Will the European Commission’s model clauses stand up to scrutiny?

The inevitable has happened. In light of the issues highlighted by the European Court in its Schrems v. Facebook ruling in October last year (explained in our blog), the Irish Data Protection Commissioner has reportedly referred the use of the European Commission’s (EC) model clauses to the European Court of Justice (ECJ) for a determination as to whether they stand up to scrutiny.

Previously, large multinationals had their US entity sign up ‘Safe Harbor‘. This agreement seemed to worked until the ECJ ruled that it did not: following the Snowden revelations, it became evident that the formerly unknown National Security Agency (NSA) could access all personal data in the US. This meant that even if a company signed up to Safe Harbor, it could not guarantee the European Data Controller or the data subject that their data was given adequate protection.

In response the Data Protection Directive’s requirement that personal data only be transferred outside of the European Economic Area (EEA) if one of a small number of conditions are met, the European Commission identified model clauses for the transfer of personal data  to an entity – often in its group of companies – outside of the EEA that offered adequate safeguards. These have, for many years, been an easy route through which an EU based entity could transfer personal data.

Shortly after the Schrems v Facebook ECJ decision, the various European data protection regulators decided that the model clause contracts were the way forward, pending a bigger solution. (The proposed solution is currently going through the system, under the ‘Privacy Shield’ name.) But surely no-one really thought that the NSA would happily ignore the Safe Harbor promises of a US data importer, yet refuse to have a look behind the very same entity’s contractual promise, even on the EC’s model clause terms?

This is the reality that the Irish commissioner has woken up to: the EC’s model clauses give data subjects no more protection than Safe Harbor did, which is why, I believe, the ECJ will also rule against the efficacy of the model clauses. And so it is back to the drawing board, with no real solution in sight. How to ensure data privacy in the transfer of data outside the EEA is a complex and difficult question, evidenced by the fact that the recently adopted General Data Protection Regulation (GDPR) did not fully address it. As a result, international firms face indefinite uncertainty