The Safe Harbor Framework, an agreement which thousands of multinational companies used to transfer personal data between the EU and the US without breaching the EU’s strict data protection rules, was invalidated last October by the EU Court of Justice (CJEU) in the Schrems case. Following the collapse of this framework, many business entities entered into standard contractual clauses like Model Clauses and Binding Corporate Rules (BCRs) to effect transatlantic transfers of personal data to the United States.
In an earlier alert, we opined that the CJEU’s rationale for striking down the Safe Harbor Framework – namely, the alleged large scale access to private data enjoyed by U.S. intelligence agencies – seemed at least potentially applicable to Model Clauses and BCRs as well, and warned that companies relying on these mechanisms should expect future legal challenges. It appears that time has come.
Just last week, the Irish Data Protection Commissioner announced its intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to “determine the legal status of data transfers under standard contractual clauses.” This announcement was precipitated by the filing of an amended complaint by Max Schrems, the privacy activist responsible for the collapse of the Safe Harbor Framework, in which he challenged Facebook’s continuing transfer of his personal data. In this complaint, Schrems asserts that Model Clauses, and in particular Facebook’s reliance on these clauses to allow its Irish subsidiary to transfer his personal data to its U.S. parent company, do not provide EU citizens with adequate means to seek relief to the extent required under EU law if a citizen discovers that a U.S. governmental agency has tapped into their data.
Schrems’ challenge also places a renewed focus on the “Privacy Shield” agreement reached by EU agencies and the U.S. government this February. EU privacy laws restrict the export of their citizens’ personal data to those countries which provide an adequate level of privacy protection. EU law considers data privacy protections to be inadequate in the U.S. and thus prohibits the transfer of personal information. The Privacy Shield is intended to address these legal requirements by imposing stronger data protection obligations on U.S. companies in order to align them with EU standards and remedy the deficiencies found by the CJEU in the Safe Harbor framework. The Privacy Shield is scheduled to be voted upon for ratification in June.
However, the Privacy Shield agreement is not without its own obstacles. Several EU privacy groups, including the Article 29 Data Protection Working Party, have criticized aspects of the plan, including the continuing right of the U.S. government to collect or monitor personal information under certain circumstances. Earlier this week, the European Data Protection Supervisor issued an opinion stating, in part, that “the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court.” The supervisor noted that improvements would be needed to address “key data protection principles with particular regard to necessity, proportionality and redress mechanisms.”
While neither of these developments has any immediate effect, they highlight the continuing uncertainty that companies face with respect to personal data transfers from the EU to the U.S. Companies should continue to closely monitor these developments and work with legal counsel to implement contingency measures in the event that either or both of these data transfer frameworks are invalidated by the EU data protection agencies.