Businesses fret about EU court challenges to international data transfers

5 July 2019 9:55am

2 July 2019, by Matthew Newman and Vesela Gladicheva

Facebook, Microsoft, Twitter and Coca-Cola will be closely watching arguments at an EU court this month in a case that could lead to sweeping changes in how companies transfer personal data — from pay slips to health data — to countries outside the EU.

Judges at the EU’s highest court will hear a challenge by Ireland’s top watchdog and Austrian privacy activist Max Schrems against a key mechanism for international data transfers used by Facebook for data transfers to the US. Companies can use EU-approved model clauses to ship data around the globe — including to countries such as China and Russia — in compliance with the EU’s strict data privacy rules.

The July 9 hearing in Luxembourg comes nearly three years after the EU and the US signed the so-called Privacy Shield, which assured that companies could continue the smooth transfer of data across the Atlantic. The legality of the deal has also been challenged in a separate case by French civil-rights groups before the EU’s lower-tier General Court, whose hearing has been delayed until after the Schrems hearing.

However, Privacy Shield’s compatibility with the EU fundamental right to privacy will be tested during the July 9 hearing. That’s because EU judges are reviewing questions from Ireland’s High Court in the Schrems case about whether a US dispute mediator for national-security complaints under the accord can sufficiently protect EU citizens’ data transferred to the US via model clauses.

The EU and US carved out the Privacy Shield in 2016 after the EU Court of Justice declared its predecessor, known as the Safe Harbor agreement, to be invalid. That setback came after Schrems argued that Facebook’s trans-Atlantic transfers of his data didn’t provide adequate protection because of mass surveillance revealed by whistleblower Edward Snowden.

Companies scrambled to fill the gap. Alternative, but more burdensome, transfer mechanisms that companies could choose from included “binding corporate rules” for intergroup transfers and derogations — such as proving the transfers are necessary on contractual or public-interest grounds — and obtaining individuals' consent to the proposed transfers.

But most companies rushed to one of the most widely used mechanisms: standard-contractual clauses. These contracts — agreed between the sender and the receiver of personal data — ensure that data-protection rules outside the bloc offer individuals a satisfactory level of protection.

First crafted by the EU executive in 2001, they impose non-negotiable obligations on contracting parties to ensure protection for individuals. The clauses allow individuals to enforce their rights and obtain compensation if there is a data breach.

Unlawful clauses?

But now these clauses, through the Facebook lawsuit from Ireland, are at risk. Schrems argues Facebook’s clauses violate the EU’s strict data-protection rules. The EU court may well rule, perhaps later this year or early in 2020, that these contracts don’t provide “adequate” data protection for EU citizens from foreign governments’ access to their data for national-security reasons, and are thus invalid.

These transfers are the lifeblood of global commerce, and are “extremely critical” for a myriad of companies, from insurance and financial-services companies to airlines and social-media giants, company officials said in interviews with MLex.

That’s why if the European Court of Justice strikes down these contracts and finds them not to be a lawful basis for personal data transfers between the EU and the US — and therefore the rest of the world — businesses will face massive legal uncertainty. They’ll have to quickly find a Plan B to avoid major business disruptions.

Nokia has reached “dozens of agreements” with standard-contractual clauses for international data transfers, said Magdalena Góralczyk, the Finnish telecom company's global lead counsel of privacy.

“If you have customers who have to rely on standard-contractual clauses, the impact of Schrems II will be profound,” she said at a conference* in Brussels last week.

Workday, a California-based human-resources software vendor, considers standard-contractual clauses to be an “important transfer mechanism for European personal data,” Barbara Cosgrove, Workday’s chief privacy officer, said at the same conference in Brussels.

“As one of the first companies to certify, Workday also offers our customers the option to rely on our Privacy Shield certification as well as our binding corporate rules,” she said. “We will continue to pursue other legitimate data-transfer mechanisms as they become available.”

The problem with the current model clauses is that as a contract-based mechanism, they can’t prevent government access to data for national-security reasons. Companies simply can’t refuse such requests.

At next week’s hearing, the US and British governments and tech industry groups the Software Alliance and Digital Europe will, as intervening parties, fiercely defend the model clauses and Privacy Shield, arguing they offer strong safeguards for EU citizens’ data.

The court’s appetite to annul these mechanisms could become clear from the type of questions judges will ask the parties. Considerations will include US improvements to the Privacy Shield — such as the recent confirmation by the US Senate of Keith Krach as Privacy Shield ombudsman — but also evident gaps in protection to data shifted via model clauses to countries such as China.

Commission evaluation

The European Commission, faced with the threat of further annulments of its data-transfer mechanisms, is now updating the model clauses to bring them up to speed with the EU’s General Data Protection Regulation.

The move will please companies, which have repeatedly asked the EU executive to overhaul the clauses to specifically allow transfers from data processors in the bloc to sub-processors outside the bloc. Currently, the model clauses cover transfers between two data controllers, and between a controller and a processor.

In a questionnaire in March, the commission asked businesses whether there is also a need for contracts covering companies that have joint control over data. In its responses, the Centre for Information Policy Leadership — whose members include Boeing, Facebook, Huawei and Vodafone — has suggested adding data-sharing terms to the clauses, regardless of the location of the controller importing the data. Others have put forward ideas for how the clauses could limit the US government's access to data.

The commission plans to decide on whether to issue new model clauses to fill in any missing pieces in the coming months, MLex understands. Following the ruling in the Schrems II case, the commission might have to adapt the clauses to ensure the smooth flow of data. But even the updated clauses could trigger legal challenges.

If judges annul the model clauses in Schrems II, and with no viable alternative data-transfer methods, companies will be left at the mercy of EU data privacy regulators.

* "GDPR at Year One. After a successful start, where do we go from here?", CEPS, Brussels, June 26, 2019

GDPR