Model Clauses Update: Facebook’s appeal to stop the Irish High Court’s referral to ECJ on standard contractual clauses is dismissed – are they now less attractive as a transfer mechanism?
On 3 October 2017, the Irish High Court decided to refer questions relating to the validity of the standard contractual clauses to the ECJ. This followed the complaint by Maximilian Schrems to the Irish Data Protection Commissioner that Facebook's transfer of his personal data from Ireland to the US using standard contractual clauses did not afford his personal data an adequate level of protection.
Facebook was granted leave to appeal this decision back in July 2018. However, the Irish Supreme Court has now dismissed Facebook's attempt to stop the Irish High Courts referring such questions on the validity of the standard contractual clauses to the ECJ.
It will now be for the ECJ to determine the validity of standard contractual clauses. Currently both the Privacy Shield and standard contractual clauses present viable solutions for a lawful transfer mechanism when transferring personal data outside the EEA. We explore the legal background to this below and what it will mean if standard contractual clauses are found to be incompatible with EU law.
Legal Background
The GDPR contains a prohibition on controllers and processors transferring personal data outside the European Economic Area (EEA) unless an adequate level of protection for the rights and freedoms of the relevant data subjects can be ensured.
Model Clauses
There will be adequate protection where the transfer is carried out in accordance with the model contracts adopted by the European Commission which provide standard wording for both the transfer of data to a controller established outside the EEA (adopted in 2004) and the transfer of data to a data processor established outside the EEA (adopted in 2010) (together the “Model Clauses”).
This means that transfers made on the basis of an agreement incorporating the Model Clauses are deemed to be made in a manner that ensures adequate safeguards for the rights and freedoms of data subjects.
Model Clauses are often perceived to be an attractive solution given that they are relatively straightforward to put in place. The key advantage of them (with respect to both intra-group and third party data transfers) is that they are freely available and, as a standard document little to no negotiation is required, as amendments are not permitted.
The disadvantage of the regime is that it lacks flexibility, particularly in the case of intra-group data transfers where, realistically, the parties are unlikely to take substantive steps to remedy contractual breaches. This risks the data importer simply failing to comply with the mechanism’s more cumbersome requirements. Moreover, if data flows are likely to evolve over time, the agreements may require updating.
Privacy Shield
There are alternative methods of achieving adequate protection for certain jurisdictions.
In the US, organisations have the option of ‘self-certifying’ with the US Dept of Commerce as Privacy Shield Certified and making a corresponding ‘public declaration’ (likely included in the relevant privacy policy). The Privacy Shield only applies to transfers of personal data from the EEA to the US.
The advantages of the regime is that it’s relatively straightforward to get the certification, and requires little substantive involvement from a relevant EEA based entity from which the data is transferred, other than receiving an assurance from the US data controller or processor that it had entered into the Privacy Shield regime.
The principle disadvantage of Privacy Shield is that it exposes a US data controller or processor to potential regulatory supervision from another body (i.e. the US Dept of Commerce), which some businesses prefer to avoid.
Adequacy Decision
A transfer of personal data to a third country or an international organisation outside the EEA may also take place if the European Commission has decided that the third country, a territory or one or more specific sectors within that third country, or the international organisation ensures an adequate level of protection.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.
This is clearly the most attractive transfer solution for data controllers, although one which they have no control over (its either available or it isn’t).
Other Alternatives
The GDPR also introduced two new types of appropriate safeguards that were not included in the Data Protection Directive regime:
- Approved code of conducts whereby EU controllers and processors may transfer personal data to third countries under an approved code of conduct. In practice, this means that associations and other bodies representing certain categories of controllers or processors are encouraged to prepare codes of conduct that would then be subject to approval by the competent national supervisory authority.
- Transfers using an approved certification mechanism: Under the GDPR, the member states, the national supervisory authorities, the EDPB and the Commission must encourage the establishment of certification mechanisms and privacy seals that would allow controllers and processors to demonstrate their compliance with the GDPR.
To date neither of these mechanisms for the adoption of appropriate safeguards have been implemented into the UK data protection regime.
It worth noting here that Binding Corporate Rules can be used as a lawful transfer mechanism for intra-group transfers.
Comment
Model Clauses are commonly used as one of, if not “the”, primary lawful transfer mechanism used for data transfers outside the EEA. The ECJ’s determination of the validity of Model Clauses will be hotly anticipated by the many organizations that rely on them for international data transfers.
A new data transfer mechanism may be required if Model Clauses are found to be incompatible with EU law. We may therefore see concentrated efforts from national regulators to roll out new types of appropriate safeguard mechanisms which were introduced by the GDPR but not yet in generally in use.
A hearing date for the ECJ’s review of questions relating to the validity of Model Clauses is set for 9 July 2019 in Luxembourg.
For more information please contact Jonathan McDonald on +44 (0)20 7427 6725 or at jonathan.mcdonald@crsblaw.com, or Christina Fleming on +44 (0)20 7427 1022 or at christina.fleming@crsblaw.com.
Our thinking
Charity Training: Digital Transformation in the Charity Sector (Session 2)
We would be delighted if you could join us for the second session in our new series of bite-size webinars for charities.
Charity Training Webinar Series: Brand Protection (Session 1)
We would be delighted if you could join us for the first in our new series of bite-size webinars for charities.
Rose Carey
The UK’s New Skilled Worker & Intra-Company Visa Routes: a closer look
Taking a closer look at the UK’s new visas to assist UK businesses.
Daniel Sullivan
Charles Russell Speechlys advises Duke Royalty on increasing and extending its revolving credit facility agreement
London listed Duke Royalty was founded in 2015 and is the leading provider of royalty finance to companies in the UK and Europe.
Julie Sharpe
Explore your Options: Top 10 Tips with Option Agreements
Providing you with the top ten tips with option agreements - what should you know?
Paul Stone
Focus Antitrust - 14 April 2021
This week's competition update.
James Scott
ESG – Searching for substance behind the acronym
ESG is an acronym much used but perhaps less understood.
Mark Rowden
EWS1 Forms - the latest episode
RICS have now published their highly anticipated guidance on when EWS1 forms will be required.
Laura Bushaway
Q&A: Am I insured for COVID-19?
Laura Bushaway writes for Estates Gazette on a recent claim under the “disease clause” of business interruption policy.
Paul Stone
Focus Antitrust - 7 April 2021
This week's competition update.
Rahim Hirji
No ticket, no merger: Viagogo and StubHub are one step closer to merging but must satisfy the CMA’s conditions
The £3.2bn acquisition of online ticketing company Stubhub by one of its competitors, Viagogo is one step closer to being finalised.
Simon Ridpath
The Purpose Podcast: Corporate purpose
Simon Ridpath discusses corporate purpose and the rise of environmental, social and governance (ESG) issues in “The Purpose Podcast”
Paul Henty
Client alert: Construction under competition law spotlight
We outline the three investigations which have either recently concluded or are ongoing together with what this means for businesses.
Paul Stone
Focus Antitrust - 31 March 2021
This week's competition update.
Emma Humphreys
Looking beyond the benefitted land: confirmation that an objector’s wider property may be considered in applications to discharge/modify restrictive covenants
Read our recent case study on applicants who were prevented from developing a new house due to a restrictive covenant covering their land.
Lauren Fraser
Further extension of coronavirus restrictions affecting residential properties: Where are we now?
The extension will be implemented from and including 31 March 2021 by the Coronavirus Act 2020.
Thomas Moran
Knight Frank Wealth Report: The Global Perspective on Prime Property & Investment
Knight Frank partners joined Charles Russell Speechlys for a virtual panel-led discussion on the Knight Frank Wealth Report
Daniel Moore
Case Study: One Blackfriars Limited
An informative and positive judgment for administrators selling high-value property in distressed and complex scenarios.
James Worthington
Keeping Up With Construction: Handover at Practical Completion - Practical Pointers
Practical tips for the handover of a successful project.
Paul Arathoon
Charles Russell Speechlys advises on Trident Royalties’ US$28m Placing
Trident Royalties plc is a growth-focused mining royalty and streaming company.