Last year the European Court of Justice (CJEU) struck out the so-called Safe Harbor data exchange agreement between the EU and the United States following complaints from Max Schrems, an Austrian legal student who argued that the agreement did not provide adequate provisions to protect European citizens’ data, particularly in light of revelations surrounding US surveillance operations.
Mr Schrems brought his specific complaint against Facebook to the Irish Data Protection Commissioner, as the social media company’s international headquarters are based in Dublin.
After it was struck down, companies such as Facebook depended on model contracts between its Irish and non-EU operations that contain specific provisions dealing with data protection to facilitate transferring citizens’ data outside the EU.
However, Mr Schrems has now suggested that these contracts are equally unfit for purpose — a concern that the Data Protection Commissioner is to refer to the European Court for their opinion.
“This is a very serious issue for the US tech industry and EU-US data flows,” said Mr Schrems.
“As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental rights. I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws.
“All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see now there could be a solution.”
The Data Protection Commissioner yesterday confirmed it is their intention “to seek declaratory relief in the High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”