In October of last year, we reported that digital rights advocacy group Digital Rights Ireland (“DRI”) had brought an action to annul the EU-U.S. Privacy Shield. DRI filed its challenge before the General Court of the European Union, which is the court of first instance in the EU system with exclusive jurisdiction over challenges to the validity of EU legal acts. Last week, the General Court dismissed DRI’s challenge, meaning that Privacy Shield remains valid and in force.
DRI based its Privacy Shield suit on Article 263 of the Treaty on the Functioning of the European Union (TFEU), under which “[a]ny natural or legal person may . . . institute proceedings against an [EU] act addressed to that person or which is of direct and individual concern to them,” or “against [an EU] regulatory act which is of direct concern to them and does not entail implementing measures.” It asserted a number of arguments against Privacy Shield’s validity, including, inter alia:
- Privacy Shield allegedly violates privacy rights contained in the EU Charter of Fundamental Rights, as interpreted by the European Court of Justice’s Schrems decision;
- The commitments made by the US government in Privacy Shield did not constitute “international commitments” as required by applicable EU directives;
- US surveillance legislation allegedly permitted US agencies to have “access on a generalized basis” to international communications; and
- As a result of the foregoing and additional arguments (which can be viewed in their entirety here), Privacy Shield did not offer adequate protection of EU citizens’ rights.
On November 22, 2017, the EU General Court issued an order dismissing DRI’s challenge to Privacy Shield as inadmissible. In short, the General Court found that DRI did not have standing to sue under Article 263 TFEU and its associated case law. To reach this result, the Court relied on three major conclusions:
• DRI did not have standing to sue in its own name. The Court held that DRI did not have standing to sue in its own name for a number of reasons, including:
– As a legal person, DRI has no personal data. Since DRI is a legal person, it did not possess any personal data within the meaning applicable data protection law. As a result, DRI “cannot avail of the protection of personal data,” and the Privacy Shield mechanism is “thus incapable of breaching any right to protection of personal data” claimed by DRI.
– To the extent DRI is a controller of its members’ data, its rights are unaffected by Privacy Shield. DRI argued it had standing because it was a controller of data held on behalf of its (individual) members. The Court agreed that this may be the case, but noted that – as a European organization – DRI is not subject to Privacy Shield. Instead, Privacy Shield only applies to US organizations, and enables them to receive data transfers from EU individuals and organizations. To the Court, this meant that DRI has no standing-conferring injury because Privacy Shield “has the effect of entitling [DRI] to carry out transfers under certain conditions,” but “does not restrict its rights or impose obligations on it.”
– Privacy Shield is not insufficient as a transfer mechanism until declared invalid. DRI argued that if it transferred data to the US under the protection of Privacy Shield, it would potentially violate its obligation “ensure the lawful processing of data of which it is controller” – potentially inviting the Court to find that Privacy Shield, without more, was insufficient to protect data transferred to the US, without having to completely annul the Commission’s decision. The Court responded that as long as Privacy Shield remained in force, any transfers DRI made on the basis of Privacy Shield would be “in accordance with the applicable rules, as they follow from, inter alia, [Privacy Shield].”
• DRI did not have standing to sue in the name of its members or the general public. As a matter of ECJ case law, associations can assert standing in specific situations, specifically: (a) when the association “represent[s] the interests of persons who, for their part, would have standing to take action;” (b) when the association is “individually identified by reason of the impact on their interests as an association, particularly because their position of negotiator has been affected by the act the annulment of which is sought;” or (c) when “a legal provision expressly grants [the association] a number of powers of a procedural nature.” Here, the General Court found that DRI satisfied none of the organizational-standing prongs because:
– DRI had not “demonstrate[d] that it has been empowered to bring legal actions in the name and on behalf of those members and supporters with a view to protecting their personal data”;
– DRI was not a “negotiator . . . in the procedure which resulted in the adoption of [Privacy Shield”;
– In the present case, DRI could not claim the benefit of certain EU environmental directives granting organizational standing; and
– DRI – which argued that its action was in the public interest – had no general residual organizational standing claim, since “EU law does not, in principle, allow for the possibility of an applicant to bring an actio popularis in the public interest.”
• The GDPR does not yet apply. Article 82(1) GDPR permits consumers to permit a “not-for-profit body, organisation or association” to assert their privacy rights before EU courts. As a last argument, DRI argued that it should be considered a consumer-rights association entitled by Article 80 GDPR to assert the rights of its members in challenging Privacy Shield. The Court retorted that the GDPR was not yet in force; “suffice it to point out that that regulation will apply only as from 25 May 2018.”
The Court thus found that DRI did not have standing under Article 263 TFEU to challenge Privacy Shield. DRI may appeal the General Court’s ruling to the European Court of Justice. The General Court’s ruling may be viewed in full here.
Note, however, that DRI’s suit is not the only challenge to Privacy Shield. A French digital-rights organization named “La Quadrature du Net”, along with several other French organizations, have also filed a suit challenging Privacy Shield before the General Court. (See a summary of La Quadrature’s suit here.) Since La Quadrature’s challenge is also an organizational suit, observers will be interested to see whether it survives the reasoning laid down in the DRI decision.
* * * * *
Alston & Bird and its Brussels-based EU privacy team is closely following Privacy Shield challenges and other privacy litigation throughout the EU. For more information, contact Jim Harvey or David Keating.