The Court of Justice of the EU (CJEU) is being asked 11 questions by the High Court in Ireland that could lead to it preventing businesses from relying on 'model clauses' to transfer personal data from the EU to 'third' countries, against what is provided for in EU data protection law.
The questions posed by the Irish court stem from an underlying investigation by the country's data protection authority into whether the use of model clauses to facilitate EU-US data transfers ensures compliance with EU data protection laws.
However, the case now before the CJEU has the potential to have an impact far beyond EU-US data transfers and goes to the heart of provisions laid out in the existing EU Data Protection Directive and the new General Data Protection Regulation (GDPR) that will replace it next month.
EU data protection law says that personal data can only be transferred outside of the EEA if it is protected as well there as it is within the EU. At the moment, there are a number of mechanisms in place to achieve that. These include where the European Commission has designated the non-EEA destination country as having adequate data protection, or where businesses put in place 'binding corporate rules', agreed with regulators, to govern intra-group data transfers to non-EEA countries.
The use of European Commission-provided 'model clauses' is a further option.
Model clauses are a series of standard contract clauses (SCCs) that the European Commission has developed for use in cross-border contracts. They set out how personal data should be handled when transferred outside of the EU to 'third countries'. The Commission has previously issued decisions that endorse model clauses as tools providing for adequate protection of personal data when used for data transfers, as is required by EU data protection law.
The use of model clauses has therefore become widespread among international businesses. Many companies have come to rely on their use of model clauses as demonstrating their compliance with EU data protection law requirements on data transfers.
The questions the CJEU has been asked
A central question that the CJEU has been asked to answer is whether a European Commission decision to endorse model clauses as providing for 'adequacy' violates the EU's Charter of Fundamental Rights.
The High Court in Ireland has asked, specifically, whether Charter provisions that provide for individuals' rights to respect for his or her private and family life, home and communications; the protection of their personal data; and/or their rights to an effective remedy and to a fair trial, are violated by the decision.
The High Court's additional 10 questions will serve to inform how the CJEU answers that central question.
From those questions the CJEU could clarify a number of issues, including whether US authorities can be considered, for the purposes of EU law, to be engaged in mass indiscriminate processing of data; where there is processing of personal data for national security purposes in the US or other third countries, whether EU privacy and data protection rules should apply; what the relevant factors are to be considered as part of an adequacy assessment; and whether a Commission decision that approved the EU-US Privacy Shield constitutes a general finding that the US ensures an adequate level of protection and has all the safeguards it needs to have to meet the EU's adequacy requirements.
The Privacy Shield is already subject to separate legal challenge, and EU data protection authorities have also threatened to raise their own legal challenge against the framework.
The intention of EU data protection law
Existing rules governing the transfer of personal data to third countries are set out in Articles 25 and 26 of the EU's Data Protection Directive.
The rules in Article 25 require that data transfers only be transferred to third countries where "an adequate level of protection" exists, and sets out factors to be taken into account when determining "the adequacy of the level of protection afforded by a third country".
According to those rules, adequacy should be assessed "in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations".
As part of that assessment, the Directive states that "particular consideration" should be given to "the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country".
While Article 25 states that steps should be taken to stop data transfers to third countries where adequate protection is not in place, Article 26 sets out derogations that can apply.
Derogations include where a data transfer is necessary for at least one of a number of set reasons, including, among other grounds, the performance of a contract, to meet legal requirements, or to protect the vital interests of the data subject.
Notwithstanding those set derogations, Article 26 also provides for data transfers to third countries that do not ensure an adequate level of protection "where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights". Those safeguards could result from "appropriate contractual clauses", it states.
Article 26 also empowers the European Commission to determine that "certain standard contractual clauses offer sufficient safeguards" in this respect. Since the 1995 Directive was introduced, the Commission has done just that with its various decisions endorsing SCCs for data transfers outside the EEA.
These principles have been fleshed out to a greater degree under the GDPR, but the overall position remains that the use of SCCs are envisaged for permitting transfers of personal data from the EU to the US, Russia and China, and other third countries where the local data protection regime has not yet been deemed to provide for adequate protection.
In this sense, SCCs have been deemed to effectively export EU data protection standards to these third country locations through contractual obligations on the recipients of the data.
This mechanism is provided for in EU law, and it is incumbent on the CJEU to recognise that in how it addresses the questions posed by the High Court in Ireland.
The implications for businesses and global trade should the CJEU tear down the existing framework for data transfers would be severe.
Andreas Carney is a Dublin-based expert in data protection law at Pinsent Masons, the law firm behind Out-Law.com.