A recent decision of the Dutch Court* based on the EAPO Regulation (655/14)

in which the discussion (amongst other issues) concerned the questions whether Wirecard is a ‘Bank’ in the meaning of the EAPO Regulation and if an urgent need for a preservation Order exists under the given circumstances.

Creditor has primarily demanded that the preliminary relief judge withdraw the prejudgment bank attachment, in particular because the conditions or requirements set out in the regulation are not met, since amongst other omissions, the following conditions have not been met in the present bank attachment:

-1 the EAPO-Reg does not apply, because Wirecard, under which a prejudgment attachment has been levied against Creditor, is not a “bank” within the meaning of the Regulation

-2 there is no urgent need for the Preservation Order, as there is no risk that later collection of the claim will be made impossible or seriously hampered

Ad 1) EAPO-Reg not applicable?

Under the EAPO-Reg, there is a “bank” if the requirements of being a credit institution within the meaning of Article 4 (1), under 1 of Regulation (EU) No. 575/2013 on prudential requirements for credit institutions and investment firms (see art. 4 under 2 EAPO-Reg). There must therefore be "an undertaking the business of which consists in taking deposits or other repayable funds from the public and granting credits for its own account".

Creditor states that Wirecard is an internet payment service provider that is comparable to Adyen or Mollie, that it does not attract money from the public and does not grant credit for its own account.

The preliminary relief judge is of the opinion that Creditor has made its assertion insufficiently plausible.

First, Wirecard did not state in its bank statement with regard to the attachment in question that it is not a credit institution within the meaning of the Regulation. She simply stated which monies are in Creditor's account with her. If Wirecard did not regard itself as a “bank” within the meaning of the EAPO-Reg, a different course of action would have been obvious.

Second, Wirecard's website states that it focuses on both private individuals and companies, that it engages in private banking, and that it is a full-service bank.

The preliminary relief judge therefore assumes that Wirecard does meet the requirements of a “bank” within the meaning of the EAPO-Regulation.

The EU-US Privacy Shield agreement that attempts to guarantee the secure transmission of EU data to the United States, has been declared invalid by the European Court of Justice, in a ruling that will provoke major disruption to transatlantic data flows.

The ruling by Europe’s highest court on Thursday (16 July) found that the scope and pervasiveness of the US surveillance framework does not allow for a sufficient degree of protection for European data, putting it at a risk that would violate rights afforded to citizens under the EU’s general data protection regulation (GDPR).

“The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country…are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” the court found, adding that the domestic law in this regard refers to US surveillance programmes.

The ruling is a big win for Austrian Privacy activist Max Schrems, a defendant in the case, who had argued that the Privacy Shield does not provide for adequate protection of EU data.

“I am very happy about the judgment. It seems the Court has followed us in all aspects. This is a total blow to the Irish DPC and Facebook,” a statement from Schrems read on Thursday.

“It is clear that the US will have to seriously change their surveillance laws if US companies want to continue to play a major role on the EU market.”

FISA 702

In this regard, Schrems’ concern was that Section 702 of the US Foreign Intelligence Surveillance Act (FISA), permits the National Security Agency to collect foreign intelligence belonging to non-Americans located outside the US, by way of obtaining their data stored with electronic communications services providers, such as Facebook.

In Thursday’s ruling, the ECJ concurred with this view.

“In respect of certain surveillance programmes, those provisions do not indicate any limitations on the power they confer to implement those programmes or the existence of guarantees for potentially targeted non-US persons,” the court said, highlighting that EU citizens do not have ‘actionable rights’ against US authorities amid such a regime of surveillance.

For Oliver Patel, a research associate at UCL’s European Institute, the ruling on Privacy Shield came as no surprise, following the 2015 decision of the European courts to invalidate the Safe Harbour agreement, the previous framework in place that attempted to ensure adequacy between EU and US data transfers.

In a previous case in 2015, Schrems successfully mounted a legal challenge over the EU’s ‘Safe Harbour’ privacy principles, developed to prevent private companies in the EU or the US from losing or accidentally revealing personal data belonging to citizens.

That year, ECJ Advocate General Yves Bot issued an opinion to the court that stated the Safe Harbour agreement should be rendered invalid, and added that individual data protection authorities could suspend data transfers to other countries should there be evidence of data protection rights being breached.

The ECJ ultimately upheld Bot’s opinion and the Safe Habour agreement was invalidated.

Patel believes Thursday’s ruling confirms what had been obvious all along: the incompatibility of the US surveillance framework with EU privacy protections.

“This now makes it crystal clear how FISA 702 is incompatible with the EU’s charter of fundamental rights,” he told EURACTIV.

“It’s even audacious to think that the Commission could ever have sought to argue otherwise.”