Published 1 August 2016
Model Clauses and the Privacy Shield – where you stand
On 12 July 2016, after over two years of negotiations between the EU and the US, the European Commission adopted the Privacy Shield. The Privacy Shield became effective immediately, with companies being able to self-certify with the US Department of Commerce from 1 August 2016.
European data protection regulators have been attempting for a number of years to address the issue of protecting EU citizens' privacy when data is transferred outside the EU. Agreement was finally reached between the EU and US on 12 July 2016 and the Privacy Shield is now in operation.
The Privacy Shield, though the subject of significant criticism by the Article 29 Working Party ("WP29") and the European Data Protection Supervisor ("EDPS") before its implementation, introduces a number of improvements to the Safe Harbor framework, including the following:
In April 2016 the WP29 expressed its concern about the Privacy Shield and particularly the possibility of "massive and indiscriminate" bulk collection of EU citizens' data by the US authorities. The WP29's opinion was seen as effectively rejecting the Privacy Shield, with WP29 regulators stating that they were not in a position to confirm that the provisions of the Privacy Shield provided adequate levels of data protection to personal data transferred to the US. Following the publication of the WP29's opinion, a number of amendments were made to the Privacy Shield to take into account their and the EDPS's concerns.
The WP29 ultimately released a statement on 26 July 2016, endorsing the Privacy Shield, but noting that it still had concerns, particularly in relation to the protections around the processing of automated data and the general right to object to processing. The WP29 stated, however, that the EU and US's first joint annual review of the Privacy Shield will be a key point at which the robustness and efficiency of the Privacy Shield can be assessed.
As of August, only 103 companies have signed up to the Privacy Shield agreement—representing a fraction of the 5,526 signatories to the defunct Safe Harbor framework. The only well-known tech names on the list are Microsoft and Salesforce with Facebook, Google, Apple, and Twitter yet to adopt Privacy Shield. We understand that the Department of Commerce is currently reviewing the privacy policies of a further 190 firms that want to sign up and that an additional 250 companies are in the process of submitting their applications.
In addition to the Privacy Shield, companies also have the option of using Model Clauses with their US parent companies in order to justify data transfers.
However, there have been concerns that Model Clauses will not withstand a legal challenge as they do not offer suitable redress to EU citizens who feel that their rights have been impinged. The logic is that no contractual clause between parties can adequately protect a data subject if the US (or any state) chooses to 'overreach' in a manner that is contrary to European ideals of privacy.
The ODPC made an application before the Commercial Court of Ireland in May 2016 to have the matter referred to the CJEU to determine the legal status of data transfers under Model Clauses. Subsequently, the Commercial Court heard a number of applications by various third parties to be joined as amicus curiae ("friends of the court") to the case. Four of those third parties, including the US Government, were successful in their application. A trial date for the full hearing of the case has been set for 7 February 2017.
Some commentators, including Mr Schrems himself, have concluded that Model Clauses are likely to suffer the same fate as the Safe Harbor framework and be struck down by the CJEU on the basis that they offer inadequate levels of protection in respect of US government monitoring.
In reality, however, it is likely to take two to three years before the CJEU determines the fate of Model Clauses. Furthermore, the CJEU ruling, if and when it comes, could have many nuances and is by no means certain to conclude that Model Clauses are invalid for all types of data transfers. The referral could provide an opportunity for the CJEU to specify less demanding criteria that the US surveillance practices and redress mechanisms must meet.
With the Privacy Shield now in operation, companies have another option available to them when it comes to facilitating the transfer of data outside of the EU. However, given the residual criticism of the Privacy Shield as enacted in August, it seems likely that there will be a challenge to it before long.
Companies wishing to avail of the Privacy Shield may do so by registering to be on the Privacy Shield list (the "Privacy Shield List"). It is a self-certification scheme, whereby the company wishing to be on the Privacy Shield List must make an annual submission to the US Department of Commerce that it meets the data protection requirements set out in the Privacy Shield. Companies wishing to transfer data to a US company should always ensure that that company is listed on the Privacy Shield List. If companies self-certify within 2 months of 1 August 2016, they will be given a nine-month grace period to bring existing data transfer arrangements into compliance with the law.
Until the CJEU makes a ruling as to the legality of Model Clauses, they too remain an acceptable method by which to transfer personal data outside of the EU. Organisations should however continue to remain alert for future developments.
Where organisations, such as financial service firms, cannot certify under the Privacy Shield, all organisations should nevertheless be aware when entering into arrangements with service providers that they may seek to rely on Privacy Shield certification in order to provide their services and that otherwise any transfers of data outside of the EEA should be governed by Model Clauses for the time being.
To read the ODPC's complete statement please click here.
To read the EDPS's complete statement please click here.