Model clauses for EU-US transfers provide sufficient protections says non-binding decision

If you’ve followed the challenges of EU data protection legislation by privacy activist Max Schrems, you’ll have heard about his most recent challenge that the use of the EU standard contract clauses (which allow, by legal contract, for non-EU transfers of data) are not adequate in protecting EU Facebook data, when that data is transferred to the US and could be used by US surveillance services (viz Edward Snowdon’s revelations a few years ago).

The advocate general’s decision on this matter dates back to the referral to the CJEU in 2018 by the Irish data protection commissioner about the case raised by Schrems. The main issue is that the standard contract clauses (or model clauses) are not sufficient to provide protection for EU citizens’ data when a US business processes that data in the US, particularly if the US business is subject to agreements with US government relating to surveillance by the security services.

The preliminary ruling today (19th December 2019) by the advocate general clarifies that in his opinion the standard contractual clauses are valid and therefore the transfer would be lawful. However, he also noted that observations and potentially withdrawal around their validity should be made if national law in the non-EU country goes against the principles set out in the contractual terms.

Schrems also raised the issue about the validity of the EU-US Privacy Shield agreement (which was a reworking of the previous safe harbour agreement which Schrems previously,  and successfully, demonstrated was not fit for purpose). On this matter the advocate general agreed with Schrems there could be a conflict with laws of the countries where the data is transferred, but in his opinion it was not for the court to rule on the legality of Privacy Shield but recognised concerns over people’s right to privacy and effective remedies.

However, all that said, this is a non-binding decision and the final decision will be made by the CJEU (based on the advocate general’s opinion) in the coming months – usually judges in court follow the recommendations of the advocate general in four out of five cases, so this is widely seen as the likely outcome, although not guaranteed.

If the opinion is essentially ratified by the CJEU next year, this will make everyone’s life easier if they’re using non-EU based cloud-based service providers that process personal data. If the opinion goes the other way and the contractual clauses (or even Privacy Shield) are deemed invalid for lawful transfer to the US, then most businesses will be impacted and would need to make different arrangements not to be in breach of GDPR.

Leave a comment