After Safe Harbor

Will EU Standard Contractual Clauses be declared invalid as well?

The Irish Data Protection Commissioner (DPC) has announced to refer Facebook’s use of so-called EU Standard Contractual Clauses to the Irish High Court in order to test whether they validly permit transfers of personal data to the US. It is the intention of the DPC that the Irish High Court will forward the request to the European Court of Justice (CJEU) who had already declared the EU “Safe Harbor” decision invalid in October 2015. If the EU Standard Contractual Clauses were declared invalid as well, this would create difficulties for many European companies who rely on EU Standard Contractual Clauses.

The Irish DPC’s action is based on the Austrian Max Schrems’ initial claim against Facebook arguing that personal data stored by companies in the US were subject to mass surveillance conducted by the US NSA and, therefore, US data transfers were in breach of EU data protection standards. Schrems’ claim led to the CJEU’s 2015 judgment declaring the EU Commission’s Safe Harbor decision invalid. So far, European companies are still able to rely on the EU Standard Contractual Clauses by which they could oblige US companies to ensure an adequate level of data protection. Most European data protection authorities refrained from taking any actions against companies using EU Standard Contractual Clauses.

Although a CJEU judgment on the EU Standard Contractual Clauses is not expected too soon, European data exporters are advised to assess the following options in order to be prepared: 

  • Assess internally to which extent you rely on EU Standard Contractual Clauses (with US providers in particular);
  • Check whether there is any practical alternative to US data transfers, in particular the use of EU data centres;
  • Determine if there is any legal alternative to using the EU Standard Contractual Clauses, such as Binding Corporate Rules (which could, however, potentially also be under scrutiny in the future), or obtaining consent from the persons to whom the personal data relate; and
  • Where new EU Standard Contractual Clauses are entered into, ask for “opening clauses” to be able to modify the EU Standard Contractual Clauses as might be required in the future in the light of the above proceeding or “Privacy Shield” discussion.

The “Privacy Shield” is currently being negotiated by US officials and the EU Commission; such negotiations may potentially be finished in July 2016. Should the Privacy Shield be adopted and create a legal basis for US data transfers, this might have a positive impact on the above proceeding with the Irish High Court / CJEU.

We will keep you updated on important news with respect to the EU Standard Contractual Clauses. Please do not hesitate to contact us in case of any questions.