Transfers of personal data outside the EEA – what's new?
Published on 5th Oct 2017
It seems that barely a week goes by without some form of development in relation to European data protection laws – be it new laws and regulations, guidance on key issues, or case law developments.
This week’s big news is that the Irish High Court has decided, in the case of Data Protection Commission v Facebook Ireland & Schrems, to kick into the long grass of the CJEU the politically loaded question of whether Facebook’s use of the EU Model Clauses to transfer personal data outside of the EEA is legal and – more broadly – whether those EU Model Clauses are valid at all.
In other recent news, the United States Government and the European Commission concluded the first annual review of the Privacy Shield with a positive statement on the importance of the framework and their commitment to its success.
After a period of relative certainty on the legality of EU-US data transfers, and on transferring personal data outside the EEA more generally (including through the use of EU Model Clauses), the Schrems case and the annual review of the Privacy Shield had the potential to derail that certainty at a time when businesses are busy preparing for the GDPR coming into effect in May 2018.
However, in the short term at least, these latest developments don’t change anything. For many businesses, the EU Model Clauses will still be the most viable (and in fact only) solution for transferring personal data outside the EEA, and for those businesses that have gone to the effort of self-certifying to the Privacy Shield, those efforts are not in vain.
The longer term future of both the EU Model Clauses and the Privacy Shield is less certain, and businesses should keep a close eye on developments as and when they unfold. In order to be prepared for the worst, businesses might want to explore whether there are data processing solutions available which avoid a transfer of personal data outside the EEA and enquire with their service providers what options they offer (although, those options are very likely to come at a cost).
We provide more detail below on the Schrems case and the Privacy Shield review, as well as giving an indication of what happens next, when it is due to happen and what practical steps to take in the meantime.
The Schrems case and EU Model Clauses
Most businesses will, at least in respect of some of their processing activities, rely on the EU Model Clauses to legitimise the transfer of personal data outside the EEA. The EU Model Clauses, as many will know, are standard contractual clauses, which have been approved by the European Commission as providing an adequate level of protection for personal data transferred outside the EEA, when incorporated into a contract between controllers, or a controller and a processor. There are three versions of the EU Model Clauses – the 2001, 2004 and 2010 versions.
Unfortunately, the EU Model Clauses don’t resolve the underlying concerns of many in relation to the transfer of personal data to the U.S. (particularly, the bulk collection of data by U.S. authorities for surveillance purposes). Following his success in invalidating the “Safe Harbor” framework back in October 2015, Max Schrems set his sights on the EU Model Clauses. Schrems requested that the Irish Data Protection Commissioner (DPC) declare the EU Model Clauses to be invalid. His complaint is raised in the context of Facebook’s transfer of personal data from Ireland to the U.S. on the basis of the 2010 version of the EU Model Clauses (which are used for transfers from controllers to processors); however, the potential impact of the case is much broader. It is relevant to all businesses currently relying on the EU Model Clauses (whether for transfers to the U.S. or elsewhere, and whether on the basis of the 2010 version, or the 2001 or 2004 versions used for transfers between controllers).
The Irish DPC referred the decision on the validity of the EU Model Clauses to the Irish High Court. The Irish High Court has, in turn, referred the decision to the CJEU. The full text of the Irish High Court’s judgment (which reaches 153 pages) is available here, but, in summary:
- the Irish High Court agreed with the Irish DPC that the case raises “well founded concerns” about the transfer of personal data pursuant to the EU Model Clauses (particularly to the U.S.);
- the alternative – which was to refuse to refer the decision to the CJEU and force the Irish DPC to conclude her investigation into Schrems’ complaint on the basis that the EU Model Clauses are valid – would ignore those “well founded concerns”; and
- referring the decision to the CJEU is the only way to ensure that EU Member States take a consistent approach – the Irish High Court made it clear that it is not within its (or any other national court’s) competencies to decide on the validity of the EU Model Clauses.
The decision on the validity of the EU Model Clauses now sits with the CJEU. That decision could take a year, more likely two. In the meantime, the referral does not mean that the EU Model Clauses are invalid; businesses can continue to use them (at least until we hear anything different from regulators).
As the Irish High Court recognises in its judgment:
“The case raises issues of very major, indeed fundamental, concern to millions of people within the European Union and beyond… it [also] has implications for billions of euros worth of trade between the EU and the US and, potentially, the EU and other non-EU countries”.
Certainly not a decision to be taken lightly, and undoubtedly one which is best taken by Europe’s highest court.
Annual review of the Privacy Shield
The Privacy Shield replaced the ill-fated “Safe Harbor” framework. The requirement for an annual review arises from the European Commission’s decision to declare the Privacy Shield as an “adequate” solution for legitimising transfers of personal data to the U.S.
Prior to the review, many (including European data protection authorities) raised concerns in relation to the Privacy Shield, and the extent to which it afforded an adequate level of protection to personal data transferred to the U.S. They cited issues with the bulk collection of data by U.S. authorities for surveillance purposes, the lack of guarantees in relation to automated decision making and the failure by the U.S. to appoint a permanent Ombudsman responsible for handling and solving complaints or enquiries raised by EU individuals.
Nonetheless, on 21 September 2017, Věra Jourová (European Commissioner for Justice, Consumers and Gender Equality) and Wilbur Ross (U.S. Secretary of Commerce) published a joint statement at the end of the two-day review giving their support to the EU-US Privacy Shield.
The full report, setting out the findings of the review and taking into account feedback from regulators, businesses, NGOs and other stakeholders, is expected to be published in the second half of October. Inevitably, that report will identify areas for improvement designed to address the concerns identified above. The Privacy Shield has therefore survived for another year.
It is also important not to forget that, separately, there is a high-profile legal challenge being made in the courts against the Privacy Shield by the Irish privacy campaign group, Digital Rights Ireland. The outcome of that legal challenge is not expected until late in 2018, at the earliest.
What should businesses be doing now?
For the moment, these developments in relation to the EU-US Privacy Shield and the EU Model Clauses change nothing:
- the EU Model Clauses are still valid; and
- businesses can still rely on the EU-US Privacy Shield.
The truth is that for many businesses, without the EU Model Clauses (in particular), transferring personal data outside the EEA would be infinitely more difficult. At the moment at least, the alternatives are few and far between. There is the option of Binding Corporate Rules for intra-group transfers of personal data, though for many, the time and cost involved in putting those in place will be prohibitive. On the plus side, this continued uncertainty could accelerate the creation of additional solutions for transferring personal data outside the EEA, such as revised versions of the EU Model Clauses (resolving the issues identified in Schrems) or an approved certification mechanism for transferring personal data outside the EEA (as is referred to in the GDPR).
The safest solution is, of course, to consider minimising (as far as possible) the extent to which personal data is transferred outside the EEA. Practically, though, that is very difficult to achieve.
Businesses should also keep arrangements under review and remain agile to address new developments as they emerge.
Written by Ashley Hurst and Georgina Graham.