Problems for model clauses and Privacy Shield as MEPs and regulators flex their muscles

EU-US data transfer mechanisms look to be on shaky ground

Model contract clauses, the data transfer mechanism deployed by multinational companies like Facebook, Amazon and Google to ship personal data from the EU to the US as an alternative to the now-defunct Safe Harbour framework, look to be in trouble.

Irish data protection authorities have warned that model contract clauses are potentially in breach of EU regulations. The Irish Data Protection Commissioner (IDPC) has suggested that the European Court of Justice (ECJ), the same body that invalidated Safe Harbour, should look into the matter.

According to Out-Law, model contract clauses are "a transfer of data from a data controller in the EEA to a data controller in a third country [that] is permitted if that transfer is made in accordance with standard contractual clauses which the European Commission has decided offer sufficient safeguards".

In other words, they are a standardised form of document that, once approved by the European Commission (EC), allows companies to transfer data without further reference to the authorities.

In October, when Safe Harbour was annulled by the European Court of Justice, Marc Dautlich, information law partner at Pinsent Masons, predicted that model contract clauses and binding corporate rules would also be looked at sooner or later.

"It is likely that other legal tools, beyond Safe Harbour, that organisations rely on to transfer personal data from the EU to the US will come in for scrutiny too," he said.

Max Schrems, the Austrian law student whose case against Facebook brought about the demise of Safe Harbour, told the Financial Times yesterday: "If model contract clauses go, it will be huge for all the industry."

He continued: "There's no way that the ECJ can say that model contract clauses are valid if they killed Safe Harbour on the same grounds. Everyone in the room knows model contract clauses are a shaky thing, but it was the best they had so far."

Helen Dixon, head of the IDPC, said her organisation would "seek declaratory relief in the Irish High Court and a referral to the [ECJ] to determine the legal status of data transfers under standard contractual clauses".

Privacy Shield problems

The proposed replacement for Safe Harbour, the EU-US Privacy Shield, is also in trouble after the European Parliament passed a resolution demanding that the EC and the US renegotiate the draft framework.

MEPs found fault with the US ombudsman role, the redress mechanism, and the potential for the US authorities to pursue bulk data collection and mass surveillance activities under the draft agreement.

The parliament's resolution was passed by 501 votes to 119 with 31 abstentions. It is not binding, but it is likely that the EC and US representatives will need to renegotiate the deal if Privacy Shield is to avoid problems later, such as when the GDPR becomes law in 2018.