There was a new and potentially significant development this week in the Irish courts that could mark the start of a fundamental change in the field of privacy law and the transfer of personal data from the European Union to the United States. The "model clauses," which are a widely used European Commission-sanctioned method for lawfully transferring personal data outside the EU, may be on the chopping block.
Readers will likely remember the 2015 case of Austrian law student Max Schrems against Facebook, in which Mr. Schrems filed a complaint that successfully led to the downfall of the US-EU Safe Harbor scheme that had provided a legal basis for data transfers from the EU to the United States. (Read more in Katten's advisory "The Court of Justice of the European Union Sinks the Safe Harbor Program.") The Safe Harbor has since been replaced by the EU-U.S. Privacy Shield (the "Privacy Shield"), which includes ostensibly stronger privacy protections. (For more information on the Privacy Shield, please read Katten's advisory, "U.S., EU Launch 'Privacy Shield' Data Transfer Framework, Certification to Begin August 1.")
In this latest development, an Irish court has referred another case brought by Mr. Schrems against Facebook to the EU's top court, the Court of Justice of the European Union (the CJEU), to determine whether the standard (i.e., "model") contractual clauses drafted by the EU to provide an "adequate" level of protection when companies transfer personal data outside the EU ("model clauses") are compliant with the EU's laws on privacy.
By way of background, there are four main ways in which businesses can lawfully transfer personal data from the EU to the United States. (Three of these also apply to transfers to other countries that have not been determined to provide an adequate level of protection.) These methods include:
- obtaining appropriate data subject (individual) consent to do so;
- for transfers to the United States only, the US company complies with the requirements of the Privacy Shield;
- the corporate group puts in place a set of "binding corporate rules" which apply to the intra-group transfer of personal data; or
- the relevant entities sign up to contracts containing the model clauses.
Mr. Schrems argues that the model clauses do not adequately safeguard EU privacy standards when transferring personal data to the United States because of the US government's extensive powers of surveillance. In relation to the referral to the CJEU, the Irish Information Commissioner was keen to emphasize that this does not mean that model clauses, or the Privacy Shield, are invalid, or that businesses must immediately stop transferring personal data out of the EU. The referral, however, gives the CJEU the opportunity to review the validity of the model clauses and determine whether or not they can be retained in their current form. EU companies that rely upon model contracts to transfer personal data outside the European Union to jurisdictions which have not been determined by the European Commission as having an adequate level of protection may face particular challenges. If the CJEU determines that the model clauses do not comply with the EU's laws, then those businesses will need to rely on some other option in order to transfer the data lawfully, and alternative transfer options may be difficult to find.