EU court asked to consider validity of 'model clauses' for facilitating data transfers to the US

Out-Law News | 10 Oct 2017 | 10:08 am | 2 min. read

The EU's highest court is to be asked to determine whether 'model clauses', endorsed by EU policy makers to help facilitate the flow of personal data overseas, offer sufficient protection to EU citizens when their data is transferred to the US.

The High Court in Ireland confirmed its plans in a ruling earlier this week in a long-running case involving the country's data protection authority, Facebook and privacy campaigner Max Schrems. Schrems brought the legal challenge that led to the former EU-US Safe Harbour regime effectively being invalidated by the Court of Justice of the EU (CJEU).

The precise questions that the High Court in Ireland will ask the CJEU to answer on model clauses have not yet been set.

Model clauses are a series of standard contract clauses (SCCs) that the European Commission has developed for businesses to use in cross-border contracts. They set out how personal data should be handled when transferred outside of the EU to 'third countries'. The Commission has previously issued decisions that endorse model clauses as tools providing for adequate protection of personal data when used for data transfers, as is required by EU data protection law.

The use of model clauses has therefore become widespread among international businesses. Many companies have come to rely on their use of model clauses as demonstrating their compliance with EU data protection law requirements on data transfers.

However, following the CJEU's ruling on Safe Harbour, EU data protection authorities began reviewing mechanisms enabling data transfers, including model contract clauses. Their work on that has, to-date, not led to any formal, final opinion being expressed on the validity of those tools for data transfers.

The Safe Harbour scheme, specific for EU-US data transfers, was replaced by the Privacy Shield, which policy makers on both sides of the Atlantic have tried to rally behind in light of the threat of new legal challenges.

Some of the concerns that persist in relation to EU-US data transfers concern the scope of access US intelligence and security agencies have to the data, as well as whether there are sufficient safeguards and oversight and redress procedures in place to mitigate risks in relation to disproportionate surveillance of EU citizens.

In its ruling, the Irish High Court said that it shared concerns expressed by the Irish data protection commissioner (DPC) about whether there are sufficient safeguards in place to ensure adequate protection of EU citizens' data when the information is transferred to the US, given the scope of US surveillance powers.

It said that those concerns are not addressed by the introduction of a new ombudsperson mechanism under the Privacy Shield.

"Neither the introduction of the Privacy Shield ombudsperson mechanism nor the provisions of Article 4 of the SCC decisions eliminate the well founded concerns raised by the DPC in relation to the adequacy of the protection afforded to EU data subjects whose personal data are wrongfully interfered with by the intelligence services of the United States once their personal data has been transferred for processing to the United States," the court said.

The High Court noted the importance of the case to businesses and consumers alike.

"The case raises issues of very major, indeed fundamental, concern to millions of people within the European Union and beyond," it said. "First, it is relevant to the data protection rights of millions of residents of the European Union. Secondly, it has implications for billions of euro worth of trade between the EU and the US and, potentially, the EU and other non-EU countries. It also has potentially extremely significant implications for the safety and security of residents within the European Union."

In a statement, Ireland's DPC Helen Dixon welcomed the court's decision to refer questions regarding model clauses to the CJEU, but that the decision to do so does not mean that model clauses, or the Privacy Shield, have been invalidated.

"Rather, it invites the CJEU to consider whether, under EU law, [model clauses] in their present form can and should be retained as a basis for the transfer of personal data from the EU to the US," she said.

Parties to the case have been invited to make submissions to the High Court to help determine the questions to be referred to the CJEU.