Keep up to date with our blog articles, latest news and industry developments. See below for the latest posts or use the category listings to hone your search for stories of interest.
Schrems again? Model clauses under threat
Having already brought down Safe Harbor, Max Schrems is now causing the most attractive alternative for EU-US data transfers be examined by the CJEU
Following the successful invalidation of Safe Harbor by the Court of Justice of the European Union (CJEU) in the Schrems case, companies transferring data from the European Economic Area to the USA have been increasingly reliant on standard contractual clauses (Model Clauses) when transferring data to the United States.
Safe Harbor and Model Clauses are both primarily based on decisions by the European Commission that those arrangements offer sufficient protection, under Articles 25(6) and 26(4) of the Data Protection Directive (95/46/EC) respectively.
The referral to the CJEU that led to the invalidation of the Safe Harbor decision in 2015 was the result of a challenge brought against the Irish Data Protection Commissioner (IDPC) by the privacy campaigner Max Schrems. In light of revelations about US surveillance, the CJEU concluded that the protections offered the Safe Harbor regime for personal data transferred to the US were not “essentially equivalent” to protections in the EEA.
Similar issues of adequacy arise in the context of Model Clauses as approved by the Commission. The EU’s Article 29 Working Party has announced in the light of the first Schrems decision that it is considering whether Model Clauses (and indeed Binding Corporate Rules) can still be used for personal data transfers to the US.
Max Schrems has also complained to the IDPC that Model Clauses do not offer adequate protection for the rights of EU data subjects when their personal data is transferred to the US. The IDPC announced on 25 May 2016:
“We continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”
Mr Schrems said:
“I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see [how] there could be a solution.”
With Safe Harbor gone and its intended replacement, Privacy Shield, looking increasingly uncertain, many companies involved in EU-US data transfers are reliant on Model Clauses. It would be a disruptive and inconvenient result for such businesses commercially if, simultaneously, neither option were available.
Against this backdrop of uncertainty are the ongoing preparations for the General Data Protection Regulation (GDPR) coming into force on 25 May 2018 and the possibility that the Commission could, prior to such date, exercise its powers under the GDPR to amend or replace the existing Model Clauses with new standard contractual clauses that provide greater protection for data transfers outside the EU.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.