The EU Commission and U.S. government agreed on the EU-U.S. Privacy Shield at the beginning of this month. That agreement will now form the basis of a proposal for an EU Commission adequacy decision pursuant to Article 25(6) of the Data Protection Directive, a complex process must be followed before such this proposed decision can become law.
So what does that process look like?
Firstly, the decision must be proposed by the EU Commission (this is promised for the latter half of this month).
Secondly, the opinion of the Article 29 Working Party may be sought. As its name suggests, this Working Party is established by Article 29 of the Data Protection Directive (a meeting to discuss EU-U.S. data transfers is scheduled). The Article 29 Working Party is made up of the data protection authorities of the member states and the EDPS together with a representative of the Commission. The data protection directive provides that the Working Party may “ … give the Commission an opinion on the level of protection … in third countries” and that opinions and recommendations of the Working Party may “ … be forwarded to the Commission and to the committee referred to in Article 31.” Such an opinion may issue in April, but it will not be binding upon the EU Commission. As Hamburg’s DPA has explained: “ … the EU-US Privacy Shield system will initially be valid regardless of the decision of the European data protection authorities.”
Thirdly, the approval of the Article 31 Committee will be sought. This committee is established pursuant to Article 31 of the Data Protection Directive. When the Directive was originally enacted in 1995, it set out specific procedures to be followed by this committee. However, the Directive was amended so that the Article 31 Committee now follows the standard comitology procedure for the adoption of measures such as these.
Finally, the proposed decision may be adopted by the College of the EU Commission. The complexity of this process means it will take time to complete. And it is a process that may be vulnerable to disruption. The Article 31 Committee could deliver a negative opinion; or the EU Council or Parliament might form the view that the proposed decision “ … exceeds the implementing powers” provided to the EU Commission by the Data Protection Directive.
But once the proposed decision is adopted then the only body that can query its validity will be the Court of Justice of the European Union. This is clear from the CJEU’s judgment in Schrems that it “ … alone has jurisdiction to declare that an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, is invalid.”
It may well be that the proposed decision will be referred to the CJEU once it is made. An investigation by a DPA may take place, following which an application to the national courts of the relevant Member State may be made. Such an application may request the referral to the CJEU of questions about that decision. If that referral is made, then it may well be heard by the CJEU on an expedited basis. The CJEU recently granted an expedited hearing in the case of Davis, which was referred by the English Court of Appeal to the CJEU in October. This case may be heard on April 12, which would be less than five months after it was referred to the CJEU. Davis concerns: “ … national legislation that permits the retention of all electronic communications data and subsequent access to that data" in the UK.
An expedited hearing is being granted to “ … dispel … uncertainty … as regards the possibility of serious interference with … fundamental rights.” Similar uncertainty may arise in respect of the proposed decision, so it may well be that the CJEU will ensure that any challenge to that decision will receive a similarly expedited hearing.
Speculation as to the outcome of such a hearing may be pointless as the specifics of both the EU-U.S. Privacy Shield agreement and the proposed decision are still unknown. But that outcome may be determined by whether the CJEU only considers whether there are an errors on the face of the proposed decision or if the CJEU goes further and examines whether the EU-U.S. Privacy Shield agreement does, in fact, provide “ … a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.”
Top photo courtesy of European Commission.