On May 25, 2016, Austrian law student Max Schrems issued a press release stating that he has been informed that the Irish Data Protection Commissioner (DPC) is planning to refer a question to the Court of Justice of the European Union (CJEU) as to whether the EU model clauses remain a valid data transfer mechanism to the US, given the issues raised by the CJEU in its Schrems v. Facebook ruling last October, on mass surveillance of communication by US intelligence agencies and the lack of legal redress where this is disproportionate for EU data subjects. Such a referral would require the DPC to seek a declaratory judgement in the Irish High Court, which would in turn request a ruling from the CJEU.
We do not know the exact terms of the question that is being referred at this stage.
As unwelcome as this latest challenge is for organisations whose operations rely on personal data flows to the US, there is a certain inevitability about it following the Article 29 Working Party’s negative reaction to the EU/US Privacy Shield, the proposed replacement to the US/EU Safe Harbor Agreement, which was invalidated by the Schrems ruling. The referral will put further pressure on the EU/US negotiators to find an acceptable political solution that meets the CJEU requirements in the first Schrems decision. The referral also could provide an opportunity for the CJEU to specify less demanding criteria that the US surveillance practices and redress mechanisms must meet.
The CJEU ruling, if and when it comes, could have many nuances and is by no means certain to conclude that EU model clauses are invalid for all types of data transfers. In the meantime, use of the EU model clauses (together with compliance with local prior authorisation and data subject notice requirements) will remain a valid export method to the US and other non-EEA countries which have not been deemed to have adequate data protection regimes. They also remain the least onerous export route if other derogations (e.g., the data subject has consented or the transfer is necessary for the performance of a contract) are not available.
We will be tracking this challenge and the results of the Article 31 Committee vote on whether the Commission will adopt the EU/US Privacy Shield as presented by the Commission or as amended as a result of the current EU/US discussions. This committee, made up of EU Member State representatives, must approve the EU/US Privacy Shield before the Commission can adopt it. It is scheduled to meet on June 6th and 20th and a vote could be taken at either of these meetings or not taken at all.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.