A little over a year ago, on October 6, the Court of Justice of the European Union held in Schrems that “Decision 2000/520 is invalid." This simple statement had the effect of plunging transfers of personal data from the EU to the U.S. into chaos. EU Commission Decision 2000/520 had recognized that the “the safe harbour privacy principles and related frequently asked questions issued by the U.S. Department of Commerce” provided an adequate level of data protection. And roughly 4,400 businesses had relied upon Decision 2000/520 to transfer personal data from the EU to the U.S. in accordance with the EU’s Data Protection Directive. The invalidity of Decision 2000/520 left these controllers searching for alternative transfer mechanisms. 

The EU Commission and U.S. government responded relatively quickly; their negotiations resulted in the replacement Privacy Shield being agreed and in place within a year. Privacy Shield is controversial and many had anticipated that it would be challenged before long. The Article 29 Working Party of EU Data Protection Authorities (DPAs) had expressed its continuing “regrets” but went onto say that the: “first joint annual review will … be a key moment for the robustness and efficiency of the Privacy Shield mechanism to be … assessed.” This effectively gives Privacy Shield a year within which to prove itself. Then in September Digital Rights Ireland lodged a challenge to Privacy Shield before the CJEU; a number of French groups have now issued a challenge of their own. In the meantime a number of challenges are also being brought at national level, and these may result in questions about the legality of Privacy Shield being referred to the CJEU.   

The difficulty with bringing a challenge to Privacy Shield now is that the EU’s new General Data Protection Regulation will apply from May 25, 2018. The significance of the GDPR is that it asserts jurisdiction over the processing of EU personal data anywhere in the world. The GDPR “applies to the processing of personal data … regardless of whether the processing takes place in the Union or not." So controllers and processors established in the EU will have to comply with the GDPR when they are processing data outside the EU. And the GDPR will apply to the processing of EU personal data by controllers or processors established outside the EU where that processing relates to the offering of goods and services to data subjects within the EU or the monitoring of subjects’ behavior within the EU. This assertion of a global jurisdiction for EU data protection laws may address one of the regrets expressed by the Article 29 Working Party, which “would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism.” The global jurisdiction of the GDPR may address other regrets expressed by the Article 29 Working Party about the absence of “specific rules on automated decisions and of a general right to object” and a lack of clarity about Privacy Shield’s application to processors. Whether the application of the GDPR will address all those regrets or answer all the questions that the CJEU itself raised in Schrems remains to be seen. But we will probably have to wait until after the GDPR applies to find out. 

Hence the timing of a challenge to the Decision of the EU Commission recognizing the adequacy of Privacy Shield is important. Any such challenge must be brought before the CJEU itself through one of two routes. The first is through the national courts, which was the route chosen by Max Schrems in his original challenge and his new challenge to the “standard contractual clauses.” This route has many advantages, not least that the CJEU outlined how it should work in the Schrems judgment. But this route takes time. National proceedings issued in Schrems in 2013; the judgment of the CJEU issued approximately two years later. It may well be the GDPR will apply before such a challenge to Privacy Shield could be considered by the CJEU, but the national court should be able to anticipate this application in the questions it asks of the CJEU.

The second route is to bring a challenge directly to the ECJ pursuant to Article 263 of the Treaty on the Functioning of the EU. This is apparently the approach being taken by Digital Rights Ireland in its recently issued proceedings. Such a challenge must allege that the EU Commission’s recognition of the adequacy of Privacy Shield suffers from a “ … lack of competence, infringement of an essential procedural requirement, infringement of the Treaties or of any rule of law relating to their application, or misuse of powers.” This is a judicial review, which narrows the basis of a challenge to alleged breaches of procedure or absences of formal powers. An argument might be made that anyone who wants to challenge Privacy Shield should follow the process that the CJEU outlined in Schrems: make a complaint to the relevant DPA; let the outcome of that complaint be brought before a national court, and let that national court decide whether or not to refer questions to the CJEU. And anybody who wants to invoke Article 263 must also demonstrate that they have what some courts term locus standi, that they are affected by the Act in question. This all means that significant questions of admissibility may have to be considered as part of an Article 263 challenge.  Consideration of such questions may take some time.

It is possible that these challenges to Privacy Shield will conclude before the GDPR applies in eighteen months’ time, but it is not clear what will happen to such challenges if not. Some may therefore suggest that it may be easier simply to wait until the GDPR applies before a challenge to Privacy Shield is made. Others may caution that digital rights activists may not always like the answers that the CJEU may give. This is illustrated by the recent decision of that court in McFaddenwhere a “… campaign by Digital Rights activists to preserve open Wi-Fi hotspots has resulted in Europe’s highest court deciding the exact opposite." As its previous decisions in Schrems and Digital Rights Ireland demonstrate, the CJEU is going to define the right to data protection in its own way.  

Top image courtesy of European Commission.