We are off to the adequacy races, again. The first horse to bolt is very often the first to reach the first fence. While EU litigation has many fences, there's only ever one first fence: admissibility.
Broadly speaking, there are two main routes by which an adequacy decision (as with other EU regulatory instruments) can be struck down.
- A ruling by the EU General Court, having adjudicated on a direct action for annulment (under Article 263 of the TFEU).
- A ruling by the Court of Justice of the EU, having received a request for preliminary reference on a point of EU law from a member state court (under Article 267 of the TFEU).
Reports surfaced 8 Sept. that French MP Philippe Latombe filed an application to annul the EU-U.S. Data Privacy Framework. Such an application would be within the period of time allotted for applications to be made — two months from the decision being published in the EU Official Journal.
Actions for annulment are powerful and often more expeditious routes by which parties can seek to strike out EU regulatory instruments. Actions brought by the EU member states, the European Parliament, the Council and the European Commission are always admissible on account of their "privileged" status in EU litigation. Other EU institutions and agencies are "semi-privileged applicants," in that they can bring actions "for the purpose of protecting their prerogatives." Everyone else, including Latombe, is nonprivileged and so need to prove that they have the requisite legal standing to bring a case.
The threshold for standing is high. It has been high since 1963, with the seminal case of Plaumann & Co v. Commission. The doctrine in that case was codified into the Treaty on the Functioning of the EU. In 2013 and was reaffirmed by the CJEU in 2013 in Inuit Tapiriit Kanatami v European Parliament and Council. In Inuit Tapiriit Kanatami, a nonprofit Canadian organization representing over 50,000 Inuit, challenged an EU regulation on seal products. They were denied standing on account of not being "directly and individually concerned" by the measure they sought to annul. It was not enough that the Inuit had concerns and were adversely affected by the measure.
Fast forward to 2016. The EU finalized its adequacy decision for the EU-U.S. Privacy Shield in July 2016. Within the two-month period for lodging an application to annul the decision, not one but two applications were filed with the EU General Court. One was brought by La Quadrature du Net, a French privacy advocacy group. The other by Digital Rights Ireland. Questions were asked in both proceedings as to whether the applicants had "standing" to bring their case. LQdN's case was subsumed by and eventually aborted because of the process and outcome in "Schrems II." (N.b., Schrems II, like with Schrems I manifested via preliminary references from the Irish High Court.)
Digital Rights Ireland had its action declared inadmissible, on account of a lack of standing. In dismissing the action, the General Court clarified that the adequacy decision specifies that the Privacy Shield applied to American organizations in restricting what they could and could not do with EU data. The adequacy decision applied to European controllers transferring personal data to the U.S. only in so far as it authorised them to carry out transfers to American organisations that are covered by the Privacy Shield.
The adequacy decision thus had the effect of entitling the applicant to carry out transfers under certain conditions. It did not restrict its rights or impose obligations on it. Digital Rights Ireland did not have the standing to bring a case in its own right — by virtue of its argument that it owned a mobile phone and computer — nor did it have standing to bring a case on behalf of its members, supporters, or the general public.
So, can one bring an action for annulment of the EU-U.S. Data Privacy Framework, claiming they have standing on account of, for example, making use of U.S. cloud-based email services which requires the transfer of personal data to the United States? Many think not and the past jurisprudence of the CJEU would seem to support that thinking.
Why does any of this matter?
Litigation rules and procedures can have substantive consequences. The procedural track for a case can affect the involvement of interested third parties in that case, including those third parties that might have relevant information to share (e.g., the U.S. government, industry and civil society) as well as the length of time to get a ruling. Direct actions take around 15 months to be processed by the EU General Court, with roughly a year added if there’s an appeal to the CJEU.
Preliminary references which require an applicant to satisfy domestic member states admissibility rules can take many months or years to reach the CJEU. Once a reference has been lodged with the CJEU it takes on average 17.3 months for the CJEU to process.
Amidst all the noise and litigation jockeying — and, undoubtedly, there's more to come — until and unless there's an EU court decision to the contrary, there is an EU adequacy decision in place for the U.S., in the form of the EU-U.S. Data Privacy Framework. The significance of that EU adequacy decision and the DPF framework in place in the U.S. extends beyond transfers of EU personal data to DPF-certified entities. Find out how and why.