Model Clauses and the Privacy Shield - Where you Stand
On 12 July 2016, after over two years of negotiations between the EU and the US, the European Commission adopted the Privacy Shield. The Privacy Shield became effective immediately, with companies being able to self-certify with the US Department of Commerce from 1 August last.
In this article we consider the options currently available to companies transferring data outside the EU.
European data protection regulators have been attempting for a number of years to address the issue of protecting its citizens' privacy when data is transferred outside the EU. Agreement was finally reached between the EU and US on 12 July last and the Privacy Shield is now in operation.
The Privacy Shield, though the subject of significant criticism by the Article 29 Working Party ("WP29") and the European Data Protection Supervisor ("EDPS") before its implementation, introduces a number of improvements to the Safe Harbor framework, including the following:
An independent US ombudsman will handle complaints from EU citizens about access to their personal data;
Written assurance from the US Office of the Director of National Intelligence has been given that Europeans' personal data will not be subject to mass surveillance; and
The EU and US will conduct an annual review to check the new system is working properly.
Readers will recall that in April 2016 the WP29 expressed its concern about the Privacy Shield and particularly the possibility of "massive and indiscriminate" bulk collection of EU citizens' data by the US authorities. The WP29's opinion was seen as effectively rejecting the Privacy Shield, with WP29 regulators stating that they were not in a position to confirm that the provisions of the Privacy Shield provided adequate levels of data protection to personal data transferred to the US. Following the publication of the WP29's opinion, a number of amendments were made to the Privacy Shield to take into account their and the EDPS's concerns.
The WP29 ultimately released a statement on 26 July 2016, endorsing the Privacy Shield, but noting that it still had concerns, particularly in relation to the protections around the processing of automated data and the general right to object to processing. The WP29 stated, however, that the EU and US' first joint annual review of the Privacy Shield will be a key point at which the robustness and efficiency of the Privacy Shield can be assessed.
In addition to the Privacy Shield, companies also have the option of using Model Clauses with their US parent companies in order to justify data transfers.
However, there have been concerns that Model Clauses will not withstand a legal challenge as they do not offer suitable redress to EU citizens who feel that their rights have been impinged. The logic is that no contractual clause between parties can adequately protect a data subject if the US (or any state) chooses to 'overreach' in a manner that is contrary to European ideals of privacy.
The ODPC made an application before the Commercial Court of Ireland in May 2016 to have the matter referred to the CJEU to determine the legal status of data transfers under Model Clauses. Subsequently, the Commercial Court heard a number of applications by various third parties to be joined as amicus curiae ("friends of the court") to the case. Four of those third parties, including the US Government were successful in their application. A trial date for the full hearing of the case has been set for 7 February 2017.
Some commentators, including Mr Schrems himself, have concluded that Model Clauses are likely to suffer the same fate as the Safe Harbor framework and be struck down by the CJEU on the basis that they offer inadequate levels of protection in respect of US government monitoring.
In reality however, it is likely to take two to three years before the CJEU determines the fate of Model Clauses. Furthermore, the CJEU ruling, if and when it comes, could have many nuances and is by no means certain to conclude that Model Clauses are invalid for all types of data transfers. The referral could provide an opportunity for the CJEU to specify less demanding criteria that the US surveillance practices and redress mechanisms must meet.
With the Privacy Shield now in operation, companies have another option available to them when it comes to facilitating the transfer of data outside of the EU. However, given the residual criticism of the Privacy Shield as enacted in August, it seems likely that there will be a challenge to it before long.
Companies wishing to avail of the Privacy Shield may do so by registering to be on the Privacy Shield here ("The Privacy Shield List"). It is a self-certification scheme, whereby the company wishing to be on the Privacy Shield List must make an annual submission to the US Department of Commerce that it meets the data protection requirements set out in the Privacy Shield. Companies wishing to transfer data to a US company should always ensure that that company is listed on the Privacy Shield List. If companies self-certify within 2 months of 1 August 2016, they will be given a nine-month grace period to bring existing data transfer arrangements into compliance with the law.
Until the CJEU makes a ruling as to the legality of Model Clauses, they too remain an acceptable method by which to transfer personal data outside of the EU. Practitioners and businesses should however continue to remain alert for future developments.
To read the ODPC's complete statement please click here.
To read the EDPS complete statement please click here.