Here We Go Again: Schrems 2 Puts The Model Clauses For Transfer Of EU Personal Data In Doubt

On October 3, 2017, the High Court of Ireland rendered a decision in The Data Protection Commissioner v. Facebook Ireland Limited & anor, [2017] IEHC 545. This decision, which could well be labeled Schrems 2, is effectively a sequel to the original Schrems decision, based on the same underlying facts and issues. In this most recent decision, the High Court has granted a request from the Irish Data Protection Commissioner ("DPC") for a reference to the CJEU for a ruling on the validity of the so-called "Model Clauses" (or "Standard Contractual Clauses") for transfer of EU personal data to the US. In so doing, it has set in motion a potentially drastic shake-up of the existing order for export of EU personal data, which could ultimately have far broader consequences than the first Schrems decision.

Background

Under EU law, an organization may only transfer "personal data" about an individual to a non-EU country for processing if the destination country "ensures an adequate level of protection". The European Commission has the authority to make a determination of whether the protections afforded to personal data in a given third country are or are not "adequate" in this regard.

In some cases "adequacy" decisions apply broadly. In the case of Canada, for example, the Commission concluded that Canadian privacy laws were sufficiently similar to European laws that they were inherently adequate. But the US has a very different legal regime in this regard. As a result, the Commission has taken a more circumstantial approach, considering incremental measures that can be applied by the exporting and importing organizations.

The Commission has recognized three bases for lawful transfer of EU personal data to the US:

A voluntary arrangement, originally known as "Safe Harbour", by which U.S. organizations self-certify compliance with certain privacy principles;

Standardized contractual commitments between the data controller and data processor, based on approved "Model Clauses"; and

Similar commitments adopted in binding non-contractual rules applicable within a corporate group (so-called "Binding Corporate Rules").

In the wake of the 2013 Snowden revelations about US data surveillance programs, Austrian law student Max Schrems brought a complaint against Facebook in Ireland, arguing that Facebook's transfer of his personal information to the US was unlawful under both Irish and EU law. This case was eventually referred to the Court of Justice of the...
