The transfer of personal data from the EU to the US is continuing to come under attack in the EU, with Model Clauses now in the regulatory crosshairs. Consequently, organisations that do business on both sides of the Atlantic are facing an increasingly uncertain future.
Several recent developments have emphasised that the ability of businesses to transfer personal data from the EU to the US is under serious threat:
- Most of these developments have focussed on the EU-US Privacy Shield (the "Privacy Shield") deal currently being negotiated between the European Commission (the "Commission") and the US government.
- However, Ireland’s Data Protection Authority (the "Irish DPA") has now challenged the legality of Model Clauses, in a case likely to be referred to the Court of Justice of the European Union ("CJEU").
The outlook for businesses that transfer personal data from the EU to the US is bleak. If the Privacy Shield cannot be agreed, and if Model Clauses are declared unlawful, it will become exceedingly difficult for businesses to lawfully carry out such transfers. Consequently, this is an issue to which all such businesses should currently be paying attention.
EU data protection law prohibits the transfer of personal data from the EU to countries outside the European Economic Area ("EEA") (such as the US) unless the European Commission has determined that the country in question provides an adequate level of data protection, or there is a mechanism to ensure an adequate level of protection in the importing country. Between 2000 and 2015, personal data could lawfully be transferred from the EU to US businesses that were certified to the US-EU Safe Harbor, on the basis that the Commission had issued an ‘Adequacy Decision’ declaring that Safe Harbor satisfied the requirements of EU data protection law in relation to such transfers to the US. However, in October 2015, the CJEU ruled that the Commission’s Adequacy Decision regarding Safe Harbor was invalid.
Over 4,000 businesses that had been relying on Safe Harbor have been left in limbo for the last six months, with the threat of enforcement from EU Data Protection Authorities ("DPAs") hanging over them. Further, despite subsequent assurances from some DPAs (see below), the CJEU’s judgment has cast a shadow over the lawfulness of other mechanisms for transferring personal data from the EU to the US (such as Model Clauses), because the arguments made by the CJEU, in finding that Safe Harbor no longer provides an adequate level of protection for such transfers, could equally be applied to those other transfer mechanisms.
In addition, as we previously reported, different DPAs have interpreted the CJEU’s decision differently, adopting their own approaches to enforcement, leaving businesses facing inconsistent levels of risk across the EU.
On 2 February 2016, the Commission and the US government announced a provisional agreement on a replacement for Safe Harbor: the Privacy Shield. The Privacy Shield needs to be formally ratified under an Adequacy Decision from the Commission before it can become a lawful data transfer mechanism. The Commission draft Adequacy Decision was published on 29 February 2016, but since then has come under attack on several fronts, as set out below.
Model Clauses called into question
The Article 29 Working Party ("WP29" – an EU advisory body made up of representatives from EU DPAs and the European Data Protection Supervisor) had indicated that Model Clauses are a valid alternative for carrying out transfers of personal data from Europe to the US. However, on 25 May 2016, the Irish DPA confirmed that it will ask the Irish High Court to refer a question to the CJEU on the validity and legal status of Model Clauses. The question is understood to relate to whether transfers of personal data from the EU to the US pursuant to the Model Clauses provide adequate protection for Europeans against US government surveillance (i.e., the same concern noted by the CJEU in relation to Safe Harbor).
Given these court proceedings (and the fact that other DPAs, notably in Germany, have also been critical of Model Clauses), the validity of the Model Clauses for transfers of personal data from Europe to the US now seems uncertain. This is an issue that potentially impacts thousands of businesses currently transferring personal data to the US under Model Clauses.
The main reason for attacking the validity of the Model Clauses is the fact that the shortfalls of the Safe Harbor Principles apply equally to Model Clauses. Safe Harbor could not effectively protect against access by US government authorities (e.g., the NSA) to personal data, and Model Clauses also do not provide such protection. Safe Harbor could not ensure that a data subject is able to seek judicial remedies against access by national authorities to personal data and Model Clauses also cannot offer such remedies.
Interestingly, the focus has been on access to personal data by national authorities in the US (a democratic country that has admitted to giving national authorities access to personal data under certain circumstances) whereas less democratic countries, with weaker controls over their national authorities, have so far escaped censure.
Privacy Shield proposals under fire
At the same time, the Commission’s draft Adequacy Decision for the Privacy Shield is under attack on several fronts. The WP29 released an Opinion in which it criticised the Commission’s proposal and recommended a number of changes to the Privacy Shield. The WP29 cited "strong concerns" about the level of protection afforded to personal data under the Privacy Shield, and advised that businesses that were still relying on Safe Harbor should promptly implement other safeguards, such as Model Clauses or Binding Corporate Rules. However, the legal status of Model Clauses is now also being thrown into doubt (see above).
On 26 May 2016, the European Parliament (the "Parliament") voted on a non-binding Resolution, passed by a majority of almost 400, to remedy "deficiencies" in the Privacy Shield. Like the WP29 Opinion, the Parliament’s resolution is not legally binding, and the Commission could theoretically ignore it. However, the Parliament’s Resolution ratchets up the political pressure on the Commission to address perceived failings in the Privacy Shield, which include:
- access by US authorities to personal data transferred under the Privacy Shield, which the Parliament considers to be a major sticking point;
- the possibility of bulk data collection in the US, which the Parliament believes does not meet the EU criteria of "necessity" and "proportionality";
- the proposed US Ombudsperson mechanism, to be implemented under the Privacy Shield, which the Parliament considers to be neither "sufficiently independent", nor "vested with adequate powers to effectively exercise and enforce its duty"; and
- the complexity of the redress mechanism under the Privacy Shield, which the Parliament believes should be made more "user-friendly and effective".
Finally, the European Data Protection Supervisor (the "EDPS") – the body tasked with overseeing compliance with EU data protection law by the EU institutions – issued its Opinion on the draft Adequacy Decision, concluding that "as currently formulated" the Privacy Shield "does not adequately include … all appropriate safeguards to protect the EU rights of the individual to privacy and data protection … with regard to judicial redress" and that "[s]ignificant improvements are needed should the European Commission wish to adopt an adequacy decision". In particular, the EDPS is concerned that the benchmark for access by US national authorities to personal data transferred from Europe to the US under Privacy Shield should be an EU standard, rather than "legitimising routine access to transferred data by US authorities on the basis of criteria having a legal basis in the recipient country, but not as such in the EU".
Following the CJEU’s decision in October 2015 to invalidate the Commission’s Safe Harbor Adequacy Decision, Model Clauses have been one of the few alternative mechanisms open to businesses for transferring personal data from the EU to the US, while they wait for the Privacy Shield to be finalised. However, this alternative mechanism is now under threat as well.
The Commission had been aiming to finalise its Adequacy Decision on the Privacy Shield in June, but the unfavourable Opinions of the WP29, the Parliament and the EDPS may result in significant delays. Both options open to the Commission are unpalatable. If the Commission issues an Adequacy Decision in favour of the Privacy Shield in its current form, various privacy activists have already threatened to challenge that Adequacy Decision through the courts. On the other hand, if the Commission seeks further concessions from the US government on the issues raised by the WP29, the Parliament and the EDPS, the negotiations will effectively be re-opened, with no immediate resolution in sight.
The present state of uncertainty looks set to continue for the foreseeable future. Businesses should prepare themselves for the fact that final resolution of this issue may not be achieved for several months. During this period, businesses should stay alert to developments in this area, as any adverse court ruling could require a complete overhaul of data transfer mechanisms. If the Model Clauses are invalidated by the CJEU, the ability of businesses to transfer data from Europe to the US will be placed in further jeopardy, and not only the transatlantic economic relationship but even the global economy may suffer material setbacks as a result.