Many have recognized that the recent decision by the European Court of Justice (ECJ) on Safe Harbor and the flight of 4,500 companies to model clauses change the balance of power in privacy globally and nationally, but few have recognized the even bigger changes they offer to the balance of power in your life, and the technology doors they open. Yes, the EU is in a more powerful position in its negotiations with the US over “Safe Harbor 2,” and some DPAs might use the focus of the decision — and the clearer focus of the Advocate General’s opinion underlying the decision — on fundamental rights in relation to government surveillance to go after model clauses and binding corporate rules as well. But an unsung power shift in the rush from Safe Harbor to model clauses under intense regulatory and popular scrutiny may be in the power that not only regulated but previously unregulated individuals gain, because the model clauses put so much more clear and direct enforcement power into the hands of individual data subjects, through extraordinarily broad and specific third-party beneficiary rights. For example, consider Clause 3 of the controller-processor model clauses:
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
The fact that very large numbers of companies are now carefully placing such broad and specific powers into the hands of large numbers of individuals should make it easier for those companies to open the platform of rights and processes they now offer Europeans to others who demand those rights and processes, and it opens a door to unprecedented opportunities for customer choice in privacy and data protection, particularly as technology emerges to enable that expansion to individuals. If you like the platform of protections that the clauses afford your data, what is to stop you (as a customer, group of customers or software platform representing the interests of customers) from choosing to do business only with companies that will offer you those protections, as they are now offering those protections to all Europeans? Does it ultimately matter, then, whether the US or your other jurisdiction changes its laws to adopt those protections, as long as the law of your jurisdiction continues to honor contracts? You now have new leverage around a standardized group of rights, because (1) as a practical matter the model clauses cannot be changed, (2) they will now have been adopted not only by the great majority of the 4,500 companies now in Safe Harbor, but by the thousands of companies that had already adopted them, and (3) their implementation will be under close scrutiny by many DPAs examining fundamental rights issues.
This is an environment ripe for standardized software representing consumers, such as the UMA authorization server we wrote to you about a few posts ago, drawing on a standardized, coded set of rights, responsibilities and texts now being developed for companies’ implementation of the model clauses by Jim Hazard and CommonAccord. Because CommonAccord is inherently modular, individual customers could pick, choose and add rights and processes, but a lot of customization would squander the new leverage emphasized by this post. So perhaps the model clauses will become a floor, or perhaps some components of them will turn out to matter less to customers. In any event, the rapid, careful, highly scrutinized move into model clauses offers non-European individual customers a chance to ask for something in the privacy context, rather than just accepting what is given to them by law. And for data controllers, processors and sub-processors, of course, the radical proposal of this post offers an opportunity to escalate the true competition on privacy that has exploded this year, this time through obligations spelled out in precise contract language that has been scrutinized by all relevant actors, including regulators and advocacy groups.