Executive summary:  The EU’s standard contractual clauses may be on the fast track to invalidation, putting a vast number of personal data transfers from the EEA at risk.  A case brought by Maximilian Schrems (whose first complaint resulted in the invalidation of Safe Harbor) has been referred to the EU’s highest court, via a 153-page Irish High Court decision that provides ample ammunition to those who would like to see the standard contractual clauses struck down.  Although aimed at Facebook, the consequences of the decision are virtually certain to affect all US companies that rely on the standard contractual clauses.

Many companies around the world rely on the EU’s standard contractual clauses (also known as the model clauses, and referred to in this article as the “SCCs”) as the legal basis for transferring personal data from the European Economic Area (EEA) to countries whose privacy laws have not been found adequate by the EU Commission.  The SCCs are private contracts, and while some EEA countries require that parties that enter into SCCs deposit a copy, other countries do not, so no one knows for sure how many companies rely on the SCCs.  But the answer is probably “an awful lot of companies.”  Given the data flows between the EEA and US, and the fact that, as of today, only around 2,500 companies rely on Privacy Shield as the legal basis for the data transfers, it’s safe to assume that for US companies, the standard contractual clauses are the primary mechanism for transferring personal data to the US.

The SCCs have been subject to a legal challenge by Maximilian Schrems (often called the Schrems II case) that has just reached a critical inflection point: The Irish High Court has just issued a decision referring to the Court of Justice of the EU (CJEU) the question of whether the SCCs are invalid.  The main thrust of the invalidity argument is the assertion that US national security laws do not offer adequate levels of protection for the rights of EU residents.  In particular, the argument runs, EU residents lack a meaningful remedy before US courts for uses of their personal data by US national security agencies that are inconsistent with those persons’ rights under EU law.

According to press reports, European Union and U.S. negotiators in Brussels finalized what is being called a “political agreement” on a new Safe Harbor transatlantic data transfer agreement. European Union justice commissioner Vera Jourová will present the agreement to the European Commission’s 28 commissioners today.

No news is not good news this time.  The January 31 deadline for getting a new Safe Harbor Agreement in place came and went last weekend.  Commissioner Jourova, who is leading the Safe Harbor 2.0 negotiations for the EU, reported on the negotiation’s status last evening to LIBE, the European Parliament committee that oversees privacy matters.  While reporting that substantial progress has been made, Jourova noted that the details of the redress mechanisms for EU persons are still under negotiation, along with a few other issues relating to the overall robustness of the new framework.  The Article 29 Working Party (representing the 28 member states’ data protection authorities) meets today and tomorrow to discuss the post-Schrems legal landscape.  The Working Party has said that they will also release the results of their consideration of whether the Schrems decision vitiates the model clauses and binding corporate rules.  The model clauses and BCRs are particularly vital data transfer mechanisms, given the limited options available for transfers outside of the European Economic Area, so the Working Party’s opinions will be an extremely important indicator for the uncertain future of EU to US data flows.

EU Commissioner Vera Jourova recently announced in a speech to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) that the Commission and the US have made substantial progress in finalizing a new Safe Harbor program. Jourova noted that the collection and use of European personal data for US national security purposes remains a key open issue.  However, she also reminded LIBE that the US has undergone a substantial review of the NSA’s alleged mass surveillance activities over the past couple of years.

Overall, Jourova’s comments seemed optimistic regarding getting a new Safe Harbor program finalized prior to the Art. 29 Working Party’s January deadline for increased enforcement by national Data Protection Authorities starting at the end of January 2016. (The Art. 29 Working Party’s statement is available as a PDF on this page.)

In the meantime, the German regional data protection authorities have collectively announced that they will investigate data transfers by Google and Facebook to the US (without waiting for complaints by German users).  The German DPAs have also suspended approval of new Binding Corporate Rules and customized data protection clauses.  (Model clauses, which don’t require DPA approval in Germany, are not immediately affected, but could be vulnerable to attack.)

Keeping an eye on national data protection authorities’ enforcement agendas will be important once we have Safe Harbor 2.0 in place, since under the Schrems decision, Safe Harbor 2.0 will be effectively subject to the review of national DPAs and courts.

The EU Parliament committee that is charged with considering data protection matters (LIBE) has issued a press release calling on the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor.  Importantly, LIBE has also called on the Commission to reassess whether the European Court of Justice’s recent invalidation of Safe Harbor casts doubt on other means for legitimizing the transfer of personal data from the EEA to the US.

As we have commented previously here, the ECJ’s rationale in the Schrems Safe Harbor decision could be used to attack both BCRs and Model Clauses.  LIBE certainly seems to have picked up on that also.

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) The Art. 29 Working Party, a key advisory body to the EU Commission, recently proposed draft model clauses to cover the transfer of personal data from EEA data processors to non-EEA sub-processors.

The draft model clauses have the potential to bring greater certainty to the rules applicable to data transfers from a data processor that is located within the EEA to a sub-processor located outside of the EEA.  (The EEA, or European Economic Area, comprises the 28 EU members, plus Norway, Liechtenstein and Iceland.)  While the Art. 29 Working Party does not have authority to put the model clauses into effect, the European Commission routinely considers its advice, so the model clauses are worth a read.

The model clauses run to over fourteen pages of text.   Broadly speaking, the proposed model clauses would create a high level of transparency and accountability across various levels of sub-contracting of data processing.  This is particularly relevant to cloud computing arrangements
