The American Government is seeking to intervene in the challenge brought by privacy activist Max Schrems to the validity of EU Model Clauses – the mechanism that many organisations switched to as a means to allow transatlantic data transfers following the invalidation of Safe Harbor in October 2015. In our blog, Model Clauses under threat - or are they?, we predicted that there would be more of a fight over Model Clauses than occurred with Safe Harbor. The stage now seems set for a debate about the extent of US Surveillance activities and how they compare with European practices and protections.
To re-cap, in October 2015, the Court of Justice of the European Union (CJEU) invalidated Safe Harbor. This had been used as a gateway for the previous fifteen years for the transfer of personal data from the EU to America. The case was brought by privacy activist, Max Schrems, against Facebook Ireland and the Irish Data Protection Commissioner. The CJEU decided that the EU Commission had not properly considered the protections offered to EU data when transferred to America and accordingly abolished the Safe Harbor mechanism. The Schrems ruling led many organisations to turn to Model Clauses as an alternative transfer mechanism. Last month, Schrems launched a challenge to that mechanism as well, essentially on the same grounds as the Safe Harbor case.
The first administrative hearing regarding that new challenge has now taken place in Dublin. At the hearing the US Government was represented by a lawyer who asked for permission to join it into the proceedings. The US Government now has until next Wednesday (22 June 2016) to file a formal request.
We suspect that the US Government’s case will be based on the points which have been raised in support of the proposed replacement for Safe Harbor, called Privacy Shield. Annexed to the EU Commission’s draft Decision on Privacy Shield are explanations of what the Americans do by way of collecting and analysing personal data. If accurate, it is difficult to see how their practices materially differ from the practices and protections adopted in many EU States. Hence, we suspect the US Government will say its practices are broadly equivalent to those in the EU and therefore Decisions allowing data transfers cannot be attacked on that basis.
Schrems is reported to have said that this is an opportunity to cross-examine the US authorities. Whilst there might be some scope to do so, we suspect that national security issues will be raised to avoid questioning which is too granular.
In addition to the US Government, three other groups – The American Chamber of Commerce, Business Software Alliance and the Irish Business and Employers Confederation – have also asked to join the new proceedings. The fact that the US Government and three other organisations wish to be involved highlights the importance of the case. Companies that rely on Model Clauses are concerned about what might happen if they suffer the same fate as Safe Harbor.
We expect a long drawn out debate on these issues. Meanwhile, Model Clauses continue to be valid.