The Privacy Shield is now live, having gone into effect on August 1. Perhaps emboldened by the Article 29 Working Party’s late July announcement that European regulators will not challenge the program’s adequacy for at least a year (after the first annual review of the program in May 2017), companies have begun self-certifying in order to legalize their transfers of personal data from the EU to the US. However, as we reported previously, the Privacy Shield nevertheless faces a somewhat precarious future, as it is likely that it will face multiple legal challenges.
This uncertainty was underscored just after the Privacy Shield went live, when Hamburg, Germany’s data protection authority (DPA) announced its intention to challenge the Privacy Shield’s legality before the Court of Justice of the European Union (CJEU) – the same court that struck down the Safe Harbor program last October. There are a few obstacles standing in the way of the Hamburg DPA’s proposed challenge, however. First, pursuant to the Article 29 Working Party announcement mentioned above, the Hamburg DPA would not challenge the Privacy Shield until after the program’s first annual review, meaning that the soonest the DPA could bring its challenge would be in mid-2017. Second, and perhaps more significantly, the DPA needs to wait for German law to be amended to allow a DPA to challenge European Commission adequacy decisions – such as the decision regarding the adequacy of the Privacy Shield – in court. Currently, German law does not explicitly give German DPAs the right to bring such a suit. However, the Hamburg DPA has taken the position that in order to bring the country’s laws into line with the requirements of the General Data Protection Regulation (see our posts here and here), German law should be amended to give DPAs the right to bring those challenges in court.
It likely will be at least several months before the law is amended, which means that it may be awhile before the Hamburg DPA can follow through on its threat. Regardless, the Hamburg DPA’s announcement shows that companies need to approach the Privacy Shield with caution, as it remains at risk of facing legal assaults from all sides – individuals, privacy activists, and DPAs included.