On 25 May 2016 it emerged that the Irish Data Protection Commissioner (‘Irish DPC’) is planning to refer a case to the Court of Justice of the European Union (‘CJEU’) to determine whether Facebook can use standard contractual clauses, (aka model clauses), to transfer data out of the EU.
Since the CJEU declared Safe Harbor to be invalid in October 2015, Facebook – like many other companies – switched to standard contractual clauses as the new basis for transfer of EU user data out of the region and to the United States. As Privacy Shield has still not been approved, many businesses needing to transfer EU citizens’ data to the U.S. are generally relying on model clauses or Binding Corporate Rules (BCRs).
The issue, (as it was with the case that led to Safe Harbor being declared invalid), is that the legal basis for transferring the data under model clauses does not prevent mass surveillance by U.S. intelligence authorities.
A Facebook spokesperson said:
“Thousands of companies transfer data across borders to serve their customers and users. The question the Irish DPC plans to raise with the court [regarding model clauses] will be relevant to many companies operating in Europe. While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish Data Protection Commission in its investigation. Standard Contractual Clauses remain valid, and Facebook has other legal methods in place to transfer data between countries.”
Transatlantic data transfers currently mostly on model clauses. The prospect of them being declared invalid is horrendous and would leave businesses with the options of BCRs, individual consent or self-certified ‘adequacy’.
BCRs are expensive, time consuming to put in place and are not really an option for many businesses. consent can always be withdrawn (as may be difficult to demonstrate has been obtained) and adequacy is a matter of judgement which may turn out to poor.
This development comes in the wake of other bad news for EU-U.S. data flows. Earlier this week, the European Data Protection Supervisor sided with the Article 29 Working Party and said he has “serious concerns” about Privacy Shield.
How long before BCRs are challenged?
This article is intended for informational purposes only and should not be relied upon as legal advice.