Model Clauses Update: Facebook’s appeal to stop the Irish High Court’s referral to ECJ on standard contractual clauses is dismissed – are they now less attractive as a transfer mechanism?
On 3 October 2017, the Irish High Court decided to refer questions relating to the validity of the standard contractual clauses to the ECJ. This followed the complaint by Maximilian Schrems to the Irish Data Protection Commissioner that Facebook's transfer of his personal data from Ireland to the US using standard contractual clauses did not afford his personal data an adequate level of protection.
Facebook was granted leave to appeal this decision back in July 2018. However, the Irish Supreme Court has now dismissed Facebook's attempt to stop the Irish High Courts referring such questions on the validity of the standard contractual clauses to the ECJ.
It will now be for the ECJ to determine the validity of standard contractual clauses. Currently both the Privacy Shield and standard contractual clauses present viable solutions for a lawful transfer mechanism when transferring personal data outside the EEA. We explore the legal background to this below and what it will mean if standard contractual clauses are found to be incompatible with EU law.
The GDPR contains a prohibition on controllers and processors transferring personal data outside the European Economic Area (EEA) unless an adequate level of protection for the rights and freedoms of the relevant data subjects can be ensured.
There will be adequate protection where the transfer is carried out in accordance with the model contracts adopted by the European Commission which provide standard wording for both the transfer of data to a controller established outside the EEA (adopted in 2004) and the transfer of data to a data processor established outside the EEA (adopted in 2010) (together the “Model Clauses”).
This means that transfers made on the basis of an agreement incorporating the Model Clauses are deemed to be made in a manner that ensures adequate safeguards for the rights and freedoms of data subjects.
Model Clauses are often perceived to be an attractive solution given that they are relatively straightforward to put in place. The key advantage of them (with respect to both intra-group and third party data transfers) is that they are freely available and, as a standard document little to no negotiation is required, as amendments are not permitted.
The disadvantage of the regime is that it lacks flexibility, particularly in the case of intra-group data transfers where, realistically, the parties are unlikely to take substantive steps to remedy contractual breaches. This risks the data importer simply failing to comply with the mechanism’s more cumbersome requirements. Moreover, if data flows are likely to evolve over time, the agreements may require updating.
There are alternative methods of achieving adequate protection for certain jurisdictions.
The advantages of the regime is that it’s relatively straightforward to get the certification, and requires little substantive involvement from a relevant EEA based entity from which the data is transferred, other than receiving an assurance from the US data controller or processor that it had entered into the Privacy Shield regime.
The principle disadvantage of Privacy Shield is that it exposes a US data controller or processor to potential regulatory supervision from another body (i.e. the US Dept of Commerce), which some businesses prefer to avoid.
A transfer of personal data to a third country or an international organisation outside the EEA may also take place if the European Commission has decided that the third country, a territory or one or more specific sectors within that third country, or the international organisation ensures an adequate level of protection.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection.
This is clearly the most attractive transfer solution for data controllers, although one which they have no control over (its either available or it isn’t).
The GDPR also introduced two new types of appropriate safeguards that were not included in the Data Protection Directive regime:
- Approved code of conducts whereby EU controllers and processors may transfer personal data to third countries under an approved code of conduct. In practice, this means that associations and other bodies representing certain categories of controllers or processors are encouraged to prepare codes of conduct that would then be subject to approval by the competent national supervisory authority.
- Transfers using an approved certification mechanism: Under the GDPR, the member states, the national supervisory authorities, the EDPB and the Commission must encourage the establishment of certification mechanisms and privacy seals that would allow controllers and processors to demonstrate their compliance with the GDPR.
To date neither of these mechanisms for the adoption of appropriate safeguards have been implemented into the UK data protection regime.
It worth noting here that Binding Corporate Rules can be used as a lawful transfer mechanism for intra-group transfers.
Model Clauses are commonly used as one of, if not “the”, primary lawful transfer mechanism used for data transfers outside the EEA. The ECJ’s determination of the validity of Model Clauses will be hotly anticipated by the many organizations that rely on them for international data transfers.
A new data transfer mechanism may be required if Model Clauses are found to be incompatible with EU law. We may therefore see concentrated efforts from national regulators to roll out new types of appropriate safeguard mechanisms which were introduced by the GDPR but not yet in generally in use.
A hearing date for the ECJ’s review of questions relating to the validity of Model Clauses is set for 9 July 2019 in Luxembourg.
Strategic Planning for Modern Landed Estates
The second in our series of articles on succession planning for landed estates covering a wide variety of matters.
When can you set off claims against different elements of a project
The Court’s decision raises important drafting considerations for construction contracts involving multiple elements of a project.
Drafting terms and conditions or negotiating a contract? Be wary of "unusual" and "exorbitant" exclusion clauses
When drafting a set of terms and conditions, companies must adhere to the requirements contained in the Unfair Contract Terms Act 1977
Stop, collaborate and listen: Top 10 Tips with Collaboration Agreements
Providing you with the top ten tips on collaboration agreements - what should you know?
Fiona Edmond and Mark Smith write for Property Week on data centres as an infrastructure asset class
The complexity of operational issues is something those new to the sector may not anticipate and interest is likely to increase.
Preparing your company for sale
We set out here some initial steps to consider in anticipation of a sale.
ESG investment and the challenges for trustees
What challenges does the ESG revolution present for trustees of private family trusts?
The impact of COVID-19 on commercial and residential tenancies
What impact has COVID-19 had on commercial and residential tenancies? Read more here.
Charles Russell Speechlys advises discoverIE on its acquisition of Antenova
discoverIE is a leading international designer, manufacturer and supplier of customised electronics to industry.
Q&A: Separate blocks, common parts and enfranchisement
Miriam Seitler and Lauren Fraser answer queries relating to leaseholders seeking to acquire the freehold.
Coded messages for landlords and tenants
“What does the code of practice mean for landlords and tenants? Read more here”
The family court’s role in micro managing 'trivial' disputes
The recent decision has dealt with the family court’s role in micro managing “trivial” disputes in relation to children
Gareth Mills writes for Lexology Getting The Deal Through on technology disputes in Bahrain
The most common disputes occur following perceived or actual failures to deliver required technology services an lack of clarity.
Taxing horizons and fiscal black holes
A super-massive black hole at the centre of the nation’s finances means that tax reform and rates rises look increasingly likely.
Charles Russell Speechlys advises Acora on acquisition of Westgate IT
Westgate IT specialises in providing IT support to businesses in the South West.
Jason Saiban writes for Food Manufacture on the food industry's climate change challenge
The key challenge will be how the environmental targets are actually met.
Q&A: Wrestling with restrictive covenants
Camilla Lamont (barrister at Landmark Chambers) and Real Estate Disputes Partner Emma Humphreys answer a pair of covenant queries
Charles Russell Speechlys advises Grape Paradise on the acquisition of a fine wine business
Charles Russell Speechlys has advised Grape Paradise on the acquisition of the Sarment Group in the China Mainland territories.
Grab the tail by the horns - Why is tail spend so critical in today’s outsourced portfolio?
It’s usually invisible, but in all likelihood, you’ve got tail spend.
eCommerce and the Post-Brexit State of Play
Key UK and EU legislation governing how online platforms deal with consumers and their business users.