Last July, the United States and the European Union agreed on a new framework to allow for the transfer of Europeans’ personal data to the United States. This new framework, known as Privacy Shield, replaced the Safe Harbor Principles which the European Court of Justice struck down over concerns about the U.S.’s government’s online data surveillance activities.
The architects of Privacy Shield sought to address the Court’s concerns by including in it mechanisms allowing Europeans to raise claims about U.S. spying, including through a new ombudsman at the U.S. State Department. However, European advocacy groups have challenged the adequacy of these mechanisms. First, advocacy group Digital Rights Ireland sued the European Commission in the Court of Justice of the EU. Most recently, three French organizations, La Quadrature du Net, a French privacy advocacy group, French Data Network, a non-profit Internet service provider, and ISP industry association Federation brought an action in Luxembourg-based General Court challenging the E.U.’s adoption of the Privacy Shield.
These actions challenge whether the U.S. ombudsman is really independent of the U.S. government, as well as raise concerns about U.S., bulk data collection efforts and how the data may be used by U.S. law enforcement and intelligence agencies. It is unknown how these cases will be resolved. Until a resolution, many U.S. companies will rely on the Privacy Shield to facilitate the transfer of personal data from the E.U. To date, more than 1,500 U.S. companies have registered or applied for Privacy Shield certification. Other companies have elected to use the model clauses or other mechanism to enable the cross-border transfer of personal data, until the Privacy Shield legal challenges are resolved.