Published On: 21 June 2016
Model Clauses and Privacy Shield Under Further Scrutiny as the US Government seeks to be joined to proceedings in Ireland
Further to the opinion issued by the Article 29 Working Party (WP29) in April 2016 on Privacy Shield, which we discuss in more detail here, and following its continued investigation of EU-US transfers, on 25 May 2016 the Office of the Data Protection Commissioner in Ireland ("ODPC") announced that it intended to make an application to the Irish High Court to determine the legal status of Standard Contractual Clauses (also known as "Model Clauses"). In the same week, on 30 May 2016, the European Data Protection Supervisor ("EDPS") indicated that the so-called 'Privacy Shield' (intended to replace the Safe Harbor framework) needed "significant improvements" in order to withstand future legal scrutiny.
The ODPC issued proceedings against Facebook Ireland and Max Schrems on 31 May 2016. During its application to have the matter transferred to the Commercial Court (an arm of the High Court which deals with high value or urgent cases), the ODPC informed the Court that the matter was urgent and that it would be making an application to have the proceedings referred to the Court of Justice of the European Union ("CJEU"). At the same time, a number of parties, including the US Government, the American Chamber of Commerce, Business Software Alliance and Irish Business and Employers Confederation (IBEC), expressed an interest in being joined to the proceedings as amicus curiae (friends of the court). The Court admitted the matter to the Commercial list and agreed to hear the ODPC's application for a referral to the CJEU on 27 June 2016 together with any application by interested parties to be joined to the proceedings.
As things currently stand, there is no doubt that this is a very challenging time for companies that wish to transfer personal data from the EU to the US. This issue no longer just concerns large companies such as Facebook, Microsoft and LinkedIn (all with their European headquarters in Ireland) transferring personal data to their US parent companies. More and more Irish companies are using, for example, cloud storage and data processing facilities based in the US which require personal data (of individuals living in the EU) to be transferred to that US company. It is imperative, therefore, that certainty is provided in this area.
Safe Harbor was an EU-US agreed framework whereby US companies receiving personal data were bound by certain data protection principles intended to provide an adequate level of protection for EU citizens. However, transfers of Europeans' personal data to the US became a hot topic in 2013 following revelations about mass US surveillance programmes (such as Prism) which allowed US authorities to harvest personal data of EU citizens directly from large tech companies such as Facebook and Google.
In 2013, Austrian privacy activist Max Schrems made a complaint against Facebook Ireland to the ODPC. The essence of Schrems' argument was that Safe Harbor violated his data protection rights, failed to provide adequate safeguards in relation to his personal data and that Facebook Ireland should be immediately prevented from transferring his data to the US. The matter went before the CJEU which ultimately repealed the Safe Harbor framework on the basis that it did not ensure an adequate level of data protection compatible with the protection of privacy and the fundamental rights and freedoms of individuals in the EU. As a direct result of the CJEU decision, the transfer of personal data under the Safe Harbor regime is now prohibited.
Almost immediately after the CJEU's decision in the Schrems case, many organisations that had relied on the Safe Harbor framework entered into Model Clauses with their US parent companies in order to justify data transfers. The use of Model Clauses allowed companies to carry on their business as usual, despite the Schrems decision and the striking down of the Safe Harbor framework.
However, there have been concerns that Model Clauses will not withstand a legal challenge as they do not offer suitable redress to EU citizens who feel that their rights have been impinged. The logic is that no contractual clause between parties can adequately protect a data subject if the US (or any state) chooses to 'overreach' in a manner that is contrary to European ideals of privacy.
On 27 June, the ODPC will be making an application before the Irish Commercial Court to have this matter referred to the CJEU to determine the legal status of data transfers under Model Clauses. Some commentators, including Mr Schrems himself, have concluded that Model Clauses are likely to suffer the same fate as the Safe Harbor framework and be struck down by the CJEU on the basis that they offer inadequate levels of protection in respect of US government monitoring.
In response to the ODPC's announcement, a spokesman for Facebook said: "Thousands of companies transfer data across borders to serve their customers and users. The question the Irish DPC plans to raise with the court regarding Standard Contract Clauses will be relevant to many companies operating in Europe…Facebook has other legal methods in place to transfer data between countries."
Following the ODPC's application, Mr Schrems welcomed the US government's application to be joined as an amicus curiae, stating: "This may be a unique opportunity for us. I therefore very much welcome that the US government will get involved in this case. This is a huge chance to finally get solid answers in a public procedure."
European data protection regulators have been attempting to address this issue with the proposed Privacy Shield Agreement. It is clear, however, that negotiations are going more slowly than planned. The Privacy Shield, though the subject of significant criticism by the Article 29 Working Party and the EDPS, proposed a number of improvements to the Safe Harbor framework, including the following:
However, notwithstanding those additional safeguards, both the Article 29 Working Party and the European Parliament have called for further improvements to the proposal to better safeguard EU citizens' right to privacy. In April 2016, the Article 29 Data Protection Working Party said it was still concerned about the possibility of "massive and indiscriminate" bulk collection of EU citizens' data by the US authorities. The opinion was seen as effectively rejecting Privacy Shield, with WP29 regulators stating that they are not in a position to confirm that the provisions of the Privacy Shield provide adequate levels of data protection to personal data transferred to the US. Its opinion expressed a range of concerns, listing a number of areas where clarification is required, including the following:
More recently, in May 2016, the EDPS has echoed those concerns. In a statement the EDPS said "Significant improvements are needed…to respect the essence of key data protection principles". The statement went on to say that the Privacy Shield agreement needed to provide "adequate protection against indiscriminate surveillance" and "obligations on oversight, transparency, redress and data protection rights".
It is likely to take two to three years before the CJEU determines the fate of Model Clauses. Furthermore, the CJEU ruling, if and when it comes, could have many nuances and is by no means certain to conclude that Model Clauses are invalid for all types of data transfers. However, the decision by the ODPC to seek to have the matter referred to the CJEU will undoubtedly put further pressure on EU/US negotiators to find an acceptable political solution that meets the CJEU requirements in the first Schrems decision. The referral could also provide an opportunity for the CJEU to specify less demanding criteria that the US surveillance practices and redress mechanisms must meet.
As discussed above, in the meantime there is much work taking place with the aim of facilitating EU/US transfers and cross border transfers more generally, including the discussions around the Umbrella agreement, and a recent call by EU Member States for the removal of barriers to the free flow of data both within the EU and outside of it.
In any case, there are certainly interesting times ahead; the CJEU's ruling will have a significant impact on the future of personal data transfers outside of the EU. If Model Clauses are found to be invalid, we can only hope that a more robust Privacy Shield Agreement will be in place by then.
Until the CJEU makes a ruling as to the legality of Model Clauses, they remain an acceptable method by which to transfer personal data outside of the EU. Therefore, if you are using Model Clauses, there is no need to take any immediate action at this time. Model Clauses remain the least onerous export route if other derogations (e.g., the data subject consents or the transfer is necessary for the performance of a contract) are not available. Practitioners and businesses should remain alert for future developments.
In the meantime, we will continue to track this challenge and the results of the Article 31 Committee vote on whether the Commission will adopt the EU/US Privacy Shield as presented by the Commission or as amended as a result of the current EU/US discussions. This committee, made up of EU Member State representatives, must approve the EU/US Privacy Shield before the Commission can adopt it. It is scheduled to meet on 6 and 20 June 2016 and a vote could be taken at either of these meetings or, perhaps, not at all.
To read the ODPC's complete statement please click here.
To read the EDPS's complete statement please click here.
Submitted by Rowena McCormack, Associate and Charlotte Burke, Solicitor - DAC Beachcroft Dublin