Max Schrems toppled Safe Harbor – will the Model Clauses be next?
On Monday, the Irish Data Protection Commissioner announced that it intends to seek clarification on the legal status of the EU Standard Contractual Clauses (the Model Clauses).
As part of its ongoing investigation into privacy activist Schrems' complaint against Facebook, the Irish DPC will seek declaratory relief in the Irish High Court (and a referral to the CJEU) in order to determine the legal status of data transfers to the US under the Model Clauses.
Like many organisations that relied on Safe Harbor, almost immediately after the CJEU's decision in the Schrems cases, Facebook Ireland entered into a Model Clauses contract with its US parent in order to justify its data transfers to the US. This allowed Facebook to carry on with its business as usual, despite the Schrems decision.
However, even at the time, it was clear that the Schrems decision also raised questions about the validity of the Model Clauses - the logic being that no contractual terms between parties can adequately protect a data subject if the US (or any state) chooses to 'overreach' in a manner that is contrary to European ideals of privacy. The CJEU could therefore conclude that the Model Clauses are as flawed as Safe Harbor.
European data protection regulators have been attempting to address this issue with the proposed "Privacy Shield". But the negotiations on this are going more slowly than planned. Both the Article 29 Working Party and the European Parliament have called for further improvements to the proposals.
Meanwhile, the Model Clauses remain a valid justification to transfer personal data to the US (and to other countries outside the EEA) and there is no need to take any immediate action in respect of such transfers. However, the action of the Irish DPC will put additional pressure on the EU and the US to push through the Privacy Shield proposals, and in a way that meets all the standards set out by the CJEU in the Schrems decision.