On 3 October 2017, the Irish High Court decided to refer questions relating to the validity of the standard contractual clauses to the ECJ. This followed the complaint by Maximilian Schrems to the Irish Data Protection Commissioner that Facebook's transfer of his personal data from Ireland to the US using standard contractual clauses did not afford his personal data an adequate level of protection.

Facebook was granted leave to appeal this decision back in July 2018. However, the Irish Supreme Court has now dismissed Facebook's attempt to stop the Irish High Courts referring such questions on the validity of the standard contractual clauses to the ECJ.

It will now be for the ECJ to determine the validity of standard contractual clauses. Currently both the Privacy Shield and standard contractual clauses present viable solutions for a lawful transfer mechanism when transferring personal data outside the EEA. We explore the legal background to this below and what it will mean if standard contractual clauses are found to be incompatible with EU law.

Legal Background

The GDPR contains a prohibition on controllers and processors transferring personal data outside the European Economic Area (EEA) unless an adequate level of protection for the rights and freedoms of the relevant data subjects can be ensured.

Model Clauses

There will be adequate protection where the transfer is carried out in accordance with the model contracts adopted by the European Commission which provide standard wording for both the transfer of data to a controller established outside the EEA (adopted in 2004) and the transfer of data to a data processor established outside the EEA (adopted in 2010) (together the “Model Clauses”).

This means that transfers made on the basis of an agreement incorporating the Model Clauses are deemed to be made in a manner that ensures adequate safeguards for the rights and freedoms of data subjects.

Model Clauses are often perceived to be an attractive solution given that they are relatively straightforward to put in place. The key advantage of them (with respect to both intra-group and third party data transfers) is that they are freely available and, as a standard document little to no negotiation is required, as amendments are not permitted.

The disadvantage of the regime is that it lacks flexibility, particularly in the case of intra-group data transfers where, realistically, the parties are unlikely to take substantive steps to remedy contractual breaches. This risks the data importer simply failing to comply with the mechanism’s more cumbersome requirements. Moreover, if data flows are likely to evolve over time, the agreements may require updating.

Privacy Shield

There are alternative methods of achieving adequate protection for certain jurisdictions.

In the US, organisations have the option of ‘self-certifying’ with the US Dept of Commerce as Privacy Shield Certified and making a corresponding ‘public declaration’ (likely included in the relevant privacy policy). The Privacy Shield only applies to transfers of personal data from the EEA to the US.

The advantages of the regime is that it’s relatively straightforward to get the certification, and requires little substantive involvement from a relevant EEA based entity from which the data is transferred, other than receiving an assurance from the US data controller or processor that it had entered into the Privacy Shield regime.

The principle disadvantage of Privacy Shield is that it exposes a US data controller or processor to potential regulatory supervision from another body (i.e. the US Dept of Commerce), which some businesses prefer to avoid.

Adequacy Decision

A transfer of personal data to a third country or an international organisation outside the EEA may also take place if the European Commission has decided that the third country, a territory or one or more specific sectors within that third country, or the international organisation ensures an adequate level of protection.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.

This is clearly the most attractive transfer solution for data controllers, although one which they have no control over (its either available or it isn’t).

Other Alternatives

The GDPR also introduced two new types of appropriate safeguards that were not included in the Data Protection Directive regime:

• Approved code of conducts whereby EU controllers and processors may transfer personal data to third countries under an approved code of conduct. In practice, this means that associations and other bodies representing certain categories of controllers or processors are encouraged to prepare codes of conduct that would then be subject to approval by the competent national supervisory authority.
• Transfers using an approved certification mechanism: Under the GDPR, the member states, the national supervisory authorities, the EDPB and the Commission must encourage the establishment of certification mechanisms and privacy seals that would allow controllers and processors to demonstrate their compliance with the GDPR.

To date neither of these mechanisms for the adoption of appropriate safeguards have been implemented into the UK data protection regime.
It worth noting here that Binding Corporate Rules can be used as a lawful transfer mechanism for intra-group transfers.

Comment

Model Clauses are commonly used as one of, if not “the”, primary lawful transfer mechanism used for data transfers outside the EEA. The ECJ’s determination of the validity of Model Clauses will be hotly anticipated by the many organizations that rely on them for international data transfers.

A new data transfer mechanism may be required if Model Clauses are found to be incompatible with EU law. We may therefore see concentrated efforts from national regulators to roll out new types of appropriate safeguard mechanisms which were introduced by the GDPR but not yet in generally in use.

A hearing date for the ECJ’s review of questions relating to the validity of Model Clauses is set for 9 July 2019 in Luxembourg.

 For more information please contact Jonathan McDonald on +44 (0)20 7427 6725 or at jonathan.mcdonald@crsblaw.com, or Christina Fleming on +44 (0)20 7427 1022 or at christina.fleming@crsblaw.com.