Ireland is referring a high-profile privacy case to the European Court of Justice for clarity on the rules governing international data transfers.
The case that Max Schrems brought to the Irish data protection regulator against Facebook resulted in last October’s ruling that the “Safe Harbor” clause is declared invalid. The effect of this is that American tech companies can no longer easily house their international customer/member/subscriber data on servers within EU countries.
Under European data privacy principles, companies operating in the EU are not allowed to send personal data to countries with less stringent privacy regulations. The US is considered to be one such country. To overcome this commercial difficulty the two sides had developed the Safe Harbor agreement: Provided that the US company concerned agrees to abide by certain privacy guarantees, it was able to receive personal data from EU sources.
The Edward Snowden revelations on the NSA Prism surveillance program prompted many European politicians and private citizens to question whether the Safe Harbor arrangement was actually compatible with EU privacy dictates. Schrems thought not, and took the case to Ireland, where Facebook houses its European servers. After taking the social network to court, he was eventually gratified with a ruling in his favor and the EU’s tossing out of Safe Harbor.
Now, as the US and the EU try to hammer out an appropriate Safe Harbor replacement, the Irish regulator is carrying out a requirement to investigate these transfers in more detail. It has now informed Schrems and Facebook that it plans to go through the Irish High Court to ask the ECJ to give a legal interpretation about the legal status of data transfers under so-called “Model Clauses.”
Model Clauses are kind of like best practices. The Council and the European Parliament have given the Commission the power to decide on certain standard contractual clauses—the Model Clauses—that offer sufficient safeguards “with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.”
“We continue to thoroughly and diligently investigate Mr. Schrems’ complaint to ensure the adequate protection of personal data,” it said in a statement. “We yesterday informed Mr. Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”
This does not have any immediate impact on the legal status of Model Clauses in general, according to Jonathan Armstrong, a compliance lawyer with Cordery in London. This is because they have already been confirmed as being an appropriate protection for transfers of data by European data protection regulators.
“However, this question will now be for the ECJ to decide upon, and, on average it can take 18 months to two years before the European Court gives its ruling,” he said in a brief.
He added, “at this stage there are few details about the substance of the referral. We do not know whether any question (or judgement) will relate to Model Clauses in general, or be limited to Facebook’s particular use of Model Clauses when making data transfers from the EU to the US, and any interaction with the US authorities. This action however adds to the uncertainty facing European businesses with presence in the US or using US service providers.”
Incidentally, Giovanni Buttarelli, the European Data Protection Supervisor, rejected the EU-US Privacy Shield pact this week, saying it is not robust enough and that the data transfer pact between the EU and US needs “significant improvements.” While his statement does not mean the agreement will be scrapped, his concerns echo those expressed by European privacy regulators in April.
Photo © sezer66