Model Clauses Update: Facebook’s appeal to stop the Irish High Court’s referral to ECJ on standard contractual clauses is dismissed – are they now less attractive as a transfer mechanism?
On 3 October 2017, the Irish High Court decided to refer questions relating to the validity of the standard contractual clauses to the ECJ. This followed the complaint by Maximilian Schrems to the Irish Data Protection Commissioner that Facebook's transfer of his personal data from Ireland to the US using standard contractual clauses did not afford his personal data an adequate level of protection.
Facebook was granted leave to appeal this decision back in July 2018. However, the Irish Supreme Court has now dismissed Facebook's attempt to stop the Irish High Court referring such questions on the validity of the standard contractual clauses to the ECJ.
It will now be for the ECJ to determine the validity of standard contractual clauses. Currently both the Privacy Shield and standard contractual clauses present viable solutions for a lawful transfer mechanism when transferring personal data outside the EEA. We explore the legal background to this below and what it will mean if standard contractual clauses are found to be incompatible with EU law.
Legal Background
The GDPR contains a prohibition on controllers and processors transferring personal data outside the European Economic Area (EEA) unless an adequate level of protection for the rights and freedoms of the relevant data subjects can be ensured.
Model Clauses
There will be adequate protection where the transfer is carried out in accordance with the model contracts adopted by the European Commission which provide standard wording for both the transfer of data to a controller established outside the EEA (adopted in 2004) and the transfer of data to a data processor established outside the EEA (adopted in 2010) (together the “Model Clauses”).
This means that transfers made on the basis of an agreement incorporating the Model Clauses are deemed to be made in a manner that ensures adequate safeguards for the rights and freedoms of data subjects.
Model Clauses are often perceived to be an attractive solution given that they are relatively straightforward to put in place. Their key advantage (with respect to both intra-group and third party data transfers) is that they are freely available and, as a standard document, require little to no negotiation, since amendments are not permitted.
The disadvantage of the regime is that it lacks flexibility, particularly in the case of intra-group data transfers where, realistically, the parties are unlikely to take substantive steps to remedy contractual breaches. This risks the data importer simply failing to comply with the mechanism’s more cumbersome requirements. Moreover, if data flows are likely to evolve over time, the agreements may require updating.
Privacy Shield
There are alternative methods of achieving adequate protection for certain jurisdictions.
In the US, organisations have the option of ‘self-certifying’ with the US Dept of Commerce as Privacy Shield Certified and making a corresponding ‘public declaration’ (likely included in the relevant privacy policy). The Privacy Shield only applies to transfers of personal data from the EEA to the US.
The advantage of the regime is that it is relatively straightforward to get the certification, and it requires little substantive involvement from the relevant EEA-based entity from which the data is transferred, other than receiving an assurance from the US data controller or processor that it has entered into the Privacy Shield regime.
The principal disadvantage of Privacy Shield is that it exposes a US data controller or processor to potential regulatory supervision from another body (i.e. the US Dept of Commerce), which some businesses prefer to avoid.
Adequacy Decision
A transfer of personal data to a third country or an international organisation outside the EEA may also take place if the European Commission has decided that the third country, a territory or one or more specific sectors within that third country, or the international organisation ensures an adequate level of protection.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.
This is clearly the most attractive transfer solution for data controllers, although one over which they have no control (it's either available or it isn't).
Other Alternatives
The GDPR also introduced two new types of appropriate safeguards that were not included in the Data Protection Directive regime:
- Approved codes of conduct: EU controllers and processors may transfer personal data to third countries under an approved code of conduct. In practice, this means that associations and other bodies representing certain categories of controllers or processors are encouraged to prepare codes of conduct that would then be subject to approval by the competent national supervisory authority.
- Transfers using an approved certification mechanism: Under the GDPR, the member states, the national supervisory authorities, the EDPB and the Commission must encourage the establishment of certification mechanisms and privacy seals that would allow controllers and processors to demonstrate their compliance with the GDPR.
To date neither of these mechanisms for the adoption of appropriate safeguards has been implemented into the UK data protection regime.
It is worth noting here that Binding Corporate Rules can be used as a lawful transfer mechanism for intra-group transfers.
Comment
Model Clauses are commonly used as one of, if not “the”, primary lawful transfer mechanisms for data transfers outside the EEA. The ECJ’s determination of the validity of Model Clauses will be hotly anticipated by the many organisations that rely on them for international data transfers.
A new data transfer mechanism may be required if Model Clauses are found to be incompatible with EU law. We may therefore see concentrated efforts from national regulators to roll out the new types of appropriate safeguard mechanisms which were introduced by the GDPR but are not yet generally in use.
A hearing date for the ECJ’s review of questions relating to the validity of Model Clauses is set for 9 July 2019 in Luxembourg.
For more information please contact Jonathan McDonald on +44 (0)20 7427 6725 or at jonathan.mcdonald@crsblaw.com, or Christina Fleming on +44 (0)20 7427 1022 or at christina.fleming@crsblaw.com.