A new EU-US pact governing the transfer of personal data faces a second legal challenge, putting the details of the deal which underpins billions of dollars of transatlantic trade in digital services under further scrutiny.
French privacy advocacy group La Quadrature du Net, non-profit internet service provider French Data Network and its Federation FDN industry association have now challenged the adoption of the Privacy Shield pact by the European Commission at the Luxembourg-based General Court, following in the steps of Irish group Digital Rights Ireland.
The Privacy Shield agreement was reached earlier this year after the European Union’s highest court struck down the previous Safe Harbour Principles used by companies to enable them to transfer Europeans’ personal data to the United States, due to concerns about intrusive US surveillance of online data.
EU member states today (8 July) signed off on the controversial Privacy Shield agreement for data transfers to the US, locking down the final deal after the European Commission haggled for months with the US over legal details.
The new agreement gives businesses storing Europeans’ data on US servers – from human resources information to people’s browsing histories and hotel bookings – an easy way to do so without falling foul of tough EU private data transfer rules.
More than 500 companies have signed up to Privacy Shield so far, including Google, Facebook and Microsoft, while over 1,000 are being processed by the US Department of Commerce.
The agreement seeks to strengthen privacy protections for EU citizens by giving them a means of seeking redress in the case of disputes, including through a new privacy ombudsman within the State Department who will deal with complaints from Europeans about US spying.
But the objectors say that restrictions on US surveillance activities – in particular the bulk collection of data and the purposes for which the data can be used – are inadequate and therefore the Privacy Shield agreement should be annulled.
Under EU law companies or individuals may challenge EU acts before the EU courts if they are directly concerned within two months of the act coming into force, otherwise they have to go through national courts, a process which takes longer.
However both challenges face a strong risk of being declared inadmissible if the court finds that the associations are not directly concerned.
The group of powerful data protection watchdogs from EU countries have reprimanded Yahoo and WhatsApp over concerns the companies are violating Europeans’ privacy rights.
In their challenge the French groups say that the US ombudsman is not an effective mechanism for dealing with complaints.
“The fact that it relies on so-called ‘independent’ instruments is in no way sufficient to consider it an independent judicial entity,” they said.
A spokesman for the European Commission, which negotiated the Privacy Shield with Washington, said it was aware of the new complaint.
“We don’t comment on ongoing court cases. As we have said from the beginning, the Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations,” Christian Wigand said.
The US Department of Commerce did not respond to questions about the second challenge.