Model contract clauses and international data transfers

21st March 2017

This article was first published on Lexis®PSL IP & IT on 16 February 2017. Click for a free trial of Lexis®PSL.

On 16 December 2016, the EU Commission amended its adequacy decisions on model contract clauses and ‘whitelisting’ countries. The Regulatory Team at Walker Morris considers these amendments and assesses their implications for international data transfers.

What are adequacy decisions?

Under the current EU data protection regime, personal data can only be transferred outside the European Economic Area (EEA) if it is being transferred to a country or territory which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Under Article 25(6) of Directive 95/46/EC (the Data Protection Directive) the European Commission has the power to issue ‘adequacy decisions’ which find that a country or territory outside the EEA provides adequate protection as a result of its domestic laws or the international commitments it has entered into.

Under Article 26(4) of the Data Protection Directive, the Commission also has the power to issue adequacy decisions which find that certain standard contractual clauses provide adequate safeguards.

What adequacy decisions has the Commission issued?

The Commission has so far issued adequacy decisions in respect of:

• two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EEA, and
• one set of standard contractual clauses for transfers from data controllers to data processors established outside the EEA

These are often referred to as the standard contractual clauses or model contract clauses.

To date, the Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection which means that personal data can be transferred to these eleven countries and territories without any further safeguards being necessary (sometimes referred to as ‘whitelisting’ decisions).

The Commission also issued Decision 2000/520/EC in respect of transfers to the US which took place within the Safe Harbor framework (the Safe Harbor Adequacy Decision). However, on 6 October 2015, this adequacy decision was held to be invalid by the Court of Justice of the European Union in its decision in Schrems v Data Protection Commissioner, Case C-362/14, [2015] All ER (D) 34 (Oct).

Safe Harbor has now been replaced by the EU-US Privacy Shield pursuant to an adequacy decision adopted by the Commission on 12 July 2016 (see News Analysis: Putting the EU-US Privacy Shield into motion—what next? And Practice Note: The Privacy Shield for more details).

Why did the Court of Justice decide that the Safe Harbor adequacy decision was invalid?

Under Article 28 of the Data Protection Directive, the national data protection authorities (the DPAs) have the power to restrict transfers of data to countries and territories outside the EEA.

Article 3 of the Safe Harbor Adequacy Decision laid down the conditions under which the DPAs could decide to suspend data flows to a US company which had registered under Safe Harbor, notwithstanding the Safe Harbor Adequacy Decision.

The Court of Justice held that these conditions were so restrictive that they effectively prevented the DPAs from exercising their powers under Article 28 of Data Protection Directive, that the Commission does not have the competence to restrict the powers of the DPAs in this way and that Article 3 was therefore invalid.

The Court of Justice also held that Article 1 of the Safe Harbor Adequacy Decision was invalid as it neither specifically stated that the ‘United States in fact “ensures” an adequate level of protection by reason of its domestic law or its international commitments’ nor contained:

‘any finding regarding the existence in the United States of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States.’

Why has this resulted in the Commission amending its adequacy decisions?

The adequacy decisions ‘whitelisting’ the eleven countries and territories set out above all contained similar restrictive conditions as those set out in Article 3 of the Safe Harbor Adequacy Decision which the Court of Justice ruled were invalid.

The Commission has therefore amended these decisions with:

• a new Article 3 which requires a DPA to inform the Commission without delay if it exercises its power to restrict data flows to the relevant country, and
• a new Article 3a which provides that the Commission will monitor, on an ongoing basis, developments in the relevant country’s domestic laws that could affect the Commission’s adequacy decision and where evidence shows that an adequate level of protection is no longer ensured, the Commission will take action to repeal or suspend the adequacy decision or limit its scope

There is also a new obligation for the Commission and the DPAs to share information where the DPA of a third country fails to ensure adequate protection or the public authorities responsible for national security, law enforcement or other public interest interfere with the rights of individuals to privacy and to protection of their personal data beyond what is strictly necessary, and that there is no effective legal protection against such interference.

The Commission has also amended the adequacy decisions for model contract clauses for set 1 controller to controller transfers and controller to processor transfers. A new Article 4 makes it clear that the only condition relating to the DPAs exercise of the powers under Article 28 of the Data Protection Directive, is the requirement to inform the Commission without delay if they exercise the power to restrict data flows to a country outside the EEA.

Do these changes address all the issues raised by the Court of Justice in the Schrems decision?

No, not according to the Article 29 Working Party (which is made up of representatives of the DPAs).

Under the procedure for adopting adequacy decisions, the Commission must obtain the Article 29 Working Party’s opinion on its proposals, before decisions can be adopted. The Article 29 Working Party issued its opinion on the Commission’s proposed amendments to the adequacy decisions on 31 October 2016.

In its Opinion, WP 245, the Article 29 Working Party highlights its concern that the decisions only deal with the issues which the Court of Justice raised in respect of Article 3 and fail to address the issues with Article 1 (the requirement for the Commission to specifically set out the reasons why the relevant country’s domestic laws or international commitments in fact ensure adequate protection).

The Article 29 Working Party strongly recommends that the Commission should reinstate its previous practice of appointing external experts to provide extensive and in-depth adequacy assessments of the relevant country’s domestic laws and international commitments to form the basis of its adequacy decisions.

It also insists that the ‘whitelisting’ decisions must be amended as soon as possible to include an assessment of whether the public authorities responsible for national security, law enforcement or other public interest in each relevant country or territory:

 ‘do not interfere with the rights of individuals to privacy and to protection of their personal data beyond what is strictly necessary, and that there is no effective legal protection against such interference.’

What impact will this have on the Court of Justice’s review of the model contract clauses?

On 25 May 2016, the Irish Data Protection Commissioner announced, that as part of its ongoing review of the complaint made by Max Schrems against Facebook Ireland, it intended to seek declaratory relief in the Irish High Court and a referral to the Court of Justice to determine the legal status of data transfers under model contract clauses.

Although the changes which the Commission has made to its adequacy decisions address some of the issues raised by the Court of Justice in the Schrems decision, the referral of the model contract clauses to the Court of Justice will almost certainly go ahead.

What do the changes mean in practice?

They actually mean very little in practice for businesses in respect of the day-to-day transfer of personal data.

The changes to the adequacy decisions for model contract clauses don’t affect the model contract clauses themselves. So, for the time being at least, businesses which have incorporated the model contract clauses into their agreements won’t need to make any changes.

The changes to the ‘whitelisting’ adequacy decisions have no impact on the Commission’s finding that the eleven countries and territories provide adequate protection and so businesses can continue to transfer personal data to these countries without having to implement any additional safeguards.

So what should businesses do now?

Businesses should review all personal data which they transfer outside the EEA to ensure that an appropriate transfer mechanism is in place for each transfer.

However, as the model contract clauses (and the EU-US Privacy Shield) are subject to legal challenges before the Court of Justice, which are likely to continue notwithstanding the Commission’s amendments to its adequacy decisions, businesses will need to keep up to date with developments in this area to ensure that they are ready to implement any necessary changes if the Court of Justice rules that any of these transfer mechanisms are invalid.