On 25 May 2016, the Irish Data Protection Commissioner ("IDPC") announced that it would be seeking a judgment from the Court of Justice of the European Union ("CJEU") on the legal status of the EU Standard Contractual Model Clauses ("EU Model Clauses") for cross-border data transfers.
This development further increases the uncertainty around permissible means of transferring personal data from the EU to the US. Last year, the CJEU declared the EU-US Safe Harbour Framework “inadequate” following a complaint brought to the IDPC by an Austrian citizen, Maximillian Schrems. Over 5,500 US companies self-certified to the EU-US Safe Harbour program as a means of legitimising transfers of personal data from the EU to the US. Since the Schrems decision, many companies have adopted the EU Model Clauses as an alternative means of legitimising transatlantic personal data transfers.
Future of EU-US Data Transfers Uncertain
While the IDPC announcement may not be surprising to many, one of its effects is that it puts the privacy regime applicable to EU-non-EU data transfers in a state of uncertainty. The Article 29 Working Party ("WP29") issued a statement following the Schrems decision confirming the adequacy of the EU Model Clauses and Binding Corporate Rules. However, the WP29 also stated that EU data protection authorities could investigate particular cases based on individuals’ complaints. Many European data protection authorities urged Safe Harbour companies to notify them of their alternative means to transfer personal data by the end of January 2016.
Hopes for a "Pragmatic Decision"
"There are some key differences between EU Model Clauses and Safe Habour which bring hope of a practical and pragmatic decision from the courts," Dyann Heward-Mills, Head of the Data Protection and Cyber Security Practice Group in Baker & McKenzie's London Office and Ian Walden, Counsel to Baker & McKenzie.
Heward-Mills and Walden pointed out that the EU Model Clauses were adopted under a different legal regime to Safe Harbor. "The EU Model Clauses are not country specific; hence the determination would have to be based on the laws of the country where the transfer takes place under the EU Model Clauses. This referral may therefore expose the suggested hypocrisy of the EU authorities in holding other countries to a higher standard on law enforcement and national security access to data than exists in the EU," stated Heward-Mills and Walden.
EU-US Privacy Shield Update
While the adequacy of the EU Model Clauses faces uncertainty following the IDPC announcement, the EU-US Privacy Shield negotiation continues to make its way through the EU system.
On 19 May 2016, the Art.31 Committee - made up of representatives of each of the EU member states and chaired by a Commission representative - failed to reach consensus on Privacy Shield and is expected to enter into further discussions during the month of June. In order for Privacy Shield to be adopted in its current form, the Art. 31 Committee must vote in favor of the current proposal by qualified majority. This means that at least 16 member states representing at least 65% of the EU population must vote in favor of Privacy Shield as currently proposed. If the Art. 31 Committee votes against the current proposal, the Commission cannot adopt its draft adequacy decision. It will then have to submit a revised draft adequacy decision or appeal the Art. 31 Committee decision in order to keep Privacy Shield alive.
On 26 May 2016, the EU Parliament passed a non-legislative resolution approving of the existing efforts by the EU Commission and the US administration in negotiating the Privacy Shield framework. However, Members of the EU Parliament ("MEPs") also voiced their concerns regarding the resolution, including with respect to the following:
- US authorities’ broad access to personal data transferred under the Privacy Shield;
- the possibility of organizations collecting bulk data in light of the required criteria of "necessity" and "proportionality" provided in the EU Charter of Fundamental Rights;
- the limited independence and power of the proposed US ombudsperson; and
- the complexity of the redress mechanism.
The points raised by the MEPs generally mirror the concerns raised in the WP29 Opinion dated 13 April 2016 on the adequacy of the proposed Privacy Shield. The European Data Protection Supervisor ("EDPS") is also expected to be publishing its opinion on the Privacy Shield on 30 May 2016, but, similarly to the MEPs, the EDPS has already expressed that he shared similar concerns raised by the WP29.
The final EU Commission adequacy decision on the Privacy Shield is expected to be adopted in June 2016.