Model Clauses under attack

Companies must take special precautions when transferring personal data to non-European countries, if the recipient country does not have an appropriate level of data protection, recognized by the European Commission. In addition to the consent of the data subjects on a case-by-case basis, the instruments available to companies comprise approval by the supervisory authorities, transfer subject to the rules of the Privacy Shield (in cases of transfer to the USA), or the use of the so-called EU standard contractual clauses (Model Clauses). Many companies in Germany place their faith predominantly in the Model Clauses for this purpose, as the Privacy Shield is applicable only to transfers of personal data to the USA, but not for example to Asia, Africa or Australia. Privacy Shield also requires data recipients to have corresponding certification. By contrast, the Model Clauses are a formalistic but uncomplicated instrument for enabling transfers to non-EU countries.

This option is now coming under attack. Following legal action by the Austrian activist Max Schrems against the Irish Data Protection Commissioner that already brought about the downfall of the predecessor to Privacy Shield - Safe Harbor - and resulted in the re-launch of a modified Privacy Shield, the High Court of Ireland - Commercial Law Division - has now also submitted the question to the CJEU of whether the Model Clauses constitute a sufficient means of establishing an appropriate level of data protection, thus offering sufficient protection of the rights of data subjects in Europe when company data is transferred to countries outside Europe. No date has yet been set for a decision by the CJEU. Rather, the Irish High Court will first formulate the specific questions to the CJEU on October 11, 2017. Based on the time schedule for the decision on Safe Harbor, a decision can be expected by the end of 2018.

Until then, the Model Clauses will remain a legitimate means for carrying out transfers of personal data to the USA and other non-European countries. However, any decision of the CJEU declaring the Model Clauses to be invalid could have significant effects, as this would affect not only transfers to the USA, as is the case with Safe Harbor, but also transfers to the entire rest of the world. In contrast to the situation with Safe Harbor, many corporations throughout the world also use the Model Clauses for their own internal data transfers.

Companies should therefore monitor developments very closely and, wherever possible, choose purely European solutions, for example for IT operations, so as not to be caught on the wrong foot by any possible decision of the CJEU.