Digital Rights Ireland Challenges the EU-U.S. Data Transfer Privacy Shield
Bloomberg Privacy & Security Law Report
In this article, John Eustice discusses the action for annulment filed by Digital Rights Ireland Ltd. (DRI), which asks the Court of Justice for the European Union (CJEU) to declare the new EU-U.S. Privacy Shield law insufficient to protect the movement of personal data between the EU and U.S. He also addresses the basis of DRI's action, the current structures in place governing cross-border data transfers, and what companies can expect going forward. "DRI's action is rooted in a deep mistrust of any deal by the U.S. government to protect the personal data of European citizens," Eustice wrote. Claims similar to those set forth in DRI's current action were upheld by the CJEU in Schrems v. Data Protection Comm'r, which "found that U.S. intelligence surveillance programs involving the collection and processing of personal data (e.g., the PRISM program) rendered adherence to the safe harbor principles virtually impossible," ultimately ending the U.S.-EU Safe Harbor Framework, he said.
As companies prepare for business under the new EU-U.S. Privacy shield, they must commit to adhere to all privacy principles set forth in the new EU-U.S. Privacy Shield Policy and implement changes to their privacy regime consistent with those principles. While there is much to be done to comply with the new law, "the good news for companies revising their privacy policies is that the primary complaint lodged by DRI concerns not the actions of private companies, but the commitment to privacy by the U.S. government," he said. "Privacy officers should keep one eye on the docket at the CJEU and the other on the incoming Trump administration's approach to the Privacy Shield."