Details of the legal challenge to Privacy Shield revealed [PART 1]

Home / Uncategorized / Details of the legal challenge to Privacy Shield revealed [PART 1]

privacy-shield-logo

 

By:

Gregory P. Bufithis, Esq.
Founder/Executive Director

 

14 November 2016 – As I indicated in my long post after the adoption of the Privacy Shield, my view is rather cold. The Privacy Shield has rendered a few changes over Safe Harbor, but substantively … not much. A lot of digital ink spilled on the Ombudsman role, just what the “clarifications” are on the collection of data for U.S. surveillance (what is meant by “targeted and focused”?) – and the myriad exceptions the U.S. has carved out for itself. As noted by a wave of U.S. intelligence experts there have not been, nor will there be, any significant change in the NSA’s surveillance activities or procedures. Now with the ascendancy of “Joffrey Baratheon” to the U.S. Presidency, even more dubious.

 

Oh, and there has been much linguistic contortion by U.S. legal pundits and legal vendors to show the “redress mechanism” and “essentially equivalent” requirements have been met in the Privacy Shield.

 

That the pact would be challenged in the courts was a foregone conclusion, even by the negotiation teams despite public pronouncements of “we’re comfortable it will be secure from challenge”.

 

So far, two groups have lodged papers at the European Court of Justice challenging the Privacy Shield:

  • Digital Rights Ireland (DRI)
  • La Quadrature du Net (a French privacy advocacy group)

I recently received the docket papers for both entities and I will have a more lengthy brief in a few weeks. In short, the complaints are similar: no adequate level of protection in the United States for personal data, and therefore violations of the EU Data Protection Directive, the Charter of Fundamental Rights of the EU, and the CJEU’s October 2015 decision in the Schrems case invalidating Privacy Shield’s predecessor.

 

The Data Protection practice group at Hogan Lovells has done a brilliant job summarizing the DRI arguments which are as follows:

 

  • Privacy Shield does not comply with the Data Protection Directive, as interpreted in light of the Charter of Fundamental Rights of the EU.

 

 

  • Privacy Shield does not comply with the Data Protection Directive, as interpreted in light of the Charter of Fundamental Rights of the EU and the CJEU’s decision in Schrems.

 

 

  • The Principles listed in Privacy Shield and the US’ representations and commitments with respect to those Principles are not “international commitments”.

 

 

  • The US’ Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 violates Article 7 of the Charter of Fundamental Rights of the European Union-addressing a respect for private and family life-by allowing public authorities to access the content of certain electronic communications.

 

 

  • The US’ FISA Amendments Act of 2008 also violates Article 47 of the Charter of Fundamental Rights of the EU-on a right to an effective remedy and a fair trial-by allowing public authorities to secretly access the content of certain electronic communications.

 

 

  • The failure to include the full protections in Article 28(3) of the Data Protection Directive-addressing the powers of supervisory authorities-means that the Privacy Shield does not fully protect the rights of EU citizens where their data is transferred to the US.

 

 

  • Privacy Shield is incompatible with Articles 7, 8, and 52(1) of the Charter of Fundamental Rights of the EU (on a respect for private and family life, the protection of personal data, and the appropriate limitations on the exercise of rights and freedoms in the Charter).

 

 

  • Privacy Shield is an invalid breach of the rights of privacy, data protection, freedom of expression, and freedom of assembly and association under the Charter of Fundamental Rights of the EU and general principles of EU law.

 

 

  • Privacy Shield denies EU citizens the right to an effective remedy and good administration, as provided for under the Charter of Fundamental Rights of the EU and general principles of EU law.

 

 

  • The failure to include the full protections in Articles 14 and 15 of the Data Protection Directive-addressing data subjects’ right to object to data processing and decisions based solely on automated data processing-means that the Privacy Shield does not fully protect the rights of EU citizens where their data is transferred to the US.

 

 

As they point out, it is too early to say what the implications of this case will be, as there are many important variables – ranging from procedural issues to the potential impact of the forthcoming Trump administration on the current controls on government access to data – that will affect its possible outcome.

 

 

may-you-live

Related Posts