The validity of Model Clauses for EU personal data transfer to the United States is now in real doubt as a result of a new Irish High Court judgment stating that there are “well founded grounds” to find the Model Clauses invalid. The issue of Model Clauses as a legitimate data transfer mechanism will now be adjudicated by the European Court of Justice (ECJ), the same court that previously overturned the Safe Harbor arrangement. EU and US companies will need to consider various strategies in anticipation of this decision.
Background
The case arose from a complaint to the Irish Data Protection Commissioner (DPC) against Facebook Ireland, Ltd. Max Schrems, the complainant in the case, alleged that Facebook Ireland’s data sharing agreement with its US parent, Facebook, Inc., violated his rights under the Charter of Fundamental Rights of the European Union. That data sharing arrangement between the Facebook entities was legitimized by the Model Clauses, which are promulgated by the European Commission and used by companies all over the world to validate the transfer of EU personal data to entities outside of the European Union. The Irish DPC has brought this case in the Irish Courts to allow the ECJ to determine whether the Model Clauses breach applicable European law.
This is not Schrems’ first foray into the international data protection scene. Schrems’ prior complaint against Facebook Ireland resulted in proceedings being brought by the DPC that concluded in the invalidation by the ECJ of the US-EU Safe Harbor program. The ECJ held in 2015 that the Safe Harbor program contravened EU data protection principles safeguarding individual privacy, in large part because transferred data could be accessed on a bulk basis by US intelligence authorities, such as the National Security Agency (NSA). After the demise of Safe Harbor, protracted negotiations between EU and US government agencies resulted in the adoption of the Privacy Shield framework, which included layered remedies for individuals and protections intended to better safeguard individual privacy.
The Decision
The Irish High Court referred the question of the validity of Model Clauses to the ECJ for determination. The specific questions for referral have not yet been formulated, but the judgment hints at them, and they may include:
- Whether a comprehensive adequacy analysis of US laws relating to electronic surveillance on grounds of national security is necessary;
- Whether there are adequate rights of redress for individuals whose data was treated wrongfully; and
- Whether there are proper limitations on remedies where the infringement by intelligence agencies is proportionate, necessary, or needed to protect the rights and freedoms of others.
Next Steps for Companies
After the invalidation of Safe Harbor, Facebook and many other companies switched to Model Clauses to ensure adequate privacy protection of EU data transferred to the United States, both for the intragroup transfer of personal data and for the transfer of personal data with suppliers and customers.
This judgment from the Irish High Court does not invalidate Model Clauses. Model Clauses may still be used to legitimize the transfer of personal data from the European Union to the United States for the present—at least until the ECJ decides the case, which may not be until after the General Data Protection Regulation (GDPR) comes into effect next May.
Many companies are rightly asking what they should do now.
Companies should begin re-evaluating their EU personal data transfer compliance posture now because, if Model Clauses are invalidated, the remaining options will take time to implement. When Safe Harbor was invalidated, switching to or amending Model Clauses was relatively quick and easy. The same will often not be true if Model Clauses are invalidated.
The following are several options:
- Create an inventory of the Model Clauses that you currently use, including the types of data transferred under each agreement. Having a consolidated list of Model Clause agreements will assist should a new version need to be put in place quickly. As part of this process, consider whether any updates should be made in light of the new requirements of the GDPR, which may also affect your data transfer compliance posture. The GDPR will, for the first time, regulate data processors directly, and an effective way for a data processor, whether in the European Union or the United States, to mitigate its liability is through updated contractual terms with its customers.
- Consider whether Privacy Shield may be a viable option for EU to US data transfers. We recommend looking at the Privacy Shield, as it confers a number of advantages over the Model Clauses, as well as a reduced liability profile. Self-certifying under Privacy Shield typically requires greater effort than Model Clauses and has a number of robust implementation components. McDermott can assist with this process using our Privacy Shield Tool Kit. (The Privacy Shield applies only to data transfers from the European Union to the United States. It does not apply to transfers from the European Union to countries other than the United States.) Although the Privacy Shield has recently passed its annual review by the European Commission, there are still concerns that it needs to be updated in order to secure its long-term viability.
- Consider in which cases consent, while frowned upon in some instances, may be supportable and adequate. Again, as part of this process, consider whether any updates to your consents should be made in light of the new requirements of the GDPR.
- Consider whether Binding Corporate Rules may now be an option. These are more difficult to implement than the Privacy Shield; however, they represent best practice in the eyes of many European data protection regulators. They have a statutory basis under the GDPR and a streamlined application process as a result of the GDPR’s simplified approach and “one stop shop” with a sole lead Data Protection Authority.
- Keep an eye on the Schrems II case and developments at the ECJ. We expect there will be further commentary on the validity of Model Clauses from the Article 29 Working Party and various EU Member State Data Protection Authorities.