Menu
New court request raises further doubts about transatlantic data transfers

New court request raises further doubts about transatlantic data transfers

Irish data protection authority wants EU court to rule on whether standard contracts offer better privacy protection than the Safe Harbor pact it has already struck down

Thousands of companies were turned into lawbreakers at a stroke the last time the High Court of Ireland referred a question about data protection to the Court of Justice of the European Union. And it may be about to do it again.

That means yet more uncertainty for companies processing European citizens' personal information in the U.S., as they struggle to keep up with the changes in privacy regulations triggered by the CJEU's response to the Irish court's last question.

Under EU law, citizens' personal information can only be exported to jurisdictions guaranteeing a similar level of privacy protection to that required by the 1995 Data Protection Directive.

The Safe Harbor Agreement made by EU and U.S. authorities in July 2000 was supposed to make that guarantee for data transferred to the U.S..

Last October, though, the CJEU struck down the agreement, saying it did not adequately protect European citizens' personal information from massive and indiscriminate surveillance by U.S. authorities.

The Irish high court triggered that ruling by asking the CJEU to rule on some matters of law in a case pitting Austrian Facebook user Maximilian Schrems against the Irish Data Protection Commissioner.

Schrems had complained that, in the light of the revelations of Edward Snowden about the U.S. National Security Agency's surveillance of data held by U.S. companies, Facebook's handling of his personal information did not meet EU legal requirements. Facebook CEO Mark Zuckerberg has denied the accusations.

In the wake of the CJEU's ruling, the European Commission told businesses making transatlantic data transfers to use alternative legal mechanisms, such as standard contract clauses or binding corporate rules, to offer the necessary legal guarantees while it struck a new agreement with U.S. authorities.

But now the Irish Data Protection Commissioner wants the country's high court to ask the CJEU whether standard contract clauses suffer from the same inadequacies as Safe Harbor.

The Article 29 Working Party, which brings together data protection authorities from all EU member states, has been studying just that question since the CJEU's ruling in October.

To minimize the potential disruption to businesses, the working party will wait until the Commission has completed its negotiations with U.S. authorities on Privacy Shield, the replacement for Safe Harbor, before giving its verdict on alternative transfer mechanisms, it said in April.

That the working party feels the need to withhold its opinion of those mechanisms suggests it is not entirely happy with standard contract clauses either. But if it were to torpedo all the data transfer mechanisms allowed under the directive, there would be no legal way for businesses to send personal information from the EU to the U.S.

Facebook is taking the whole thing calmly. "There is no immediate impact for people or businesses who use our services," a company spokeswoman said Wednesday. "Standard contract clauses remain valid, and Facebook has other legal methods in place to transfer data between countries," she said.

That's certainly true for now, but a new ruling from the CJEU could change that.

Schrems, whose complaint to the Irish DPC triggered the whole legal process, expects the CJEU to invalidate standard, or model, contract clauses, for exactly the same reasons it struck down Safe Harbor.

"All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the U.S. does not substantially change its laws I don't see how there could be a solution," he said via email.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Privacy Shield

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments