Irish Court Has Referred Case to European Court Which Challenges Privacy Shield: Will the EU-U.S. Privacy Shield Framework Withstand Scrutiny by the European High Court?

If your software company has pursued Privacy Shield certification or is contemplating pursuit of certification, then you should know that an Irish Court has referred a case to the Court of Justice of the European Union, which could potentially invalidate the EU-U.S. Privacy Shield as it previously did with the Privacy Shield predecessor, Safe Harbor, according to a Tech Crunch report.

As Tech Crunch explains, the current case against Facebook was initiated by the lawyer and privacy campaigner Max Schrems, who also initiated the prior compliant which resulted in the judgment by the Court of Justice of the European Union overturning Safe Harbor.

The High Court of Ireland referred eleven questions for consideration to the Court of Justice of the European Union, including several questions (nos. 9 and 10) that specifically deal with the adequacy of the EU-U.S. Privacy Shield.  Tech Crunch suggests that this referral could lead to a complete collapse of the EU-U.S. Privacy Shield framework.

With the evident uncertainty over the future of Privacy Shield: does it still make sense to pursue and/or maintain certification if your company has European customers?  In light of the fact that the new data privacy rules in Europe (the “GDPR”) go into effect May 25th, which increase the fines for violations, and the Privacy Shield framework remains the best guidance currently available for American companies intending to do business in Europe, pursuit of certification remains a sound business and legal strategy.  However, companies need to follow what happens with this challenge and remain cognizant of the fact that Privacy Shield has not yet been tested by this European high court and it is uncertain that it will withstand the current challenge.