The EU-U.S. Privacy Shield register may now be open for business, and Europe's privacy regulators may have collectively (though grudgingly) agreed to assess its progress in a year rather than kick and scream about its flaws now, but at least one regulator is still itching for a fight.

Johannes Caspar, the Hamburg data protection authority, is keen to ask the Court of Justice of the European Union whether it thinks the Commission's decision to strike the data-transfer deal was valid. The ECJ, of course, was the court that declared Privacy Shield's predecessor, Safe Harbor, to have been an invalid "adequacy decision."

Caspar is hoping that upcoming legal changes in Germany will make it possible for the country's DPAs to challenge adequacy decisions as soon as next year. It is by no means certain that the changes will make this possible, though.

"The decision of the EU Commission concerning the Privacy Shield constitutes a new legal ground for data subjects, which is a binding document for all members of the [Article 29 Working Party of data protection authorities]," Caspar told The Privacy Advisor in an email. "On the other hand, I have serious doubts whether this adequacy decision meets the legal requirements of the principle of proportionality and judicial redress in the [CJEU's] Safe Harbor judgement."

He continued, "It is expected that sooner or later the CJEU will assess whether the access by public U.S. authorities to personal data transferred under the Privacy Shield is limited to what is strictly necessary and proportionate in a democratic society. If there is a legal way to seek reference to the CJEU – and we hope that the national lawmaker will enact a law for national DPAs soon – we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision."

Caspar was referring to amendments that the German government is drafting to bring the country's data protection legislation in line with the new EU General Data Protection Regulation. (Being a regulation rather than a directive, the GDPR does not require transposition into national laws, but those laws may need tweaking to comply with its terms.)

Acting on a request from Hamburg to prepare for the GDPR (specifically, paragraph 5), Germany's Bundesrat – the country's equivalent to the U.S. Senate – asked the government in April to make it possible for federal and state DPAs to challenge the European Commission's adequacy decisions.

This would involve allowing the DPAs to go directly to a national court in search of a referral to the CJEU, the only body that can nullify the Commission's decisions. Because the identity of the defendant would be unclear, and because DPAs do not currently have an explicit right to sue in this way, this is where existing German laws get fuzzy.

"[The Bundesrat said] in their resolution that the current procedural law is unclear [regarding] whether DPAs would be entitled to commence such court action or not, and therefore it's necessary to clarify the situation," said Thomas Jansen, a partner with DLA Piper in Munich.

In mid-July, the government finally replied to the Bundesrat, saying it is working on the new legislation but not mentioning whether it would allow DPAs to challenge adequacy decisions. 

"They wanted to create a new legal remedy for DPAs to go directly to the federal administrative court in Germany, and, let's say, not go to the local administrative court in Hamburg, and ask the court if they have doubts about the validity of such an adequacy decision," said Carlo Piltz of JBB Lawyers.

"But the German government doesn’t say anything about this possibility. I would assume that we will only see the rights for the DPA to challenge data processing operations, like we see them now."

The relevant paragraph in the GDPR text only explicitly talks about being able to properly tackle infringements, and it would arguably take a broad interpretation to see the Privacy Shield adequacy decision classified as an infringement.

Caspar's office said it has no information about the content of the new legislative changes. "It will come out in a short time and data protection authorities will work to ensure that no [initiating] complaint will be necessary," said a spokesman.

Timing is also an issue. Caspar himself said he expected the new law to be enacted by the end of the year. He also noted that the Article 29 Working Party's next opportunity to scrutinize the Privacy Shield's robustness will come in a year's time, "if the Shield will still be in force" at that point.

However, both Jansen and Piltz were skeptical that any change would come so soon. After all, the GDPR itself doesn't come into effect until May 2018, and there's no need to rush the amendments to German legislation until closer to that time.

If DPAs do win the power to challenge adequacy decisions, then "it seems it will only happen not in the next few months, but in one year," said Piltz.

Jansen also pointed out that giving DPAs the right to challenge adequacy decisions could be seen as having a negative effect on transatlantic trade, due to the importance of personal data in the modern economy and the fact that a successful challenge to Privacy Shield might also bring down the other mechanisms that companies use to process EU data in the U.S.

After all, if U.S. mass surveillance means Privacy Shield doesn't protect EU citizens' rights, then the same goes for model clauses and binding corporate rules.

"I would assume that Germany would not pass that law before the GDPR comes into effect," Jansen said. "There will be elections in Germany next year."

Of course, even if Hamburg doesn't get what it wants, that doesn't mean the CJEU won't consider the new data pact.

"Many [European] data protection and privacy experts see a high risk that the Privacy Shield will be invalidated," Jansen said. 

"This assessment needs to be done either way," said Piltz.

 
