A legal challenge against the EU-US Privacy Shield agreement has been launched by an Irish privacy campaign group.
The Privacy Shield covers how the personal data of Europeans can be transferred to the USA. The EU has much stronger controls over the movement of data as well as much stronger privacy protections than the US and requires these rules to be respected by US companies when it comes to the data of EU citizens.
It came into force earlier in the year as a replacement for the for the former Safe Harbour agreement between the EU and the US. This was struck down by the Court of Justice of the European Union (ECJ) in the wake of the Edward Snowden revelations about the extent of US surveillance.
Digital Rights Ireland
Digital Rights Ireland are the group who have brought the case, although they have at this stage not commented on the case, which has been raised in the Luxembourg-based General Court – a lower court in the ECJ.
They are seeking to annul the new Privacy Shield on the grounds that it has inadequate privacy safeguards. EU law allows any individual or company to challenge a new law that directly concerns them within two months of it coming into force. That is what Digital Rights Ireland have done, although the case could be thrown out if the court decides that Privacy Shield does not directly concern them.
‘Sufficiently robust safeguards’
The European Commission has said that it is convinced that Privacy Shield has sufficiently robust safeguards to comply with the ECJ ruling that threw out its predecessor, the Safe Harbour agreement.
Privacy Shield gives EU citizens greater privacy protections as well as a number of ways to complain if they are unhappy with the way their data is being handled. This includes a dedicated privacy ombudsman based within the US State Department.
It also makes the process of transferring data between the EU and the US much easier than it otherwise is. Safe Harbour was used by more than 4,000 companies and Privacy Shield is already used by in excess of 500, including Microsoft, Facebook, and Google.
But it has also faced criticism from privacy campaigners that its safeguards still do not go far enough to be compatible with EU law. This legal challenge has long been expected and both the US and EU officials sound confident they can win the case.
A spokesperson for the U.S. Department of Commerce told Reuters that “The United States stands behind the Privacy Shield Framework and the critical privacy protections it affords individuals… and is ready to explain our safeguards and limitations if necessary.”
Meanwhile, a spokesperson for the EU commented that “the Commission is convinced that the Privacy Shield will live up to the requirements set out by the European Court of Justice.”
Inevitably there will be no quick solution to the case. If it gets as far as n ECJ ruling, the case will take more than a year. And there is a chance it might be thrown out before then too.
What that means for the data privacy of EU citizens in the meantime, is that Privacy Shield remains in place. It will be the basis of how data is transferred between the US and the EU for at least the next 12 months.
If that makes you uncomfortable, and it does make many people uncomfortable, then turning to a VPN to protect your online privacy by encrypting all your data and masking your IP address is advisable. Being conscious of the data you are putting onto social media and other web platforms is another good tip.
And if you do feel your online privacy has been violated in the US, be sure to use the provisions that Privacy Shield provides for you. They may not be perfect, but they are better than nothing.