Legal challenge to model clauses should prompt Privacy Shield extension, says expert

If a legal challenge to model contract clauses is successful then banks, insurers and telcos will need another way to transfer data, but at the moment that could not be the Privacy Shield.

While there is a mechanism for extending the scope of the Privacy Shield, inquiries made by Out-Law.com suggest that there is a lack of will from the US to meet EU demands that would make that happen and that the standards being demanded by the EU may be unnecessarily burdensome.

Banks, insurers and telecoms providers are among the businesses currently precluded from signing up to the Privacy Shield, which became operational in August this year.

The new framework is designed to facilitate the free flow of personal data from the EU to the US in line with the requirements of EU data protection laws. Hundreds of businesses have already self-certified their compliance with the privacy principles that underpin the Privacy Shield, according to a list compiled by the US International Trade Administration.

However, only companies that are subject to the jurisdiction of the US Federal Trade Commission (FTC) or the Department of Transportation (DoT) can sign up to the Privacy Shield. This means many US banks, insurers or telecoms companies are unable to rely on the Privacy Shield for underpinning EU-US data transfers.

This is not a new situation. Financial firms and telecoms companies were similarly unable to sign up to the EU-US Safe Harbour scheme which preceded the Privacy Shield.  

A ruling by the EU's highest court, the Court of Justice of the EU (CJEU), last year effectively invalidated the Safe Harbour framework. It judged that the European Commission was wrong to determine that the Safe Harbour scheme offered protections essentially equivalent to EU data protection law standards for personal data transferred to the US from the EU.

The reduced scope of the Privacy Shield, like the Safe Harbour scheme before it, means that financial firms and telecoms operators that wish to transfer personal data across the Atlantic have to rely on alternative mechanisms for data transfers, such as European Commission-approved model contract clauses, which are ad hoc clauses previously approved by a relevant EU data protection authority, and binding corporate rules (BCRs).

However, the future legitimacy of model contract clauses, and BCRs, is unclear.

EU data protection authorities reviewed the data transfer tools in light of the CJEU's Safe Harbour ruling. Media reports earlier this year suggested some of the watchdogs wanted to prevent companies relying on model contract clauses and BCRs altogether given the CJEU's reflections on US mass surveillance in its judgment. However, the data watchdogs, under the umbrella grouping of the Article 29 Working Party, since deferred a decision on the future of alternative data transfer tools given the agreement reached on the Privacy Shield.

In a statement the Working Party said that whilst it retains some concerns about the Privacy Shield it was prepared to give the framework a year to operate before it would consider any challenge to organisations' data transfers undertaken in line with the Privacy Shield regime.

The overhanging threat of a legal challenge to the Privacy Shield has prompted some companies to adopt a 'belt and braces' approach to compliance. Amazon, for example, said in August that it would put in place data processing contract clauses approved by EU data protection authorities to help underpin the data transfers they facilitate on behalf of customers under the Privacy Shield.

However, against the backdrop of comments made about the Privacy Shield and alternative data transfer frameworks by EU data protection authorities is an ongoing legal dispute in Ireland that also threatens the long-term viability of model contract clauses.

The case relates to a challenge brought by Austrian privacy campaigner Max Schrems against Facebook's use of model contract clauses as a legal basis for the transfer of data from its Irish office to the US. It was Schrems' legal challenge which eventually led to the downfall of the Safe Harbour scheme.

Schrems challenged Facebook's use of model clauses in a complaint filed to Ireland's data protection commissioner. According to the Irish watchdog's provisional view of the case, Schrems' complaint is "well founded". However, the watchdog has asked the High Court in Ireland to issue a determination on the validity of model clauses. The High Court is considering whether to refer the question to the CJEU and has set a date of 7 February 2017 for the beginning of hearings on whether it should proceed with that plan.

The US government is among the parties that will make representations to the court as part of the case.

If model clauses are invalidated it will threaten data flows that support trade and the health of the European economy. Banks, insurers and telcos would be among many US businesses whose ability to carry out everyday business operations would be made more challenging and costly.

As it stands currently, though, banks, insurers and telcos would be unable to turn to Privacy Shield self-certification as a route to continue transatlantic data flows given the limited scope of the scheme.

Leaders in the EU and US therefore need to address the legal risks to both the Privacy Shield and model clauses proactively before data flows and trade grind to a halt. It requires further reassurances from US authorities on data access rights and complaints handling under the Privacy Shield and for the scope of the scheme to be broadened to allow more organisations to sign-up.

Out-Law.com asked both the European Commission and US Department of Commerce (DoC) to explain why the scope of the Privacy Shield, like the Safe Harbour scheme before it, is restricted.

The DoC said: "The scope of Privacy Shield is a continuation of the scope of Safe Harbour. When Safe Harbour was developed, the intent was to launch the program with the broad scope provided by the FTC and expand as needed. The Safe Harbour principles themselves reflect this approach, providing that there could be additional enforcement authorities recognised by the EU and included in the program."

"In developing the Privacy Shield, we have taken the same approach and expansion to other sectors is contemplated. However, our immediate focus in our consultations with the European Commission was to ensure that the Privacy Shield covered those sectors that had previously been covered by Safe Harbour. Now that Privacy Shield is in place, we will continue to look at ways to expand coverage of the program with other agencies in the US government, industry, and our partners in the EU," it said.

The European Commission's response also points to potential expansion of the Privacy Shield scope, but hints that it has yet to be satisfied that other US regulators will oversee compliance with the scheme to an appropriate standard.

The Commission said: "In November 2013 the Commission identified deficiencies in the functioning of Safe Harbour framework (which were later confirmed by the Court of Justice which annulled the Safe Harbour decision). The Commission issued 13 recommendations focused on ensuring greater transparency, redress, enforcement, and addressing concerns around government access to data. It was decided to give priority to these questions, rather than the possibility of widening its scope. Therefore, the Privacy Shield has the same sectoral scope as the Safe Harbour framework."

Pressed further, the Commission added: "The scope of application of the Safe Harbour, like its successor the Privacy Shield, was originally related to the broad scope of enforcement provided by the Federal Trade Commission (FTC) and the Department of Transportation (DOT). The former Safe Harbour and so far the current Privacy Shield contain commitments to enforce the framework only from the FTC and the DOT."

"Nevertheless, in agreement between the Commission and the Department of Commerce, the scope of the framework could always be expanded as necessary to include other sectors such as the financial or telco sectors together with the possibility for the Commission to recognise their relevant enforcement authorities as long as they commit to enforcing the framework," it said.

The responses received suggest that there needs to be a greater political will from the US government to equip financial regulators and other sectoral authorities with the tools they need to enforce compliance under the Privacy Shield.

At the same time the Commission needs to be pragmatic about the standards it demands of US authorities given the legal risks to EU-US data flows and the business case for trade to continue smoothly.

Annabelle Richard is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.