EU-U.S. Data Transfer Pact Should Be Voided: Irish Group

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Nov. 8 — A new agreement to allow EU-U.S. data transfers should be voided because it fails to prevent misuse of data by the U.S. government, an Irish privacy group said in a complaint filed in the European General Court (EGC).

The European Union-U.S. Privacy Shield data transfer agreement is relied on by hundreds of U.S. companies, including Microsoft Corp., Facebook Inc. and Salesforce Inc., to ease essential transatlantic data flows of EU citizens’ personal information. But, Digital Rights Ireland argued that just like its predecessor—the invalidated U.S.-EU Safe Harbor agreement—its promises to maintain the privacy of that data is inadequate.

The complaint, filed under seal Sept. 16 by Digital Rights Ireland in the ECG—the lowest court of the European Court of Justice—and made public for the first time Nov. 7, argued the European Commission—the EU’s executive arm—made a “manifest error of assessment” by finding that the EU-U.S. Privacy Shield provides adequate level of protection for personal data transferred to the U.S.

The privacy principles set forth in the pact don’t constitute “international commitments” that actually bind the U.S., the complaint said.

Simon McGarr of McGarr Solicitors in Dublin, which is representing Digital Rights Ireland, told Bloomberg BNA Nov. 8 that, as the European Court of Justice held in the Schrems case that killed the Safe Harbor program in October 2105, protection of personal data must be “embodied” in the law of the third country—the U.S., in the case of the Privacy Shield—or constitute an international commitment, such as a treaty.

Lingering Concerns

Digital Rights Ireland's complaint argued that the Privacy Shield fails to “safeguard against indiscriminate access to electronic communications by foreign law enforcement authorities.”

Daragh O'Brien, CEO of data governance consultant company Castlebridge Associates in Ireland, told Bloomberg BNA Nov. 8 that Digital Rights Ireland is “absolutely right to challenge the Privacy Shield is simply echoing concerns that the Article 29 Working Party have already raised.”

The Art. 29 Working Party of EU data protection officials said in July that they have lingering concerns over U.S. government access to personal data transferred outside the EU, but that they won't challenge the Privacy Shield for at least a year. The main area in which U.S. legislation might be clarified to give Privacy Shield a stronger basis would be the function of the ombudsman, established to look into complaints about U.S. government surveillance, the group said.

“While the Art. 29 Working Party chose to give it 12 months and review it afterwards, Digital Rights Ireland has simply asked the European Court of Justice to review it now,” O'Brien said. “The independence of an ombudsman is very specific in European Union law. The key element is that he must be completely independent of influence whereas an employee of the State Department is not, so that raises a question mark,” he said.

French Challenge

In addition to Digital Rights Ireland's complaint, French privacy advocacy group La Quadrature du Net, internet service provider French Data Network and industry association Federation FDN filed complaint in the EGC challenging the Privacy Shield. According to a Nov. 2 Reuters report, La Quadrature du Net alleged that the U.S. ombudsman “is not an effective mechanism for dealing with complaints.”

A Commerce Department spokesman previously told Bloomberg BNA that the agency is “aware and monitoring the legal challenge brought by La Quadrature du Net.” In response to Bloomberg BNA's Nov. 8 requests for additional comments, the spokesman said “Commerce doesn’t have any additional comment related to the DRI challenge.”

EC spokesman Christian Wigand previously told Bloomberg BNA that the commission “is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations.” Wigand said the commission doesn't have any additional comments.

By Jimmy H. Koo

With assistance from Daniel R. Stoller in Washington and Ali Qassim in London

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editors responsible for this story: Donald G. Aplin at daplin@bna.com

For More Information

Full text of Digital Rights Ireland's complaint is available at http://src.bna.com/jXo.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.