
Transfers of personal data - are Model Clauses now at risk?

The issue of lawfully transferring personal data to the United States has become problematic over the last 12 months.

The Court of Justice of the European Union's (CJEU) decision in Schrems v Irish Data Protection Commissioner last October saw Safe Harbor ruled unlawful, meaning any transfers of personal data to the US made under the Safe Harbor agreement breached the Data Protection Directive.

Max Schrems has now issued challenges to the other mechanisms that permit the transfer of personal data to the US. The Irish Data Protection Commissioner has announced that it will be referring a challenge to the legitimacy of model contractual clauses (Model Clauses) to the CJEU.

Model Clauses

As Safe Harbor's replacement, the EU – US Privacy Shield agreement, is not yet in place, most transfers of personal data to the US that had previously used the Safe Harbor were moved to Model Clauses. These are standard contractual terms that have been approved by the EU and permit the lawful transfer of personal data to countries outside the EEA, including the USA.  

What's the potential impact?

We believe there is a strong possibility that the Model Clauses could be rendered unlawful, on similar grounds to the rationale behind the judgment in the Safe Harbor decision.

However, there is no need for immediate concern.

The CJEU has not yet reached any judgment in respect of Model Clauses, and even if Model Clauses are found to provide insufficient safeguards for the individuals whose personal data is being transferred, member states' Data Protection Commissioners will be unlikely to rush to take enforcement action without any appropriate alternative mechanism.

It is most likely that the EU will be reviewing Model Clauses with a view to bringing them in line with the additional obligations imposed on data controllers and data processors under the General Data Protection Regulation (GDPR), and one would expect the EU to amend them to accommodate any judgment of the CJEU. 

However, as part of any organisation's preparations for the GDPR, it should review the data protection provisions in contracts with third parties. Where personal data is being transferred outside the EEA, such a review should take into account the likelihood of changes to the Model Clauses.

Get ready for the GDPR

For more detail on the changes, what they mean in practice and what you can do to prepare, download our guide to the GDPR and join us at one of our GDPR roadshows in Manchester, Bristol and London.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.

