Model clauses, Safe Countries, Oh My! [Updated]

Today the CJEU rules in the Schrems Facebook case. In anticipation, many of the service providers I’ve spoken to on behalf of clients are proposing to adopt Model Contract clauses as their fall back position.

I’ve updated this post with in-line comments in RED reflecting the CJEU decision published a few minutes ago (press release here) Judgement can be found here

This is, I fear, an error. At best it is a stop-gap based on the fact that the CJEU hasn’t been asked to rule on Model Clauses, and is not likely to be. Because Model Clauses weren’t included in the reference from the Irish High Court to the CJEU. The questions they were asked related to Safe Harbor, and the powers of national Data Protection Authorities to overrule decisions of the EU Commission where fundamental Data Privacy Rights were not being upheld to an adequate standard.

Model Contract clauses are a decision of the Commission. They are an agreed format and form of words agreed by the Commission for cases where Safe Harbor doesn’t apply. So, on the checklist running order of grounds for transfer outside the EEA, they tick the next box down on the list. However, should the Court find that national Data Protection Authorities can overrule decisions of the Commission, then Model Contract clauses are in the firing line.

Model Contract clauses still suffer from the weakness that, should the CJEU follow AG Bot’s Opinion, the jurisdiction that the data is being transferred into would require equivalent adequate safeguards for the protection of fundamental data privacy rights. So, Model Contracts addressing transfer to the US would be no better than Safe Harbor, and might actually be worse because of the lack of even the remote threat of sanction by the FTC. The ability to have a meaningful right of audit and inspection coupled with an effective contractual remedy for breaches would go some of the way to addressing some of those issues but it is by no means a panacea and Model Clauses would not be immune from challenge by a national DPA in the future, assuming AG Bot’s Opinion is followed.

Model Clauses still stand. For now. The CJEU has rule Safe Harbor is invalid and must be struck down with immediate effect. It has ruled that National Data Protection Authorities must and can investigate decision of the Commission where there are concerns about the protection of fundamental rights, but the power to strike down a Commission Decision rests with the CJEU.

So… it’ll take another trip to Luxembourg to kill Model Contract clauses. But it is likely only a matter of time in the context of transfers to the United States, unless the fundamental issues raised in Schrems case regarding respect for fundamental rights, oversight, and redress, are addressed to the satisfaction of EU Data Protection Regulators, and the CJEU.

The ticking bomb has been passed from the Harbor to the Clauses.

[Update 2: Article 38 of the ruling ties the whole shebang back to fundamental rights (ain’t that a bitch). As such, these principles are the basis against which everything else gets measured. This has implications for everything. Model clauses are just the tip of the iceberg. Article 83 of the ruling essentially holds that Safe Harbor is what was cooked up when adequacy couldn’t be established in any other way…)

And that will affect more than just transfers from the EU to the US.

That’s OK, we can still transfer our data to “Safe Countries”, right. Yes… but for the same reason that Model Contract Clauses are currently the ‘fall-back position de jour’. The CJEU hasn’t been asked to rule on the lawfulness of Safe Country decisions. But it has been asked whether a National Data Protection Authority can rule on the lawfulness of decisions of the EU Commission. Safe Country decisions are a decision of the EU Commission, albeit on the recommendation of the Article 29 Working Party. Safe Countries ostensibly have equivalent protections over personal data. But there aren’t that many of them, and Australia (as my Law Society students find out every year) is NOT a Safe Country for all types of data.

But the awarding of “Safe Country” status is a decision of the European Commission. If AG Bot is followed, then each of those decisions is potentially subject to review by individual Data Protection Authorities. This is a nightmare scenario.

As above. The CJEU has rule Safe Harbor is invalid and must be struck down with immediate effect. It has ruled that National Data Protection Authorities must and can investigate decision of the Commission where there are concerns about the protection of fundamental rights, but the power to strike down a Commission Decision rests with the CJEU.

So… it’ll take another trip to Luxembourg to kill the “Safe Country” listings. But it is likely only a matter of time in the context of transfers to the United States, unless the fundaental issues raised in Schrems case regarding respect for fundamental rights, oversight, and redress, are addressed to the satisfaction of EU Data Protection Regulators, and the CJEU. It also means that the assessments of adequacy will be much more driven by fundamental rights concerns than ‘economic expediency’. The letter of the law may not be sufficient and attention will likely be paid to the operation of regulation and oversight.

Safe, but not bullet proof is the current status.

[Update 2: Tick tock. Fundamental Rights are the key test here. Safe countries will need to have effective routes for remedy of breaches of fundamental rights]

Binding Corporate Rules might still be an option, as it is achieved through agreement by the Article 29 Working Party, not the EU Commission, to allow an organisation apply the standards from one EU Member State to their processing internationally. But in an environment where they have suddenly been given greater tangible powers, I fear that the ego-wagon will arrive in force and the chances of getting agreement on BCR will be slim. And the challenge of adequacy of oversight of surveillance where data in being hosted in the US (or elsewhere) still arises.

BCRs with data going into and out of the US will be a lot harder to obtain and may be subject to challenge as they cannot operate contrary to EU Charter of Fundamental Rights. it is likely these will result in CJEU cases if they are challenged by Regulators or citizens.

[Update 2: Expedience and efficiency are no longer the key threshold. Adequacy of access to remedies and respect for fundamental rights will be key. I’d expect to see EXISTING BCRs challenged if residents of a Member State feel that (for example, Ireland) didn’t provide them an effective remedy. One Stop Shop in the GDPR just got a lot more tricksier.]

This just leaves us with Consent of the Data Subject, requirement under legal obligation or International Treaty, and approvals of adequacy on a case by case basis by Data Protection Authorities. Life will potentially be a lot more complex. Interestingly, the Bara ruling of last week has clarified that even where there is a transfer on foot of a legal or Treaty obligation there would still need to be notification to the Data Subject in advance that such transfers were going to take place.

consent will probably need a full disclosure of risks to fundamental rights to be considered valid and above challenge.

[Update 2: Read alongside Bara, this is a certainty. But Article 1 of the Charter states that we can’t contract out of fundamental rights… so there’s a major swing towards ethical modes of processing that uphold dignity. We wrote a thing about that.]

The car crash may take a while to unfold fully, but a finding against Safe Harbor and in favour of Regulators being able to overrule the Commission on matters of Fundamental Rights will have profound effects. There are over 100 countries with data privacy laws on their books right now, many of which are modelled on the EU’s Directive 95/46/EC. The challenge for the future will be to ensure that those laws are properly respected in their own countries, with proper enforcement and support for fundamental rights so that a new framework for cross border data transfer can arise which addresses the fundamental challenges outlined by AG Bot.

Which brings me full circle. American commentators have, rightly, compared the surveillance carried out by the NSA to the surveillance powers enjoyed by EU governments such as France and the UK. The CJEU struck down the Data Retention Directive in 2014, but a year later the majority of EU countries (including Ireland, where it all started) still have national data retention laws or are proposing new ones that repeat many of the mistakes of the old. Perhaps the sinking of the convenient arrangement that is Safe Harbor will turn the attention of EU citizens back to the issues that exist closer to home.

In a little under two hours we will know what the next headache will be.

The headache is as I’ve been predicting since the Commission gave its Oral testimony to the CJEU in March. The CJEU has put Safe Harbor out of our misery and has raised the very clear parameters that any replacement agreement needs to meet. Of course, this will likely mean that attention will now turn again to the mass surveillance activities of EU member states as the US jostles for position in more fraught negotiations on a replacement deal.

[Update 2: Pesky fundamental rights. While Safe Harbor has been kicked to death today, all other modes of overseas transfer are now in the firing line.]