Are Model Clauses Now in Jeopardy?

Max Schrems is busy again. As many predicted, this time he is going after Facebook’s use of model clauses. He argues that the reasoning for the invalidation of Safe Harbor applies equally to transfers to the US by way of model clauses because the data is subject to the same mass indiscriminate access by the US authorities.

Max Schrems’s website reports that the Irish Data Protection Commissioner is planning to start the process for a referral to the Court of Justice of the European Union (CJEU) on the question of whether Facebook can continue to transfer data from the EU to the US after the invalidation of the European Commission adequacy determination for Safe Harbor in October 2015. At this stage we have no access to the underlying documents (nor, it seems, does Schrems) so it’s not clear just what the CJEU might be asked to rule on. It could consider the validity of the Commission’s decision approving the model clauses as a whole, or simply look at Facebook’s reliance on the clauses to legitimise its transfer of personal data to the US.

It is hard to fault Max Schrems’ logic on this one but, if the model clauses route were removed entirely for transfers to the US, or perhaps even more widely, many companies would have to look to consent or BCRs. Consent has to be informed and freely given already and, with the advent of the more onerous requirements in the new GDPR, is unlikely to be a viable option in many cases. Anyway, assuming that the objective here is to improve privacy protection for individuals, driving individuals to consent to transfers that would otherwise be unacceptable on privacy grounds, would seem to be something of a backwards step. On the other hand BCRs take time to put in place, are necessarily intra-group only and ultimately must beat risk of challenge on the same grounds as Safe Harbor and model clauses.

Max Schrems argues that a change in law in the US is what is required. This may be so but what about the position of other jurisdictions where the state authorities have even more sweeping powers of access to data? If we’re considering model clauses it’s not just the US that they apply to, unlike Safe Harbor. And with the US we have seen that although efforts have been made to change relevant US laws as part of the Privacy Shield negotiations, what the US is currently offering is not considered enough (either by the Article 29 Working Party, the EDPS or the European Parliament). The outlook, so far, is not particularly promising.

So the uncertainty continues and may well be with us for some time yet. Past experience suggests that predicting what the CJEU might decide is fraught with difficulty. At one extreme the CJEU could strike down the Commission decision on the model clauses altogether, removing the ability of businesses to rely on them for transfers not just to the US but worldwide. Alternatively the Court might not look more widely and, despite the reservations of others, might consider that the assurances given by the US in the context of the Privacy Shield negotiations, including the new US Judicial Redress Act, are sufficient to allay the concerns that led to it’s original decision on the Safe Harbor and to the latest Max Schrems case. More likely is that any decision will be somewhere between these extremes, will in any case take a long time in it’s delivery, and may well be preceded by further moves by the European Commission to resolve the situation.

For the time being model clauses remain a valid basis of transfer although, as the European Commission stressed in its Communication of 6th November 2015, exporters must be prepared to take additional measures if necessary to ensure data transferred under such contracts is actually protected in accordance with the requirements of the EU Directive.

by David Smith and Charlotte Mullarkey