Privacy Shield lawsuits in EU court face ‘admissibility’ hurdle
First published by MLex 16 November 2016. By Vesela Gladicheva.
The EU-US Privacy Shield deal for data transfers could be in trouble, after Irish and French civil-society groups pressed the EU’s lower-tier General Court to annul the accord. But before the privacy activists even get a chance to argue their case, EU judges will think long and hard about whether to review the challenges.
Agreeing to hear the cases could open the floodgates to lawsuits from countless individuals, companies and lobbyists unhappy with other EU rules and decisions. This could put a significant strain on the court and its judges.
If the lower court decides the lawsuits fall outside its remit, the activists could still challenge the agreements through a more traditional route: They could voice their concerns in a national court, which could then refer the case to the EU’s highest court in Luxembourg.
The EU Court of Justice already has a track record in annulling international deals. In October 2015, the court scrapped the Privacy Shield’s predecessor because it failed to protect European citizens from US government agencies harvesting their data.
The Privacy Shield accord replaced the repealed “Safe Harbour” agreement that allowed some 4,500 US companies, including Google and Coca-Cola, to shift personal information in and out of the EU by certifying that they comply with the bloc’s data-protection rules.
But two months after it came into force on Aug. 1, Digital Rights Ireland asked the General Court in Luxembourg to strike down the accord. A similar lawsuit was filed a month later by three French groups: La Quadrature du Net, a Paris-based group campaigning for an open Internet; the French Data Network, a not-for-profit Internet service provider; and Fédération FDN, an association of operators such as French Data Network.
They all argued that the Privacy Shield fails to protect Europeans from mass surveillance by US intelligence services.
Potential landmark decision
The EU’s General Court now faces an important if difficult decision about whether it can hear the challenges.
Revamped EU treaty rules from 2009 stipulate that individuals and companies can bring an action against EU decisions that are “of direct concern” to them.
This may prove to be a stumbling block as the civil-rights groups have to prove they are directly affected by the deal.
This type of action isn’t routine for the court. But if it decides to show its teeth, judges could be signaling to individuals, lobbyists and non-governmental organizations that there are more avenues to annul EU rules than previously thought.
The EU Court of Justice has shown that it’s possible to bring down EU laws and decisions, once national courts have scrutinized them. In addition to the ruling repealing the Safe Harbour agreement last year, in 2014 the court invalidated EU rules obliging telecom operators to retain subscriber data for law-enforcement purposes.
Even if the General Court agrees to review the lawsuits, some commentators have cast doubt on their likely success.
“I’d be surprised … if the challenge in the end would be successful,” Peter Hustinx, who served as European Data Protection Supervisor for 10 years, told a conference in Brussels last week.
“The Privacy Shield would survive full scrutiny,” he said, describing the accord’s prospects as “fairly good.”
For now, the Privacy Shield agreement will remain in force and it could be while before its long-term fate is decided.
Complete this form to receive emails from MLex with selected highlights from our global coverage of regulatory risk and opportunity, as well as upcoming events, special reports and exclusive interviews.