Summary: Following the invalidation of Safe Harbor in October many organisations have looked to an alternative separate transfer mechanism known as EU Model Clauses to allow transatlantic data transfers. This mechanism is set to be challenged on the same basis as Safe Harbor, i.e. it does not provide equivalent data protection in the EU. This article looks to explain how this could be debated further following the introduction of Privacy Shield by the US.
In October 2015, the Court of Justice of the European Union (CJEU) invalidated a mechanism called Safe Harbor which was used to validate the transfer of personal data from Europe to America. The case was brought by privacy activist, Max Schrems, against Facebook Ireland. The Schrems ruling led many organisations to look to a separate transfer mechanism, known as EU Model Clauses, to allow transatlantic data transfers. Now that mechanism is also set to be challenged by the Irish Data Protection Regulator who is requesting the Irish Court to refer the validity of that mechanism to the CJEU.
The basis of the challenge is the same - that America does not provide "equivalent protection" to EU data as applies in the EU. In particular, this is based on the assumption that the US Government engages in "mass and indiscriminate" surveillance of data transferred to America. In addition, the criticism is levelled at the Americans that they do not provide sufficient redress to those EU citizens whose data is utilised in this way.
However, it does not follow that the CJEU should reach the same conclusion on this occasion for the following reasons.
Contrary to popular belief, in the Schrems ruling on Safe Harbor, the CJEU did not find that the Americans engage in mass surveillance. The CJEU invalidated Safe Harbor on the basis that the EU Commission had not looked into this sufficiently when setting up this transfer mechanism or subsequently. No-one challenged the underlying assumption that this what the Americans actually do. Since Safe Harbor was abolished the EU Commission and US Government have proposed a new mechanism to replace it called Privacy Shield. As part of that process the US Government has purported to explain what it actually does by way of surveillance. The striking thing about this is that the techniques used to gather and analyse data seem to be no better or worse than those utilised by some countries in the EU. This time the underlying assumption that the American approach is not essentially equivalent to that in the EU (or parts of it) should not go unchallenged.
But what of the issue about EU citizens having equivalent rights to US citizens to challenge what is done with their data? That assumption is also susceptible to challenge following a ruling by the UK Investigatory Powers Tribunal just last week. The IPT decided that with regard to some surveillance undertaken by UK Intelligence Services, anyone other than UK citizens had no right to claim Human Rights violations. This is the "equivalent" criticism levelled at the Americans.
We would expect there to be more of a debate on these issues now that EU Model Clauses are under threat. Not least, this will be driven by the potentially catastrophic impact on transatlantic data flows should EU Model Clauses suffer the same fate as Safe Harbor. Those who criticise the practices adopted by the Americans might expect less of an easy ride this time.