Ireland - Transferring data from the EU to the US – is there a right way?
Published 21 June 2016
Model Clauses and Privacy Shield Under Further Scrutiny as the US Government seeks to be joined to proceedings in Ireland
Further to the opinion issued by the Article 29 Working Party (WP29) in April 2016 on Privacy Shield, which we discuss in more detail here, and following its continued investigation of EU - US transfers, on 25 May 2016 the Office of the Data Protection Commissioner in Ireland ("ODPC") announced that it intended to make an application to the Irish High Court to determine the legal status of Standard Contractual Clauses (also known as "Model Clauses"). In the same week, on 30 May 2016, the European Data Protection Supervisor ("EDPS") indicated that the so called 'Privacy Shield' (intended to replace the Safe Harbor framework) needed "significant improvements" in order to withstand future legal scrutiny.
The ODPC issued proceedings against Facebook Ireland and Max Schrems on 31 May 2016. During its application to have the matter transferred to the Commercial Court (an arm of the High Court which deals with high value or urgent cases) the ODPC informed the Court that the matter was urgent and that they would be making an application to have the proceedings referred to the Court of Justice of the European Union ("CJEU"). At the same time, a number of parties including the US Government, the American Chamber of Commerce, Business Software Alliance and Irish Business and Employers Confederation (IBEC), expressed an interest in being joined to the proceedings as amicus curiae (friends of the court). The Court admitted the matter to the Commercial list and agreed to hear the ODPC's application for a referral to the CJEU on 27 June 2016 together with any application by interested parties to be joined to the proceedings. As things currently stand, there is no doubt that this is a very challenging time for companies that wish to transfer personal data from the EU to the US. This issue no longer just concerns large companies such as Facebook, Microsoft and Linkedin (all with their European headquarters in Ireland) transferring personal data to their US parent companies. More and more Irish companies are using, for example, cloud storage and data processing facilities based in the US which require personal data (of individuals living in the EU) to be transferred to that US company. It is imperative, therefore, that certainty is provided in this area.
Safe Harbor was an EU-US agreed framework whereby US companies receiving personal data were bound by certain data protection principles intended to provide an adequate level of protection for EU citizens. However, transfers of Europeans' personal data to the US became a hot topic in 2013 following revelations about mass US surveillance programmes (such as Prism) which allowed US authorities to harvest personal data of EU citizens directly from large tech companies such as Facebook and Google.
In 2013, Austrian privacy activist Max Schrems made a complaint against Facebook Ireland to the ODPC. The essence of Schrems' argument was that Safe Harbor violated his data protection rights, failed to provide adequate safeguards in relation to his personal data and that Facebook Ireland should be immediately prevented from transferring his data to the US. The matter went before the CJEU which ultimately repealed the Safe Harbour framework on the basis that it did not ensure an adequate level of data protection compatible with the protection of privacy and the fundamental rights and freedom of individuals in the EU. As a direct result of the CJEU decision, the transfer of personal data under the Safe Harbor regime is now prohibited.
Almost immediately after the CJEU's decision in the Schrems case, many organisations that had relied on the Safe Harbor framework entered into Model Clauses with their US parent companies in order to justify data transfers. The use of Model Clauses allowed companies to carry on their business as usual, despite the Schrems decision and the striking down of the Safe Harbor framework.
However, there have been concerns that Model Clauses will not withstand a legal challenge as they do not offer suitable redress to EU citizens who feel that their rights have been impinged. The logic is that no contractual clause between parties can adequately protect a data subject if the US (or any state) chooses to 'overreach' in a manner that is contrary to European ideals of privacy.
On 27 June, the ODPC will be making an application before the Irish Commercial Court to have this matter referred to the CJEU to determine the legal status of data transfers under Model Clauses. Some commentators, including Mr Schrems himself, have concluded that Model Clauses are likely to suffer the same fate as the Safe Harbor framework and be struck down by the CJEU on the basis that they offer inadequate levels of protection in respect of US government monitoring.
In response to the ODPC's announcement, a spokesman for Facebook said: "Thousands of companies transfer data across borders to serve their customers and users. The question the Irish DPC plans to raise with the court regarding Standard Contract Clauses will be relevant to many companies operating in Europe…Facebook has other legal methods in place to transfer data between countries."
Following the ODPC's application, Mr Schrems welcomed the US government's application to be joined as an amicus curiae stating “This may be a unique opportunity for us. I therefore very much welcome that the US government will get involved in this case. This is a huge chance to finally get solid answers in a public procedure”.
European data protection regulators have been attempting to address this issue with the proposed Privacy Shield Agreement. It is clear, however, that negotiations are going more slowly than planned. The Privacy Shield, though the subject of significant criticism by the Article 29 Working Party and the EDPS, proposed a number of improvements to the Safe Harbor framework, including the following:
- The US would create an ombudsman to handle complaints from EU citizens about access to their personal data;
- The US Office of the Director of National Intelligence would give written commitments that Europeans' personal data will not be subject to mass surveillance; and
- The EU and US would conduct an annual review to check the new system is working properly.
However, notwithstanding those additional safeguards, both the Article 29 Working Party and the European Parliament have called for further improvements to the proposal to better safeguard EU citizens' right to privacy. In April 2016, the Article 29 Data Protection Working Party said it was still concerned about the possibility of "massive and indiscriminate" bulk collection of EU citizens' data by the US authorities. The opinion was seen as effectively rejecting Privacy Shield, with WP29 regulators stating that they are not in a position to confirm that the provisions of the Privacy Shield provide adequate levels of data protection to personal data transferred to the US. Its opinion expressed a range of concerns, listing a number of areas where clarification is required, including the following:
- The WP29 commended the insertion of key definitions, the mechanisms set up to ensure the oversight of Privacy Shield list and the mandatory external and internal reviews of compliance, but highlighted their strong concerns on both the commercial aspects and the access by public authorities to data transferred under Privacy Shield.
- Regarding the commercial aspects of Privacy Shield, of particular concern to the WP29 was the failure of Privacy Shield to provide express data retention provisions, the failure to provide a sufficiently robust onward data transfer system where data is flowing to a third country and the inadequate redress provisions in the US for EU citizens, where an EU citizen feels their data was misused.
- Of further concern to the WP29 is the possibility of access by public authorities to data transferred under Privacy Shield. The WP29 stated that it regretted that the representations of the US Office of the Director of National Intelligence did not provide sufficient details in order to exclude the widespread and indiscriminate collection of personal data originating from the EU.
More recently, in May 2016, the EDPS has echoed those concerns. In a statement the EDPS said "Significant improvements are needed…to respect the essence of key data protection principles". The statement went on to say that the Privacy Shield agreement needed to provide "adequate protection against indiscriminate surveillance" and "obligations on oversight, transparency, redress and data protection rights".
It is likely to take two to three years before the CJEU determines the fate of Model Clauses. Furthermore, the CJEU ruling, if and when it comes, could have many nuances and is by no means certain to conclude that Model Clauses are invalid for all types of data transfers. However the decision by the ODPC to seek to have the matter referred to the CJEU will undoubtedly put further pressure on EU/US negotiators to find an acceptable political solution that meets the CJEU requirements in the first Schrems decision. The referral could also provide an opportunity for the CJEU to specify less demanding criteria that the US surveillance practices and redress mechanisms must meet.
As discussed above, in the meantime there is much work taking place with the aim of facilitating EU/US transfers and cross border transfers more generally, including the discussions around the Umbrella agreement, and a recent call by EU Member States for the removal of barriers to the free flow of data both within the EU and outside of it.
In any case, there are certainly interesting times ahead; the CJEU's ruling will have a significant impact on the future of personal data transfers outside of the EU. If Model Clauses are found to be invalid, we can only hope that a more robust Privacy Shield Agreement will be in place by then.
Until the CJEU makes a ruling as to the legality of Model Clauses, they remain an acceptable method by which to transfer personal data outside of the EU. Therefore, if you are using Model Clauses, there is no need to take any immediate action at this time. Model Clauses continue to remain the least onerous export route if other derogations (e.g., the data subject consents or the transfer is necessary for the performance of a contract) are not available. Practitioners and businesses should continue to remain alert for future developments.
In the meantime, we will continue to track this challenge and the results of the Article 31 Committee vote on whether the Commission will adopt the EU/US Privacy Shield as presented by the Commission or as amended as a result of the current EU/US discussions. This committee, made up of EU Member State representatives, must approve the EU/US Privacy Shield before the Commission can adopt it. It is scheduled to meet on 6 and 20 June 2016 and a vote could be taken at either of these meetings or, perhaps, not at all.
To read the ODPC's complete statement please click here.
To read the EDPS complete statement please click here.
Submitted by Rowena McCormack, Associate and Charlotte Burke, Solicitor - DAC Beachcroft Dublin