May 11, 2021

Volume XI, Number 131


May 10, 2021

Subscribe to Latest Legal News and Analysis

An Irish Court Clouds the Future of EU Data Transfers: The Luck of the Model Clauses May Be Done

There was a new and potentially significant development this week in the Irish courts that could mark the start of a fundamental change in the field of privacy law and the transfer of personal data from the European Union to the United States. The "model clauses," which are a widely used European Commission-sanctioned method for lawfully transferring personal data outside the EU, may be on the chopping block.

Readers will likely remember the 2015 case of Austrian law student, Max Schrems, against Facebook in which Mr. Schrems filed a complaint that successfully led to the downfall of the US-EU Safe Harbor scheme that had provided a legal basis for data transfers from the EU to the United States. (Read more in "The Court of Justice of the European Union Sinks the Safe Harbor Program.") The Safe Harbor has since been replaced by the EU-U.S. Privacy Shield (the "Privacy Shield"), which includes ostensibly stronger privacy protections. (For more information on the Privacy Shield please read "U.S., EU Launch "Privacy Shield" Data Transfer Framework, Certification to Begin August 1.")

In this latest development, an Irish court has referred another case brought by Mr. Schrems against Facebook to the EU's top court, the Court of Justice of the European Union (the CJEU), to determine whether the standard (i.e., "model") contractual clauses drafted by the EU to provide an "adequate" level of protection when companies transfer personal data outside the EU ("model clauses") are compliant with the EU's laws on privacy.

By way of background, there are four main ways in which businesses can lawfully transfer personal data from the EU to the United States. (Three of these also apply to transfers to other countries that have not been determined to provide an adequate level of protection.) These methods include:

  1. obtaining appropriate data subject (individual) consent to do so;

  2. for transfers to the United States only, the US company complies with the requirements of the Privacy Shield;

  3. the corporate group puts in place a set of "binding corporate rules" which apply to the intra-group transfer of personal data; or

  4. the relevant entities sign up to contracts containing the model clauses. 

Mr. Schrems argues that the model clauses do not adequately safeguard EU privacy standards when transferring personal data to the United States because of the US government's extensive powers of surveillance. In relation to the referral to the CJEU, the Irish Information Commissioner was keen to emphasize that this does not mean that model clauses, or the Privacy Shield, are invalid, or that businesses must immediately stop transferring personal data out of the EU. The referral, however, gives the CJEU the opportunity to review the validity of the model clauses and determine whether or not they can be retained in their current form. EU companies that rely upon model contracts to transfer personal data outside the European Union to jurisdictions which have not been determined by the European Commission as having an adequate level of protection may face particular challenges. If the CJEU determines that the model clauses do not comply with the EU's laws, then those businesses will need to rely on some other option in order to transfer the data lawfully, and alternative transfer options may be difficult to find.

©2021 Katten Muchin Rosenman LLPNational Law Review, Volume VII, Number 279



About this Author

Matthew R. Baker, Environmental White Collar Attorney, Katten Muchin Law Firm

Matthew Baker focuses his practice on environmental white collar, internal investigation, complex electronic discovery and information governance issues, and domestic and international data privacy compliance. Matthew represents clients in connection with a variety of environmental and regulatory criminal matters, as well as assists corporate clients with information governance, data privacy and litigation preparedness issues.

Matthew's pro bono work includes assisting nonprofit organizations with data privacy and information governance issues,...

Doron Goldstein, Katten Muchin Law Firm, Intellectual Property Attorney

Doron S. Goldstein's practice primarily deals with intellectual property, information technology and advertising, marketing and branded entertainment transactions and counseling, including privacy and information security, trademark, copyright, software and technology matters, and he is co-head of Katten's Advertising, Marketing and Promotions practice and of the firm's Privacy, Data and Cybersecurity group.

Doron regularly advises on various aspects of integrated marketing campaigns, including talent and production agreements, advertising agency...

Christopher Hitchins, Katten Muchin London UK, investment documentation attorney, labor disputes management lawyer

Christopher Hitchins focuses his practice on the full range of employment law issues, acting for employers or senior individuals in a wide range of sectors, with a particular focus on the financial services, technology, hotel, retail and media industries.

Chris advises on all contentious and non-contentious UK employment law matters. He has significant experience advising on senior executive employment, partnership and investment documentation, managing disputes and exits as well as team moves, advising businesses on restructurings involving the...

44 (0) 20 7776 7663
Bridgitte Weaver, Katten Law Firm, London, Labor and Employment Litigation Attorney

Brigitte is an employment lawyer who focuses on a broad range of contentious and non-contentious employment matters, acting for both employers and individuals. Brigitte’s contentious experience covers both Employment Tribunal claims and High Court litigation, including unfair dismissal, discrimination claims and breach of contract. Her non-contentious experience covers a variety of advisory matters, as well as corporate support work and advising on TUPE.