A widely expected legal challenge has been filed by an Irish privacy advocacy group to an EU-U.S. commercial data transfer pact underpinning billions of dollars of trade in digital services just two months after it came into force, sources said.
The EU-U.S. Privacy Shield was agreed earlier this year after the European Union’s highest court struck down the previous Safe Harbour agreement over the transfer of Europeans’ personal data to the United States, on concerns about intrusive U.S. surveillance.
The new agreement gives businesses moving personal data across the Atlantic—from human resources information to people’s browsing histories to hotel bookings—an easy way to do so without falling foul of tough EU data transferral rules.
Digital Rights Ireland has challenged the adoption of the Privacy Shield pact by the EU executive in front of the second-highest EU court, arguing it does not contain adequate privacy protections, several people familiar with the matter said on Wednesday.
The case has been published on the website of the Luxembourg-based General Court—the lower court of the Court of Justice of the European Union (ECJ)—but says only it is an “action for annulment.” The case number is T-670/16.
Digital Rights Ireland declined to comment.
It will be a year or more before the court rules on the case and it could still be declared inadmissible if the court finds the Privacy Shield is not of direct concern to Digital Rights Ireland, two of the people said.
Individuals or companies may challenge EU acts before the EU courts if they are directly concerned within two months of the act coming into force.
Get Data Sheet, Fortune’s technology newsletter.
“We are aware of the application (for annulment),” a spokesman for the European Commission said. “We don’t comment on ongoing court cases. As we have said from the beginning, the Commission is convinced that the Privacy Shield will live up to the requirements set out by the European Court of Justice (ECJ) which has been the basis for the negotiations.”
Revelations three years ago from former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance practices caused political outrage in Europe and have cast cross-border data transfers in a pall of uncertainty.
The Privacy Shield seeks to strengthen the protection of Europeans whose data is moved to U.S. servers by giving EU citizens greater means to seek redress in case of disputes, including through a new privacy ombudsman within the State Department who will deal with complaints from EU citizens about U.S. spying.
An official at the U.S. Department of Commerce—which negotiated the pact for the United States—said they knew a legal challenge was a possibility and were monitoring the challenge brought by Digital Rights Ireland.
“The United States stands behind the Privacy Shield Framework and the critical privacy protections it affords individuals in furtherance of supporting robust transatlantic commerce and is ready to explain our safeguards and limitations if necessary,” the official said.
Companies had to rely on other more cumbersome legal mechanisms in the wake of the ECJ ruling invalidating Safe Harbour, the framework that for 15 years was used by over 4,000 companies for transatlantic data transfers.
More than 500 companies have signed up to the Privacy Shield agreement so far, including Google (GOOGL), Facebook (FB), and Microsoft.
