On 6 November 2015, The EU Commission published a communication addressed to the European Parliament and the EU Council, in an attempt to reduce current legal uncertainties surrounding the transfer of personal data from European Union countries to the U.S.
The communication follows on the decision of the Court of Justice of the EU (“CJEU”) of 6 October 2015, reported here, in which the Court held the legal basis for the Safe Harbor scheme to be invalid. The Commission observes that personal data can no longer be transferred lawfully outside the EU territory based on the Safe Harbor scheme and that alternative arrangements must be put in place. In practice, the Commission made it clear that companies that relied so far on the Safe Harbor scheme to transfer data to the U.S. have to put in place contractual arrangements in accordance with EU legislation if they wish to continue making such transfers lawfully.
How do model clauses work?
Model clauses are based on EU legislation and on binding decisions of the Commission. The idea behind the contractual mechanism is that an entity collecting personal data in the EU can transfer it to another entity outside the EU under a contract that imposes on the receiving party obligations to protect the data and the privacy of the data subjects in line with the requirements of EU law. Data subjects are third party beneficiaries of these arrangements and the parties have to submit to the jurisdiction of the regulator and the courts in the data exporter’s country. These are meant to ensure the provisions of the agreement are enforceable by data subjects and the regulators.
Accordingly, in order to put in place a data transfer agreement, an entity established in the EU must be in control of the data and will have the primary liability under EU law as the data controller.
The model clauses themselves (in fact, four different versions) have been drafted and approved by the EU Commission more than a decade ago. All that is left is to complete the names of the parties and add some general information relating to the type of data to be transferred and the type of processing operations to be undertaken. The information is usually provided at a fairly high level.
In some EU countries, data transfer agreements have to be notified to the local regulator. In some of these (including France and Austria) the regulator’s approval has to be obtained before data flows can commence under the contract. Other countries like the United Kingdom do not require notification or approval. Accordingly, if the data controller is a UK entity or an entity established in another country that does not require notification or prior approval, there is no formal process involved.
Is it safe to rely on contractual arrangements following Schrems?
Certain regulators in the EU, particularly in Germany, voiced the view that contractual arrangements do not cure the problem of bulk surveillance by U.S. national security authorities or the alleged absence of proper judicial overview, which gave rise to the challenge against the Safe Harbor scheme. According to that view, data transfers to the U.S. should not be allowed under these contracts.
As we pointed out in our note on the Schrems decision, such challenges remain a possibility. Clearly, hurdles are likely to occur more easily in countries where pre-approval or notification are required. It is preferable therefore not to place the data controller/exporter in one of those countries.
Time will tell to what extent, if any, contractual arrangements will be successfully challenged. The Commission’s view is that their application should be assessed on a case-by-case basis. It is possible that in some cases data flows will have to be suspended, following a complaint, in view of national security interference. In other cases, this might not be an issue in practice. In the meantime, the U.S. and the EU may reach agreement on a new Safe Harbor and the matter could be resolved for good.