The Irish High Court is to ask the EU Court of Justice to review the validity of a system that allows businesses to send personal data out of the EEA. Pending a decision from the EU court, businesses can continue to export personal data using the ‘model clause’ framework, but they should be prepared for the risk that the clauses could be struck down.
Under EU law, personal data - data that could identify a living person - may not be transferred outside the EEA to countries without ‘adequate’ data protection laws. Privacy advocates have been particularly concerned about data transfers to the US, because of the US government’s mass surveillance of communications. The US ‘Safe Harbor’, a self-certification scheme allowing US businesses to receive data from Europe, was struck down by the EU court in 2015. This followed a complaint by Austrian student Max Schrems that, by using Safe Harbor, Facebook was not adequately protecting EU users’ personal data from US surveillance.
In 2016, the ‘Privacy Shield’ scheme replaced the Safe Harbor. However, many businesses had to rely on the model clauses in the interim and many still prefer them as a mechanism for exporting personal data. Indeed, many business models rely on the clauses - which have EU Commission approval - to transfer data intra-group and to third parties. The latest decision also arises out of the Schrems complaint: the Irish data protection commissioner had asked the Irish court to ask the EU court to review the clauses’ validity, on the basis that EU citizens whose data is sent to the US don’t have adequate privacy remedies.
A ruling from the EU court is likely to take many months, so today’s decision isn’t cause for alarm just yet. But businesses should keep an eye on developments and keep their data transfer mechanisms under review.
Many business models rely on the model clauses to transfer data intra-group and to third parties.