October 16, 2017

October 13, 2017

Irish Court Casts Serious Doubt on EU Model Clauses

The validity of Model Clauses for EU personal data transfer to the United States is now in real doubt as a result of a new Irish High Court judgment stating that there are “well founded grounds” to find the Model Clauses invalid. The issue of Model Clauses as a legitimate data transfer mechanism will now be adjudicated by the European Court of Justice (ECJ), the same court that previously overturned the Safe Harbor arrangement. EU and US companies will need to consider various strategies in anticipation of this decision.

Background

The case arose from a complaint to the Irish Data Protection Commissioner (DPC) against Facebook Ireland, Ltd. Max Schrems, the complainant in the case, alleged that Facebook Ireland’s data sharing agreement with its US parent, Facebook, Inc., violated his rights under the Charter of Fundamental Rights of the European Union. That data sharing arrangement between the Facebook entities was legitimized by the Model Clauses, which are promulgated by the European Commission and used by companies all over the world to validate the transfer of EU personal data to entities outside of the European Union. The Irish DPC has brought this case in the Irish Courts to allow the ECJ to determine whether the Model Clauses breach applicable European law.

This is not Schrems’ first foray into the international data protection scene. Schrems’ prior complaint against Facebook Ireland resulted in proceedings being brought by the DPC that concluded in the invalidation by the ECJ of the US-EU Safe Harbor Program. The ECJ held in 2015 that the Safe Harbor program contravened EU data protection principles safeguarding individual privacy, in large part because data could be accessed on a bulk basis by US intelligence authorities, such as the National Security Agency (NSA). After the demise of Safe Harbor, protracted negotiations between EU and US government agencies resulted in the adoption of the Privacy Shield framework, which included layered remedies for individuals and protections intended to better safeguard individual privacy.

The Decision

The Irish High Court referred the decision about the validity of Model Clauses for determination by the ECJ. No specific questions have yet been formulated, but some were hinted at and may include:

  • Whether a comprehensive adequacy analysis of US laws relating to electronic surveillance on grounds of national security is necessary;

  • Whether there are adequate rights of redress for individuals whose data was treated wrongfully; and

  • Whether there are proper limitations on remedies if the infringement by intelligence agencies is proportionate, necessary, or needed to protect the rights and freedoms of others.

Next Steps for Companies

After the invalidation of Safe Harbor, Facebook and many other companies switched to Model Clauses to ensure adequate privacy protection of EU data transferred to the United States, both for the intragroup transfer of personal data and for the transfer of personal data with suppliers and customers.

This judgment from the Irish High Court does not invalidate Model Clauses. Model Clauses may still be used to legitimize the transfer of personal data from the European Union to the United States for the present—at least until the ECJ decides the case, which may not be until after the General Data Protection Regulation (GDPR) comes into effect next May.

Many companies are rightly asking what they should do now.

Companies need to begin to re-evaluate their EU personal data transfer compliance posture because, if Model Clauses are invalidated, the remaining options will take time to implement. When Safe Harbor was invalidated, switching to or amending Model Clauses was relatively quick and easy. The same will often not be true if Model Clauses are invalidated.

The following are several options:

  • Create an inventory of the Model Clauses that you currently use, including the types of data transferred under the agreements. Having a consolidated list of Model Contracts will assist, should a new version need to be put in place quickly. As part of this process, you should consider whether any updates should be made in light of the new requirements of the GDPR, which may also affect your data transfer compliance posture. The GDPR will, for the first time, regulate data processors directly, and an effective way for a data processor, whether in the European Union or the United States, to mitigate its liability is through updated contractual terms with its customers.

  • Consider whether Privacy Shield for EU to US data transfers may be a viable option. We recommend looking at the Privacy Shield as it confers a number of advantages of the Model Clauses, as well as a reduced liability profile. Self-certifying under Privacy Shield typically requires greater effort than Model Clauses and has a number of robust implementation components. McDermott can assist with this process using our Privacy Shield Tool Kit. (The Privacy Shield applies only to data transfers from the European Union to the United States. It does not apply to transfers from the European Union to other countries besides the United States.) Although the Privacy Shield has recently passed its annual review by the European Commission, there are still concerns that it needs to be updated in order to secure its long-term viability.

  • Consider in which cases consents, while frowned upon in some instances, may be supportable and adequate. Again, as part of this process, you should consider whether any updates to your consents should be made in light of the new requirements of the GDPR.

  • Consider whether Binding Corporate Rules may now be an option. These are more difficult to implement than the Privacy Shield; however, they represent best practice in the eyes of many European data protection regulators. They have a statutory basis under the GDPR and a streamlined application as a result of the GDPR’s simplified approach and “one stop shop” with a sole Data Protection Authority.

  • Keep an eye on the Schrems 2 case and developments at the ECJ. We expect there will be further commentaries on the validity of Model Clauses from the Art. 29 Working Group and various EU Member State Data Protection Authorities.

© 2017 McDermott Will & Emery


About this Author

Mark Schreiber, McDermott Law Firm, Boston, Cybersecurity Law Attorney
Partner

Mark E. Schreiber focuses his practice on cybersecurity, data breach response and global privacy coordination. He advises entities facing cross-border data protection, Privacy Shield and related issues, strategic decisions, and investigations. Mark has led numerous multi-national and cross-border matters, including those involving data breaches, and has advised senior management, boards, and special board committees on a variety of investigations, including data breach prevention and response. Mark is a leader of the Firm’s Global Privacy and Cybersecurity practice....

617-535-3982
Partner

Michael G. Morgan represents clients in class actions, litigation and other matters involving cybersecurity, privacy, and protection of consumer and business data. He is co-leader of the Firm’s Privacy and Data Protection practice.

With more than 20 years’ experience in data security and privacy matters, Michael advises clients on cyber incident preparation, prevention and response; compliance with US and EU laws and regulations; completion of enterprise-wide cybersecurity assessments; and data security policies and best practices. He has particular experience in advising clients on large-scale data breaches, including those involving more than 50 million consumer records, both in the US and in dozens of countries around the world.

Michael is a seasoned trial lawyer who has first-chaired numerous jury and bench trials and has resolved scores of cases through mediation and other forms of Alternative Dispute Resolution. He has deep experience in the defense of consumer class actions and government investigations by the FTC, CFPB, FCC, and state attorneys general relating to data security and privacy. Before joining his prior firm, Michael was vice president and general counsel of Epic Cycle, a web app development company.

310 551 9366
Ann Killilea, McDermott Will Emery Law firm, Employee Benefits Attorney
Counsel

Ann Killilea is counsel in the law firm of McDermott Will & Emery LLP and is based in the Firm's Boston office.  Ann brings to the Firm and to its Global Privacy and Data Protection Affinity Group more than 25 years of experience as senior in-house corporate counsel advising Hewlett-Packard Company (HP), and its predecessor companies Compaq Computer Corporation and Digital Equipment Corporation, all multinational companies in the information technology industry.

617-535-3933
Partner

Ashley Winton focuses his practice on global data protection and privacy, information governance and cybersecurity compliance. He has particularly in-depth knowledge of cyber breach response, cybersecurity in the context of payment systems, the lawful interception of data, and the conflict of laws in relation to corporate and government investigations and international litigation. Ashley frequently represents major corporations, trade associations, charities and government entities on a range of data privacy and cybersecurity issues and he has significant experience in...

4420-7577-6939
Romain Perray, McDermott Law Firm, Paris, Data Privacy Attorney
Partner

Romain has extensive experience in data privacy and data protection law, and lectures on these subjects in Master of Law classes at the University of Paris-I Panthéon-Sorbonne, the University of Paris-II Panthéon-Assas and the University of Paris V Descartes. He advises on the full range of data protection and data security for clients in life sciences, automotive, insurance, e-commerce, leisure, social networks and even the public sector, especially in the context of smart cities projects.

331-8169-1527