International data flows between the U.S. and EU may have taken yet another hit late Tuesday with news that the Irish Data Protection Commissioner is planning to refer a case to the Court of Justice of the European Union to determine whether Facebook can use standard contractual clauses, also often called model clauses, to transfer data out of the EU.
After the court invalidated the Safe Harbor arrangement between the U.S. and EU in October 2015, Facebook – like many other companies – switched to standard contractual clauses as the new basis for transfer of EU user data out of the region and to the United States. Since the proposed Privacy Shield framework is still not approved, companies needing to transfer EU citizens' data to the U.S. are generally relying on model clauses and binding corporate rules.
At issue, as it was with the case invalidating Safe Harbor, is that the legal basis for transferring the data under model clauses does not prevent mass surveillance by U.S. intelligence authorities. According to a press release from Europe-v-Facebook, the Max Schrems-led group that brought both the Safe Harbor and current complaint to the Irish DPA, “Under current CJEU case law, it is highly unlikely that Facebook Ireland could … continue sharing data with the U.S. authorities.”
If the case does make it to the high court, and model clauses are found to be invalid, the fate of the Privacy Shield could be in jeopardy as well.
In a statement, Schrems said he had received a draft decision by the Irish DPC and that the agency “is intending to file the necessary proceedings with the Irish courts within the next days.” He said his group “will engage in the procedure as a party,” but that details about the case “are not clear yet, as the DPC did not provide us with the evidence, submissions, or documents before it.”
In a statement provided to The Privacy Advisor, the Irish DPC said, “We continue to thoroughly and diligently investigate Mr. Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr. Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”
A Facebook spokesperson told The Privacy Advisor, “Thousands of companies transfer data across borders to serve their customers and users. The question the Irish DPC plans to raise with the court regarding Standard Contractual Clauses will be relevant to many companies operating in Europe. While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish Data Protection Commission in its investigation. Standard Contractual Clauses remain valid, and Facebook has other legal methods in place to transfer data between countries.”
Schrems said this “is a very serious issue for the U.S. tech industry,” adding, “I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence” of what he called “far-reaching U.S. surveillance ... All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution that they came up with.”
Hogan Lovells Partner Eduardo Ustaran, CIPP/E, said the news is not entirely surprising. “The EU regulators have so far been coy at publicly criticizing model clauses," he said, "but in their hearts they know that the level of protection contracts provide is not higher than that provided by the Privacy Shield, for example.”
Ustaran continued, emphatically adding, “The prospect of the standard contractual clauses being declared invalid is the Armageddon of lawful global data flows.”
Outside of leaving the marketplace, the last options for companies would be BCRs or individual consent. The former is expensive, takes time, and is not necessarily an option for small companies. The latter, according to Ustaran, will be attempted “and no doubt over used.” Ustaran also said that BCRs are “seen as the gold standard of global privacy.”
“If they are not good enough, what is?”
Ustaran also warned that stopping global data flows “would be swimming against the current of the digital economy.”
News of the Irish DPC’s referral comes in the wake of other bad news for EU-U.S. data flows. Earlier this week, the European Data Protection Supervisor sided with the Article 29 Working Party and said he has “serious concerns” about Privacy Shield. To pile on, last week members of the Article 31 committee could not reach an agreement on Shield, saying they needed more time to reach a consensus.
With both SCCs and the Shield in a sort of limbo, uncertainty for data transfers between the EU and U.S. will remain for the time being. Whether this uncertainty will spread to BCRs, it’s too soon to tell. For Schrems, the answer resides in U.S. surveillance law: “As long as the U.S. does not substantially change its laws, I don’t see (how) there could be a solution.”