It will probably come as little surprise to anyone in the data protection world but the inevitable has happened – it seems that the Court of justice of the European Union (CJEU) is now going to be asked to consider whether model form clauses provide a valid basis on which to transfer personal data from the EU to the US.
Readers of this blog will recall that last October the CJEU struck down the ‘Safe Harbor’ system under which personal data had been transferred from the EU to US companies that had signed up to treat personal data according to principles that were broadly similar to those that applied under the EU Data Protection Directive.
Safe Harbor had been the subject of a finding of adequacy by the European Commission and the CJEU struck that decision down on the basis that the Commission had not sufficiently considered the wider US legal regime, in particular the sweeping powers of US intelligence agencies to access that data without respecting the Safe Harbor regime. The CJEU ruled that the US system didn’t offer
sufficient safeguards and, thus, was contrary to the rights guaranteed to EU citizens under the EU Charter of Fundamental Rights.
The reaction to the CJEU’s decision was one of (mild) panic. The European Commission and the US Government renewed long running negotiations (but this time with real urgency) to try and agree a new regime that would fill the gap left by Safe Harbor. At the beginning of February, they announced proposals for a new ‘Privacy Shield”’, which the Commission contended remedied the inadequacies of Safe Harbor. Unfortunately, Privacy Shield itself has run into trouble with concerns being expressed by European regulators and others that the regime isn’t good enough.
Meanwhile, the reaction of business to the removal of Safe Harbor was largely to move to model clauses as a basis on which to legitimise US data transfers. Model clause contracts are contracts which are in a form mandated by the European Commission as providing adequate protection to personal data.
This time the protection is contractual – rather than self-regulatory. The basis of challenge seems to be that, in the absence of sufficient legislative or regulatory safeguards for the personal data of EU citizens in the US, the contractual protections afforded by the model clause mechanism are flawed for the same reasons as Safe Harbor. Interestingly, as with Safe Harbor, the complaint has again arisen in the form of a challenge to data flows to the US from Facebook in Ireland and the complainant is one Max Schrems.
Watch this space. Definitely more to follow!