More uncertainty over EU-U.S. data flows as Irish DPA warns on legality of model contract clauses

Another development in the slow unraveling of the legal regime governing EU-U.S. data flows: The Irish data protection agency has warned that one of the mechanisms currently being used by thousands of companies might not be legal.

Companies such as Facebook were forced to switch to alternative mechanisms to govern data transfers after the prior data transfer deal, Safe Harbor, was struck down last year.

The DPA said today it is referring so-called “model contract clauses” to the Irish High Court for referral on to the European Court of Justice (CJEU) — the latter being the same court that invalidated Safe Harbor on the grounds that it breached fundamental European data protection rights.

The original 2013 legal challenge that resulted in Safe Harbor being struck down was brought by European privacy campaigner Max Schrems, who had argued that the U.S. government’s mass surveillance programs — which NSA whistleblower Edward Snowden revealed to be mining data from consumer web services such as Facebook — invalidated the long-standing EU-U.S. data flow deal by contravening European data protection laws. The CJEU agreed.

After Safe Harbor’s strike down, model contract clauses were one of the mechanisms the European Commission pointed to as an extant alternative available to companies to switch to. The EC has also been negotiating a new EU-U.S. data transfer deal to replace Safe Harbor — although it is not clear whether that agreement, called Privacy Shield, will pass muster with the CJEU either.

Work on the Privacy Shield is ongoing, with only a draft deal on the table so far, leaving the alternative data flow mechanisms to pick up the slack. Meanwhile, Europe’s article WP29 group, the body made up of the heads of EU Member State DPAs, has signaled it is not satisfied with Privacy Shield in its current form. Schrems has also slammed it as flawed as Safe Harbor. So further murky waters lie ahead there.

The WP29 is also assessing the legality of the alternative data transfer mechanisms, including model clauses, but has previously said companies can use them in the interim, while work to agree the Privacy Shield continues. However given individual DPA action, such as the referral by the Irish authority today, those alternatives are looking to be on increasingly shaky ground.

TechCrunch understands a key concern over model clauses is a structural issue, given the lack of redress facilities for European citizens wanting to pursue claims in the U.S. against companies they believe have breached their European rights. That issue has also been one of the key negotiation areas for Privacy Shield.

The CJEU ruling also instructed National DPAs to seek a referral to the central European court in cases where they believe there are specific causes for concern, such as the structural issue with model clauses outlined above. Which likely explains the Irish DPA’s move in this case.

The Irish DPA has been investigating model clauses following another complaint filed by Schrems, who is clearly not about to pack up his law books and give up campaigning for European data rights.

In a statement provided to TechCrunch about the referral, the Irish DPA said:

We continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.

In a statement responding to the news of the Irish DPA’s action, Schrems added:

This is a very serious issue for the US tech industry and EU-US data flows. As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental right. I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see now there could be a solution.

In a statement provided to TechCrunch, a Facebook spokesperson had this to say:

Thousands of companies transfer data across borders to serve their customers and users. The question the Irish DPC plans to raise with the court regarding Standard Contract Clauses will be relevant to many companies operating in Europe. While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish Data Protection Commission in its investigation. Standard Contract Clauses remain valid, and Facebook has other legal methods in place to transfer data between countries.

Safe to say, uncertainty looks to be the new normal for businesses needing to transfer European citizens’ data to the U.S.

And with EU Member State DPAs now instructed to follow a set path of referring similar complaints to the CJEU, any quick fixes look set to rapidly run out of road. In short: buckle up for a bumpy ride.