Model clauses for EU-US transfers provide sufficient protections says non-binding decision


Share This Post

If you’ve followed the challenges of EU data protection legislation by privacy activist Max Schrems, you’ll have heard about his most recent challenge that the use of the EU standard contract clauses (which allow, by legal contract, for non-EU transfers of data) are not adequate in protecting EU Facebook data, when that data is transferred to the US and could be used by US surveillance services (viz Edward Snowdon’s revelations a few years ago).

The advocate general’s decision on this matter dates back to the referral to the CJEU in 2018 by the Irish data protection commissioner about the case raised by Schrems. The main issue is that the standard contract clauses (or model clauses) are not sufficient to provide protection for EU citizens’ data when a US business processes that data in the US, particularly if the US business is subject to agreements with US government relating to surveillance by the security services.

The preliminary ruling today (19th December 2019) by the advocate general clarifies that in his opinion the standard contractual clauses are valid and therefore the transfer would be lawful. However, he also noted that observations and potentially withdrawal around their validity should be made if national law in the non-EU country goes against the principles set out in the contractual terms.

Schrems also raised the issue about the validity of the EU-US Privacy Shield agreement (which was a reworking of the previous safe harbour agreement which Schrems previously,  and successfully, demonstrated was not fit for purpose). On this matter the advocate general agreed with Schrems there could be a conflict with laws of the countries where the data is transferred, but in his opinion it was not for the court to rule on the legality of Privacy Shield but recognised concerns over people’s right to privacy and effective remedies.

However, all that said, this is a non-binding decision and the final decision will be made by the CJEU (based on the advocate general’s opinion) in the coming months – usually judges in court follow the recommendations of the advocate general in four out of five cases, so this is widely seen as the likely outcome, although not guaranteed.

If the opinion is essentially ratified by the CJEU next year, this will make everyone’s life easier if they’re using non-EU based cloud-based service providers that process personal data. If the opinion goes the other way and the contractual clauses (or even Privacy Shield) are deemed invalid for lawful transfer to the US, then most businesses will be impacted and would need to make different arrangements not to be in breach of GDPR.

More To Explore

Eat. Sleep. GDPR. Repeat.

We live and breathe GDPR and ePrivacy compliance, so you don’t have too. Our GDPR UNLIMITED helpline is all about offering you help and support, whenever you need it most. As well as the unlimited helpline, you get up to 4 hours “hands-on” help each month, which we can configure to help you in anyway you need such as a GDPR review, or acting as your DPO.

As well as the unlimited helpline and hands-on help you get GDPR and privacy updates, access to our GDPR knowledge centre and webinars.

Unlimited email & phone support

Unlimited email and phone support. Email or organise a voice call as often as you need each month.​

Up to 4 hours "hands-on" help per month

We use these "hands-on" hours to do the GDPR work for you, such as reviews, acting as your DPO, checking DPIA, dealing with breaches, training your staff, etc. (Additional hours: £100+VAT per hour)

Online resources

Our Knowledge Centre gives you access to information, guidance, topic related guides and other tools to support your GDPR and PECR compliance

Updates, alerts & briefings

We provide updates and alerts and a monthly compliance briefing. You can either sign into the Knowledge Centre or sign up via email to receive an email every time we add a new update or alert

DPO services

Whether mandated or not we can act as your Data Protection Officer (DPO) and manage your day to day compliance

Webinars, workshops & training

Whether updates on the latest issue, workshops or team training, it's all included in your monthly retainer.

LIKE WHAT YOU'RE READING? join our email list

Sign up for monthly briefings and the occasional emails about our webinars and services

Want to know more about how we use your data? Check out our privacy policy