EU, US Sign Law Enforcement Privacy Pact
The EU and U.S. finalized a trans-Atlantic data flow pact Thursday. The "umbrella agreement," which provides safeguards and guarantees for data transfers carried out for law enforcement purposes, and which gives Europeans the same rights of redress before U.S. courts as U.S. citizens, is a "major step forward" in EU-U.S. relations, the EU Council said. The instrument needs European Parliament approval.
Lawmaker Jan Philipp Albrecht, of the Group of the Greens/European Free Alliance, said concerns remain about whether the accord is compatible with EU fundamental rights and whether the U.S. will guarantee unrestricted legal protection to EU residents. Meanwhile, data protection lawyers said in interviews Thursday that concerns are growing about the potential consequences of a challenge to the standard contractual clauses (or model clauses) that many companies use to shift personal data to the U.S. and elsewhere.
The signing of the umbrella agreement came as Privacy Shield's fate hangs in the balance (see 1605310017), and the Irish Data Protection Commissioner (DPC) announced plans May 25 to seek European Court of Justice (ECJ) review of standard contract clauses. The office notified Max Schrems, whose challenge to safe harbor resulted in its being thrown out, and Facebook of its "intention to seek declaratory relief in the Irish High Court and a referral to the [ECJ] to determine the legal status of data transfers under Standard Contractual Clauses."
After the ECJ invalidated safe harbor, Facebook Ireland continued to transfer user data to the U.S. under the model clauses, Schrems said in a media briefing. "However, this switch of a legal basis for data transfers did not change the underlying problem of applicable US mass surveillance laws and the lack of legal redress in the United States, especially for foreign nationals," he wrote. If the Irish High Court refers the case to the ECJ as intended by the DPC, the questions raised will also affect Privacy Shield because the factual and legal issues are the same, he said.
Little is known of what the Irish DPC has in mind because there has only been a news release, said Linklaters (Brussels) privacy attorney Tanguy Van Overstraeten. If the Irish High Court refers the case to the ECJ, there could be a "dramatic outcome," but differences between safe harbor and standard contract clauses could result in the latter being upheld, he said.
One key difference is that while safe harbor was a U.S. creation that was approved by the European Commission (as would be Privacy Shield), standard clauses are a fully European instrument drafted and organized by the EC, in which data is protected by contract, not legislation, said Van Overstraeten. A second difference is that the safe harbor system enabled transfers only between the EU and U.S., while standard clauses can be used anywhere. There's a concern that, depending on what the ECJ is asked to decide, a ruling might mean that standard clauses would be barred everywhere, he said.
Another difference between safe harbor and model contract clauses is that the latter allows audits from the EU by the data controller exporting the data and the relevant EU-based data protection authority, which wasn't part of safe harbor and which should reinforce the validity of model clauses, Van Overstraeten said. Privacy Shield also has increased powers for EU data protection authorities, he said. The ECJ wouldn't necessarily come to the same conclusion on model contract clauses as on safe harbor, he said.
Privacy Shield is in motion, with agreement expected in coming weeks, said Van Overstraeten: If it doesn't work, "we have a major issue." If it does, he said that it's possible that the different safeguards granted under Privacy Shield also might be extended to standard contract clauses so any transfers to the U.S. could benefit.
The main question on model clauses is "What is the scope of this?" said Squire Patton (London) privacy and cybersecurity attorney Ann LaFrance. It could go way beyond the U.S., because the EC has made similar adequacy findings with other countries that might have similar surveillance issues, she said.
There are two types of standard contractual clauses: controller-to-controller, used for example in intra-group, cross-border data transfers, and controller-to-processor, which might be used in a situation such as where human resources information is transferred to a provider in a third country, LaFrance said. The model clauses must be used as they are, and any tailored changes need approval from the relevant data protection authority, she said. If the main concern with safe harbor boiled down to issues of the type revealed by NSA leaker Edward Snowden, there might not be much difference with model clauses used by, say, telcos that are subject to mass law enforcement data sweeps, she said. For those companies with no history of receiving bulk surveillance requests, however, standard clauses might still be acceptable, LaFrance said. If the challenge gets to the ECJ, it might take a more nuanced position, depending on which companies are using model clauses and where, she said.
There could be another headache for businesses, said LaFrance. Under the controller-to-controller provisions, data importers must warrant they have no reason to believe any national laws applicable to themselves prevent them from fully complying with their obligations under the model clauses, and if that changes they will notify the data exporter, which can then suspend or terminate the contract, she said. Companies subject to extensive law enforcement requests must ensure they can comply with those contractual obligations, she said.
If model clauses and Privacy Shield fail, binding corporate rules are another route for data transfers, said LaFrance. Binding corporate rules will suffer from similar issues, meaning data can't be exported, she said. In that case, enterprises might have to site servers in Europe and keep European data there, she said. That will be expensive and difficult, but it's "where this could be heading."
Since the Irish DPC referred standard contractual clauses to the court for review of their adequacy, "greater focus will be placed on whether the criticisms of Privacy Shield are well founded," Hogan Lovells privacy lawyers Julie Brill and Winston Maxwell wrote in a blog post Wednesday.