Background
The controversy surrounding Safe Harbour began with the Edward Snowden revelations. Snowden, a former CIA systems analyst, claimed (among other things) that Facebook and other US companies were being forced to make user data, including EU user data, available to US intelligence (particularly the National Security Agency).
When Austrian law graduate Max Schrems became aware of these claims, he lodged a formal complaint against Facebook Ireland with the DPC claiming that the laws and practices of the US offer no real protection against state surveillance. He also asked the DPC to prohibit Facebook Ireland from transferring his personal data to the US.
What was Safe Harbour?
Safe Harbour was a framework agreed between the US and the European Commission whereby personal data could (up to the date of the CJEU’s judgment) be transferred to the US. This could be done without contravening the general prohibition under EU data protection law on the transfer of personal data outside of the European Economic Area (“EEA”) to countries which are deemed not to provide an adequate standard of protection for personal data.
The Safe Harbour decision
The CJEU held that the Safe Harbour arrangement was invalid because of the lack of protection for EU personal data in the United States. This meant that companies could no longer rely on Safe Harbour certification to legalise the transfer of personal data to the US.
The case was then remitted to the High Court, which instructed the DPC to fully investigate Schrems’ complaint. While the DPC continues to investigate Schrems’ complaint, it has now indicated its intention to seek declaratory relief in the High Court and a referral to the CJEU to determine the legal status of data transfers under Model Contract Clauses.
What are Model Contract Clauses?
The European Commission is empowered to recognise standard contractual clauses (otherwise known as Model Contract Clauses) as offering adequate safeguards. The Commission has approved a number of Model Contract Clauses which can be used by companies to legalise the transfer of personal data to another company outside the EEA.
Like many companies that relied on Safe Harbour, Facebook Ireland entered into a Model Contract Clause contract with its US parent after the CJEU’s decision in order to justify its data transfers to the US. However, the CJEU ruling raises questions about the validity of Model Contract Clauses, and so it is conceivable that the CJEU could conclude that, like Safe Harbour, Model Contract Clauses are also invalid.
What should companies do?
There is no need to take any immediate action. Until they are invalidated, Model Contract Clauses can still be used to justify the transfer of personal data to the US (and to other countries outside the EEA). However, companies should monitor developments.
The DPC’s actions will also put pressure on the EU and the US to conclude the ongoing negotiations regarding the proposed "Privacy Shield" to replace Safe Harbour in order to alleviate business concerns over transferring personal data outside the EEA.