Reuters reports that privacy rights organization Digital Rights Ireland has filed a legal challenge against Privacy Shield, arguing it does not contain adequate privacy safeguards, citing several people familiar with the matter.
Critics of the new deal had predicted this day would come, arguing the arrangement lacks adequate privacy safeguards to pass muster with Europe’s courts.
The agreement, which was multiple years in negotiation, was only formally adopted this July, with sign-ups open from August. Urgency had been injected into the negotiating process after fall 2015 when Europe’s top court struck down the prior Safe Harbor agreement, ending a regime that had authorized personal data transfers between the EU and the U.S. for some 15 years.
The EC argues Privacy Shield greatly strengths privacy safeguards to ensure Europeans’ data protection rights are secure when personal data flows to the U.S. Critics disagree, pointing to U.S. mass surveillance programs as an inexorable violation of these fundamental rights.
According to the news agency’s sources, it will be a year or more before the court rules on the case and it could still be declared inadmissible if the court finds the Privacy Shield is not of direct concern to Digital Rights Ireland.
A spokesman for Digital Rights Ireland declined to comment on the case at this stage, or provide details of its legal arguments.
A digital court filing also lists minimal detail, noting only that the parties are Digital Rights Ireland versus [European] Commission; that the subject matter pertains to “area of freedom, security and justice” and the procedure and result sought is “actions for annulment.”
Commenting on the case in a statement, Christian Wigand, European Commission spokesman, said: “We are aware of the application, we don’t comment on ongoing court cases. As we have said from the beginning, the Commission is convinced that the Privacy Shield lives up to the requirements set out by the European Court of Justice, which have been the basis for the negotiations.”
DRI has past precedent challenging European data processes, having brought a legal challenge to the CJEU on the issue of data retention back in 2014 — when it argued successfully for the striking down of Safe Harbor. It also has an ongoing challenge to Ireland’s data protection regime.