As we’ve reported before, last October the European Court of Justice (the ECJ) ruled “Safe Harbor”, one of the mechanisms for legitimately transferring personal data from the EU to the US, as invalid.
That matter originated from Ireland following a complaint made by Mr. Max Schrems to the Irish data protection regulator about data transfers being made by Facebook whose European servers are in Ireland. The decision focussed on mass surveillance carried out by the US as disclosed by the Snowdon allegations.
Following the decision of the ECJ, the Irish regulator was required to investigate these transfers in more detail.
In a very new development the Irish regulator has announced that it has informed Mr. Schrems and Facebook of the regulator’s intention to now go to the Irish High Court and ask the ECJ to give a legal interpretation about the legal status of data transfers under so-called “Model Clauses”:
This does not have any immediate impact on the legal status of Model Clauses in general, which, as we have reported before, have been confirmed as being an appropriate protection for transfers of data by European data protection regulators.
However, this question will now be for the ECJ to decide upon, and, on average it can take 18 months to 2 years before the European Court gives its ruling.
At this stage there are few details about the substance of the referral. We do not know whether any question (or judgement) will relate to Model Clauses in general, or be limited to Facebook’s particular use of Model Clauses when making data transfers from the EU to the US, and any interaction with the US authorities. This action however adds to the uncertainty facing European businesses with presence in the US or using US service providers.
On a related note, in an adjacent development this week concerning the proposal to replace Safe Harbor, “EU-US Privacy Shield”, which still has to be finalised, the European Parliament has just passed an official Resolution which, whilst welcoming the work done on Privacy Shield by the European Commission, also “calls on the Commission to continue the dialogue with the US Administration in order to negotiate further improvements to the Privacy Shield arrangement in the light of its current deficiencies”:
We will comment further on these developments as further details come out.
Jonathan Armstrong and André Bywater are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com