International data transfers - are model clauses now under threat?
05 October 2017
Many of you will remember Max Schrems, the Austrian law student who in 2015 successfully brought a case to the European Court of Justice (“ECJ”) that resulted in the “safe harbor” - the agreement that allowed the transfer of EU citizens’ data to the US - being declared invalid.
Schrems I – not so safe harbor
The ECJ’s judgment meant that data could no longer be transferred to the US under the safe harbor regime and sent the relevant institutions scrambling with frayed tempers into negotiations that resulted in the replacement Privacy Shield regime.
The ruling did not, however, affect the validity of the so-called “model clauses” - standard contractual clauses that have been approved by the European Commission (“EC”). Once entered into, the model clauses guarantee a basic level of protection for data, meaning that it can be legally transferred.
As we commented at the time, the safe harbor had been rejected because of concerns about the potential “mass indiscriminate surveillance” by US agencies over EU citizens and the lack of any adequate redress for those citizens. Conceptually, this was not about the method or vehicle by which data arrived in the US, but what might happen to it once it got there and what EU citizens could do to retain control over their data.
This meant that from the moment that the ECJ articulated its concern as a reason why the harbor was unsafe, model clauses were potentially also susceptible to challenge.
Schrems – the sequel
Mr Schrems has now brought a new case before the Irish High Court resting precisely on this concern. He asserts that if the US government is still taking more of an interest in EU citizens’ personal data than it should, the transfer mechanism - whether safe harbor or model clauses - is irrelevant. The US government would still be processing citizens’ data without their knowledge, so no transfer mechanism could be deemed to be safe.
The Irish court has given permission to ask the ECJ whether transfers outside of the European Economic Area (“EEA”) are adequately protected by the use of model clauses. While the precise wording of the questions to be asked remains unknown, the Court hinted that it may ask whether an analysis of US laws and practices in relation to surveillance is required - and whether the US offers effective remedies for breaches of the model clauses.
Don’t panic but watch this space…
The Irish Data Protection Commission has commented that this development does not invalidate the model clauses or the Privacy Shield or prohibit their continued use. The proceedings are still at an early stage and the next stage will be the formulation of the wording of the questions to be asked of the ECJ.
In the longer term, it may be that the model clauses are struck down. Organisations relying on them would then need to work out a new mechanism for transferring data outside of the EEA.
It also seems likely that, if US conduct in relation to data means that model clauses cannot be relied on, the Privacy Shield will also be struck down. On that point, the US Secretary of Commerce and the EU Commissioner completed their first annual review of the Privacy Shield in September, having investigated how US commitments under it were being met. While the Privacy Shield mechanism was endorsed, the EU Article 29 Working Party has yet to give its opinion.
The risk for the UK will be increased after Brexit. We will hope to be on the “white list” - a list of countries which the EC deems to offer an adequate level of data protection, thereby not requiring a transfer mechanism for the transfer of data to and from the EEA. This is because the UK is implementing the EU General Data Protection Regulation into national law in any event via the Data Protection Bill currently before Parliament.
If, however, the focus turns to what our national security agencies can do, it may be open to the ECJ to look disapprovingly at what may happen to EU citizens’ personal data this side of the channel.
For now, we would recommend that business should carry on as usual and continue to use model clauses for the transfer of data outside of the EEA. This is for want of a better alternative and also because it will be some time before the ECJ makes a determination regarding the adequacy of model clauses. If it ultimately does rule that model clauses are no longer valid, the legal basis for many transfers will need to be reconsidered – although the landscape may look very different by then.