Client Alerts

New Attack on EU/US Data Transfers Challenges the Validity of Standard Contractual Clauses

By: Frances Floriano Goins and Michael A. Marrero

About: Cybersecurity & Privacy

Standard contractual clauses, which have quickly become a popular means for transferring personal data from the European Union to the United States following the demise of the Safe Harbor, may suffer the same fate as the Safe Harbor and be found to be an invalid mechanism for legally transferring personal data from the EU to the US. The Irish Data Protection Commissioner intends to refer the case against Facebook, which challenges Facebook’s transfers of personal data from the EU to the US, to the Court of Justice of the European Union (CJEU). On October 6, 2015, in an earlier case, Schrems v. Data Protection Commissioner, the CJEU determined that the Safe Harbor program was an invalid method of transferring data to the United States because of issues related to government surveillance of data, and Facebook’s practices of transferring data pursuant to the Safe Harbor were found invalid. Before that decision, the Safe Harbor, a privacy framework that had been in place between the US and EU since 2000, was the most popular basis for US companies to transfer EU personal data to the US. Mr. Schrems, an Austrian law student, is again contesting the validity of Facebook’s practices, this time arguing that Facebook may not make transfers pursuant to standard contractual clauses, because the underlying problems related to US mass surveillance remain the same.

Implications for U.S. Companies

All companies that rely on standard contractual clauses to support data transfers from the EU to the US must pay close attention to this case. Many companies are still responding to the invalidation of the Safe Harbor, and this new challenge may further impact how they can structure their information technology systems and data transfers in a legally compliant manner. The importance of ensuring that data transfers are compliant is becoming more significant with the recent enactment by the European Parliament of the General Data Protection Regulation (GDPR), which regulates transfers of personal data by members of the EU. The GDPR becomes effective in May 2018. The GDPR includes fines that can equal the greater of 20 million EUR or 4% of worldwide revenue. Companies must now begin to consider the possibility that standard contractual clauses will suffer the same fate as the Safe Harbor and, if the new challenge is successful, how they can restructure their information technology systems and data transfers to comply with EU law.