Europe: International data transfers – are model clauses now under threat?

Max Schrems, an Austrian law student successfully brought a case to the European Court of Justice in 2015 that resulted in the “safe harbour” – an agreement that allowed the transfer of EU citizens’ data to the US – being declared invalid. Since then, transfers outside the EU have largely been conducted based on previously approved ‘model clauses’. But Mr Schrems has now brought a case to the Irish High Court questioning the adequacy of those clauses and the Court has been given approval to ask the European Court of Justice whether transfers based on them are adequately protected.

Schrems I – not so safe harbour

The European Court of Justice’s judgment meant that data could no longer be transferred to the US under the safe harbour regime and sent the relevant institutions scrambling with frayed tempers into negotiations that resulted in the replacement Privacy Shield regime.

The ruling did not, however, affect the validity of the so-called “model clauses,” standard contractual clauses that have been approved by the European Commission. Once entered into, the model clauses guarantee a basic level of protection for data, meaning that it can be legally transferred.

As we commented at the time, the safe harbour had been rejected because of concerns about the potential mass indiscriminate surveillance by US agencies over EU citizens and the lack of any adequate redress for those citizens. Conceptually, this was not about the method or vehicle by which data arrived in the US, but what might happen to it once it got there and what EU citizens could do to retain control over their data.

This meant that from the moment that the European Court of Justice articulated its concern as a reason why the harbour was unsafe, model clauses were potentially also susceptible to challenge.

Schrems – the sequel

Mr Schrems has now brought a new case before the Irish High Court resting precisely on this concern. He asserts that if the US government is still taking more of an interest in EU citizens’ personal data than it should, the transfer mechanism, whether safe harbour or model clauses, is irrelevant. The US government would still be processing citizens’ data without their knowledge, so no transfer mechanism could be deemed to be safe.

The Irish court has given permission to ask the European Court of Justice whether transfers outside of the European Economic Area are adequately protected by the use of model clauses. While the precise wording of the questions to be asked remains unknown, the Court hinted that it may ask whether an analysis of US laws and practices in relation to surveillance is required – and whether the US offers effective remedies for breaches of the model clauses.

Don’t panic but watch this space…

The Irish Data Protection Commission has commented that this development does not invalidate the model clauses or the Privacy Shield or prohibit their continued use. The proceedings are still at an early stage and the next stage will be the formulation of the wording of the questions to be asked of the European Court of Justice.

In the longer term, it may be that the model clauses are struck down. Organisations relying on them would then need to work out a new mechanism for transferring data outside of the European Economic Area.

It also seems likely that, if US conduct in relation to data means that model clauses cannot be relied on, the Privacy Shield will also be struck down. On that point, the US Secretary of Commerce and the EU Commissioner completed their first annual review of the Privacy Shield in September, having investigated how US commitments under it were being met. While the Privacy Shield mechanism was endorsed, the EU Article 29 Working Party has yet to give its opinion.

The risk for the UK will be increased after Brexit. We will hope to be on the “white list” – a list of countries which the European Commission deems to offer an adequate level of data protection, thereby not requiring a transfer mechanism for the transfer of data to and from the European Economic Area. This is because the UK is implementing the EU General Data Protection Regulation into national law in any event via the Data Protection Bill currently before Parliament.

If, however, the focus turns to what our national security agencies can do, it may be open to the European Court of Justice to look disapprovingly at what may happen to EU citizens’ personal data this side of the channel.

For now, we would recommend that business should carry on as usual and continue to use model clauses for the transfer of data outside of the European Economic Area. This is for want of a better alternative and also because it will be some time before the European Court of Justice makes a determination regarding the adequacy of model clauses. If it ultimately does rule that model clauses are no longer valid, the legal basis for many transfers will need to be reconsidered – although the landscape may look very different by then.