Also known as 'model clauses', they are entered into between data controllers based in the European Union and data controllers or data processors based outside the EU. They act as a mechanism to enable the safe transfer of personal data to places outside of the EU whilst complying with EU data protection laws.
The EU Data Protection Directive, and the General Data Protection Regulation which comes into force from 25 May 2018, prohibits transfers of personal data outside of the EU unless one of a number of possible options are chosen. One is if the transfer is to a country that provides adequate data protection laws, but not many countries have been deemed adequate by the European Commission. Another option is to use the model clauses, which were developed by the European Commission.
Max Schrems, the privacy campaigner, successfully brought a case that challenged a key mechanism for transfer of personal data to the US from the EU - called Safe Harbor. After Safe Harbor was deemed invalid as a mechanism following Schrems' challenge, it was replaced by a new system called Privacy Shield. Doubts exist around that mechanism too, in light of the scope of access that US intelligence agencies may make to the personal data, in addition to doubts over whether there are sufficient safeguards and redress procedures in place.
Now, Schrems has challenged Facebook in the Irish High Court over the use of model clauses as a mechanism. As a result, the Irish High Court has decided to refer questions to the ECJ to rule whether model clauses are a valid mechanism for transfers. The referral does not in itself mean that data transfers using the model clauses are invalid, but the current model clauses may be deemed to be so if the ECJ rules as such. The case is therefore extremely important, as the legality of billions of pounds of international trade rides on it.
Since the Safe Harbor ruling, there has already been discussion as to whether model clauses offer sufficient protection for international data transfers. This ruling will now bring matters to a head.
If you allow any personal data to be processed outside of the EU, you will need to watch this case carefully and plan accordingly.
If the current model clauses are deemed to be invalid, this will have major repercussions for international data flows, as organisations will either need to ensure that the personal data is processed only in the EU or another country deemed to be safe, or they will need to find another mechanism to enable the safe transfer.