Not long after the “Safe Harbor” decision and in the same context (data transfer to the US by Facebook) the Irish Data Protection Commissioner has decided to bring the EU-US data flows before the European Court of Justice (CJEU) (again).
Once more, it is all about Facebook (Facebook Ireland Ltd.). After the CJEU has invalidated the Safe Harbor Agreement with the United States (“US”) last autumn, Facebook, like many other international IT companies, continued to transfer user data to the US relying on the EU Model Clauses for the transfer of personal data to third countries. These Model Clauses allow the transfer of personal data to countries outside the EU and are there to provide adequate safeguards with respect to the protection of personal data.
The CJEU has ruled in October 2015, that the US does not provide adequate protection for personal data coming from the EU and that US mass surveillance applicable to such data violates the essence of the fundamental right to privacy established in the EU. Therefore, according to the court, “Safe Harbor” is not sufficient to make data transfer to the US legal.
The Irish Data Protection Commissioner has now stated that the underlying problems that led to the “Safe Harbor”-decision were not solved by the use of the Model Clauses, and therefore referred to the CJEU again to determine if Facebook can continue to transfer data to the US on the basis of the Model Clauses.
Consequences will be broad if the CJEU decides that the Model Clauses are equally insufficient as “Safe Harbor”. Not only would Facebook be banned from transferring data to the US, but many other international companies (like Google, Amazon and many more) are currently relying on the Model Clauses and would be influenced by such ruling. Further, the EU-US Privacy Shield, which was meant to replace “Safe Harbor” will be discussed again.