The EU Data Protection Directive 95/46/EC restricts the transfer of personal data to a country outside of the European Economic Area (EEA) unless that country has an adequate level of protection in place for the protection of individuals. There are a number of ways a data controller may ensure an adequate level of protection is available and certain territories are deemed to have adequate safeguards in place, for example Canada and Switzerland. The USA is not included on the list of adequate territories. Other ways to deal with this is to rely on the parties entering into European Commission approved model clauses or to rely on the entity in the US being registered under the “Safe Harbour” regime.
Recently Mr Schrems, brought personal data transfers from the EU to the US into question when successfully challenging Facebook in relation to reliance on the “Safe Harbour” agreement. A decision by the European Court of Justice (CJEU) was reached on 6 October 2015, making the decision on the Safe Harbour regime invalid. Following this, many companies, turned instead to rely on the set of standard, European Commission-approved clauses, known as the ‘Model Contract Clauses’. The model clauses provide an alternative mechanism for transferring data outside the EEA and are favoured due to the speed and low cost involved in their use.
Ireland’s Data Protection Commissioner recently revealed plans to refer the Facebook case back to the CJEU. This time to assess the adequacy decision on the use of the model clauses, and claims that they do not provide satisfactory redress to EU citizens in relation to how personal data is handled once transferred outside the EEA.
If the CJEU decides that the decision approving the model clauses is invalid, then numerous companies, including Facebook and other companies within and outside the EEA which currently rely on the model clauses will be impacted. This will also apply pressure on the EU-US Privacy Shield which is the proposed replacement of Safe Harbour and currently under negotiation.
Those dealing with personal data issues will have significant issues to deal with at present including dealing with transfers abroad and the introduction of the new General Data Protection Regulation which will replace the current regime in May 2018.