Ireland to challenge model clauses as basis for international transfers

Ireland’s Data Protection Commissioner is planning to refer the Facebook case back to the Court of Justice of the European Union (CJEU) to determine if Facebook can continue to transfer data from the EU to the US by using EU model clauses, Europe v Facebook has announced:

"In an unpublished draft decision of May 24th 2016 the Irish DPC followed the objections of the Complainant Mr Schrems in the procedure between Mr Schrems and Facebook Ireland Ltd. Mr Schrems claimed that Facebook USA continues to be subject to US mass surveillance laws, independent of the use of 'model causes' or 'Safe Harbor' and that his data continues to be subject to fundamental rights violations once it reaches the United States."

Max Schrems said: “This is a very serious issue for the US tech industry and EU-US data flows. As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental right[s]. I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see [how] there could be a solution.’

These developments could further complicate international data transfers. As we wait for the approval of the EU-US Privacy Shield framework, companies have been told that they can in the meantime rely on EU model clauses and Binding Corporate Rules.

Great Expectations, PL&B’s 29th Annual International Conference 4-6 July in Cambridge has a session entitled ‘The EU-US Privacy Shield and the future of EU adequacy for 3rd countries’. Speaker: Bruno Gencarelli, Head of the Data Protection Unit, Justice, European Commission.