EU Data Transfer Solutions Under Further Judicial Scrutiny – What Next For Model Contract Clauses?

Posted

TAKEAWAYS:

  • The European Union Court of Justice (“CJEU”) to rule on the validity of Model Contractual Clauses (“MCCs”) following referral by the Irish High Court.
  • The Irish High Court has “well-founded” concerns that there is no effective remedy in US law for EU citizens whose personal data is transferred to the United States and the use of MCCs does not eliminate those concerns.
  • The CJEU’s ruling may have seismic implications for billions worth of trade between the EU and the rest of the world.
  • If MCCs are declared invalid then EEA data exporters and non-EEA data importers will need to find alternative transfer solutions to ensure compliance – and quickly.
  • Given the ongoing problems associated with MCCs and the EU-US Privacy Shield framework, alternative transfer solutions, including the use of Binding Corporate Rules (“BCRs”) where appropriate, should be considered.

On the 3rd October 2017, Ms Justice Costello delivered her judgement on behalf of the Irish High Court in the case of The Data Protection Commissioner v Facebook Ireland and Maximilian Schrems (referred to by some as “Schrems II”).

The case involves a reformulated complaint brought by Schrems following the CJEU’s ruling in 2015 (“Schrems I”) which invalidated the EU-US Safe Harbour framework. Schrems II focuses on the validity of MCCs but is based on similar concerns as those expressed in Schrems I, i.e. (a) indiscriminate, mass surveillance of EU derived data by US security agencies, and (b) the perceived lack of an effective remedy for EU citizens under US law.

The judgement of the Irish High Court does not invalidate MCCs immediately. Instead, Ms Costello accepted that the concerns expressed by the Irish Data Protection Commissioner (the “DPC”) were “well-founded” and held that the High Court would refer the validity of MCCs to the CJEU. Since references to the ECJ generally take 18 months, a judgement is not expected before the implementation of the EU General Data Protection Regulation 2016/679 (“GDPR”) on 25 May 2018.

Background

The Law

Since the GDPR comes into force next year, this case was argued on the basis of the current law – the EU Data Protection Directive 95/46/EC (the “Directive”). The Directive implements the fundamental rights of European Citizens as set out in the European Charter of Fundamental Rights (the “Charter”). These include Article 7 (right to a private and family life), Article 8 (protection of personal data) and Article 47 (the right to an effective remedy and a fair trial).

The Directive provides a high standard of protection to EU citizens with regard to the processing of their personal data within the EU and states that personal data must not be transferred to non-EU countries which do not provide an equivalent high level of protection (Article 25 of the Directive).

Under Article 25(6) of the Directive, the European Commission may find that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law (this is known as an “Adequacy Decision”).

Where a non-EU country has not received an Adequacy Decision, entities must rely on one of the grounds set out in the Directive to transfer personal data to other entities based in that non-EU country. One such ground is the use of MCCs provided for in Article 26(4) of the Directive and various decisions by the European Commission. The relevant decision, in this case, is Commission Decision 2010/87/EU which creates model contractual clauses for the transfer of personal data from EU data controllers to non-EU data processors.

Factual Background

Following the invalidation of EU-US Safe Harbor framework in 2015, Schrems asked Facebook to confirm on what legal basis it transferred European personal data to the US. Like many companies, Facebook uses MCCs.

Schrems reformulated his complaint to the DPC arguing:

  • the MCCs used had a number of “formal insufficiencies”; and
  • exporters could not rely on the MCCs as a legal basis for transferring data from the EU to the US because US law does not “adequately protect” the rights of EU citizens under Articles 25 and 26 of the Directive.

Decision

MCCs and the Law of Third Countries

In summary, Ms Costello held that data exporters could not rely solely upon MCCs as complying with the requirements of the Directive. In particular, Data Protection Authorities (“DPA”), “have an obligation to ensure that the data still received a high level of protection and they are expressly granted powers to suspend or prohibit data transfers if the laws of the third country undermine that mandatory high level of protection in the EU” (Paragraph 153).

Surveillance by US Security Agencies

Ms Costello also reviewed the legal basis for electronic surveillance by the US and concluded that on the basis of, “evidence in relation to the operation of the PRISM and Upstream programmes authorised under s. 702 of Foreign Intelligence Surveillance Act (“FISA”), it is clear that there is mass indiscriminate processing of data by the United States government agencies, whether this is described as mass or targeted surveillance” (Paragraph 194).

Right to a Remedy in the US

In Ms Costello’s view, “the arguments of the DPC that the laws – and indeed the practices – of the United States do not respect the essence of the right to an effective remedy before an independent tribunal guaranteed by Article 47 of the Charter, which applies to data of all EU data subjects transferred to the United States, are well-founded” (Paragraph 294).

Ms Costello identified a number of “significant barriers” to EU citizens obtaining any remedy for unlawful processing of their personal data by US intelligence agencies.

MCCs provide a contractual remedy for data subjects against the non-EU entity. On the basis that the contractual clause cannot bind the sovereign authority of the US and its agencies, Ms Costello held that, “the MCCs themselves do not provide an answer to the concerns raised by the DPC in relation to the existence of effective remedies for individual EU citizens in respect of possible infringement of their data privacy protection rights if their data are subject to unlawful interference” (Paragraph 154).

Conclusion

The Irish High Court was therefore of the view that “[if] there are inadequacies in the laws of the US within the meaning of [EU law], the standard clauses cannot and do not remedy or compensate for these inadequacies.” Hence the referral to the CJEU to confirm the validity of the MCCs.

How does this affect my company whether based inside or outside the EEA?

Many organisations rely on MCCs to transfer personal data to group companies and third parties worldwide (and not just in the US).

If MCCs are ultimately invalidated, then EEA based data exporters and non-EEA based data importers will need to consider which other transfer solutions might be appropriate.

BCRs may well be the answer where intra-group transfers are concerned. Alternatively, the codes of conduct or certification mechanisms envisaged until the GDPR might be worthy of consideration once these frameworks are settled. Other derogations e.g. under Article 49 of the GDPR, such as where the transfer concerns only a limited number of data subjects, are very narrowly construed and hence will likely have limited value in practice.

The EU-US Privacy Shield framework, which safeguards data transfers to the US, is likely to be a key fall-back for companies transferring to the US if they are unable to rely on MCCs, however, this comes with a serious health warning in light of this CJEU referral and given the Privacy Shield is currently being challenged before the General Court in the Digital Rights Ireland and La Quadrature du Net cases.

Given the CJEU’s ruling will strike at the heart of global commerce, its ruling is much anticipated – not just in data protection circles and companies exporting or receiving EU data might well be advised to consider what their “Plan B” may look like in the event MCCs (and/or the EU-US Privacy Shield) are invalidated.