Executive summary:  The EU’s standard contractual clauses may be on the fast track to invalidation, putting a vast number of personal data transfers from the EEA at risk.  A case brought by Maximilian Schrems (whose first complaint resulted in the invalidation of Safe Harbor) has been referred to the EU’s highest court, via a 153-page Irish High Court decision that provides ample ammunition to those who would like to see the standard contractual clauses struck down.  Although aimed at Facebook, the consequences of the decision are virtually certain to affect all US companies that rely on the standard contractual clauses.

Many companies around the world rely on the EU’s standard contractual clauses (also known as the model clauses, and referred to in this article as the “SCCs”) as the legal basis for transferring personal data from the European Economic Area (EEA) to countries whose privacy laws have not been found adequate by the EU Commission.  The SCCs are private contracts, and while some EEA countries require that parties that enter into SCCs deposit a copy, other countries do not, so no one knows for sure how many companies rely on the SCCs.  But the answer is probably “an awful lot of companies.”  Given the data flows between the EEA and US, and the fact that, as of today, only around 2,500 companies rely on Privacy Shield as the legal basis for the data transfers, it’s safe to assume that for US companies, the standard contractual clauses are the primary mechanism for transferring personal data to the US.

The SCCs have been subject to a legal challenge by Maximillian Schrems (often called the Schrems II case) that has just reached a critical inflection point: The Irish High Court has just issued a decision referring to the Court of Justice of the EU (CJEU) the question of whether the SCCs are invalid.  The main thrust of the invalidity argument is the assertion that US national security laws do not offer adequate levels of protection for the rights of EU residents.  In particular, the argument runs, EU residents lack a meaningful remedy before US courts for uses of their personal data by US national security agencies that are inconsistent with those persons’ rights under EU law. Continue Reading Will the EU box itself in?  Fate of Standard Contractual Clauses (aka the Model Clauses) for personal data transfers is now in the hands of the EU’s highest court

No news is not good news this time.  The January 31 deadline for getting a new Safe Harbor Agreement in place came and went last weekend.  Commissioner Jourova, who is leading the Safe Harbor 2.0 negotiations for the EU, reported on the negotiation’s status last evening to LIBE, the European Parliament committee that oversees privacy matters.  While reporting that substantial progress has been made, Jourova noted that the details of the redress mechanisms for EU persons are still under negotiation, along with a few other issues relating to the overall robustness of the new framework.  The Article 29 Working Party (representing the 28 member states’ data protection authorities) meets today and tomorrow to discuss the post-Schrems legal landscape.  The  Working Party has said that they will also release the results of their consideration of whether the Schrems decision vitiates the model clauses and binding corporate rules.  The model clauses and BCRs are particularly vital data transfer mechanisms, given the limited options available for transfers outside of the European Economic Area, so the Working Party’s opinions will be an extremely important indicator for the the uncertain future of EU to US data flows.