International transfers: model contracts and Privacy Shield

With the arrival of the General Data Protection Regulation, the rules concerning the processing and protection of personal data within the European Union (‘EU’) have been largely harmonized. This means that organizations within the EU can, in principle, exchange personal data with peace of mind.

Outside the Netherlands and other EU member states, privacy legislation is often less strict. The transfer of personal data to countries outside the EU therefore requires special attention. Transfer to third countries is only lawful if the right safeguards have been put in place or if explicit consent has been given for this.

Model contracts

An example of such a safeguard is the conclusion of the so-called EU Standard Contractual Clauses, also known as model contracts. It is important to know that, in principle, the parties may not change these model contracts. They are frequently used for the international transfer of personal data, partly because they can easily be found on the website of the European Commission.

The question is, however, whether and for how long these standard contracts are considered to be legally valid. Max Schrems is of the opinion that these model contracts do not offer sufficient protection of the privacy of European citizens. The Irish High Court has now referred a number of important preliminary questions on this subject to the highest European court: the European Court of Justice (‘ECJ’). We await this decision with interest.

Privacy Shield

Earlier, Schrems had already succeeded in having the Safe Harbor treaty, on which the transfer of personal data between the EU and the US was based, declared invalid by the ECJ. This eventually led to the conclusion of a completely new treaty between the EU and the US: the Privacy Shield. However, this new treaty is also the subject of much controversy at the moment.

In a resolution of 5 July, the European Parliament called on the European Commission to suspend the Privacy Shield because, in Parliament's view, it does not offer European citizens sufficient protection. Parliament is particularly concerned about the recently adopted US Cloud Act, which allows US law enforcement agencies to access personal data stored in the EU. The Facebook/Cambridge Analytica scandal has also given the European Parliament little confidence. Finally, the Financial Times recently reported that Commissioner Jourova had sent a letter to the White House stating that the US should appoint an Ombudsman by October at the latest. The Ombudsman should supervise and handle complaints about the Privacy Shield. If this is not done in time, the EU may withdraw the Privacy Shield.

This could have major consequences for the more than 3000 companies that are now certified under the Privacy Shield and of course also for the organizations that exchange personal data with these companies. In short, it is important to keep a close eye on these developments when your organization exchanges personal data with countries outside the EU, and more specifically the US.