Model clauses for EU-US data transfers under threat in latest Schrems challenge
24 July 2019
The privacy activist and student, Max Schrems, who started the litigation which ultimately led to the collapse of Safe Harbor, is pursuing a new challenge to the validity of model clauses. The case could have significant ramifications for EU-US data transfers, and also for UK-EU data transfers after Brexit.
The original Schrems litigation and the end of Safe Harbor
A case brought by Max Schrems, an Austrian law student, reached the European Court of Justice (“ECJ”) and in 2015 resulted in “Safe Harbor” - one of the mechanisms that allowed the transfer of EU citizens’ personal data to the US - being declared invalid. That case led to frantic negotiations between the European Commission (“EC”) and the US Department of Commerce which resulted in a new framework to replace Safe Harbor called “Privacy Shield”.
Safe Harbor was rejected largely because of the ECJ’s concerns about the potential “mass indiscriminate surveillance” of EU citizens’ personal data by US agencies (such as the National Security Agency), prompted by the Wikileaks and Edward Snowden revelations.
The ECJ’s concerns were not about the way in which EU citizens’ personal data was transferred, but about what might happen to the personal data once it got to the US and what EU citizens could do to retain control over their personal data, given the evidence of the apparent extent of US surveillance.
To address these concerns, the EC and US speedily agreed the Privacy Shield, improving data protection practices and giving more rights of redress to EU data subjects. Crucially, however, nothing was changed in terms of US intelligence agency practices.
The latest Schrems litigation and challenge to model clauses
Instead of signing up to Privacy Shield, transferring entities can enter into so-called “model clauses” - standard contractual clauses that have been approved by the EC. Model clauses are another way of trying to ensure that personal data remains protected on transfer to the US (i.e. treated broadly to the same standard as when in the EU) and that EU data subjects have some means of redress. Model clauses guarantee a basic level of personal data protection between the contracting parties.
However, Schrems has launched a new claim in the Irish courts challenging the validity of model clauses, and the Irish High Court has referred the case to the ECJ for a decision. The ECJ hearing took place on 9 July and a full decision is expected by 2020.
What if model clauses are struck down?
All the same issues regarding potential “mass indiscriminate surveillance” of EU citizens’ personal data by US agencies are still present with model clauses. If the ECJ assumes that US agencies continue to routinely monitor EU citizens’ personal data, it could therefore strike down model clauses as well.
If the ECJ rejects model clauses because of the treatment of personal data in the US, rather than the mechanism for transferring the personal data to the US, then Privacy Shield would logically also have to be regarded as invalidated.
Some commentators are suggesting that binding corporate rules (“BCRs”) may be a useful alternative basis for transferring personal data to the US. BCRs are used by companies transferring personal data within the same corporate group, and set out the ways in which the group as a whole ensures the protection of EU data subjects’ personal data. However, for most organisations, BCRs will be too expensive to adopt (as extensive provisions need to be drafted and then sent for approval to regulators), and in any event, they do not solve the conundrum that it is the country the personal data is being sent to that is the problem rather than the transfer mechanism. BCRs do not stop surveillance in the US, or any other country for that matter.
If the latest Schrems challenge succeeds, it must also surely call into question the validity of the EC’s various adequacy decisions, i.e. decisions that particular countries have an adequate system of data protection so that personal data can be transferred from the EU to that country without additional protection. For instance, Israel, Canada and New Zealand have adequacy decisions but all have significant intelligence service surveillance.
Schrems’s lawyer made the following point at the hearing: “When data is transferred to Facebook in the U.S., this high level of protection is undermined by certain U.S. laws, and that is true of any transfer mechanisms, whether standard contractual clauses, Privacy Shield or any other contractual arrangement. U.S. law requires Facebook to assist the U.S. in surveillance of non-U.S. persons”.
If the Schrems challenge succeeds, businesses may therefore be faced with the difficult decision of whether to silo personal data and prevent data flows to the US, or to transfer the personal data in breach.
A more practical and real world approach?
At the heart of this debate is the extent to which citizens’ personal data should be processed by government agencies. One option would be for the EU to demand that the US reduce the level of personal data processing carried out by its agencies, or at least adopt more oversight of it. However, this is unrealistic. Another, more practical, option would be for the ECJ to conclude that the US agencies’ processing is actually legitimate and proportionate, and that model clauses can therefore continue to work as an effective transfer mechanism. Indeed, many EEA governments also engage in extensive processing of personal data, so this would be a real world approach for the ECJ to take.
What does this mean for the UK and its hope of an adequacy decision post-Brexit?
Following Brexit (whether in a “no deal” scenario or under the terms of an agreement) the UK will seek an adequacy decision from the EC. However, the main concern about what could prevent the EC from granting an adequacy decision is similar to Schrems’s concern over “mass indiscriminate surveillance”, namely the breadth of the UK’s Investigatory Powers Act and the question of whether the UK security services and police forces can look too easily at our personal data.
We would hope that the UK’s thorough data protection regime, its well-respected and well-resourced supervisory authority, and its role as a signatory of the Council of Europe’s Convention 108 on data protection would be taken into account. Adherence to this Convention is specifically mentioned in the recitals to the GDPR as having an impact on whether a third country is judged adequate.
The UK also has a body of over seventy people, headed by the Investigatory Powers Commissioner, whose sole purpose is to oversee the use of the Investigatory Powers Act by the security agencies. So, whilst there are no guarantees, we think it unlikely that the UK would be refused an adequacy decision after its withdrawal from the EU.
Having said that, however, the notion of what is adequate could change as a result of the ECJ’s ruling in the latest Schrems case. The future for personal data flows out of the UK now looks even more uncertain.
Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18).