News

Action for annulment against the EU-US Privacy Shield and coordinated review by the German data protection authorities

10.11.2016

Action for annulment against the EU-US Privacy Shield

By its Implementing Decision (EU) 2016/1250 of 12 July 2016, the EU Commission certified that the EU-US Privacy Shield, the successor to the US/EU Safe Harbor overturned by the ECJ last year (see our report), provides adequate protection for the transfer of personal data to companies in the US. US companies have been able to obtain certification for the EU-US Privacy Shield since 1 August 2016. Since then, over 500 companies have made use of this option (see our report).

There has been some fierce criticism of the EU-US Privacy Shield from many sides. So it is hardly surprising that the Irish data privacy group Digital Rights Ireland (DRI) brought an action for annulment in the court of the European Union on 16 September 2016 against the Commission’s adequacy decision on the matter. The grounds for the action and the main arguments regarding the pending action for annulment (case no. T-670/16) were published in the Official Journal of the European Union on 7 November 2016. In DRI’s view, the Implementing Decision was afflicted by a manifest error of assessment regarding the adequacy of protection. The applicant therefore calls for the Implementing Decision to be declared null and void.

Whether the court will even consider the content of DRI’s arguments depends largely on whether the court considers the action to be admissible. The admissibility of an action for annulment before the court is governed by strict conditions. There is no indication in the Official Journal of the European Union as to how DRI will justify the admissibility of the action in concrete terms. It will therefore be fascinating to see how the proceedings unfold.

But it cannot be ruled out that the court could ultimately agree with DRI’s view, overturn the Commission’s adequacy decision on the EU-US Privacy Shield and thus also pull the rug out from under the Safe Harbor successor. When structuring international data transfers it is therefore still advisable to consider other options for securing data transmission, especially the use of EU standard contractual clauses. However, in the medium term, the fate of EU standard contractual clauses remains unclear. The Irish data protection authorities are seeking a review of standard contractual clauses by the ECJ.

Coordinated review by the German data protection authorities

In the meantime, certain German data protection authorities have announced (only available in German) a coordinated, written review of transfers of personal data to non-EU countries (‘third countries’). The data protection authorities of the federal states Bavaria, Berlin, Bremen, Hamburg, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saarland and Saxony-Anhalt are involved in this review. The supervisory authorities intend to contact some 500 companies across Germany in the next few days and ask them to agree to answer a questionnaire.

According to the federal states, the aim of the review is primarily to raise awareness among companies about transferring data to countries outside the European Union. If personal data is transmitted to non-EU Member States, the companies checked are to be asked to say which data privacy law is being used as a basis for the transmissions. For example, they are to specify whether the destination country has an adequate level of data privacy acknowledged by decision of the EU Commission (also including the EU-US Privacy Shield), whether standard contractual clauses are used as the basis or whether the transmissions are based on consent given by those concerned.