A legal challenge to a data transfer mechanism that’s used by thousands of companies to authorize taking European citizens’ personal data to the US for processing has been delayed.
As we reported last month, the General Court of the EU had set a date of July 1 and 2 to hear the complaint brought by French digital rights group, La Quadrature du Net, against the European Commission’s renegotiated data transfer agreement, the EU-US Privacy Shield.
That hearing has now been canceled — as the court intends to await the decision on another separate but related hearing, on July 9.
La Quadrature du Net has argued for years that Privacy Shield is incompatible with EU law as a result of US government mass surveillance practices — filing its first complaint back in October 2016.
Nor is it alone in its concerns, with the European parliament, European data protection agencies, and privacy and data protection experts all raising questions about the legality of the arrangement which went into operation in August 2016.
But in a series of tweets posted to Twitter today the digital rights group says it has been informed by the court that the hearing has been cancelled — in favor of waiting for the upshot of July 9 hearing.
The latter pertains both to the EU-US Privacy Shield and another data transfer mechanism, called standard contractual clauses (SCCs).
Following an updated complaint against Facebook’s use of SCCs, filed with the Irish Data Protection Commission by lawyer and privacy campaigner Max Schrems back in 2016, the watchdog referred its concerns to the courts.
Irish judges went on to ask Europe’s top court to weigh in on a number of legal questions — including whether Privacy Shield ensures an adequate level of protection for EU citizens’ personal data, as EU law requires that it must. So European judges will be considering how US government mass surveillance programs of the digital sphere — as revealed back in 2013 by NSA whistleblower, Esward Snowden — impact European’s fundamental privacy rights.
At this point you’d be forgiven for feeling a sense of deja-vu because it was via an earlier legal challenge, also brought by Schrems, that led Europe’s top court to strike down the prior data arrangement, Safe Harbor, back in 2015.
Critics of Privacy Shield are hoping the successor arrangement’s days are similarly numbered.
“All that remains is to wait for the Court’s decision, which is not expected to arrive for several months,” writes La Quadrature du Net in a final tweet [translated from French using Microsoft technology]. “We wish a lot of courage and a lotfor his business! Hearing on July 9th!”
Facebook tried and failed to block the Irish court’s referral of legal questions about Privacy Shield to the CJEU.
Following the July 9 hearing, a decision from the CJEU is possible later this year — perhaps as soon as October. Although a deliberation timeframe of up to six months is not unusual European judges have shown themselves willing to move remarkably quickly in issuing decisions if they believe EU citizens’ fundamental rights are being undermined.
Since getting up and running less than three years’ ago, Privacy Shield has also suffered from the Trump effect — with key elements of the arrangement, which had been agreed in writing between the European Commission and the Obama administration, being neglected by the incoming US president.
Late last year Europe’s executive body expressed its impatience by issuing the US with a deadline to fulfil outstanding Privacy Shield requirements — including nominating a permanent ombudsperson to handle EU citizens’ complaints.
In January the US duly nominated DocuSign chairman and former CEO, Keith Krach, to be the undersecretary of state for economic growth, energy, and the environment — and also the Privacy Shield ombudsperson.
All of that will, however, be meaningless fiddling if Europe’s top court decides the mechanism is fundamentally incompatible with EU law on account of US national security priorities that allow the government to help itself to everyone’s data. So, er, watch this space.