Out-Law News 3 min. read

Legitimacy of model contract clauses for EU-US data transfers to be tested in Irish case


A court in Ireland has begun hearing arguments on whether the EU's highest court should be asked to rule on the validity of model contract clauses as a means for businesses to transfer personal data from the EU to the US.

Ireland's data protection commissioner was expected to ask the High Court in the country to "make a reference" to the Court of Justice of the EU (CJEU) to rule on the issue of validity of the standard clauses.

In a background briefing published on its website about the case, the watchdog said it has concerns that the model contract clauses mechanism for EU-US data transfers fails to provide for individuals' rights to privacy, the protection of their personal data and their rights to effective remedy as required under of the Charter of Fundamental Rights of the EU.

Hearings in the case are expected to last approximately three weeks. Austrian privacy campaigner Max Schrems, social networking giant Facebook and the US government are among those that will submit views on the issue.

Schrems was behind the legal proceedings that led to the EU-US 'Safe Harbour' framework being effectively invalidated by the CJEU in 2015.

The ability to transfer personal data outside the European Economic Area (EEA) is restricted under existing EU data protection laws set out in the Data Protection Directive, and similar restrictions will apply under the General Data Protection Regulation (GDPR) when it takes effect on 25 May 2018.

If 'adequate protections' are put in place for data transfers, or if special derogations apply, such as a data subject's consent has been obtained to the transfer of personal data, then data can flow. Personal data can also be transferred to destinations that the European Commission has pre-approved as providing data protection that is "essentially equivalent" to that on offer in the EU.

Back in 2000, the Commission, on behalf of the EU, negotiated the Safe Harbour framework with US officials to allow personal data to flow from the EU to the US where US businesses had self-certified their compliance with the Safe Harbour privacy principles.

However, following the legal challenge brought by Schrems, the CJEU ruled that the Commission was wrong to determine that the Safe Harbour scheme offered protections essentially equivalent to EU data protection law standards for personal data transferred to the US from the EU. In its decision, the CJEU referenced US authorities' surveillance activities and data access powers as well as the lack of rights EU citizens enjoyed at the time to raise objections over the way their transferred data is handled before the US courts.

A new EU-US Privacy Shield has since been agreed as a replacement for Safe Harbour. EU and US officials have claimed that the framework addresses the failings identified with the Safe Harbour regime, but two separate legal challenges have already been lodged against the Privacy Shield.

Many businesses use model contract clauses, developed by the European Commission, as an alternative means for transferring personal data from the EU to non-EEA countries, including the US, in line with EU data protection law requirements, even more so since the Safe Harbour adequacy decision was invalidated.

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said model contract clauses are popular tools used to enable everyday trans-Atlantic business operations, particularly as some businesses "lack confidence" in the future of the Privacy Shield.

"From what we see in the international data transfers market, model contract clauses are the most popular method used by businesses to send personal data from the EU to the US," Wynn said. "The standard clauses are recognised under the existing EU data protection regime as well as within the new GDPR. Businesses may have to explore alternative means for transferring data to the US if this case before the Irish High Court leads to a ruling that their use for EU-US data transfers does not accord with EU data protection rules."

"The options for businesses could be limited if the validity of the Privacy Shield is successfully challenged. Many of the same concerns regarding the way data is safeguarded in the US, which led to the fall of the Safe Harbour regime, are being raised in relation to the Privacy Shield and the model contract clauses mechanism. It may be that industry codes of conduct or certification schemes, provided for under GDPR, become data transfer tools businesses rely on in the future," she said. 

"The market is also adjusting to the uncertainty over compliant transfers of personal data to the US. Some of the major technology providers enable their customers to store data exclusively within the EEA, and others have even restructured their business in a bid to prevent data stored with subsidiaries operating in Europe from being subject to the US Freedom Act, which replaced the Patriot Act, and other disclosure laws," Wynn said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.