Privacy advocacy group Digital Rights Ireland has filed a legal challenge to an EU-US commercial data transfer pact underpinning billions of dollars of trade in digital services just two months after it came into force, sources said.

The EU-US Privacy Shield was agreed earlier this year after the European Union’s highest court struck down the previous such framework for transferring Europeans’ private data to the United States on concerns about intrusive US surveillance.

The framework gives businesses moving personal data across the Atlantic – from human resources information to people’s browsing histories to hotel bookings – an easy way to do so without falling foul of tough EU data transferral rules.

As was widely expected, Digital Rights Ireland has challenged the adoption of the Privacy Shield by the EU executive – which negotiated the pact with Washington – in front of the second-highest EU court, arguing it does not contain adequate privacy protections, several people familiar with the matter said on Wednesday.

The case has been published on the website of the Luxembourg-based General Court – the lower court of the Court of Justice of the European Union (ECJ) – but says only it is an “action for annulment”. The case number is T-670/16.

Digital Rights Ireland declined to comment.

Ruling

It will be a year or more before the court rules on the case and it could still be declared inadmissible if the court finds the Privacy Shield is not of direct concern to Digital Rights Ireland, two of the people said.

Individuals or companies may challenge EU acts before the EU courts if they are directly concerned within two months of the act coming into force.

“We are aware of the application (for annulment),” a spokesman for the European Commission said.

“We don’t comment on ongoing court cases. As we have said from the beginning, the Commission is convinced that the Privacy Shield will live up to the requirements set out by the European Court of Justice (ECJ) which has been the basis for the negotiations.”

Revelations three years ago from former US intelligence contractor Edward Snowden of mass US surveillance practices caused political outrage in Europe and have cast cross-border data transfers in a pall of uncertainty.

The Privacy Shield seeks to strengthen the protection of Europeans whose data is moved to US servers by giving EU citizens greater means to seek redress in case of disputes, including through a new privacy ombudsman within the State Department who will deal with complaints from EU citizens about US spying.

Companies had to rely on other more cumbersome legal mechanisms in the wake of the ECJ ruling invalidating Safe Harbour, the framework that for 15 years was used by more than 4,000 companies for transatlantic data transfers.

More than 500 companies have signed up to the Privacy Shield so far, including Google, Facebook and Microsoft.

Reuters