Out-Law News

Model clauses face EU court scrutiny as mechanism for personal data transfers

The standard contractual clauses many businesses use to transfer personal data out of the EU could be scrutinised by the EU's highest court, according to a privacy campaigner.

Ireland's data protection commissioner has asked the country's High Court to refer questions about the use of model clauses to the Court of Justice of the EU (CJEU) in a case that involves a challenge to Facebook's data transfer arrangements by Europe v Facebook.

Ireland's data protection commissioner confirmed that it intends for the CJEU "to determine the legal status of data transfers under standard contractual clauses" as part of the case.

Max Schrems of Europe v Facebook said (2-page / 375KB PDF) that he thinks the CJEU would invalidate model contract clauses as a basis for EU-US data transfers. The CJEU previously invalidated the EU-US Safe Harbor framework for data transfers after highlighting concern about US authorities' surveillance activities.

Schrems said: "This is a very serious issue for the US tech industry and EU-US data flows. As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental rights. I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws."

"All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see how there could be a solution," he said.

EU and US officials have negotiated a new framework to replace the Safe Harbor regime. The Privacy Shield, however, was not endorsed by EU data protection authorities and EU officials have been trying to amend the framework to address their concerns.

With the Safe Harbor framework invalidated and the Privacy Shield not yet set, EU data protection authorities have said that businesses can continue to use other existing data transfer mechanisms, such as model contract clauses or binding corporate rules, to underpin data transfers to the US for now.

However, now it appears that the proposed referral to the CJEU of model contract clauses could threaten their use by businesses in relation to transfers to the US.

"Model clauses are a tool heavily relied on by businesses to facilitate the free flow of data across national borders from the EU and play an important role in international trade," data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said. "Since the EU-US Safe Harbour framework was invalidated last year there has been a reasonable prospect that other mechanisms for facilitating data transfers such as model clauses could be equally at risk, for data transfers to the US, so it is unsurprising that their legitimacy is to be tested before the CJEU."

"For businesses, however, this move represents more uncertainty at a time when data is becoming an increasingly important asset and companies are operating in an increasingly globalised market. Data controllers will be able to rely upon model clauses for transfers to the US until such time as the CJEU declares them invalid. The referral requested to the CJEU must, however, cast further doubt on the draft EU-US Privacy Shield which was intended to provide a new framework for transferring personal data from the EU to the US," he said.

Earlier this week the European Data Protection Supervisor Giovanni Buttarelli said (16-page / 740KB PDF) that the Privacy Shield, as currently drafted, "does not adequately include … all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress".
