Ever since the first draft of the EU-US Privacy Shield framework was published in early 2016, groups opposed to the idea have indicated their intent to challenge the legality of the framework under EU law. Recently, the privacy advocacy group Digital Rights Ireland made good on that promise. Following the filing of a formal complaint on 15 September asking for an annulment of the framework by the Court of Justice of the European Union, DRI has now made public the details of its complaint.
On 12 July 2016, the European Commission issued its much awaited “adequacy decision” concerning the Privacy Shield framework for the transfer of personal data from the EU to the U.S. This adequacy decision is based on the latest version of the Privacy Shield, which was further negotiated and revised following the Article 29 Working Party’s April 2016 concerns with the terms of the original Privacy Shield framework. Many of our clients have questions about Privacy Shield—what it is, when it will be available for use, and how it differs from other data transfer mechanisms, among others. We have prepared blog post to answer these questions about the updated version of Privacy Shield and its implications for companies engaging in trans-Atlantic data flows.
One of Harry Houdini’s most difficult tricks consisted of escaping from a nail-fastened and rope-bound wooden crate with manacles on his hands and feet, while submerged in New York’s East River. That feat is starting to look straightforward when compared to the prospect of lawfully exporting personal data out of the European Union. The restrictions on transfers of data to jurisdictions that do not provide an adequate level of protection have been in place for more than 20 years. And while these restrictions have not prevented the development of the digital economy, judging by this issue’s current direction of travel, we could be facing a situation from which not even the great Houdini could escape.