Privacy group shoots legal arrow at Privacy Shield

Privacy Shield, the legal agreement allowing businesses to export Europeans’ personal information to the U.S., is under fire.

An Irish privacy advocacy group has challenged the adoption of the decision in the EU’s second-highest court, Reuters reported Thursday, citing sources familiar with the case.

Privacy Shield entered effect in July, replacing the Safe Harbor framework, which had itself fallen victim to a legal challenge in October 2015. The new agreement supports transatlantic commerce worth US$260 billion, U.S. Secretary of Commerce Penny Pritzker has said, and has consequences for many companies offering cloud services to consumers.

While Safe Harbor’s demise was an unexpected legal consequence of a complaint to the Irish privacy regulator about Facebook’s handling of one user’s personal information, the challenge to Privacy Shield is more explicit: a direct attempt to overturn the decision implementing it.

Digital Rights Ireland filed an action on Sept. 16, seeking annulment of a European Commission decision in the area of freedom, security and justice, according to electronic records of the Court of Justice of the EU.

Further details of the action will not be made public until they are published in the EU’s Official Journal, a move that is expected in the next few days.

Digital Rights Ireland declined to comment on its action. “Unfortunately we aren’t in a position to offer any statement at all on this at this stage,” a spokesman said.

The organization has a history of challenging EU authorities on privacy matters, though, helping overturn the Commission’s Data Retention Directive in 2014, and contributing to the case that ended Safe Harbor.

The European Commission is aware of Digital Rights Ireland’s application to the court, but does not comment on ongoing court cases, said Commission spokesman Christian Wigand. “The Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations,” he said.

A court challenge to Privacy Shield was expected, but the method used is surprising, said Aaron Tantleff, a privacy and information security lawyer at Foley & Lardner.

Tantleff said he would have expected Digital Rights Ireland to file its complaint through a national data protection authority, which in turn could have referred it to the court. By going to the court directly itself, it faces “an uphill battle proving that the Privacy Shield is ‘of direct and individual concern'” to it, he said via email.

“I do not have high expectations that this case will proceed based upon the current facts,” he said, but given Digital Rights Ireland’s past record, “I am not ready to dismiss this as a mere PR stunt or just a nuisance.”