January 19, 2022

Volume XII, Number 19


January 18, 2022

Subscribe to Latest Legal News and Analysis

Irish Court Casts Serious Doubt on EU Model Clauses

The validity of Model Clauses for EU personal data transfer to the United States is now in real doubt as a result of a new Irish High Court judgment stating that there are “well founded grounds” to find the Model Clauses invalid. The issue of Model Clauses as a legitimate data transfer mechanism will now be adjudicated by the European Court of Justice (ECJ), the same court that previously overturned the Safe Harbor arrangement. EU and US companies will need to consider various strategies in anticipation of this decision.


The case arose from a complaint to the Irish Data Protection Commissioner (DPC) against Facebook Ireland, Ltd. Max Schrems, the complainant in the case, alleged that Facebook Ireland’s data sharing agreement with its US parent, Facebook, Inc., violated his rights under the Charter of Fundamental Rights of the European Union. That data sharing arrangement between the Facebook entities was legitimized by the Model Clauses, which are promulgated by the European Commission and used by companies all over the world to validate the transfer of EU personal data to entities outside of the European Union. The Irish DPC has brought this case in the Irish Courts to allow the ECJ to determine whether the Model Clauses breach applicable European law.

This is not Schrems’ first foray into the international data protection scene. Schrems’ prior complaint against Facebook Ireland resulted in proceedings being brought by the DPC that concluded in the invalidation by the ECJ of the US-EU Safe Harbor Program. The ECJ held in 2015 that the Safe Harbor program contravened EU data protection principles safeguarding individual privacy, in large part as a result of data that could be accessed on a bulk-basis by US intelligence authorities, such as the National Security Agency (NSA). After the demise of Safe Harbor, protracted negotiations between EU and US government agencies resulted in the adoption of the Privacy Shield framework, which included layered remedies for individuals and protections intended to better safeguard individual privacy.

The Decision

The Irish High Court referred the decision about the validity of Model Clauses for determination by the ECJ. No specific questions have yet been formulated, but were hinted at and may include:

  • Whether a comprehensive adequacy analysis of US laws relating to electronic surveillance on grounds of national security is necessary;

  • Whether there are adequate rights of redress for individuals whose data was treated wrongfully; and

  • Whether there are proper limitations on remedies if the infringement by intelligence agencies is proportionate, necessary, or needed to protect the rights and freedoms of others.

Next Steps for Companies

After the invalidation of Safe Harbor, Facebook and many other companies switched to Model Clauses to ensure adequate privacy protection of EU data transferred to the United States, both for the intragroup transfer of personal data and for the transfer of personal data with suppliers and customers.

This judgment from the Irish High Court does not invalidate Model Clauses. Model Clauses may still be used to legitimize the transfer of personal data from the European Union to the United States for the present—at least until the ECJ decides the case, which may not be until after the General Data Protection Regulation (GDPR) comes into effect next May.

Many companies are rightly asking what they should do now.

Companies need to begin to re-evaluate their EU personal data transfer compliance posture because, if Model Clauses are invalidated, the remaining options will take time to implement. When Safe Harbor was invalidated, switching to or amending Model Clauses was relatively quick and easy. The same will often not be true if Model Clauses are invalidated.

The following are several options:

  • Create an inventory of the Model Clauses that you currently use, including the types of data transferred under the agreements. Having a consolidated list of Model Contracts will assist, should a new version need to be put in place quickly. As part of this process, you should consider whether any updates should be made in light of the new requirements of the GDPR, which may also affect your data transfer compliance posture. The GDPR will, for the first time, regulate data processors directly and an effective way for a data processor, whether in the European Union or the United States, to mitigate their liability is with updated contractual terms with its customers.

  • Consider whether Privacy Shield for EU to US data transfers may be a viable option. We recommend looking at the Privacy Shield as it confers a number of advantages of the Model Clauses, as well as a reduced liability profile. Self-certifying under Privacy Shield typically requires greater effort than Model Clauses and has a number of robust implementation components. McDermott can assist with this process using our Privacy Shield Tool Kit. (The Privacy Shield applies only to data transfers from the European Union to the United States. It does not apply to transfers from the European Union to other countries besides the United States.) Although the Privacy Shield has recently passed its annual review by the European Commission, there are still concerns that it needs to be updated in order to secure its long term viability.

  • Consider in which cases consents, while frowned upon in some instances, may be supportable and adequate. Again, as part of this process, you should consider whether any updates to your consents should be made in light of the new requirements of the GDPR.

  • Consider whether Binding Corporate Rules may now be an option. These are more difficult to implement than the Privacy Shield; however, they represent best practice in the eyes of many European data protection regulators. They have a statutory basis under the GDPR and a streamlined application as a result of the GDPR’s more simplified approach and “one stop shop” with a sole Data Protection Authority.

  • Keep an eye on the Schrems 2 case and developments at the ECJ. We expect there will be further commentaries on the validity of Model Clauses from the Art. 29 Working Group and various EU Member State Data Protection Authorities.

© 2022 McDermott Will & EmeryNational Law Review, Volume VII, Number 283

About this Author

Mark Schreiber, McDermott Law Firm, Boston, Cybersecurity Law Attorney

Mark E. Schreiber focuses his practice on cybersecurity, data breach response and global privacy coordination. He advises entities facing cross-border data protection, Privacy Shield and related issues, strategic decisions, and investigations. Mark has led numerous multi-national and cross-border matters, including those involving data breaches, and has advised senior management, boards, and special board committees on a variety of investigations, including data breach prevention and response. Mark is a leader of the Firm’s Global Privacy and Cybersecurity practice....

Michael G. Morgan Prvacy Attorney McDermott Will & Emery Law Firm

Michael G. Morgan represents clients in class actions, litigation and other matters involving cybersecurity, privacy, and protection of consumer and business data. He is co-leader of the Firm’s Privacy and Data Protection practice.

With more than 20 years’ experience in data security and privacy matters, Michael advises clients on cyber incident preparation, prevention and response; compliance with US and EU laws and regulations; completion of enterprise-wide cybersecurity assessments; and data security policies and best practices. He has...

310 551 9366
Romain Perray, McDermott Law Firm, Paris, Data Privacy Attorney

Romain has extensive experience in data privacy and data protection law, and lectures on these subjects in Master of Law classes at the University of Paris-I Panthéon-Sorbonne, the University of Paris-II Panthéon-Assas and the University of Paris V Descartes. He advises on the full range of data protection and data security for clients in life sciences, automotive, insurance, e-commerce, leisure, social networks and even the public sector, especially in the context of smart cities projects.

Amy C. Pimentel, Global Privacy Staff Attorney, McDermott Will & Emery Law Firm

Amy Pimentel is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office.  Amy is a member of the Firm’s Global Privacy and Data Protection Affinity Group.  She focuses her practice on consumer protection, privacy, information security and international law.

Amy received her J.D. in 2014 from Northeastern University School of Law.  While in law school, Amy worked at the U.S. Department of Justice in the Office of International Affairs and interned for a judge at the International Criminal Tribunal...