After Safe Harbor, Now Model Clause Validity under Threat
A key mechanism that enables organisations to do international business and transfer data outside of the European Economic Area may be under threat, casting doubt on the validity of sharing personal data with countries outside of Europe.
The Facts
In 2015, the European Court of Justice delivered a landmark ruling in the case of Max Schrems v the Irish Data Protection Commissioner, in which Schrems successfully challenged the validity of the Safe Harbor scheme.
Safe Harbor enabled personal data to be transferred from a party in the EU to one that was based in the US, and which signed up to and adhered to the terms of the Safe Harbor agreement that had been entered into between the European Commission and the US Department of Commerce in 2000.
Schrems had challenged Safe Harbor on the basis that Facebook's use of his data did not protect it adequately when it was in the US, and in particular given how Facebook could be compelled to disclose data to the US National Security Agency.
Under EU data protection law, personal data can only be transferred outside of the European Economic Area in certain circumstances. One such case is if the country of receipt has laws providing adequate protection. Another had been if it was a US-based organisation that signed up to Safe Harbor, but since October 2015 that is no longer valid.
Another common method has been the use of model contractual clauses that were published by the European Commission.
However, there are now question marks over the use of model contractual clauses, as Ireland's data protection commissioner has asked its country's High Court to refer questions to the European Court of Justice to determine whether those clauses are valid in light of the Schrems decision.
Comment
The response within the EU to the Schrems decision had been:
- for the European Commission to try to agree a new basis of data sharing with entities in the US - the Privacy Shield
- for organisations to rely on other methods that had not been declared invalid by the Schrems case such as model contractual clauses
However, the same arguments would seem to apply for model contractual clauses as applied to Safe Harbor. Use of model contractual clauses would therefore be risky.
While discussions over Privacy Shield have continued, a possible challenge to the model clauses have a wider reaching impact. Businesses that are involved in data sharing with places such as India and China have used the model contractual clauses in order to continue trading.
If that method does not provide adequate protection for data export, then businesses need to use an alternative method that does comply with EU data protection law.
This comes at a time of increased regulation and penalties, with the fines for data breach about to increase to up to 4% of annual global turnover or €20 million when the new EU data protection law - the General Data Protection Regulation - comes into force in May 2018.