Greetings from Brussels!
This week the Irish Data Protection Commissioner announced she will forward a complaint regarding Facebook’s transfer of EU users’ data to the U.S. to the Court of Justice of the European Union. Like many multinationals, Facebook has switched to standard contractual clauses as a mechanism for transferring EU user data out of Europe and to the United States, following the demise of Safe Harbour and without a finalized Privacy Shield to take its place. Max Schrems, who undid Safe Harbour, is again the complainant, arguing that model clauses, like Safe Harbour before them, offer no protection from the NSA's spying eyes.
Who can blame the companies for using model clauses? They simply can’t stay in limbo indefinitely due to political and legal stalemates. That said, this could be a significant move by the Irish, as it may well mean that model clauses also meet their demise when considered by the CJEU.
The commissioner has come to a preliminary view that Facebook’s mechanism for transferring data is not satisfactory in terms of the redress facilities open to EU citizens. In effect, the concern is that EU citizens would not be able to pursue an effective legal remedy in the event their rights were infringed by a U.S. public authority. This isn’t just about Facebook — it could be very bad news for many multinationals with a European presence.
In statements made Wednesday, the Data Protection Commissioner, Helen Dixon, said it would “continue to thoroughly and diligently investigate Mr. Schrems’ complaint to ensure the adequate protection of personal data.” Max Schrems in a statement of his own said, “There is no way the CJEU can say that model contracts are valid if they killed Safe Harbour based on the existence of these U.S. surveillance laws.” He added that if model contract clauses were to go, it would be huge for all industry, and the companies that rely on the clauses would face serious issues. A spokeswoman for Facebook alluded to the same conclusions, citing that thousands of companies use the model contract mechanism to transfer data.
Alarm bells are ringing everywhere.
In a non-legislative resolution passed on Thursday, the European Parliament said the European Commission should keep negotiating with the U.S. to remedy “deficiencies” in the proposed Privacy Shield protection for EU citizens’ data transferred to the U.S. for commercial purposes. MEPs welcome the efforts of the Commission and the U.S. administration to achieve "substantial improvements" in the Privacy Shield compared to the Safe Harbour decision that it is to replace.
The more notable deficiencies cited by the Parliament were the U.S. authorities' access to data, and the collection of bulk data without adequate “necessity” and “proportionality” as laid down in the EU Charter of Fundamental Rights. Other items questioned were the levels of independent powers afforded the new Ombudsperson function, as well as the complexity of the redress system, which was deemed to be neither user-friendly nor effective in the current draft framework.
Clearly it is the position of the Parliamentary majority — as it is the position of the European regulators — that there is still some way to go before the Privacy Shield can receive its endorsement. In the meantime, international companies can only make do with those mechanisms available. And should they fail, well, it’s anyone’s guess where the data goes from there!