not adequately safeguard the rights of European citizens. The appeals also contend that the agreement does not exclude indiscriminate access to electronic communications by foreign authorities, in violation of the right to privacy, the right to the protection of personal data and the freedom of expression as set out in the Charter of Fundamental Rights of the European Union.
For these reasons the companies challenged the Commission’s adequacy decision in accordance with Art. 263 TFEU, which grants interested parties the right to appeal against the Commission’s acts and obtain their annulment within two months from their entry into force or their publication.
It is worth recalling that the Article 29 Working Party had already expressed its fears regarding certain aspects of the agreement, which had not been modified, despite repeated requests for review. Immediately following the implementation of the Privacy Shield agreement, in a statement on the 26th July 2016, the Group of European DPAs underlined that no concrete security measures to prevent the general collection of data had been provided and that the independence of the role and powers of important redress bodies (such as the Ombudsperson) had not been guaranteed.
As a consequence, the new system does not seem to have helped to establish a climate of certainty regarding the legal framework regulating cross-border data transfer flows to the United States, a country which has clearly not yet gained the trust of European operators. The decision by the Court of Justice is now awaited: it might either consider the appeals inadmissible due to a lack of standing or groundless reasoning, or decide to uphold them.